gada121982 opened a new pull request, #10437:
URL: https://github.com/apache/gravitino/pull/10437

   ### What changes were proposed in this pull request?
   
   Add a server-side `GET /api/auth/me` endpoint that returns the fully 
resolved principal name, and update the web-v2 UI to call this endpoint after 
OIDC login instead of relying on client-side token parsing.
   
   **Server changes:**
   - New `AuthMeResponse` DTO in `common/` module
   - New `AuthOperations` REST resource with `GET /api/auth/me` endpoint that 
uses `PrincipalUtils.getCurrentUserName()` to return the server-resolved 
principal
   - Unit test `TestAuthOperations`
   
   **Web-v2 changes:**
   - New `getAuthMeApi()` in `lib/api/auth/index.js`
   - Session provider calls `/api/auth/me` after OIDC login, overrides 
`authUser.name` with server-resolved principal
   - OIDC provider prefers `access_token` over `id_token` per OAuth2 spec
   - Logout action cleans up OIDC session via `signoutRedirect()`
   
   ### Why are the changes needed?
   
   When Gravitino is configured with `principalFields: 
"preferred_username,sub"`, the server resolves the caller identity from JWT 
using the first matching field (e.g., `preferred_username` → `"admin"`). 
However, the web-v2 UI uses the OIDC `profile.name` claim (e.g., `"admin 
admin"` — the full display name), causing an identity mismatch. This breaks the 
`serviceAdmins` check since the UI-displayed username doesn't match what the 
server considers the authenticated principal.
   
   Fix: #10436
   
   ### Does this PR introduce _any_ user-facing change?
   
   - New REST API endpoint: `GET /api/auth/me` → returns `{"code": 0, 
"principal": "<resolved-name>"}`
   - Web-v2 UI now displays the server-resolved principal name instead of the 
OIDC profile display name
   
   ### How was this patch tested?
   
   1. Unit test `TestAuthOperations` verifies the endpoint returns the correct 
principal from the authenticated request context
   2. Manual testing on a K8s cluster with Keycloak OIDC: confirmed 
`/api/auth/me` returns `"admin"` (from `preferred_username`) while OIDC profile 
returns `"admin admin"`, and the UI correctly displays the server-resolved 
principal


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
