[
https://issues.apache.org/jira/browse/HIVE-29276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18033108#comment-18033108
]
Shohei Okumiya commented on HIVE-29276:
---------------------------------------
I'm learning Microsoft Entra ID, and its OAuth 2 access token is unique... This
is a sample payload.
{code:java}
{
"typ": "JWT",
"alg": "RS256",
"kid": "{kid}"
}
{
"aud": "{App ID, UUID}",
"iss": "https://login.microsoftonline.com/{tenant id}/v2.0",
"iat": 1761535310,
"nbf": 1761535310,
"exp": 1761539210,
"aio": "...",
"azp": "...",
"azpacr": "1",
"oid": "...",
"rh": "...",
"roles": [
"catalog2"
],
"sub": "{UUID}",
"tid": "{tenant ID}",
"uti": "...",
"ver": "2.0",
"xms_ftd": "..."
}{code}
It uses "JWT" for "typ" and service accounts(= machine user) use "roles"
instead of "scope"
> Support major OAuth 2 Authorization Server implementation
> ---------------------------------------------------------
>
> Key: HIVE-29276
> URL: https://issues.apache.org/jira/browse/HIVE-29276
> Project: Hive
> Issue Type: Improvement
> Components: Iceberg integration, Standalone Metastore
> Reporter: Shohei Okumiya
> Assignee: Shohei Okumiya
> Priority: Major
>
> HIVE-29020 added OAuth 2 support based on the latest best practice, such as
> "RFC 9068: JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens". Some
> real IdPs don't follow some of the new best practices. In this ticket, we
> will update the OAuth 2 configurations so that we can support major identity
> platforms, such as Microsoft Entra ID or Okta.
>
> For example, RFC 9068 recommends including `typ: at+jwt` in a JWT header so
> that a malicious user can't inject a JWT that is not for OAuth 2 protected
> resources. However, Okta's access tokens don't always have the type parameter
> and there is no tuning knob to add it.
> https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#id-token-header
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
