Enum Class FallbackDiscoveryMode

java.lang.Object
java.lang.Enum<FallbackDiscoveryMode>
org.apache.pulsar.broker.authentication.oidc.FallbackDiscoveryMode
All Implemented Interfaces:
Serializable, Comparable<FallbackDiscoveryMode>, Constable

@Evolving public enum FallbackDiscoveryMode extends Enum<FallbackDiscoveryMode>
These are the modes available for configuring how the Open ID Connect Authentication Provider should handle a JWT whose "iss" claim is not explicitly in the allowed issuers set configured by AuthenticationProviderOpenID.ALLOWED_TOKEN_ISSUERS. The current implementations rely on the Kubernetes Api Server's Open ID Connect features to discover either an additional trusted issuer or an additional set of public keys; in both cases the Api Server, not the token's issuer, is the trust anchor for the fallback. See the Kubernetes documentation for more information on how Service Accounts can integrate with Open ID Connect. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery
  • Nested Class Summary

    Nested classes/interfaces inherited from class java.lang.Enum

    Enum.EnumDesc<E extends Enum<E>>
  • Enum Constant Summary

    Enum Constants
    Enum Constant
    Description
    DISABLED
    There will be no discovery of additional trusted issuers or public keys.
    KUBERNETES_DISCOVER_PUBLIC_KEYS
    The Kubernetes Api Server will be used to discover an additional set of valid public keys by getting the issuer at the Api Server's /.well-known/openid-configuration endpoint, verifying that issuer matches the "iss" claim on the supplied token, then calling the Api Server endpoint to get the public keys using a kubernetes client.
    KUBERNETES_DISCOVER_TRUSTED_ISSUER
    The Kubernetes Api Server will be used to discover an additional trusted issuer by getting the issuer at the Api Server's /.well-known/openid-configuration endpoint, verifying that issuer matches the "iss" claim on the supplied token, then treating that issuer as a trusted issuer by discovering the jwks_uri via that issuer's /.well-known/openid-configuration endpoint.
  • Method Summary

    Modifier and Type
    Method
    Description
    static FallbackDiscoveryMode
    valueOf(String name)
    Returns the enum constant of this class with the specified name.
    static FallbackDiscoveryMode[]
    values()
    Returns an array containing the constants of this enum class, in the order they are declared.

    Methods inherited from class java.lang.Object

    getClass, notify, notifyAll, wait, wait, wait
  • Enum Constant Details

    • DISABLED

      public static final FallbackDiscoveryMode DISABLED
      There will be no discovery of additional trusted issuers or public keys. This setting requires that operators explicitly allow every issuer that will be trusted. For Kubernetes projected Service Account Tokens to be accepted, the operator must explicitly trust the issuer carried in the token's "iss" claim. This is the default setting because it is the only mode that follows the OIDC Discovery spec for verification of the discovered provider configuration: the configuration is fetched from the URL named in the "iss" claim, and the issuer it returns must be identical to that URL.
    • KUBERNETES_DISCOVER_TRUSTED_ISSUER

      public static final FallbackDiscoveryMode KUBERNETES_DISCOVER_TRUSTED_ISSUER
      The Kubernetes Api Server will be used to discover an additional trusted issuer by getting the issuer at the Api Server's /.well-known/openid-configuration endpoint, verifying that issuer matches the "iss" claim on the supplied token, then treating that issuer as a trusted issuer by discovering the jwks_uri via that issuer's /.well-known/openid-configuration endpoint. This mode can be helpful in EKS environments where the Api Server's public keys served at the /openid/v1/jwks endpoint are not the same as the public keys served at the issuer's jwks_uri. It fails to be OIDC compliant because the URL used to discover the provider configuration (the Api Server) is not the same as the issuer claim on the token; the issuer is trusted on the Api Server's word, not because the operator listed it.
    • KUBERNETES_DISCOVER_PUBLIC_KEYS

      public static final FallbackDiscoveryMode KUBERNETES_DISCOVER_PUBLIC_KEYS
      The Kubernetes Api Server will be used to discover an additional set of valid public keys by getting the issuer at the Api Server's /.well-known/openid-configuration endpoint, verifying that issuer matches the "iss" claim on the supplied token, then calling the Api Server endpoint to get the public keys using a kubernetes client. This mode is currently useful for getting the public keys from the Api Server because the Api Server requires custom TLS and authentication, and the kubernetes client automatically handles those. It fails to be OIDC compliant because the URL used to discover the provider configuration (the Api Server) is not the same as the issuer claim on the token.
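      The following is an added illustration of the decision logic the three constants describe; it is not Pulsar code and does not use the Pulsar API. It models each mode against constructed discovery documents (the URLs, the API server address, the EKS-style issuer and the rogue issuer are all hypothetical) so the flow, and the point at which each fallback mode departs from OIDC Discovery, can be followed offline.

```python
# Added illustration of the three FallbackDiscoveryMode behaviours. Not Pulsar code: it
# models the decision logic described above against constructed discovery documents.
# All URLs are hypothetical.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set

WELL_KNOWN = "/.well-known/openid-configuration"


class FallbackDiscoveryMode(Enum):
    DISABLED = "DISABLED"
    KUBERNETES_DISCOVER_TRUSTED_ISSUER = "KUBERNETES_DISCOVER_TRUSTED_ISSUER"
    KUBERNETES_DISCOVER_PUBLIC_KEYS = "KUBERNETES_DISCOVER_PUBLIC_KEYS"


# Hypothetical: in-cluster API server, an EKS-style service account issuer, and a
# reachable issuer nobody has allowed.
API_SERVER = "https://kubernetes.default.svc"
EKS_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123"
ROGUE_ISSUER = "https://attacker.example"

# Constructed stand-in for HTTPS: URL -> JSON body a discovery endpoint would return.
# The API server's document names the EKS issuer but advertises its own jwks_uri,
# which is the EKS situation the Javadoc describes.
FAKE_HTTP: Dict[str, dict] = {
    API_SERVER + WELL_KNOWN: {"issuer": EKS_ISSUER, "jwks_uri": API_SERVER + "/openid/v1/jwks"},
    EKS_ISSUER + WELL_KNOWN: {"issuer": EKS_ISSUER, "jwks_uri": EKS_ISSUER + "/keys"},
    ROGUE_ISSUER + WELL_KNOWN: {"issuer": ROGUE_ISSUER, "jwks_uri": ROGUE_ISSUER + "/keys"},
}


def fetch(url: str) -> dict:
    """Stand-in for an HTTPS GET of a discovery document."""
    if url not in FAKE_HTTP:
        raise ConnectionError(f"no such endpoint: {url}")
    return FAKE_HTTP[url]


@dataclass(frozen=True)
class Resolution:
    jwks_uri: str          # where the verifier must load the signing keys from
    oidc_compliant: bool   # True only if discovery was driven solely by the token's iss claim


def discover_from_issuer(iss: str) -> dict:
    """Plain OIDC Discovery: fetch <iss>/.well-known/openid-configuration and require the
    returned issuer to equal the URL used to fetch it (OpenID Connect Discovery 1.0, 4.3)."""
    cfg = fetch(iss + WELL_KNOWN)
    if cfg["issuer"] != iss:
        raise PermissionError(f"discovery document at {iss} claims issuer {cfg['issuer']!r}")
    return cfg


def resolve_jwks(iss: str, allowed_issuers: Set[str], mode: FallbackDiscoveryMode,
                 api_server: str = API_SERVER) -> Resolution:
    """Decide where signing keys for a token with claim iss come from, or reject the token."""
    if iss in allowed_issuers:
        # Explicitly allowed issuer: the compliant path, taken regardless of mode.
        return Resolution(discover_from_issuer(iss)["jwks_uri"], True)
    if mode is FallbackDiscoveryMode.DISABLED:
        raise PermissionError(f"issuer {iss!r} not allowed and fallback discovery is disabled")

    # Both fallback modes first ask the API server which issuer it vouches for and require
    # that to match the token. Discovery here is driven by the API server URL, not by iss,
    # which is why neither mode is OIDC compliant.
    api_cfg = fetch(api_server + WELL_KNOWN)
    if api_cfg["issuer"] != iss:
        raise PermissionError(f"token issuer {iss!r} != API server issuer {api_cfg['issuer']!r}")

    if mode is FallbackDiscoveryMode.KUBERNETES_DISCOVER_PUBLIC_KEYS:
        # Keys come from the API server's own JWKS endpoint (Pulsar reaches it through the
        # Kubernetes client, which supplies the API server's TLS trust and credentials).
        return Resolution(api_cfg["jwks_uri"], False)

    # KUBERNETES_DISCOVER_TRUSTED_ISSUER: the API server's word promotes iss to a trusted
    # issuer; the keys are then located via that issuer's own discovery document.
    return Resolution(discover_from_issuer(iss)["jwks_uri"], False)


def rejects(iss: str, allowed_issuers: Set[str], mode: FallbackDiscoveryMode) -> bool:
    """True if the token would be rejected before any signature check."""
    try:
        resolve_jwks(iss, allowed_issuers, mode)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for mode in FallbackDiscoveryMode:
        for iss in (EKS_ISSUER, ROGUE_ISSUER):
            if rejects(iss, set(), mode):
                print(f"{mode.name}: reject {iss}")
            else:
                print(f"{mode.name}: {iss} -> {resolve_jwks(iss, set(), mode)}")
```

      Running the block with an empty allowed-issuers set shows the practical difference: DISABLED rejects even the EKS token, the two fallback modes accept it but pull keys from different places, and all three reject the rogue issuer because the API server does not vouch for it. Adding the EKS issuer to allowed_issuers makes the token pass under DISABLED via the compliant path, which is the configuration the default mode expects operators to use.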
  • Method Details

    • values

      public static FallbackDiscoveryMode[] values()
      Returns an array containing the constants of this enum class, in the order they are declared.
      Returns:
      an array containing the constants of this enum class, in the order they are declared
    • valueOf

      public static FallbackDiscoveryMode valueOf(String name)
      Returns the enum constant of this class with the specified name. The string must match exactly an identifier used to declare an enum constant in this class. (Extraneous whitespace characters are not permitted.)
      Parameters:
      name - the name of the enum constant to be returned.
      Returns:
      the enum constant with the specified name
      Throws:
      IllegalArgumentException - if this enum class has no constant with the specified name
      NullPointerException - if the argument is null