Re: [PR] [#8047] docs(oauth) : Documentation for OAuth changes using JWKS validation and OIDC login [gravitino]

Thu, 14 Aug 2025 10:06:56 -0700 


bharos commented on code in PR #8048:
URL: https://github.com/apache/gravitino/pull/8048#discussion_r2277217151


##########
docs/security/how-to-authenticate.md:
##########
@@ -111,6 +115,13 @@ GravitinoClient client = GravitinoClient.builder(uri)
 | `gravitino.authenticator.oauth.signAlgorithmType` | The signature algorithm 
when Gravitino uses OAuth as the authenticator.                                 
                                                                                
                                                                   | `RS256`    
       | No                                         | 0.3.0            |
 | `gravitino.authenticator.oauth.serverUri`         | The URI of the default 
OAuth server.                                                                   
                                                                                
                                                                    | (none)    
        | Yes if use `oauth` as the authenticator    | 0.3.0            |
 | `gravitino.authenticator.oauth.tokenPath`         | The path for token of 
the default OAuth server.                                                       
                                                                                
                                                                     | (none)   
         | Yes if use `oauth` as the authenticator    | 0.3.0            |
+| `gravitino.authenticator.oauth.provider`           | OAuth provider type 
(default, oidc). Determines the Web UI authentication flow. Use 'oidc' for Web 
UI OIDC login, 'default' for legacy login or API-only authentication.           
                        | `default`         | No                                
         | 1.0.0            |
+| `gravitino.authenticator.oauth.clientId`           | OAuth client ID for Web 
UI authentication.                                                              
                                                                                
                      | (none)            | Yes if provider is `oidc`           
      | 1.0.0            |
+| `gravitino.authenticator.oauth.authority`          | OAuth authority/issuer 
URL for OIDC providers for web UI authentication. (e.g., Azure AD tenant URL).  
                                                                                
                                                 | (none)            | Yes if 
provider is `oidc`                 | 1.0.0            |
+| `gravitino.authenticator.oauth.scope`              | OAuth scopes for Web UI 
authentication (space-separated).                                               
                                                                                
                       | (none)            | Yes if provider is `oidc`          
       | 1.0.0            |
+| `gravitino.authenticator.oauth.jwksUri`            | JWKS URI for 
server-side OAuth token validation. Required when using JWKS-based validation.  
                                                                                
                                                                             | 
(none)            | No                                         | 1.0.0          
  |

Review Comment:
   Actually if we use JWKS validation, this is not required. This is only used 
in web UI login.
   The server-side JWKS validation code doesn't use these fields. So I think 
the current description is correct, that this is required if provider is `oidc`



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to