adutra commented on code in PR #2389:
URL: https://github.com/apache/polaris/pull/2389#discussion_r2353149893
##########
runtime/service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java:
##########
@@ -156,16 +142,18 @@ public TokenResponse generateFromClientSecrets(
if (principal.isEmpty()) {
return new
TokenResponse(OAuthTokenErrorResponse.Error.unauthorized_client);
}
- String tokenString = generateTokenString(clientId, scope,
principal.get().getId());
+ String tokenString =
+ generateTokenString(principal.get().getName(),
principal.get().getId(), clientId, scope);
return new TokenResponse(
tokenString, TokenType.ACCESS_TOKEN.getValue(),
maxTokenGenerationInSeconds);
}
- private String generateTokenString(String clientId, String scope, Long
principalId) {
+ private String generateTokenString(
+ String principalName, long principalId, String clientId, String scope) {
Instant now = Instant.now();
return JWT.create()
.withIssuer(ISSUER_KEY)
Review Comment:
We could definitely include the realm in the token, but I'm not sure about
using the `aud` claim. In all compliance with the specs, this claim should
contain the URI of the Polaris service:
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
But, it could also contain a simple string as well, and the interpretation
of that value is application-specific.
Maybe a separate claim e.g. `polaris_realm` would be better?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
