[ https://issues.apache.org/jira/browse/KNOX-3028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Larry McCay updated KNOX-3028:
------------------------------
    Description: 
This change will extend the existing TokenResource for the KNOXTOKEN service to include OAuth specifics such as expected URLs, error messages and flows to support the Token Exchange Flow and Token Refresh.

This is being driven by a specific need to proxy access to the Iceberg REST Catalog API. In this specific use case, we need to intercept the use of the following endpoint URL and serve the token exchange flow for the authenticating user.

{code}
/v1/oauth/tokens
{code}

Details for these requirements can be found in the OpenAPI description for the catalog API [1].

In addition to this use case, we should add generic support for the token exchange flow with a more generic URL that better aligns with what others use.

{code}
/oauth/v1/token
{code}

We will support the use of the "oauth" service name within the existing KNOXTOKEN service with an extension of the TokenResource which adapts the existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.

In order to support both URLs, the deployment contributor will need to register a URL pattern for each use case, and the resource path within the Jersey service will need to accommodate the dynamic nature of the Iceberg REST Catalog API, which will add the catalog API service name as well.

{code}
/icecli/v1/oauth/tokens/
{code}

Where "icecli" may be some configurable service name and needs to match the incoming URL. We will wildcard that by making it a regex-matched path param.

1. https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml

  was:
This change will extend the existing TokenResource for the KNOXTOKEN service to include OAuth specifics such as expected URLs, error messages and flows to support the Token Exchange Flow and Token Refresh.
> KnoxToken extension for OAuth Token Flows
> -----------------------------------------
>
>                 Key: KNOX-3028
>                 URL: https://issues.apache.org/jira/browse/KNOX-3028
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.1.0
>
>
> This change will extend the existing TokenResource for the KNOXTOKEN service to
> include OAuth specifics such as expected URLs, error messages and flows to
> support the Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST
> Catalog API. In this specific use case, we need to intercept the use of the
> following endpoint URL and serve the token exchange flow for the
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the OpenAPI description for
> the catalog API [1].
> In addition to this use case, we should add generic support for the token
> exchange flow with a more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing
> KNOXTOKEN service with an extension of the TokenResource which adapts the
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to
> register a URL pattern for each use case, and the resource path within the
> Jersey service will need to accommodate the dynamic nature of the Iceberg
> REST Catalog API, which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and needs to match the
> incoming URL.
> We will wildcard that by making it a regex-matched path param.
> 1.
> https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
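As an added illustration, not Knox code and not part of the issue above: a small Python model of the three URL shapes the description names (the catalog-prefixed `/{service}/v1/oauth/tokens/`, the bare `/v1/oauth/tokens`, and the generic `/oauth/v1/token`), with the service name wildcarded by a regex-matched path segment, in front of a handler that returns the RFC 8693 token-exchange and RFC 6749 refresh_token / error response shapes that OAuth clients of such an endpoint expect. `TOKEN_ROUTES`, `handle_token_request` and `demo_issue_token` are hypothetical stand-ins written for this example; Knox's actual TokenResource, its Jersey path templates and its token issuance are not shown on this page. Python is used here because the point is the URL matching and the wire format, not the Jersey API.

```python
import re
import secrets
from urllib.parse import parse_qs

# Hypothetical route table modelled on the URLs named in KNOX-3028.
# The first pattern wildcards the catalog service name ("icecli" in the
# issue) with a regex-matched path parameter limited to one path segment.
TOKEN_ROUTES = [
    re.compile(r"^/(?P<service>[^/]+)/v1/oauth/tokens/?$"),  # proxied Iceberg REST catalog
    re.compile(r"^/v1/oauth/tokens/?$"),                     # bare Iceberg REST catalog path
    re.compile(r"^/oauth/v1/token/?$"),                      # generic OAuth token endpoint
]

# Grant and token type URNs from RFC 8693 (token exchange).
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
SUPPORTED_SUBJECT_TYPES = {ACCESS_TOKEN_TYPE, JWT_TOKEN_TYPE}


def match_token_route(path):
    """Return (matched, service_name); service_name is None for the fixed routes."""
    for pattern in TOKEN_ROUTES:
        m = pattern.match(path)
        if m:
            return True, m.groupdict().get("service")
    return False, None


def oauth_error(error, description, status=400):
    """RFC 6749 section 5.2 error body; clients key off the `error` code."""
    return status, {"error": error, "error_description": description}


def demo_issue_token(user, service):
    """Constructed stand-in for the gateway's token issuance: (token, expires_in)."""
    return f"demo-{user}-{service or 'generic'}-{secrets.token_urlsafe(8)}", 3600


def handle_token_request(path, form_body, authenticated_user, issue_token):
    """Serve a token endpoint request for a user the gateway has already authenticated.

    Returns (http_status, json_body). The caller is expected to have applied
    its authentication provider before reaching here, so `authenticated_user`
    is the identity the exchanged token is minted for.
    """
    matched, service = match_token_route(path)
    if not matched:
        return oauth_error("invalid_request", "unknown token endpoint", status=404)
    if not authenticated_user:
        # RFC 6749: client authentication failed or was not supplied.
        return oauth_error("invalid_client", "request is not authenticated", status=401)

    # application/x-www-form-urlencoded body; last value wins for repeated keys.
    params = {k: v[-1] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    grant_type = params.get("grant_type")

    if grant_type == TOKEN_EXCHANGE:
        if "subject_token" not in params or "subject_token_type" not in params:
            return oauth_error("invalid_request", "subject_token and subject_token_type are required")
        if params["subject_token_type"] not in SUPPORTED_SUBJECT_TYPES:
            return oauth_error("invalid_request", "unsupported subject_token_type")
        token, expires_in = issue_token(authenticated_user, service)
        body = {
            "access_token": token,
            "issued_token_type": ACCESS_TOKEN_TYPE,  # REQUIRED by RFC 8693 section 2.2.1
            "token_type": "bearer",
            "expires_in": expires_in,
        }
        if "scope" in params:
            body["scope"] = params["scope"]
        return 200, body

    if grant_type == "refresh_token":
        if "refresh_token" not in params:
            return oauth_error("invalid_request", "refresh_token is required")
        token, expires_in = issue_token(authenticated_user, service)
        return 200, {"access_token": token, "token_type": "bearer", "expires_in": expires_in}

    return oauth_error("unsupported_grant_type", f"grant_type {grant_type!r} is not supported")


if __name__ == "__main__":
    # Constructed sample request against the catalog-prefixed URL.
    body = ("grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"
            "&subject_token=eyJ.sample.jwt"
            "&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt")
    print(handle_token_request("/icecli/v1/oauth/tokens/", body, "alice", demo_issue_token))
```

The single-segment `[^/]+` wildcard is the check worth keeping when this is done as a Jersey regex path param: an unbounded `.+` would let `/a/b/v1/oauth/tokens` match and report a service name that no topology registered.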