[ 
https://issues.apache.org/jira/browse/ATLAS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16859322#comment-16859322
 ] 

Bolke de Bruin commented on ATLAS-3153:
---------------------------------------

[~saqeeb.shaikh136] can you share a bit more on the flow you did and your 
configuration? I'm having difficulty replicating the behavior I think you are 
describing. I have tested this with a manually configured KDC.

I do see that while a Kerberos credential can be available a redirect still 
happens due to the fact that Keycloak's filters are earlier in the chain. This 
is equal to the Knox integration (I have never used Knox, but its filter is also 
earlier in the chain), it seems. In short I can turn on Kerberos and Keycloak 
and Atlas will always use Keycloak.

> Support OpenID Connect directly rather than through Knox
> --------------------------------------------------------
>
>                 Key: ATLAS-3153
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3153
>             Project: Atlas
>          Issue Type: Improvement
>          Components:  atlas-core, atlas-webui
>    Affects Versions: 2.0.0
>            Reporter: Bolke de Bruin
>            Priority: Major
>              Labels: authentication, authorization
>         Attachments: 0001-ATLAS-3153-Add-keycloak-authentication.patch, 
> application.log, keycloak.json, openid_connect_atlas.md
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The current SSO implementation with Apache Knox is limiting SSO 
> interoperability to Apache Knox. Knox uses JWT verification which could 
> easily be extended to allow for direct OpenID Connect support and doesn't 
> require organizations to deploy Knox.
> Required changes:
>  * Pickup bearer token from headers
>  * Improve and standardize redirecting
>  * Optionally: obtain certificates from the well-known URI
>  * Optionally: obtain user groups from userinfo endpoint rather than UGI



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
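The ticket's list of required changes (pick the bearer token up from the request headers, look the signing key up by `kid` in the JWKS published through the issuer's well-known document, and take groups from the userinfo response instead of UGI) is the shape of a direct OIDC filter. Below is an added, self-contained illustration of that validation path; it is not Atlas, Knox or Keycloak code and not the attached patch. Everything in it is constructed: the issuer `https://idp.example/realms/atlas`, the audience `atlas`, the inline JWKS, and the token it mints for itself. It uses HS256 with an `oct` JWK so that it runs offline; a real deployment fetches `jwks_uri` from `<issuer>/.well-known/openid-configuration` and verifies RS256, but the header parsing, `kid` lookup, algorithm pinning and claim checks are the same.

```python
"""Added example, not project code: OIDC bearer-token validation as the
ticket's 'required changes' describe it. All identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example/realms/atlas"   # assumed issuer
AUDIENCE = "atlas"                             # assumed client_id
SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed JWKS, standing in for what a client caches from jwks_uri.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, kid: str = "k1", alg: str = "HS256") -> str:
    """Issuer side; only here to build test input for the verifier below."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def bearer_from_headers(headers: dict):
    """Step 1: pick the bearer token up from the Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def key_for(kid):
    """Step 2: select the signing key by kid from the (cached) JWKS."""
    for jwk in JWKS["keys"]:
        if jwk.get("kid") == kid:
            return jwk
    return None


def verify_id_token(token: str, now=None) -> dict:
    """Step 3: verify signature, then iss/aud/exp; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the header
        raise ValueError("unexpected alg")
    jwk = key_for(header.get("kid"))
    if jwk is None or jwk.get("kty") != "oct":
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def is_rejected(token: str, now=None) -> bool:
    """Convenience wrapper: True when verify_id_token refuses the token."""
    try:
        verify_id_token(token, now)
        return False
    except ValueError:
        return True


def groups_from_userinfo(userinfo: dict) -> list:
    """Step 4: groups from the userinfo response instead of Hadoop UGI lookup."""
    return sorted(set(userinfo.get("groups", [])))


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": 4102444800})
    claims = verify_id_token(bearer_from_headers({"Authorization": f"Bearer {tok}"}))
    print(claims["sub"], groups_from_userinfo({"groups": ["data-stewards", "admins"]}))
```

The checks that matter for a filter placed ahead of Kerberos or Knox in the chain are the ones that fail closed: an absent or non-Bearer Authorization header returns None so the filter can fall through to the next authenticator rather than redirect, and an unknown `kid`, a header claiming `alg: none`, a tampered payload, a wrong audience or an expired token are all refused before any claim is read.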
