Schema Registry authentication through OAuth2 JWT tokens

You can use OAuth2 JSON Web Tokens (JWT) for authentication in Schema Registry. Authorization continues to be implemented in Ranger; however, the principal can be obtained from the JWT token.

The flow for authenticating with OAuth2 tokens is as follows:
  1. During Schema Registry startup, the application obtains the public keys needed for validating the incoming tokens.
  2. A client requests a token from the OAuth2 service.
  3. The client sends HTTP requests to Schema Registry, and these requests contain the bearer token in the HTTP header.
  4. Schema Registry validates the token.
The following image shows the authentication flow with OAuth2 tokens:

The flow for authorization is as follows:
  1. Once the token is validated, the principal is extracted from the JWT token. By default, the principal is stored in the sub field.
  2. The principal is passed to Ranger which performs the authorization.
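
The following sketch walks through both flows on the server side: looking up the public key loaded at startup, validating the bearer token, and extracting the principal that would be handed to Ranger. It is an added example, not Schema Registry's own code. The insecure demo key, the demo-key-1 key ID, the issue_token and authenticate names, the principal_claim parameter, the choice of RS256, and the expiry check are all assumptions made for illustration.

```python
import base64, hashlib, json, time

# Constructed, insecure demo RSA key (two Mersenne primes) so the example runs offline.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
# Step 1 of the flow: keys loaded at startup, indexed by a hypothetical key id.
PUBLIC_KEYS = {"demo-key-1": (N, E)}

def b64u(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64u(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pkcs1_pad(digest):
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def issue_token(claims, header=None):
    """Stand-in for the OAuth2 service (step 2): sign the claims with RS256."""
    header = header or {"alg": "RS256", "typ": "JWT", "kid": "demo-key-1"}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    em = pkcs1_pad(hashlib.sha256(signing_input.encode()).digest())
    sig = pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")
    return signing_input + "." + b64u(sig)

def authenticate(authorization_header, now=None, principal_claim="sub"):
    """Steps 3-4 plus principal extraction; returns the principal or raises ValueError."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("not a bearer JWT")
    h64, p64, s64 = token.split(".")
    header = json.loads(unb64u(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; this also rejects "none"
        raise ValueError("unexpected alg")
    key = PUBLIC_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    n, e = key
    sig = int.from_bytes(unb64u(s64), "big")
    expected = pkcs1_pad(hashlib.sha256(f"{h64}.{p64}".encode()).digest())
    if sig >= n or pow(sig, e, n).to_bytes(K, "big") != expected:
        raise ValueError("bad signature")
    claims = json.loads(unb64u(p64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    if not claims.get(principal_claim):
        raise ValueError("no principal")
    return claims[principal_claim]
```

The principal is returned only after the signature and expiry checks pass, so the value passed on for authorization never comes from an unverified token.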