[ https://issues.apache.org/jira/browse/KNOX-3028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17837388#comment-17837388 ]
ASF subversion and git services commented on KNOX-3028:
-------------------------------------------------------

Commit d74fb4f8492191d24ab556fbefd50bbf0ebc8ad8 in knox's branch refs/heads/master from Larry McCay
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d74fb4f84 ]

KNOX-3028 - add support for OAuth Token Exchange to KNOXTOKEN (#900)

* KNOX-3028 - add support for OAuth Token Exchange to KNOXTOKEN

> KnoxToken extension for OAuth Token Flows
> -----------------------------------------
>
>                 Key: KNOX-3028
>                 URL: https://issues.apache.org/jira/browse/KNOX-3028
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: JWT
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 3h
>  Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to
> include OAuth specifics such as expected URL, error messages and flows to
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST
> Catalog API. In this specific use case, we need to intercept the use of the
> following endpoint URLs and serve the token exchange flow for the
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the OpenAPI description for
> the catalog API [1].
> In addition to this use case, we should add generic support for the token
> exchange flow with a more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing
> KNOXTOKEN service with an extension of the TokenResource which adapts the
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to
> register a URL pattern for each use case and the resource path within the
> Jersey service will need to accommodate the dynamic nature of the Iceberg
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and needs to match the
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> We will also need to accommodate a first-class Knox pattern and service name
> of "oauth" and only allow "token" or "oauth" after the v1 with the remaining
> path fragment being optional for the Iceberg specific "tokens".
> Not pretty but it will work.
> 1.
> https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
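
The path rules described in the issue, as an added example that is not Knox's own code: it compares a loose regex reading of the description with a stricter check that accepts only the two documented URL shapes for configured service names. The class name, both regex readings, the service-name character set and the sample paths are assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OAuthPathCheck {
    // Loose reading of the description (assumption): any one-segment service
    // name, "v1", then "token" or "oauth", then an optional "/tokens" fragment.
    static final Pattern LOOSE =
        Pattern.compile("^/([^/]+)/v1/(token|oauth)(/tokens)?/?$");

    // Generic form named in the issue: /oauth/v1/token
    static final Pattern GENERIC = Pattern.compile("^/oauth/v1/token/?$");

    // Iceberg REST Catalog form: /<service>/v1/oauth/tokens
    // Group 1 is the catalog service name; the character set is an assumption.
    static final Pattern ICEBERG =
        Pattern.compile("^/([A-Za-z0-9_-]+)/v1/oauth/tokens/?$");

    // Accept only the two documented shapes, and the Iceberg shape only when
    // the leading segment is a configured catalog service name.
    static boolean strictAccept(String path, Set<String> catalogServices) {
        if (GENERIC.matcher(path).matches()) {
            return true;
        }
        Matcher m = ICEBERG.matcher(path);
        return m.matches() && catalogServices.contains(m.group(1));
    }

    public static void main(String[] args) {
        // Constructed sample configuration and request paths.
        Set<String> services = Set.of("icecli");
        List<String> paths = List.of(
            "/oauth/v1/token",                 // generic form
            "/icecli/v1/oauth/tokens/",        // Iceberg form from the issue
            "/icecli/v1/token/tokens",         // mixed form the loose regex allows
            "/oauth/v1/oauth",                 // mixed form the loose regex allows
            "/other/v1/oauth/tokens",          // service name not configured
            "/icecli/v1/oauth/tokens/extra");  // trailing segment, no match
        for (String p : paths) {
            System.out.printf("%-32s loose=%-5b strict=%b%n",
                p, LOOSE.matcher(p).matches(), strictAccept(p, services));
        }
    }
}
```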