adutra commented on PR #3236: URL: https://github.com/apache/polaris/pull/3236#issuecomment-3627866084
Just re-iterating what I said in #3170: If the goal is really about retrieving the OAuth2 token that was used to authenticate, I think Quarkus OIDC token propagation might be a better approach. In particular, one can inject `io.quarkus.oidc.client.Tokens` wherever necessary:

https://quarkus.io/guides/security-openid-connect-client-reference#inject-tokens

But if the goal is more about exposing ALL the principal credentials through the `PolarisPrincipal` interface, I think the ideal approach would be to move `PolarisCredential` to polaris-core; then in `PolarisPrincipal` we would expose instead a method like `Set<PolarisCredential> getCredentials()`. (`PolarisCredential` extends a Quarkus interface though, so this would need some refactoring.)

The PR currently suggests `Optional<String> getToken()`, but this is imho too OAuth2-oriented.

My rationale for suggesting something more generic is because Polaris is a relatively open architecture in terms of authentication, and it would be certainly feasible to run Polaris with a completely different authentication mechanism, e.g. Basic auth – in which case, there is no "token" – but there is a username which could be useful to expose as a credential as well.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
