feat: Role mapping support in pac4j extension#18778
Conversation
nozjkoitop
changed the title
|
cc @pjain1 @capistrant can you help in reviewing this. |
|
As per our discussion on druid slack , i'm tagging @kfaraz for review. |
|
Thanks, @AdheipSingh ! I will try to prioritize the review of this PR soon. |
|
Hey, @kfaraz! Quick ping on this PR is it still on your radar? |
| protected static Set<String> claimValuesFromCtx(Map<String, Object> ctx) | ||
| { | ||
| Object value = (ctx == null) ? null : ctx.get(RoleProviderUtil.ROLE_CLAIM_CONTEXT_KEY); | ||
| if (!(value instanceof Set)) { |
There was a problem hiding this comment.
If there is a role claim set i.e. values is not null but we don't find expected type here then instead of returning null and thus not enforcing any role should we throw error?
There was a problem hiding this comment.
Id not throw here, cuz it's more of a misconfiguration than an exceptional case, however i can add warnings on such cases to pinpoint the issue
|
Hi @kfaraz, following up on this PR, wanted to check whether you’ve had a chance to look at it |
FrankChen021
left a comment
FrankChen021
left a comment
There was a problem hiding this comment.
Findings that could not be attached inline:
- extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/JwtAuthFilter.java:90 - [P2] roleClaimPath is ignored by the JWT authenticator. The new OIDCConfig property is documented in the shared pac4j extension configuration, which also documents the jwt authenticator mode, but JwtAuthFilter still creates AuthenticationResult with a null context after validating the ID token. For deployments using druid.auth.authenticator.jwt.type=jwt, configuring roleClaimPath has no effect and authorization falls back to identity-based roles. Extract the configured claim from the validated IDTokenClaimsSet and pass it under the same role context key, or document that the JWT authenticator is unsupported.
| return Optional.of(profile); | ||
| } | ||
|
|
||
| final AccessToken accessToken = ((OidcProfile) profile).getAccessToken(); |
There was a problem hiding this comment.
[P2] OIDC role extraction ignores validated ID-token claims
RoleBasedAuthGen reads only OidcProfile.getAccessToken() and parses that token for the configured role claim. If the role claim is in the validated ID token/profile claims, or the provider issues opaque access tokens, this silently extracts no roles and Druid falls back to identity-based roles. Use the already validated OIDC profile or ID-token claims, or support both token sources with tests for ID-token-only roles.
There was a problem hiding this comment.
Addressed. Docs updated, ID token claim retrieval added
nozjkoitop
changed the title
|
faulty test passes locally and feels completely unrelated to changes |
5 participants
Description
This PR is aimed to enable flexible mapping of OIDC/JWT roles to Druid roles.
By default, the pac4j OIDC authentication only maps the
subclaim to a single Druid role, which is extremely inconvenient.This PR adds support for extracting roles from any nested claim path in the JWT.
Configuration
New property introduced in runtime.properties:
When set, all values found at roleClaimPath are mapped 1:1 to Druid roles.
Example JWT payload
With the configuration:
druid.auth.pac4j.oidc.roleClaimPath=resource_access.client.rolesThe authenticated user will be assigned Druid roles role1 and role2, if those roles exist in the Druid security configuration.
Release note
Added support for extracting OIDC/JWT roles from a configurable nested claim path and mapping them directly to Druid roles.
Key changed/added classes in this PR
RoleBasedAuthGenPac4jFilterRoleProviderUtilLDAPRoleProviderMetadataStoreRoleProviderThis PR has: