[ https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=913787&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913787 ]
ASF GitHub Bot logged work on KNOX-3028:
----------------------------------------

Author: ASF GitHub Bot
Created on: 09/Apr/24 23:27
Start Date: 09/Apr/24 23:27
Worklog Time Spent: 10m
Work Description:
lmccay opened a new pull request, #900:
URL: https://github.com/apache/knox/pull/900

## What changes were proposed in this pull request?

This change will extend the existing TokenResource for the KNOXTOKEN service to include OAuth specifics such as expected URL, error messages and flows to support Token Exchange Flow and Token Refresh.

This is being driven by a specific need to proxy access to the Iceberg REST Catalog API. In this specific use case, we need to intercept the use of the following endpoint URLs and serve the token exchange flow for the authenticating user.

```
/v1/oauth/tokens
```

Details for these requirements can be found in the OpenAPI description for the catalog API [1].

In addition to this use case, we should add generic support for the token exchange flow with a more generic URL that better aligns with what others use.

```
/oauth/v1/token
```

We will support the use of the "oauth" service name within the existing KNOXTOKEN service with an extension of the TokenResource which adapts the existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.

In order to support both URLs, the deployment contributor will need to register a URL pattern for each use case, and the resource path within the Jersey service will need to accommodate the dynamic nature of the Iceberg REST Catalog API, which will add the catalog API service name as well.

```
/icecli/v1/oauth/tokens/
```

Where "icecli" may be some configurable service name and needs to match the incoming URL. We will wildcard that by making it a regex-matched path param.

We will also need to accommodate a first-class Knox pattern and service name of "oauth" and only allow "token" or "oauth" after the v1, with the remaining path fragment being optional for the Iceberg-specific "tokens".

Not pretty but it will work.

1. https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml

## How was this patch tested?

Ran existing tests and added a new unit test to the existing TokenServiceResourceTest for OAuth token changes.

Please review [Knox Contributing Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow) before opening a pull request.

Issue Time Tracking
-------------------

Worklog Id: (was: 913787)
Remaining Estimate: 0h
Time Spent: 10m

> KnoxToken extension for OAuth Token Flows
> -----------------------------------------
>
>                 Key: KNOX-3028
>                 URL: https://issues.apache.org/jira/browse/KNOX-3028
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for the KNOXTOKEN service to
> include OAuth specifics such as expected URL, error messages and flows to
> support Token Exchange Flow and Token Refresh.
>
> This is being driven by a specific need to proxy access to the Iceberg REST
> Catalog API. In this specific use case, we need to intercept the use of the
> following endpoint URLs and serve the token exchange flow for the
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the OpenAPI description for
> the catalog API [1].
>
> In addition to this use case, we should add generic support for the token
> exchange flow with a more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing
> KNOXTOKEN service with an extension of the TokenResource which adapts the
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
>
> In order to support both URLs, the deployment contributor will need to
> register a URL pattern for each use case, and the resource path within the
> Jersey service will need to accommodate the dynamic nature of the Iceberg
> REST Catalog API, which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and needs to match the
> incoming URL.
> We will wildcard that by making it a regex-matched path param.
>
> We will also need to accommodate a first-class Knox pattern and service name
> of "oauth" and only allow "token" or "oauth" after the v1, with the remaining
> path fragment being optional for the Iceberg-specific "tokens".
>
> Not pretty but it will work.
>
> 1. https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
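The regex-matched path param described in the PR, shown as an added example that is not code from PR #900 or from Knox's own TokenResource. It assumes plain JAX-RS 2.x (`javax.ws.rs`) annotations as Jersey provides them, a hypothetical class name `OAuthTokenPathExample`, and a constructed catalog service name ("icecli") that in a real deployment would come from topology configuration. One path template admits both URL shapes the PR names, the `isAcceptedShape` policy then rejects every other combination the regex could technically match, and the error body follows the RFC 6749 shape OAuth clients expect:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/**
 * Added illustration, not Knox's TokenResource: one JAX-RS path template that
 * admits exactly the two URL shapes from the description and rejects the rest.
 *
 *   /oauth/v1/token                      generic Knox "oauth" service
 *   /{catalog-service}/v1/oauth/tokens   Iceberg REST Catalog shape
 *
 * The class takes its configuration through the constructor, so it would be
 * registered with Jersey as a pre-built instance rather than by class.
 */
@Path("/")
public class OAuthTokenPathExample {

    // The two flows named in the description: RFC 8693 token exchange and
    // RFC 6749 refresh. Anything else is answered with an OAuth error document.
    private static final Set<String> ALLOWED_GRANT_TYPES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "urn:ietf:params:oauth:grant-type:token-exchange",
                    "refresh_token")));

    // Hypothetical configured catalog service name ("icecli" in the description).
    private final String catalogServiceName;

    public OAuthTokenPathExample(String catalogServiceName) {
        this.catalogServiceName = catalogServiceName;
    }

    // {service} is restricted to ONE segment so the wildcard cannot swallow extra
    // path; {flow} is limited to "token" or "oauth"; {tokens} is optional and can
    // only ever be "/tokens" (with or without a trailing slash).
    @POST
    @Path("{service: ([^/]+)}/v1/{flow: (token|oauth)}{tokens: ((/tokens/?)?)}")
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_JSON)
    public Response token(@PathParam("service") String service,
                          @PathParam("flow") String flow,
                          @PathParam("tokens") String tokens,
                          @FormParam("grant_type") String grantType) {
        if (!isAcceptedShape(service, flow, tokens)) {
            // A shape the regex admits but the policy does not (e.g. /icecli/v1/token
            // or /oauth/v1/oauth) is a 404, not an OAuth error: the token endpoint is
            // not advertised under arbitrary service names.
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        if (grantType == null || !ALLOWED_GRANT_TYPES.contains(grantType)) {
            // RFC 6749 section 5.2 error body; OAuth clients parse this shape.
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity(oauthError("unsupported_grant_type",
                            "grant_type must be token-exchange or refresh_token"))
                    .build();
        }
        // Issuing or refreshing the token is the existing KNOXTOKEN logic, not shown here.
        return Response.ok("{\"token_type\":\"bearer\",\"access_token\":\"<issued by KNOXTOKEN>\"}")
                .build();
    }

    /** Only two shapes pass: oauth/v1/token and <catalog-service>/v1/oauth/tokens. */
    boolean isAcceptedShape(String service, String flow, String tokens) {
        boolean hasTokensSuffix = tokens != null && !tokens.isEmpty();
        if ("oauth".equals(service)) {
            return "token".equals(flow) && !hasTokensSuffix;
        }
        return service.equals(catalogServiceName) && "oauth".equals(flow) && hasTokensSuffix;
    }

    /** Minimal RFC 6749 error document; the constant strings passed here contain no quotes. */
    static String oauthError(String error, String description) {
        return "{\"error\":\"" + error + "\",\"error_description\":\"" + description + "\"}";
    }
}
```

Keeping the accept/reject decision in `isAcceptedShape` rather than only in the regex means the policy can be unit-tested directly (the way the PR adds a test to TokenServiceResourceTest) and audited without reading a path template: `new OAuthTokenPathExample("icecli").isAcceptedShape("icecli", "oauth", "/tokens")` is true, while `("icecli", "token", "")`, `("oauth", "oauth", "/tokens")` and `("other", "oauth", "/tokens")` are all false, so a request under an unconfigured service name never reaches the token-issuing code.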