Schema Registry authentication through OAuth2 JWT tokens
You can use OAuth2 JSON Web Tokens (JWT) for authentication in Schema Registry. Authorization continues to be implemented in Ranger; however, the principal that Ranger authorizes can be obtained from the JWT.
The flow for authenticating with OAuth2 tokens is as follows:
- A client requests a token from the OAuth2 service.
  During Schema Registry startup, the application obtains the public keys needed for validating the incoming tokens.
- The client sends the HTTP requests to Schema Registry and these requests contain the bearer token in the HTTP header.
- Schema Registry validates the token.
The following image shows the authentication flow with OAuth2 tokens:
The flow for authorization is as follows:
- Once the token is validated, the principal is extracted from the JWT token. By default, the principal is stored in the `sub` field.
- The principal is passed to Ranger, which performs the authorization.