Antalya 26.3: OAuth improvements #1799
Draft
zvonand wants to merge 2 commits into
Add a "Mapping groups to ClickHouse roles" subsection under Entra that covers the three practical paths: App Roles (preferred), formatting the `groups` claim via `optionalClaims` (`sam_account_name`, `cloud_displayname`, etc.), and `roles_mapping` as a GUID-only fallback. Note the `roles_filter` retuning needed when switching from GUIDs to names.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When `token_introspection_endpoint` is configured together with `introspection_client_id` / `introspection_client_secret`, the openid processor sends an RFC 7662 introspection probe before falling through to `/userinfo`. The response is authoritative for liveness (`active`), expiry (`exp` bounds the cache TTL), and operator-pinned `iss`/`aud` bindings. The probe runs whenever it's configured, including alongside the JWT fast-path -- JWT validates signature and `exp`, introspection adds the revocation check the JWT path cannot do.

Also adds `Accept: application/json` to the userinfo GET, surfaces introspection HTTP failures at WARNING (was TRACE), and warns when the IdP returns a malformed `exp` instead of silently dropping it.

Parser: new keys `introspection_client_id` / `introspection_client_secret` (both must be set together); `expected_issuer` / `expected_audience` are now accepted in manual mode when introspection is wired (they're enforced against the introspection response). The manual-mode branch also rejects keys that would silently no-op (`jwks_uri`, `allow_no_expiration`, `verifier_leeway`, `jwks_cache_lifetime`).

Tests: three new Keycloak integration tests, each on a dedicated single-processor node so successful auth is provably the introspection path:
- manual-mode happy-path + revocation
- discovery-mode happy-path + revocation, using a tiny nginx-served mock OIDC doc that points back at real Keycloak but omits `jwks_uri` (Keycloak always advertises one, so the JWKS-less discovery branch is otherwise unreachable end-to-end)
- bad-secret rejection (strict default: no silent fallback to userinfo)

Test helpers pin `Host: keycloak:8080` on the backchannel calls so Keycloak issues tokens whose `iss` matches the URL ClickHouse uses to introspect them; existing tests keep the host-mapped URL so the device-flow HTML traversal still works.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
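The verdict logic the commit above describes, as an added illustration in Python rather than ClickHouse's own C++ code: an RFC 7662 response is authoritative for `active`, `exp` bounds the cache TTL, `iss`/`aud` are enforced against operator-pinned values, HTTP failures and malformed `exp` are surfaced at WARNING, and nothing falls back to `/userinfo`. The function, dataclass and field names are assumptions for this example, and the sample values in the checks are constructed.

```python
import logging
import time
from dataclasses import dataclass
from typing import Any, Optional

log = logging.getLogger("oidc.introspection")


@dataclass
class IntrospectionPolicy:
    expected_issuer: Optional[str] = None    # operator-pinned `iss`, None to skip
    expected_audience: Optional[str] = None  # operator-pinned `aud`, None to skip
    max_cache_ttl: int = 300                 # configured cache lifetime, seconds


@dataclass
class Decision:
    accepted: bool
    cache_ttl: int   # seconds the verdict may be cached; 0 when rejected
    reason: str


def evaluate_introspection(status: int, body: dict, policy: IntrospectionPolicy,
                           now: Optional[float] = None) -> Decision:
    """Map an RFC 7662 introspection reply to accept/reject plus a cache TTL.

    Strict by default: transport or policy failures reject the token; there is
    no silent fallback to /userinfo (illustrative, not ClickHouse's code)."""
    now = time.time() if now is None else now
    if status != 200:
        log.warning("introspection endpoint returned HTTP %d; rejecting token", status)
        return Decision(False, 0, f"http_{status}")
    if body.get("active") is not True:
        return Decision(False, 0, "inactive")  # revoked, expired or unknown at the IdP
    if policy.expected_issuer is not None and body.get("iss") != policy.expected_issuer:
        return Decision(False, 0, "issuer_mismatch")
    if policy.expected_audience is not None:
        aud: Any = body.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]  # `aud` is a string or array
        if policy.expected_audience not in audiences:
            return Decision(False, 0, "audience_mismatch")
    ttl = policy.max_cache_ttl
    if "exp" in body:
        exp = body["exp"]
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            # Malformed exp is not used for the TTL, but it is logged, not dropped silently.
            log.warning("introspection response carries malformed exp %r; ignoring it", exp)
        elif exp <= now:
            return Decision(False, 0, "expired")
        else:
            ttl = min(ttl, int(exp - now))  # never cache past the IdP-stated expiry
    return Decision(True, ttl, "ok")
```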
Follow-up for #1784
Changelog category (leave one):
Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Various token-based auth improvements
CI/CD Options
Exclude tests:
Regression jobs to run: