bharos opened a new pull request, #10564:
URL: https://github.com/apache/gravitino/pull/10564

   Enable Gravitino to validate tokens from N different OAuth providers (e.g., 
Azure AD and an internal proxy) within a single deployment by routing each JWT 
to the correct JWKS endpoint via its 'iss' claim.
   
   Changes:
   - JwksTokenValidator now supports N indexed JWKS entries via config keys 
gravitino.authenticator.oauth.jwks.<N>.uri / .issuer / .audience / 
.principalFields
   - Token routing is O(1): the iss claim is read from the unverified JWT 
payload, then only the matching JWKS is fetched for signature validation — no 
unnecessary cross-provider HTTP calls
   - Audience is validated as containment (handles multi-aud OAuth tokens)
   - Legacy single-entry config (jwksUri + authority + serviceAudience) is 
preserved as a full backward-compatible fallback
   - TestJwksTokenValidator updated; new test covers two-entry routing with 
mocked JWKS sources
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

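The issuer routing and audience containment steps described in the pull request, as an added example that is not taken from the PR or from Gravitino's code. It is written in standard-library Python rather than the project's Java; `ENTRIES`, `route_by_issuer`, `audience_matches` and all issuer, URI and audience values are hypothetical. Signature verification against the selected JWKS is assumed to be done by the caller before any claim is trusted.

```python
import base64
import json

# Constructed stand-in for the indexed jwks.<N>.uri/.issuer/.audience entries;
# these issuers, URIs and audiences are placeholders, not values from the PR.
ENTRIES = {
    "https://idp-a.example.test/v2.0": {
        "uri": "https://idp-a.example.test/keys", "audience": "api://gravitino"},
    "https://proxy.internal.test": {
        "uri": "https://proxy.internal.test/jwks.json", "audience": "gravitino"},
}

class TokenRejected(Exception):
    """Raised before any JWKS fetch when a token cannot be routed."""

def encode_segment(obj):
    """Build one base64url JWT segment (used only to construct sample tokens)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def route_by_issuer(token, entries=ENTRIES):
    """Select a configured entry from the unverified iss claim.

    iss is only a lookup key into static config; no URL is ever derived from it.
    The caller must still verify the signature against entry["uri"].
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a three-part compact JWS")
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise TokenRejected("unreadable payload") from exc
    iss = claims.get("iss") if isinstance(claims, dict) else None
    if not isinstance(iss, str) or iss not in entries:
        raise TokenRejected("issuer not configured")
    return entries[iss], claims

def audience_matches(aud_claim, expected):
    """Containment check: aud may be one string or a list of strings."""
    if isinstance(aud_claim, str):
        return aud_claim == expected
    return isinstance(aud_claim, list) and expected in aud_claim

# Constructed sample token; the third segment is a dummy, nothing here verifies it.
SAMPLE = ".".join([encode_segment({"alg": "RS256"}),
                   encode_segment({"iss": "https://proxy.internal.test",
                                   "aud": ["gravitino", "other-api"]}), "sig"])
```

Because the lookup is an exact match against a static table, a token naming an unconfigured issuer is rejected without any outbound request.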