bharos opened a new pull request, #7883:
URL: https://github.com/apache/gravitino/pull/7883
# [#7538] feat(auth): Add OAuth 2.0 JWT authentication support for server components
### What changes were proposed in this pull request?
This PR introduces comprehensive OAuth 2.0 JWT authentication support for Gravitino server components:

**Core OAuth Authentication Framework**:
- `OAuth2TokenAuthenticator` - Main authenticator for JWT token validation with Bearer token support
- `OAuthTokenValidator` interface with two implementations:
  - `DefaultJwtTokenValidator` - Static key-based JWT validation (RS256/HS256)
  - `JwksTokenValidator` - Dynamic JWKS endpoint-based validation
- `OAuthTokenValidatorFactory` - Factory pattern for validator creation based on configuration
### Why are the changes needed?
1. **Enterprise Authentication Requirements**: Modern enterprise environments require OAuth 2.0/JWT authentication for secure, stateless, and standardized authentication across microservices
2. **Industry Standard Compliance**: Supports JWT token standards, enabling integration with enterprise identity providers (like Azure AD)
3. **Security Enhancement**: Provides cryptographically secure token validation with audience verification and expiration checks
4. **Scalability**: Stateless JWT authentication reduces server-side session management overhead
5. **Interoperability**: Enables integration with existing OAuth 2.0 infrastructure and identity management systems
Fix: #7538
### Does this PR introduce _any_ user-facing change?
**Yes**, this PR introduces the following user-facing changes:
#### **New Authentication Method**:
- **Bearer Token Support**: Servers now accept OAuth 2.0 Bearer tokens via `Authorization: Bearer <jwt_token>` header
- **JWT Token Requirements**: Tokens must contain:
  - Valid `sub` (subject) claim for user identification
  - Valid `aud` (audience) claim matching configured service audience
  - Valid signature using configured algorithm and key
  - Non-expired `exp` (expiration) claim

#### **API Compatibility**:
- **Backward Compatible**: Existing authentication methods continue to work unchanged
- **Additive**: OAuth authentication is an additional option, not a replacement
### How was this patch tested?
#### **Unit Tests** (8 test classes, 25+ test methods)
#### **Integration Testing**:
- **Manual Testing**: Validated against real OAuth providers (Azure AD, custom OAuth servers)
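As an added, self-contained example (not code from this PR or from Gravitino), the Python below applies the four token requirements the PR lists to an HS256 Bearer token: signature under a configured key with the algorithm pinned, then `sub`, `aud` and `exp`. The key, audience and claim values are constructed for the example; the PR's RS256 and JWKS-backed validators are not covered here.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    # Helper to construct sample tokens for this example; an identity provider issues them in practice.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_bearer(authz_header: str, key: bytes, expected_aud: str, now=None) -> str:
    """Apply the PR's token requirements to an Authorization header value:
    signature under the configured key/algorithm, then sub, aud and exp.
    Returns the subject on success and raises ValueError otherwise."""
    scheme, _, token = authz_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing or non-Bearer Authorization header")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    # Verify with the configured algorithm rather than whatever the header names,
    # so a token cannot steer the server towards a weaker verifier.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("alg does not match the configured algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing sub claim")
    aud = claims.get("aud")  # RFC 7519 allows a single string or a list of strings
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud claim does not include this service")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp:
        raise ValueError("exp missing or token expired")
    return sub
```

Pass `now` explicitly in tests so expiry checks are deterministic; in a server you would leave it unset and may also want to allow a small clock skew.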