sohanhonavar commented on issue #125: URL: https://github.com/apache/polaris-tools/issues/125#issuecomment-3722377026
I can take this up

On Thu, 8 Jan, 2026, 06:16 Artur Rakhmatulin, ***@***.***> wrote:

> *binarycat0* created an issue (apache/polaris-tools#125)
> <https://github.com/apache/polaris-tools/issues/125>
>
> Feature request: Support OIDC Authorization Code Flow with PKCE
>
> Motivation
>
> Enable secure authentication via an external OpenID Connect (OIDC)
> Identity Provider (e.g. Keycloak) for the Console UI application.
>
> Using grant_type=password in browser-based apps is discouraged, as it
> requires exposing user credentials and/or client secrets.
> *Authorization Code Flow with PKCE* is the recommended and secure
> approach for SPAs.
>
> Proposed Configuration
>
> Add optional OIDC settings:
>
> - OIDC_ISSUER_URL
> - OIDC_CLIENT_ID
> - OIDC_REDIRECT_URI
>
> Proposed Behavior
>
> If OIDC is configured:
>
> - Show a *“Login with OIDC”* button on the login page
> - Redirect the user to the external IdP login page
> - After successful authentication, redirect back to OIDC_REDIRECT_URI
> - On the callback page:
>   - Exchange the authorization code for tokens using *Authorization
>     Code + PKCE*
>   - Store the access token in memory/session
>   - Use the token for authenticated API requests
>
> Security Notes
>
> - No client secret stored in the UI
> - User credentials are handled only by the IdP
> - Aligned with OAuth 2.1 / OIDC SPA best practices
>
> Suggested Implementation
>
> - JS library: react-oidc-context
>
> Alternative (Optional)
>
> Implement a middleware / BFF layer:
>
> - UI performs redirect-based login only
> - Middleware handles token exchange and server-to-server authentication
> - Prevents exposing tokens or secrets in the browser
>
> cc: @jbonofre <https://github.com/jbonofre> @sohanhonavar
> <https://github.com/sohanhonavar>
