External (Custom) Authentication Configuration

[jonsnowseven]

Hello all.

I wanted more information regarding External Authentication Configuration. If I understood correctly, the previous configuration assumes the claims come within the JWT token. On our use-case, this is not true: JWT only brings the identity (sub) and we use a different endpoint to get the claims.

Is it possible to extend this module with some custom logic? Is there an interface to do so?

Basically something like this:

<JWT token> -> Get sub -> Get claims calling another endpoint -> parse them into Polaris roles

Thanks in advance.

Note

I did not find this (or similar) question in other discussions. I appolgize in advance if this was already asked.

[dimas-b]

@jonsnowseven : How does it look like from the OIDC perspective? What kind of request is it to get the extra claims?

[jonsnowseven]

@dimas-b, it is a simple http request to our own Identity Provider. The request has the subject and the endpoint returns the claims.

[dimas-b]

Thanks for the clarification! I believe @adutra 's reply shows the right direction in this case :)

[adutra]

@jonsnowseven I think you would need to implement your own org.apache.polaris.service.auth.external.mapping.PrincipalRolesMapper. It shouldn't be too difficult imho.

[jonsnowseven]

Thanks, @adutra
Do you have an implementation example and how can that class be added to the classpath?

[adutra]

You can have a look at the default impl:

https://github.com/apache/polaris/blob/main/runtime/service/src/main/java/org/apache/polaris/service/auth/external/mapping/DefaultPrincipalRolesMapper.java

Given your use case, I think something like below could be a starting point for your impl:

@ApplicationScoped
@Identifier("custom")
class CustomPrincipalRolesMapper implements PrincipalRolesMapper {

  @Override
  public Set<String> mapPrincipalRoles(SecurityIdentity identity) {
    var jwt = (JsonWebToken) identity.getPrincipal();
    String subject = jwt.getSubject();
    Set<String> roles = callRemoteRolesEndpoint(subject);
    return roles.stream()
        .map(r -> "POLARIS_ROLE:" + r)
        .collect(Collectors.toSet());
  }

  private Set<String> callRemoteRolesEndpoint(String subject) {
    // TODO implement
    return Set.of();
  }
}

Polaris makes heavy use of runtime identifier-based bean selection – note the @Identifier("custom") annotation. In order to select this bean at runtime instead of the default one, add this line to your configuration:

polaris.oidc.principal-roles-mapper.type=custom

[adutra]

Also note (just in case): with Quarkus, you cannot add classes to an existing application classpath at runtime, you need to create a new Quarkus application, import the Polaris jars, add your custom CDI bean, and then repackage everything as a new Quarkus application.

[jonsnowseven]

Yes, I'll probably create a docker image that adds those CDI beans and repackages everything. Does Polaris have a base image to start from in a docker build?

[adutra]

It does: https://hub.docker.com/r/apache/polaris/

But I think what would be more helpful is the Polaris Maven artifacts: https://repo.maven.apache.org/maven2/org/apache/polaris/ – you would need to import polaris-runtime-service at a minimum (+ JDBC persistence I guess).

[jonsnowseven]

Thank you for the help, @adutra.

I just have a final question... doing what you mention, how can I ensure that the final Quarkus application = Polaris Quarkus Application + custom bean? I.e., in the end, the main QuarkusApplication class should be the one implemented by Polaris, right?