Hi Alex

I'm going through the PR now and I think the Quarkus security approach
seems fine. I was actually thinking of working on this previously myself.

> This shall be done by implementing a new HttpAuthenticationMechanism
> that will pick the right authentication mechanism (internal token broker vs
> external IdP) based on the runtime configuration.

Regarding this statement, I want to make sure that it would still be
possible to use different authn mechanisms for different requests in the
same realm. I also recently started picking up some of the work from the
federated auth proposal and something we need to ensure is that we can
support both external identity providers as well as the internal token
broker.

Mike


On Tue, Apr 15, 2025 at 6:52 AM Jean-Baptiste Onofré <j...@nanthrax.net>
wrote:

> Hi Alex,
>
> It sounds like a good plan :)
>
> Thanks !
> Regards
> JB
>
> On Mon, Apr 14, 2025 at 10:50 PM Alex Dutra
> <alex.du...@dremio.com.invalid> wrote:
> >
> > Hi all,
> >
> > A recently-reported bug [1] uncovered some serious issues with the JAX-RS
> > authentication filters. Fixing this bug requires replacing the
> > incriminated filters with proper Quarkus Security mechanisms.
> >
> > In parallel to that, support for external identity providers has been
> > requested many times, see [2], [3] and [4]. We know however that this
> > feature can only be delivered by implementing similar mechanisms.
> >
> > There might be an opportunity here to kill two birds with one stone. I
> > would like therefore to make the following proposal:
> >
> >    1. In a first PR, *replace the current authentication filters* by
> >    Quarkus Security. This PR should be transparent to users and should not
> >    change the current behavior of Polaris, nor its configuration options.
> >    2. In a second PR, *implement support for external identity providers*.
> >    This shall be done by implementing a new HttpAuthenticationMechanism
> >    that will pick the right authentication mechanism (internal token broker vs
> >    external IdP) based on the runtime configuration.
> >
> >  If you agree with this proposal, I'm happy to start working on the first
> > PR.
> >
> > Thanks,
> >
> > Alex
> >
> > [1]: https://github.com/apache/polaris/issues/1345
> > [2]: https://github.com/apache/polaris/issues/336
> > [3]: https://github.com/apache/polaris/issues/976
> > [4]: https://github.com/apache/polaris/issues/1327
>
