Fix jwt-auth module documentation bugs#4337
Open
janhoy wants to merge 3 commits into apache:main from
- blockUnknown default corrected from true to false throughout; the wrong default was introduced by apache/lucene-solr#805 (SOLR-13649), a docs-only change that never reflected the actual code (getOrDefault(..., false)). Intro paragraph, parameter table, and complex-example callout all fixed. blockUnknown:true restored in the JWKS URL and Admin UI examples that the same commit had removed, so production configs clearly show the recommended setting.
- aud default corrected: no clientId fallback exists; audience validation is skipped entirely when aud is not configured.
- adminUiScope: document the second fallback to the hardcoded string "solr".
- requireExp: document the 30-second clock-skew tolerance.
Contributor
Pull request overview
Updates the Solr JWTAuthPlugin reference guide to correct several long-standing documentation inaccuracies around default behaviors and recommended production configuration.
Changes:
- Correct blockUnknown default documentation to match code (false) and clarify enforcement guidance.
- Fix documented behavior for aud (no fallback to clientId) and adminUiScope (includes "solr" fallback).
- Document the plugin’s 30s clock-skew tolerance relevant to exp validation and update examples to explicitly set blockUnknown: true where appropriate.
Contributor
Author
It was argued that for 10.x it is better to change the actual default to 'true' and keep the documentation as-is.
Several long-standing bugs were found in the JWT authentication plugin reference guide.
- blockUnknown default was wrong since apache/lucene-solr#805 (SOLR-13649). That PR changed the documented default from false to true without touching the code, which has always used getOrDefault("blockUnknown", false). We decided to change the code default to true in #4373, so only cosmetic changes in this PR related to this config.
- aud default was documented as "Uses clientId if configured". No such fallback exists in the code — when aud is not set, audience validation is skipped entirely.
- adminUiScope fallback was documented as falling back to the first scope entry. A second fallback to the hardcoded string "solr" exists in the code but was not mentioned.
- Clock-skew tolerance — a 30-second exp tolerance is applied by the plugin but was not documented. Added a note to the requireExp row.
Intent is to merge this to main and branch_10x. PS: The blockUnknown issue in 9.x will be fixed with a doc change: #4374
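The four behaviours the PR description corrects (the blockUnknown code default, audience validation being skipped when aud is unset, the adminUiScope fallback chain ending in "solr", and the 30-second exp tolerance) modelled as an added Python example. This is not Solr's code or the plugin's API; the security.json values are constructed, and the assumed default of requireExp=true is not stated on the page.

```python
"""Added example (not Solr's code): a small model of the JWTAuthPlugin
behaviours this PR documents, so the effect of each security.json key
can be checked in isolation. Config values are constructed; the
requireExp default of True is an assumption, not stated on the page."""
import time

CLOCK_SKEW_SECONDS = 30  # exp tolerance the PR adds to the requireExp row

# Constructed security.json fragment using only keys named in the PR.
PRODUCTION_CONFIG = {
    "class": "solr.JWTAuthPlugin",
    "blockUnknown": True,       # recommended; the code default is False
    "aud": "solr-cluster",
    "scope": "solr:read solr:write",
    "adminUiScope": "solr:admin",
    "requireExp": True,
}


def block_unknown(config):
    """Mirrors getOrDefault("blockUnknown", false): when unset, requests
    without a token are let through."""
    return bool(config.get("blockUnknown", False))


def admin_ui_scope(config):
    """Fallback chain: adminUiScope, then the first scope entry, then "solr"."""
    if config.get("adminUiScope"):
        return config["adminUiScope"]
    scopes = config.get("scope", "").split()
    return scopes[0] if scopes else "solr"


def audience_ok(config, claims):
    """No clientId fallback: when aud is not configured the check is skipped."""
    expected = config.get("aud")
    if expected is None:
        return True
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected in aud


def expiry_ok(config, claims, now):
    """exp is honoured with a 30-second clock-skew tolerance."""
    exp = claims.get("exp")
    if exp is None:
        # Assumed default: requireExp is True unless explicitly disabled.
        return not config.get("requireExp", True)
    return now <= exp + CLOCK_SKEW_SECONDS


def decide(config, claims, now=None):
    """Return "allow" or "deny" for a request; claims=None means no token."""
    now = time.time() if now is None else now
    if claims is None:
        return "deny" if block_unknown(config) else "allow"
    if not audience_ok(config, claims):
        return "deny"
    if not expiry_ok(config, claims, now):
        return "deny"
    return "allow"


if __name__ == "__main__":
    now = int(time.time())
    print("default config, no token:   ", decide({}, None, now))
    print("production config, no token:", decide(PRODUCTION_CONFIG, None, now))
    print("admin UI scope (default):   ", admin_ui_scope({}))
    print("exp 29s stale:", decide({}, {"exp": now - 29}, now))
    print("exp 31s stale:", decide({}, {"exp": now - 31}, now))
```

The first two printed lines are the point of the doc fix: with an empty config the model admits token-less requests, which is why the corrected reference guide restores blockUnknown: true in the production examples.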