markhoerth commented on code in PR #2013: URL: https://github.com/apache/polaris/pull/2013#discussion_r2195380444
########## site/content/in-dev/unreleased/external-idp.md: ########## 
@@ -0,0 +1,344 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +title: External Identity Providers +type: docs +weight: 550 +--- + +Apache Polaris supports authentication via external identity providers (IdPs) using OpenID Connect (OIDC) in addition to the internal authentication system. This feature enables flexible identity federation with enterprise IdPs and allows gradual migration or hybrid authentication strategies across realms in Polaris. + +## Authentication Types + +Polaris supports three authentication modes: + +1. `internal` (Default) + - Only Polaris internal authentication is used. +2. `external` + - Authenticates using external OIDC providers (via Quarkus OIDC). + - Disables the internal token endpoint (returns HTTP 501). +3. `mixed` + - Tries internal authentication first; if it fails, it falls back to OIDC. 
+ +Authentication can be configured globally or per realm in `application.properties`: + +```properties +# Global default +polaris.authentication.type=internal +# Per-realm override +polaris.authentication.realm1.type=external +polaris.authentication.realm2.type=mixed +``` + +## Key Components + +### Authenticator + +The Authenticator is a component responsible for creating a Polaris principal from the credentials provided by the authentication process. It is common to all authentication types. Review Comment: Certainly, but `Authenticator` is a formal name.
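Review bot: the `mixed` bullet ("Tries internal authentication first; if it fails, it falls back to OIDC") leaves the fallback condition ambiguous, and that is the security-relevant detail an operator choosing `mixed` needs. Falling back because the presented token is simply not a Polaris internal token is a different policy from falling back after a well-formed internal token fails verification (bad signature, expired, revoked), since the second case means a rejected internal credential still gets a second chance through OIDC. Suggest stating explicitly which condition triggers the fallback and, since the `external` bullet says the internal token endpoint returns HTTP 501, also stating whether that endpoint stays enabled under `mixed`.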