Currently we support a single OIDC provider and validate the signature plus the exp and iss claims. With this issue we want to extend our Authentication to handle multi-tenant setups and add support for opaque tokens.
Work items of this issue:
[ ] Generic OIDC (test with Entra ID): one tenant per project. Implement aud or scope validation so that a token issued for some other audience is rejected.
[ ] Support for Zitadel. For Zitadel we need to be able to receive regular OIDC tokens (JWT) as well as Service Account tokens (opaque). Zitadel follows the approach that the client shouldn't bother with decoding the token or routing it to the correct endpoint. It offers a single introspection endpoint to which all tokens of a domain / Zitadel organization should be sent. Different Iceberg Catalog Projects might be assigned to different Zitadel organizations and thus require different introspection endpoints.
[ ] Keycloak: One Realm per Project
[ ] External Auth: Projects can also decide to not use built-in Authentication. We should extend RequestMetadata to include user-defined headers that can be used by the AuthZ implementation. A typical setup would be an authentication reverse-proxy in front of the catalog that adds headers such as x-internal-project-id and x-internal-sub, which we should forward via request_metadata to the AuthZ implementation. These headers can only be trusted if the proxy is the only way to reach the catalog; otherwise a client could set them itself.
[ ] Add project_id to request_metadata for all providers
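How the three setups above fit into one per-project dispatch, as an added example that is not the catalog's own code: a `ProjectAuth` config selects the mode, generic OIDC JWTs are checked for signature, iss, exp and aud (with scope as fallback), opaque tokens are sent unchanged to the project's introspection endpoint through an injected callable so the example runs offline, and external auth copies only the configured trusted headers into `RequestMetadata`. HS256 with a constructed shared key stands in for the RS256/JWKS verification a real IdP needs; all names, keys and the introspection response are constructed, and resolving which project a request belongs to is left out (the config is passed in).

```python
# Added example (not the catalog's own code): per-project authentication
# dispatch for the three setups in the issue.  Every name, the HS256 key and
# the introspection responses are constructed for this example.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

@dataclass
class RequestMetadata:
    project_id: str
    sub: str
    extra_headers: dict = field(default_factory=dict)

@dataclass
class ProjectAuth:
    """Authentication settings of one project (= one tenant / realm / org)."""
    project_id: str
    mode: str                      # "oidc" | "introspect" | "external"
    issuer: str = ""
    audience: str = ""             # value required in aud (or scope) for "oidc"
    hs256_key: bytes = b""         # constructed; real IdPs use RS256 + JWKS
    introspection_url: str = ""    # one endpoint per Zitadel organization
    trusted_headers: tuple = ()    # headers set by the auth reverse-proxy

class AuthError(Exception):
    pass

def validate_jwt(token: str, cfg: ProjectAuth, now: Optional[float] = None) -> dict:
    """Signature, iss, exp and aud/scope checks for a generic OIDC JWT."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise AuthError("not a JWT")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise AuthError("unexpected alg")  # also rejects alg=none
    expected = hmac.new(cfg.hs256_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("iss") != cfg.issuer:
        raise AuthError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise AuthError("expired")
    # aud may be a string or a list; fall back to scope for IdPs that do not set aud.
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    scopes = str(claims.get("scope", "")).split()
    if cfg.audience not in auds and cfg.audience not in scopes:
        raise AuthError("token was not issued for this catalog")
    return claims

def authenticate(headers: dict, cfg: ProjectAuth,
                 introspect: Callable[[str, str], dict],
                 now: Optional[float] = None) -> RequestMetadata:
    """Turn one request (lower-cased headers) into RequestMetadata for AuthZ."""
    if cfg.mode == "external":
        # Only safe when the proxy is the sole path to the catalog: a client that
        # can reach the catalog directly could set these headers itself.
        extra = {h: headers[h] for h in cfg.trusted_headers if h in headers}
        sub = extra.get("x-internal-sub")
        if not sub:
            raise AuthError("missing x-internal-sub")
        return RequestMetadata(cfg.project_id, sub, extra)
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        raise AuthError("missing bearer token")
    token = auth[7:].strip()
    if cfg.mode == "introspect":
        # Zitadel style: no local decoding, every token goes to the org's endpoint.
        resp = introspect(cfg.introspection_url, token)
        if not resp.get("active") or not resp.get("sub"):
            raise AuthError("inactive token")
        return RequestMetadata(cfg.project_id, resp["sub"])
    if cfg.mode != "oidc":
        raise AuthError(f"unknown auth mode {cfg.mode!r}")
    claims = validate_jwt(token, cfg, now)
    return RequestMetadata(cfg.project_id, claims["sub"])

def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mints a token the way the constructed IdP would (for local tests only)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

The point worth noticing is that `project_id` ends up in `RequestMetadata` on every path, while `sub` comes from a different source in each: the verified JWT, the introspection response, or a header the proxy is trusted to set. Keeping the mode per project is what lets one deployment mix an Entra ID tenant, a Zitadel organization and a proxy-fronted project.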