adutra commented on code in PR #2389: URL: https://github.com/apache/polaris/pull/2389#discussion_r2353131890
########## runtime/service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java: ##########
@@ -60,34 +58,22 @@ public abstract class JWTBroker implements TokenBroker { public abstract Algorithm getAlgorithm(); @Override - public DecodedToken verify(String token) { + public PolarisCredential verify(String token) { + return verifyInternal(token); + } + + private InternalPolarisToken verifyInternal(String token) { JWTVerifier verifier = JWT.require(getAlgorithm()).withClaim(CLAIM_KEY_ACTIVE, true).build(); try { DecodedJWT decodedJWT = verifier.verify(token); - return new DecodedToken() { - @Override - public Long getPrincipalId() { - return decodedJWT.getClaim("principalId").asLong(); - } - - @Override - public String getClientId() { - return decodedJWT.getClaim("client_id").asString(); - } - - @Override - public String getSub() { - return decodedJWT.getSubject(); - } - - @Override - public String getScope() { - return decodedJWT.getClaim("scope").asString(); - } - }; - - } catch (JWTVerificationException e) { + return InternalPolarisToken.of( + decodedJWT.getSubject(),

Review Comment:
I think we are fine: the `DefaultAuthenticator` does not use the `sub` claim. It inspects `PolarisCredential.getPrincipalId()` and `PolarisCredential.getPrincipalName()`, and these fields are mapped as follows:

<table>
<tr><td></td><td>Source claim before this PR</td><td>Source claim after this PR</td></tr>
<tr><td>getPrincipalId()</td><td>principal_id</td><td>principal_id</td></tr>
<tr><td>getPrincipalName()</td><td>(none)</td><td>sub</td></tr>
</table>
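
Review bot: In `verifyInternal`, the verifier built with `JWT.require(getAlgorithm()).withClaim(CLAIM_KEY_ACTIVE, true)` checks only the active claim, yet `decodedJWT.getSubject()` is now passed into `InternalPolarisToken.of(...)`, and `getSubject()` returns null for a token that carries no `sub`. The visible lines do not show whether `InternalPolarisToken.of` rejects a null, so consider requiring the claim on the verifier (for example `.withClaimPresence("sub")`) or null-checking before the token is built, so that a token without a subject fails verification instead of yielding a credential with no principal name. A short Javadoc on why `verify` delegates to a private `verifyInternal` with the narrower return type would also help.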