binarycat0 opened a new issue, #125:
URL: https://github.com/apache/polaris-tools/issues/125

   ## Feature request: Support OIDC Authorization Code Flow with PKCE
   
   ### Motivation
   Enable secure authentication via an external OpenID Connect (OIDC) Identity 
Provider (e.g. Keycloak) for the Console UI application.
   
   Using `grant_type=password` in browser-based apps is discouraged, as it 
requires exposing user credentials and/or client secrets.  
   **Authorization Code Flow with PKCE** is the recommended and secure approach 
for SPAs.
   
   ### Proposed Configuration
   Add optional OIDC settings:
   
   - `OIDC_ISSUER_URL`
   - `OIDC_CLIENT_ID`
   - `OIDC_REDIRECT_URI`
   
   ### Proposed Behavior
   If OIDC is configured:
   
   - Show a **“Login with OIDC”** button on the login page
   - Redirect the user to the external IdP login page
   - After successful authentication, redirect back to `OIDC_REDIRECT_URI`
   - On the callback page:
     - Exchange the authorization code for tokens using **Authorization Code + 
PKCE**
     - Store the access token in memory/session
     - Use the token for authenticated API requests
   
   ### Security Notes
   - No client secret stored in the UI
   - User credentials are handled only by the IdP
   - Aligned with OAuth 2.1 / OIDC SPA best practices
   
   ### Suggested Implementation
   - JS library: `react-oidc-context`
   
   ### Alternative (Optional)
   Implement a middleware / BFF layer:
   - UI performs redirect-based login only
   - Middleware handles token exchange and server-to-server authentication
   - Prevents exposing tokens or secrets in the browser
   
   cc: @jbonofre @sohanhonavar 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
