smolnar82 opened a new pull request, #1264: URL: https://github.com/apache/knox/pull/1264
[KNOX-3350](https://issues.apache.org/jira/browse/KNOX-3350) - Add group information into the generated JWT in WebSSOResource

## What changes were proposed in this pull request?

This PR introduces the ability to include group information in the JWT tokens generated by `WebSSOResource` (KnoxSSO).

Key changes include:

* Added a new configuration parameter `knoxsso.token.include.groups` to control whether group information should be included in the issued JWT.
* Refactored `WebSSOResource` to include a package-protected `groups()` method, facilitating easier testing and overriding of group retrieval logic.
* Updated `getAuthenticationToken` in `WebSSOResource` to populate the `groups` claim in `JWTokenAttributes` when the feature is enabled.
* Fixed a typo in the constant name for the new configuration parameter.
* Standardized group retrieval in `TokenResource` by utilizing `SubjectUtils.getCurrentGroupPrincipalNames()`.

## How was this patch tested?

The changes were verified by adding comprehensive unit tests in `WebSSOResourceTest`:

* `testIncludeGroupsTrue`: Verifies that groups are correctly included in the JWT when `knoxsso.token.include.groups` is set to `true`.
* `testIncludeGroupsFalse`: Verifies that groups are excluded when the parameter is set to `false`.
* `testIncludeGroupsOmitted`: Verifies that the default behavior (when the parameter is missing) is to exclude groups.

## Integration Tests

I ran manual testing using my local Knox instance against the `knoxsso` topology. I logged in as `recursiveUser`, verified `hadoop-jwt` (extracted from DEV tools in Chrome) is generated, then checked its content on `jwt.io`:

1. Without `knoxsso.token.include.groups`:
   <img width="1338" height="525" alt="image" src="https://github.com/user-attachments/assets/c6af3bd7-3ee3-4f20-a968-4bbc38673190" />
2. `knoxsso.token.include.groups = false`:
   <img width="1332" height="520" alt="image" src="https://github.com/user-attachments/assets/bdd3ea1d-ecfb-4604-9aa5-311373b8e4c4" />
3. `knoxsso.token.include.groups = true`:
   <img width="1333" height="626" alt="image" src="https://github.com/user-attachments/assets/605f9429-abcc-4db0-b6df-09dd880516b5" />

## UI changes

N/A
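
The token check described under Integration Tests can also be run offline. The following is an added example, not part of the pull request or of Knox's code: it decodes a compact JWT's payload without verifying the signature and reports whether a groups claim is present. The default claim name `groups`, its list-of-strings shape, the group names and the sample tokens are assumptions constructed for illustration; pass the claim name your token actually carries.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def groups_in_token(token: str, claim: str = "groups"):
    """Return the list held in `claim`, or None when the claim is absent.

    The default claim name is an assumption taken from the PR wording.
    """
    claims = decode_claims(token)
    if claim not in claims:
        return None
    groups = claims[claim]
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError(f"{claim!r} claim is not a list of strings")
    return groups


def make_sample_token(claims: dict) -> str:
    # Constructed sample with a placeholder signature; not a token issued by Knox.
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"


# Constructed inputs mirroring the cases above (parameter off/omitted vs. on).
WITHOUT_GROUPS = make_sample_token({"sub": "recursiveUser"})
WITH_GROUPS = make_sample_token({"sub": "recursiveUser", "groups": ["groupA", "groupB"]})

if __name__ == "__main__":
    for label, tok in (("off/omitted", WITHOUT_GROUPS), ("on", WITH_GROUPS)):
        print(label, "->", groups_in_token(tok))
```
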
