druid icon indicating copy to clipboard operation
druid copied to clipboard
verified publisher icon apache

pacj4: add UserProfile attributes to AuthenticationResult context

Open jakubmatyszewski opened this issue 1 year ago • 3 comments

Description

I'm adding OIDC context to the AuthenticationResult returned by pac4j extension. I wanted to use this context as input in OpenPolicyAgent authorization. Since AuthenticationResult already accepts context as a parameter it felt okay to pass the profile attributes there.

Release note

pac4j: Add OIDC context to the authentication result

Key changed/added classes in this PR
  • org.apache.druid.security.pac4j.Pac4jFilter.doFilter()

This PR has:

  • [ ] been self-reviewed.
  • [ ] added documentation for new or modified features or behaviors.
  • [ ] a release note entry in the PR description.
  • [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • [ ] added or updated version, license, or notice information in licenses.yaml
  • [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • [ ] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • [ ] added integration tests.
  • [ ] been tested in a test Druid cluster.

jakubmatyszewski avatar Mar 12 '24 16:03 jakubmatyszewski

Can you describe the authorization flow that uses these attributes? There are also compilation failures in your code.

abhishekagarwal87 avatar Mar 13 '24 09:03 abhishekagarwal87

Can you describe the authorization flow that uses these attributes? There are also compilation failures in your code.

Sorry, I was still working on this change for druid 28.0.1, code should compile now. I've seen that @van-vothanh did it similarly here. I wanted to achieve something similar so I can use this context in authorizer (again similarly to @van-vothanh code), but I'm trying to adjust the druid-opa-authorizer to my needs.

jakubmatyszewski avatar Mar 15 '24 00:03 jakubmatyszewski

+1 to storing all attributes in the authentication context, and thanks @jakubmatyszewski for the tag!

For our use case, we rely on some of the claims (such as group, role etc.) to perform fine grain access control on different types of resources. At the moment, the pac4j oidc extension only supports binary yes/no decision, which might work for basic scenarios but definitely not adequate for more advanced use cases.

van-vothanh avatar Mar 15 '24 01:03 van-vothanh

can you please add a unit test to verify that the profile is populated in the context?

Um, I've added a test, but I'm not sure if it's any good. Let me know if that's ok, or I should seek guidance on this.

jakubmatyszewski avatar Apr 11 '24 16:04 jakubmatyszewski

I guess it's not possible to add one. It's best to remove the one you added as that one doesn't look useful.

abhishekagarwal87 avatar Apr 18 '24 06:04 abhishekagarwal87