Schema Registry authentication through OAuth2 JWT tokens
You can use OAuth2 JSON Web Tokens (JWT) in Schema Registry for authentication. Authorization continues to be implemented in Ranger; however, you can obtain the principal from a JWT token.
The flow for authenticating with OAuth2 tokens is as follows:
- A client requests a token from the OAuth2 service.
- During Schema Registry startup, the application obtains the public keys needed for validating the incoming tokens.
- The client sends the HTTP requests to Schema Registry and these requests contain the bearer token in the HTTP header.
- Schema Registry validates the token.
The following image shows the authentication flow with OAuth2 tokens:
[Image: authentication flow with OAuth2 tokens]
The flow for authorization is as follows:
- Once the token is validated, the principal is extracted from the JWT token. By default, the principal is stored in the `sub` field.
- The principal is passed to Ranger which performs the authorization.
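
The validation and principal-extraction steps described above, as an added example that is not Schema Registry's own code. It assumes RS256 tokens, a `kid` header that selects the public key, and an `exp` check as part of validation; the toy key, `issue_token`, `principal_from_request` and `PUBLIC_KEYS` are hypothetical names constructed for the illustration, and the hand-off to Ranger is represented only by the returned principal.

```python
import base64, hashlib, json, time

# Constructed toy RSA key (two Mersenne primes) so this runs offline; not a real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5)
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encoded_message(signing_input):
    t = PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def issue_token(claims, kid="key-1", alg="RS256"):
    """Hypothetical stand-in for the OAuth2 service that signs the token."""
    head = b64u(json.dumps({"alg": alg, "kid": kid}).encode())
    body = b64u(json.dumps(claims).encode())
    m = int.from_bytes(encoded_message(f"{head}.{body}".encode()), "big")
    return f"{head}.{body}.{b64u(pow(m, D, N).to_bytes(K, 'big'))}"

PUBLIC_KEYS = {"key-1": (N, E)}  # obtained once at startup, by key id (assumed layout)

def principal_from_request(headers, claim="sub", now=None):
    """Validate the bearer token; return the principal or raise PermissionError."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        raise PermissionError("missing or malformed bearer token")
    head, body, sig = parts
    header = json.loads(unb64u(head))
    # Pin the algorithm on the server side; never trust the token's own choice.
    if header.get("alg") != "RS256" or header.get("kid") not in PUBLIC_KEYS:
        raise PermissionError("unsupported algorithm or unknown key")
    n, e = PUBLIC_KEYS[header["kid"]]
    recovered = pow(int.from_bytes(unb64u(sig), "big"), e, n).to_bytes(K, "big")
    if recovered != encoded_message(f"{head}.{body}".encode()):
        raise PermissionError("signature does not verify")
    claims = json.loads(unb64u(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    if not claims.get(claim):
        raise PermissionError("no principal claim")
    return claims[claim]  # the value handed on to the authorizer
```

The principal is read only after the signature, algorithm and expiry checks pass, so an unverified `sub` value never reaches the authorization step.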