This is an automated email from the ASF dual-hosted git repository.

roryqi pushed a commit to branch branch-1.1
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/branch-1.1 by this push:
     new 73847f4a7c [#9713] fix(oauth): Allow JWKS validators without serverUri 
or tokenPath (#9732)
73847f4a7c is described below

commit 73847f4a7cb5307e30879bf8e205c4d197f5711e
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Fri Jan 16 15:25:16 2026 +0800

    [#9713] fix(oauth): Allow JWKS validators without serverUri or tokenPath 
(#9732)
    
    ### What changes were proposed in this pull request?
    
    Allow JWKS validators without serverUri or tokenPath as these are only
    needed in Static validator
    
    ### Why are the changes needed?
    
    Earlier, the validation was done in the base class, which was not correct, as
    some implementations don't need these configs.
    
    Fix: #9713
    
    ### Does this PR introduce _any_ user-facing change?
    
    No
    
    ### How was this patch tested?
    Added unit tests
    
    Co-authored-by: Bharath Krishna <[email protected]>
---
 docs/security/how-to-authenticate.md               |  4 ++--
 .../authentication/OAuth2TokenAuthenticator.java   |  8 -------
 .../server/authentication/OAuthConfig.java         |  6 +++--
 .../TestOAuth2TokenAuthenticator.java              | 26 ++++++++++++++++++----
 4 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/docs/security/how-to-authenticate.md 
b/docs/security/how-to-authenticate.md
index 8834c330f7..ef5338cb5f 100644
--- a/docs/security/how-to-authenticate.md
+++ b/docs/security/how-to-authenticate.md
@@ -125,8 +125,8 @@ Gravitino server and Gravitino Iceberg REST server share 
the same configuration
 | `gravitino.authenticator.oauth.allowSkewSecs`       | The JWT allows skew 
seconds when Gravitino uses OAuth as the authenticator.                         
                                                                                
                                                                                
    | `0`                                                                 | No  
                                                                                
            | 0. [...]
 | `gravitino.authenticator.oauth.defaultSignKey`      | The signing key of JWT 
when Gravitino uses OAuth as the authenticator.                                 
                                                                                
                                                                                
 | (none)                                                              | Yes if 
use `oauth` as the authenticator                                                
         | 0. [...]
 | `gravitino.authenticator.oauth.signAlgorithmType`   | The signature 
algorithm when Gravitino uses OAuth as the authenticator.                       
                                                                                
                                                                                
          | `RS256`                                                             
| No                                                                            
                  | 0. [...]
-| `gravitino.authenticator.oauth.serverUri`           | The URI of the default 
OAuth server.                                                                   
                                                                                
                                                                                
 | (none)                                                              | Yes if 
use `oauth` as the authenticator                                                
         | 0. [...]
-| `gravitino.authenticator.oauth.tokenPath`           | The path for token of 
the default OAuth server.                                                       
                                                                                
                                                                                
  | (none)                                                              | Yes 
if use `oauth` as the authenticator                                             
            | 0. [...]
+| `gravitino.authenticator.oauth.serverUri`           | The URI of the default 
OAuth server. Required when using StaticSignKeyValidator, not required for 
JWKS-based validators.                                                          
                                                                                
      | (none)                                                              | 
Yes if using `StaticSignKeyValidator`                                           
                | 0. [...]
+| `gravitino.authenticator.oauth.tokenPath`           | The path for token of 
the default OAuth server. Required when using StaticSignKeyValidator, not 
required for JWKS-based validators.                                             
                                                                                
        | (none)                                                              | 
Yes if using `StaticSignKeyValidator`                                           
                | 0. [...]
 | `gravitino.authenticator.oauth.provider`            | OAuth provider type 
(default, oidc). Determines the Web UI authentication flow. Use 'oidc' for Web 
UI OIDC login, 'default' for legacy login or API-only authentication.           
                                                                                
     | `default`                                                           | No 
                                                                                
             | 1. [...]
 | `gravitino.authenticator.oauth.clientId`            | OAuth client ID for 
Web UI authentication.                                                          
                                                                                
                                                                                
    | (none)                                                              | Yes 
if provider is `oidc`                                                           
            | 1. [...]
 | `gravitino.authenticator.oauth.authority`           | OAuth authority/issuer 
URL for OIDC providers for web UI authentication. (e.g., Azure AD tenant URL).  
                                                                                
                                                                                
 | (none)                                                              | Yes if 
provider is `oidc`                                                              
         | 1. [...]
diff --git 
a/server-common/src/main/java/org/apache/gravitino/server/authentication/OAuth2TokenAuthenticator.java
 
b/server-common/src/main/java/org/apache/gravitino/server/authentication/OAuth2TokenAuthenticator.java
index 7f2821e411..4b1f3ff81f 100644
--- 
a/server-common/src/main/java/org/apache/gravitino/server/authentication/OAuth2TokenAuthenticator.java
+++ 
b/server-common/src/main/java/org/apache/gravitino/server/authentication/OAuth2TokenAuthenticator.java
@@ -49,14 +49,6 @@ class OAuth2TokenAuthenticator implements Authenticator {
         StringUtils.isNotBlank(serviceAudience),
         "Service audience cannot be blank for OAuth authentication");
 
-    Preconditions.checkArgument(
-        StringUtils.isNotBlank(config.get(OAuthConfig.DEFAULT_TOKEN_PATH)),
-        "The path for token of the default OAuth server can't be blank");
-    Preconditions.checkArgument(
-        StringUtils.isNotBlank(config.get(OAuthConfig.DEFAULT_SERVER_URI)),
-        "The uri of the default OAuth server can't be blank");
-
-    // Create the appropriate token validator based on configuration
     this.tokenValidator = OAuthTokenValidatorFactory.createValidator(config);
   }
 
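Review bot: Once the two Preconditions are dropped, nothing in this commit enforces serverUri/tokenPath for the static validator: StaticSignKeyValidator and OAuthTokenValidatorFactory are not in the diffstat, so the IllegalArgumentException the new test expects presumably comes from a check that already exists there — worth confirming, because otherwise a missing value would surface only when the first token is validated instead of failing fast in initialize. The removed comment on the createValidator line was also the only hint of where validator-specific requirements now live; I'd keep one, e.g. `// Validator-specific settings (serverUri/tokenPath for the static validator) are checked by the validator itself`. The enclosing method starts before the hunk.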
diff --git 
a/server-common/src/main/java/org/apache/gravitino/server/authentication/OAuthConfig.java
 
b/server-common/src/main/java/org/apache/gravitino/server/authentication/OAuthConfig.java
index 4f7078bde5..5fd3613458 100644
--- 
a/server-common/src/main/java/org/apache/gravitino/server/authentication/OAuthConfig.java
+++ 
b/server-common/src/main/java/org/apache/gravitino/server/authentication/OAuthConfig.java
@@ -61,7 +61,8 @@ public interface OAuthConfig {
 
   ConfigEntry<String> DEFAULT_SERVER_URI =
       new ConfigBuilder(OAUTH_CONFIG_PREFIX + "serverUri")
-          .doc("The uri of the default OAuth server")
+          .doc(
+              "The uri of the default OAuth server. Required when using 
StaticSignKeyValidator, not required for JWKS-based validators")
           .version(ConfigConstants.VERSION_0_3_0)
           .stringConf()
           .checkValue(StringUtils::isNotBlank, 
ConfigConstants.NOT_BLANK_ERROR_MSG)
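Review bot: The new doc text says serverUri is "not required for JWKS-based validators", but the entry keeps `.checkValue(StringUtils::isNotBlank, ConfigConstants.NOT_BLANK_ERROR_MSG)` two lines below, so an explicitly empty value is still rejected whichever validator is configured; "may be omitted" describes the contract more precisely than "not required". I'd word it `"The uri of the default OAuth server. Required by StaticSignKeyValidator; may be omitted for JWKS-based validators"`. The same applies to the tokenPath entry in the next hunk. Both entries continue past their hunks.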
@@ -69,7 +70,8 @@ public interface OAuthConfig {
 
   ConfigEntry<String> DEFAULT_TOKEN_PATH =
       new ConfigBuilder(OAUTH_CONFIG_PREFIX + "tokenPath")
-          .doc("The path for token of the default OAuth server")
+          .doc(
+              "The path for token of the default OAuth server. Required when 
using StaticSignKeyValidator, not required for JWKS-based validators")
           .version(ConfigConstants.VERSION_0_3_0)
           .stringConf()
           .checkValue(StringUtils::isNotBlank, 
ConfigConstants.NOT_BLANK_ERROR_MSG)
diff --git 
a/server-common/src/test/java/org/apache/gravitino/server/authentication/TestOAuth2TokenAuthenticator.java
 
b/server-common/src/test/java/org/apache/gravitino/server/authentication/TestOAuth2TokenAuthenticator.java
index 080ceb439b..d6571df6bd 100644
--- 
a/server-common/src/test/java/org/apache/gravitino/server/authentication/TestOAuth2TokenAuthenticator.java
+++ 
b/server-common/src/test/java/org/apache/gravitino/server/authentication/TestOAuth2TokenAuthenticator.java
@@ -174,6 +174,27 @@ public class TestOAuth2TokenAuthenticator {
     assertThrows(IllegalArgumentException.class, () -> 
authenticator.initialize(config));
   }
 
+  @Test
+  public void testInitializeStaticKeyValidatorRequiresServerUriAndTokenPath() {
+    OAuth2TokenAuthenticator authenticator = new OAuth2TokenAuthenticator();
+    Config config = new Config(false) {};
+    config.set(OAuthConfig.SERVICE_AUDIENCE, "test-service");
+    Key tempKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
+    config.set(
+        OAuthConfig.DEFAULT_SIGN_KEY, 
Base64.getEncoder().encodeToString(tempKey.getEncoded()));
+    // Use default StaticSignKeyValidator which requires serverUri and 
tokenPath
+    config.set(
+        OAuthConfig.TOKEN_VALIDATOR_CLASS,
+        "org.apache.gravitino.server.authentication.StaticSignKeyValidator");
+
+    // Should fail when serverUri and tokenPath are missing for 
StaticSignKeyValidator
+    IllegalArgumentException e =
+        assertThrows(IllegalArgumentException.class, () -> 
authenticator.initialize(config));
+    assertTrue(
+        e.getMessage().contains("token") || e.getMessage().contains("uri"),
+        "Expected error message about token path or server URI, got: " + 
e.getMessage());
+  }
+
   @Test
   public void testInitializeWithJwksConfiguration() {
     OAuth2TokenAuthenticator authenticator = new OAuth2TokenAuthenticator();
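Review bot: The assertion in testInitializeStaticKeyValidatorRequiresServerUriAndTokenPath only checks that the message contains "token" or "uri", and "token" is a substring of almost any message this path can produce (one naming the token validator class, for instance), so the test would still pass if initialize failed for an unrelated reason. Assert on the specific wording the static validator emits for the missing setting instead of a generic substring. It is also worth a second case that sets DEFAULT_SERVER_URI but leaves DEFAULT_TOKEN_PATH unset, and vice versa, so each requirement is exercised independently rather than only the both-missing case.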
@@ -183,13 +204,10 @@ public class TestOAuth2TokenAuthenticator {
     config.set(
         OAuthConfig.JWKS_URI, 
"https://login.microsoftonline.com/common/discovery/v2.0/keys";);
     config.set(OAuthConfig.AUTHORITY, "https://login.microsoftonline.com";);
-    config.set(OAuthConfig.DEFAULT_TOKEN_PATH, "/token");
-    config.set(OAuthConfig.DEFAULT_SERVER_URI, "http://localhost:8080";);
+    // Note: DEFAULT_TOKEN_PATH and DEFAULT_SERVER_URI are not required for 
JWKS validator
     config.set(
         OAuthConfig.TOKEN_VALIDATOR_CLASS,
         "org.apache.gravitino.server.authentication.JwksTokenValidator");
-
-    // Should initialize with JWKS validator
     authenticator.initialize(config);
     assertTrue(authenticator.isDataFromToken());
   }
