adutra commented on code in PR #2013: URL: https://github.com/apache/polaris/pull/2013#discussion_r2194506828
########## site/content/in-dev/unreleased/external-idp.md: ########## 
@@ -0,0 +1,344 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +title: External Identity Providers +type: docs +weight: 550 +--- + +Apache Polaris supports authentication via external identity providers (IdPs) using OpenID Connect (OIDC) in addition to the internal authentication system. This feature enables flexible identity federation with enterprise IdPs and allows gradual migration or hybrid authentication strategies across realms in Polaris. + +## Authentication Types + +Polaris supports three authentication modes: + +1. `internal` (Default) + - Only Polaris internal authentication is used. +2. `external` + - Authenticates using external OIDC providers (via Quarkus OIDC). + - Disables the internal token endpoint (returns HTTP 501). +3. `mixed` + - Tries internal authentication first; if it fails, it falls back to OIDC. 
+ +Authentication can be configured globally or per realm in `application.properties`: + +```properties +# Global default +polaris.authentication.type=internal +# Per-realm override +polaris.authentication.realm1.type=external +polaris.authentication.realm2.type=mixed +``` + +## Key Components + +### Authenticator + +The Authenticator is a component responsible for creating a Polaris principal from the credentials provided by the authentication process. It is common to all authentication types. + +The `type` property is used to define the Authenticator implementation. It is overridable per realm: + +```properties +polaris.authentication.authenticator.type=default +polaris.authentication.realm1.authenticator.type=custom +``` + +### Active Roles Provider + +The Active Roles Provider is a component responsible for determining which roles the principal is requesting and should be activated. It is common to all authentication types. + +Only the `type` property is defined; it is used to define the provider implementation to use: + +```properties +polaris.active-roles-provider.type=default +``` + +Contrary to the Authenticator, the Active Roles Provider is defined only once for the entire Polaris instance. It is not overridable per realm. + +## Internal Authentication Configuration + +### Token Broker + +The Token Broker signs and verifies tokens to ensure that they cannot be tampered with and can be validated without requiring contact with the original issuer on every request.

Review Comment: This sentence ("without ... request") is imho unnecessary. Here, Polaris is both the auth server and the resource server, so I guess it is in permanent contact with itself :-)

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
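Review bot: The `mixed` bullet under "Authentication Types" ("Tries internal authentication first; if it fails, it falls back to OIDC") should spell out what counts as a failure, because that decides whether a bearer token the internal Token Broker rejects (bad signature, expired) is then re-submitted to the OIDC provider or refused outright; one sentence beside the bullet naming the exact condition that triggers the fallback would close that gap. Along the same lines, the Authenticator example sets `polaris.authentication.realm1.authenticator.type=custom` without listing the accepted values or saying that `custom` stands in for a user-supplied implementation, so a reader cannot tell whether that line is a literal setting or a placeholder.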