Re: [PR] [#10410] improve(authn) : OAuth2 authentication supports obtaining user group information [gravitino]

via GitHub Wed, 25 Mar 2026 01:52:24 -0700


lasdf1234 commented on code in PR #10503:
URL: https://github.com/apache/gravitino/pull/10503#discussion_r2986742147



##########
docs/security/how-to-authenticate.md:
##########
@@ -208,9 +287,12 @@ Gravitino server and Gravitino Iceberg REST server share 
the same configuration
 | `gravitino.authenticator.oauth.scope`               | OAuth scopes for Web 
UI authentication (space-separated).                                            
                                                                                
                                                                                
   | (none)                                                              | Yes 
if provider is `oidc`                                                           
            | 1.0.0            |
 | `gravitino.authenticator.oauth.jwksUri`             | JWKS URI for 
server-side OAuth token validation. Required when using JWKS-based validation.  
                                                                                
                                                                                
           | (none)                                                             
 | Yes if `tokenValidatorClass` is 
`org.apache.gravitino.server.authentication.JwksTokenValidator` | 1.0.0         
   |
 | `gravitino.authenticator.oauth.principalFields`     | JWT claim field(s) to 
use as principal identity. Comma-separated list for fallback in order (e.g., 
'preferred_username,email,sub').                                                
                                                                                
     | `sub`                                                               | No 
                                                                                
             | 1.0.0            |
+| `gravitino.authenticator.oauth.groupsFields`        | JWT claim field(s) to 
use as group membership. Comma-separated list for fallback in order (e.g., 
'groups,roles').                                                                
                                                                                
       | (none)                                                              | 
No                                                                              
                | 1.2.0            |
 | `gravitino.authenticator.oauth.tokenValidatorClass` | Fully qualified class 
name of the OAuth token validator implementation. Use 
`org.apache.gravitino.server.authentication.JwksTokenValidator` for JWKS-based 
validation or 
`org.apache.gravitino.server.authentication.StaticSignKeyValidator` for static 
key validation. | 
`org.apache.gravitino.server.authentication.StaticSignKeyValidator` | No        
                                                                                
      | 1.0.0            |
 | `gravitino.authenticator.oauth.principalMapper` | Principal mapper type for 
OAuth. Use 'regex' for regex-based mapping, or provide a fully qualified class 
name implementing `org.apache.gravitino.auth.PrincipalMapper`.                  
                                                                               
| `regex`                                                             | No      
                                                                                
        | 1.2.0            |
 | `gravitino.authenticator.oauth.principalMapper.regex.pattern` | Regex 
pattern for OAuth principal mapping. First capture group becomes the mapped 
principal. Only used when principalMapper is 'regex'.                           
                                                                                
                | `^(.*)$`                                                      
      | No                                                                      
                        | 1.2.0            |
+| `gravitino.authenticator.oauth.groupMapper` | Group mapper type for OAuth. 
Use 'regex' for regex-based mapping, or provide a fully qualified class name 
implementing `org.apache.gravitino.auth.GroupMapper`.                           
                                                                              | 
`regex`                                                             | No        
                                                                                
      | 1.2.0            |

Review Comment:
   Got, I have fixed it.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] [#10410] improve(authn) : OAuth2 authentication supports obtaining user group information [gravitino]

Reply via email to