Open jbonofre opened 1 month ago
We don't recommend that anyone use it in a prod env, but it's a nice feature to allow people to try Polaris out easily; otherwise they have to hook up a third-party token service before doing anything else. What we can do here is to remove it while providing a private endpoint with the same functionality for test purposes. In that case, real prod users can hook up their token service, while we still use the private endpoint for testing.
It is pretty easy to set up Keycloak, for example, as an IdP for "getting started" environments.
Nessie has an example here: https://github.com/projectnessie/nessie/tree/main/docker/authn-keycloak
providing a private endpoint with the same functionality for test purposes
I'm not sure it is as easy as it sounds. A proper OAuth2 implementation is not a small effort. On the other hand, a test impl. that has gaps w.r.t. the OAuth2 RFC can lead to bugs in production code, because it would be tested against a non-compliant OAuth2 server.
I believe it is preferable to reuse existing OSS implementations that provide OAuth2.
A tangential point: if Quarkus were used as the server platform, it provides easy ways to test authN/Z in CI without requiring a full OAuth2/OIDC implementation.
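One way to make the "gaps w.r.t. the OAuth2 RFC" concern concrete is to check token-endpoint responses against the MUST/RECOMMENDED rules of RFC 6749 sections 5.1 and 5.2 and run that check against both a test token server and the real IdP. The following is an added example, not code from Polaris, Nessie or this thread; the response samples are constructed (the "keycloak_like" ones only assume the shape a compliant server such as Keycloak returns), and the finding codes are this example's own naming.

```python
"""Check an OAuth2 token-endpoint response against RFC 6749 sections 5.1/5.2.

A home-grown test token server that skips these rules lets client bugs
(e.g. reading the wrong field, ignoring 400s) pass CI and surface only
against a real IdP. Samples below are constructed, not captured traffic.
"""
import json

# Error codes registered for the token endpoint by RFC 6749 section 5.2.
TOKEN_ERROR_CODES = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}


def check_token_response(status, headers, body):
    """Return a sorted list of short finding codes; [] means the response
    satisfies the MUST/RECOMMENDED rules of RFC 6749 sections 5.1/5.2."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Success and error responses MUST both be application/json.
    if not hdrs.get("content-type", "").lower().startswith("application/json"):
        findings.append("bad-content-type")
    try:
        data = json.loads(body)
    except ValueError:
        return sorted(findings + ["body-not-json"])
    if not isinstance(data, dict):
        return sorted(findings + ["body-not-json-object"])

    if status == 200:
        # An error object on HTTP 200 is the classic test-server shortcut;
        # section 5.2 requires 400 (or 401 for invalid_client).
        if "error" in data:
            return sorted(findings + ["error-with-200"])
        if "access_token" not in data:        # REQUIRED (5.1)
            findings.append("missing-access_token")
        if "token_type" not in data:          # REQUIRED (5.1)
            findings.append("missing-token_type")
        if "expires_in" not in data:          # RECOMMENDED (5.1)
            findings.append("missing-expires_in")
        # Responses carrying tokens MUST send Cache-Control: no-store
        # and Pragma: no-cache (5.1).
        if "no-store" not in hdrs.get("cache-control", "").lower():
            findings.append("no-cache-control-no-store")
        if "no-cache" not in hdrs.get("pragma", "").lower():
            findings.append("no-pragma-no-cache")
    elif status in (400, 401):
        err = data.get("error")
        if err is None:                       # REQUIRED (5.2)
            findings.append("missing-error")
        elif err not in TOKEN_ERROR_CODES:
            findings.append("unregistered-error-code")
        if status == 401 and err != "invalid_client":
            findings.append("401-without-invalid_client")
    else:
        findings.append("unexpected-status")
    return sorted(findings)


# Constructed samples: (status, headers, body).
SAMPLES = {
    "keycloak_like_ok": (200,
        {"Content-Type": "application/json;charset=UTF-8",
         "Cache-Control": "no-store", "Pragma": "no-cache"},
        '{"access_token":"eyJ.example.token","token_type":"Bearer","expires_in":300}'),
    "keycloak_like_error": (400,
        {"Content-Type": "application/json",
         "Cache-Control": "no-store", "Pragma": "no-cache"},
        '{"error":"invalid_grant","error_description":"Invalid client credentials"}'),
    # A gap-ridden test server: wrong field name, no cache headers, errors on 200.
    "test_server_ok": (200, {"Content-Type": "application/json"},
        '{"token":"abc123"}'),
    "test_server_error": (200, {"Content-Type": "application/json"},
        '{"error":"bad credentials"}'),
}


def audit(samples=SAMPLES):
    """Run the check over every sample and map name -> findings."""
    return {name: check_token_response(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name:22s} {'OK' if not findings else ', '.join(findings)}")
```

Pointing `audit()` at responses captured from a CI token server and from the production IdP gives a quick diff of where the two diverge, which is exactly the class of gap the comment above warns about.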
Agreed, it's great to reuse an existing OAuth2 implementation. We will need to see how integration works to choose between them.
The oauth/tokens endpoint is already deprecated for removal due to security concerns. The path forward is described in this doc.