Re: [DISCUSS] Merge Authenticator and ActiveRolesProvider

2025-08-21 Thread Alexandre Dutra
Hi Dennis and Mike, Thank you both for your flexibility regarding this change. Please feel free to reach out with any questions or comments. > In general I think if we can make it clear in the code everywhere whether > we're dealing with "requestedScopes" or "validatedActiveRoles" and never > r

Re: [DISCUSS] Merge Authenticator and ActiveRolesProvider

2025-08-20 Thread Michael Collado
Hi Alex Thanks for this. Admittedly, the ActiveRolesProvider was *intended* to support the future OIDC/Quarkus support, but that was long before the current HttpAuthenticationMechanism. I'm going to check out this branch and validate, but I think it's a good change. It helps with some changes I h

Re: [DISCUSS] Merge Authenticator and ActiveRolesProvider

2025-08-20 Thread Dennis Huo
The confusion between "scopes" and actually *validated* "activatedRoles" is unfortunate. Originally the AuthenticatedPolarisPrincipal really was supposed to only contain "requestedScopes", and grant-resolution was just in the Resolver. In fact I was trying to do some digging to figure out why there

Re: [DISCUSS] Merge Authenticator and ActiveRolesProvider

2025-08-19 Thread Alexandre Dutra
Hi all, I went ahead and created a PR implementing the proposed changes: https://github.com/apache/polaris/pull/2390 Please take a look and let me know what you think. Thanks, Alex On Wed, Aug 13, 2025 at 9:58 AM Robert Stupp wrote: > > Merging those two things SGTM. > It's what Quarkus/Vert.

Re: [DISCUSS] Merge Authenticator and ActiveRolesProvider

2025-08-13 Thread Robert Stupp
Merging those two things SGTM. It's what Quarkus/Vert.X 'HttpAuthenticationMechanism'/'SecurityIdentity' do (right). On Wed, Aug 13, 2025 at 1:55 AM Dmitri Bourlatchkov wrote: > > Thanks for starting this thread, Alex! > > I fully support merging Authenticator and ActiveRolesProvider. > > Aside f

Re: [DISCUSS] Merge Authenticator and ActiveRolesProvider

2025-08-12 Thread Dmitri Bourlatchkov
Thanks for starting this thread, Alex! I fully support merging Authenticator and ActiveRolesProvider. Aside from the issues you mentioned, from my perspective, it also makes sense conceptually. Authenticating a request implies establishing the principal's identity and consequently its roles. It i

[DISCUSS] Merge Authenticator and ActiveRolesProvider

2025-08-04 Thread Alexandre Dutra
Hi all, ActiveRolesProvider was introduced back in January, in order to enrich SecurityContext with valid roles for a given principal. But that was before the introduction of Quarkus, and the introduction of external authentication with Quarkus Security and OIDC. TLDR: ActiveRolesProvider became