frankjkelly commented on issue #7830:
URL: https://github.com/apache/pulsar/issues/7830#issuecomment-683312884
FYI @Joshhw for me the issue / hack was that I needed to provide BOTH
AuthenticationToken implementations in the Proxy Conf definition of
authenticationProviders i.e.
```
authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken,com.cogito.platform.signal.stream.pulsar.authn.broker.CogitoAuthenticationProvider"
```
When I defined both AuthN implementations then I found that both role tokens
are forwarded onto the (one) AuthZ provider and that both role tokens need to
be approved.
For example, in my case:
i) `AuthenticationProviderToken` maps the token --> my "proxy" role
ii) `CogitoAuthenticationProvider` maps the token --> my "cogito" role
Then my AuthZ provider has to Authorize that both "proxy" and "cogito" roles
have permission to do the operation.
I also had to have `authenticateOriginalAuthData: "true"` defined on my
broker alongside `forwardAuthorizationCredentials: "true"` in the proxy to
make sure the JWT token is passed along (mine contains critical claims
information I use to validate access). Please let me know if you have any
questions.
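
A small Python model of the behaviour described in the comment above, added here as an illustration; it is not code from Pulsar or from the commenter. It shows one token yielding two roles through two providers, with the operation allowed only when every role is granted. The claim names `sub` and `cogito_role`, the signing key, the topic name and the grants tables are constructed assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed signing key for this example only

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an HS256 JWT so the example runs offline."""
    signed = b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signed.encode(), hashlib.sha256).digest()
    return signed + "." + b64url(sig)

def verify(token: str) -> dict:
    """Check the signature before trusting any claim."""
    signed, _, sig = token.rpartition(".")
    good = b64url(hmac.new(SECRET, signed.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(good, sig):
        raise ValueError("bad signature")
    body = signed.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

# Stand-ins for the two providers named in the comment; claim names are assumptions.
PROVIDERS = {
    "AuthenticationProviderToken": lambda c: c["sub"],
    "CogitoAuthenticationProvider": lambda c: c["cogito_role"],
}

def authorize(token: str, action: str, topic: str, grants: dict) -> tuple:
    """Allow only if every role derived from the token holds the permission."""
    claims = verify(token)
    roles = [to_role(claims) for to_role in PROVIDERS.values()]
    missing = [r for r in roles if action not in grants.get((r, topic), set())]
    return (not missing, missing)

TOPIC = "persistent://public/default/demo"  # constructed topic name
TOKEN = make_token({"sub": "proxy", "cogito_role": "cogito"})
BOTH = {("proxy", TOPIC): {"produce"}, ("cogito", TOPIC): {"produce"}}
ONLY_COGITO = {("cogito", TOPIC): {"produce"}}

if __name__ == "__main__":
    print(authorize(TOKEN, "produce", TOPIC, BOTH))
    print(authorize(TOKEN, "produce", TOPIC, ONLY_COGITO))
```

The second element of the result names the roles that lack the permission, which is the first thing to check when a request is denied after a second provider is added.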