When the JWT authenticator is configured to use a public key for verification, it would be nice to have an option to pull that key from a URL (https only!) as opposed to uploading it to the server / pre-configuring it in an env var. This will allow easier deployment.
Need to consider if this has security implications (e.g. if a key is spoofed + URL is hijacked to deliver matching public key + server is restarted...). I don't think it does as long as HTTPS is used.
Note that ckanext-authz-service now offers the public key (if set) in /authz/public_key.
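A sketch of what an "https only" key fetch could look like, added here as an illustration and not taken from this project's code. All function names, the size cap and the optional `pinned_sha256` fingerprint check are assumptions; the pin is one way to detect a swapped key at the URL if stricter assurance than TLS alone is wanted.

```python
import hashlib
import ssl
import urllib.request
from urllib.parse import urlsplit

MAX_KEY_BYTES = 16 * 1024  # assumed cap; a PEM public key is far smaller

class KeyFetchError(Exception):
    """Raised when the key URL or the fetched key fails a check."""

def check_key_url(url):
    """Accept only absolute https:// URLs without embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise KeyFetchError("public key URL must be an absolute https:// URL")
    if parts.username or parts.password:
        raise KeyFetchError("credentials in the key URL are not allowed")
    return url

class _HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_key_url(newurl)  # refuse a redirect that downgrades to http
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def validate_key(pem, pinned_sha256=None):
    """Check the body is a PEM public key and matches the optional pin."""
    try:
        text = pem.decode("ascii").strip()
    except UnicodeDecodeError:
        raise KeyFetchError("response is not a PEM public key")
    if not (text.startswith("-----BEGIN PUBLIC KEY-----")
            and text.endswith("-----END PUBLIC KEY-----")):
        raise KeyFetchError("response is not a PEM public key")
    if pinned_sha256 and hashlib.sha256(text.encode()).hexdigest() != pinned_sha256:
        raise KeyFetchError("public key does not match the pinned fingerprint")
    return text

def fetch_public_key(url, pinned_sha256=None, timeout=5):
    """Fetch the verification key over TLS; fail closed on any check."""
    check_key_url(url)
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), _HttpsOnlyRedirects())
    with opener.open(url, timeout=timeout) as resp:
        body = resp.read(MAX_KEY_BYTES + 1)
    if len(body) > MAX_KEY_BYTES:
        raise KeyFetchError("public key response too large")
    return validate_key(body, pinned_sha256)
```

Because the key would be fetched at startup, any `KeyFetchError` should stop the authenticator from loading rather than fall back to an unverified key.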