Proposal for AuthN/Z API Refactor #119

Open
tomncooper wants to merge 2 commits into kroxylicious:main from tomncooper:authorization-api-refactor


tomncooper commented Jul 3, 2026

This PR contains a proposal to extract the Subject and Principal concepts from kroxylicious-api into a new lightweight module, kroxylicious-authentication-api, so that kroxylicious-authorizer-api can be consumed independently of the full proxy API and its transitive dependencies (kafka-clients, jackson-annotations, compression codecs).

The authorizer API was designed for general-purpose reuse, but its dependency on kroxylicious-api makes adoption impractical for non-Kroxylicious projects. Apicurio Registry, for example, has resorted to copying the authorizer API source into their own module to avoid the dependency tree. This refactor removes that barrier.

The proposed kroxylicious-authentication-api module will contain three types in the io.kroxylicious.authentication package:

  • A Principal interface with a single name() method
  • A Subject interface with a single principals() method
  • The @Unique annotation

The proposed package avoids a split-package situation that would block JPMS adoption.

The existing concrete Subject record in kroxylicious-api will be renamed to ProxySubject and will implement the proposed Subject interface. This rename avoids ambiguity when both the interface and the concrete type are in scope. ProxySubject will retain all existing behavior including User-principal validation, uniquePrincipalOfType, allPrincipalsOfType, and isAnonymous.

The kroxylicious-authorizer-api module will switch its compile dependency from kroxylicious-api to kroxylicious-authentication-api. Authorizer.authorize() and AuthorizeResult will reference the Subject interface rather than the concrete type. Method signatures in FilterContext, RouterContext, TransportSubjectBuilder, and SaslSubjectBuilder will be updated to use ProxySubject where the concrete type is required.

These are binary-incompatible and in some cases source-incompatible changes. The project is at 0.x where breaking changes carry lower migration cost, and the authorizer API was introduced recently with minimal external adoption. Downstream changes will follow two mechanical patterns: renaming Subject to ProxySubject and updating Principal/@Unique imports from io.kroxylicious.proxy.authentication to io.kroxylicious.authentication.

A PoC branch containing these proposed changes is available on my fork: https://github.com/tomncooper/kroxylicious/tree/auth-api-refactor

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Cooper <code@tomcooper.dev>
tomncooper requested a review from a team as a code owner July 3, 2026 13:28
tomncooper changed the title Added proposal for AuthN/Z API Refactor Proposal for AuthN/Z API Refactor Jul 3, 2026
Signed-off-by: Thomas Cooper <code@tomcooper.dev>
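
The module split described in the proposal, as an added sketch that is not code from the PR or the PoC branch: the type names (Principal, Subject, @Unique, ProxySubject, uniquePrincipalOfType) come from the proposal text, while the signatures, the `Role` principal, the `mayAccess` helper and the meaning given to @Unique (at most one principal of that type per subject) are assumptions made for illustration. It shows a consumer compiled against the two interfaces only, and why such a consumer should match on principal type plus name rather than name alone.

```java
import java.lang.annotation.*;
import java.util.*;

// Added sketch: names follow the proposal; signatures and semantics are assumptions.
public class AuthApiSketch {
    // --- proposed kroxylicious-authentication-api (io.kroxylicious.authentication) ---
    interface Principal { String name(); }
    interface Subject { Set<Principal> principals(); } // return type is assumed
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface Unique { } // assumed meaning: at most one principal of this type per Subject

    // --- concrete types that would remain in kroxylicious-api ---
    @Unique record User(String name) implements Principal { }
    record Role(String name) implements Principal { } // hypothetical non-unique principal

    record ProxySubject(Set<Principal> principals) implements Subject {
        ProxySubject {
            principals = Set.copyOf(principals); // immutable copy, rejects null elements
            Set<Class<?>> seen = new HashSet<>();
            for (Principal p : principals) {
                Class<?> type = p.getClass();
                if (type.isAnnotationPresent(Unique.class) && !seen.add(type)) {
                    throw new IllegalArgumentException("more than one " + type.getSimpleName() + " principal");
                }
            }
        }
        <P extends Principal> Optional<P> uniquePrincipalOfType(Class<P> type) {
            return principals.stream().filter(type::isInstance).map(type::cast).findFirst();
        }
    }

    // --- a consumer such as an authorizer: needs only Principal and Subject ---
    static boolean mayAccess(Subject subject, Set<String> allowed) {
        // Deny by default. Keys are "Type:name" so a Role named "alice" never matches User "alice".
        return subject.principals().stream()
                .map(p -> p.getClass().getSimpleName() + ":" + p.name())
                .anyMatch(allowed::contains);
    }

    public static void main(String[] args) {
        Set<String> acl = Set.of("User:alice"); // constructed sample policy
        Subject alice = new ProxySubject(Set.of(new User("alice"), new Role("admin")));
        System.out.println("alice allowed: " + mayAccess(alice, acl));
        Subject lookalike = new ProxySubject(Set.of(new Role("alice")));
        System.out.println("role named alice allowed: " + mayAccess(lookalike, acl));
        try {
            new ProxySubject(Set.of(new User("alice"), new User("bob")));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```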