Tyooughtul commented on PR #2656: URL: https://github.com/apache/iggy/pull/2656#issuecomment-4016686832
> Added a few more comments (some might be stale already, but some are up to date) - please take a look, and once resolved we could finally merge it :)

Thanks for the comment and review 😊! But I ran into some problems: I've got the A2A JWT authentication working end-to-end for HTTP with integration test coverage; external IdPs can now authenticate users via JWKS endpoints. That said, I'm running into a few architectural rough edges that I'd rather hash out with you before polishing this further.

The immediate concern is identity mapping: I'm currently using the external JWT's 'sub' claim directly as the Iggy user_id, which feels like we're begging for namespace collisions between external issuers and our internal IDs. Should I add a claims mapping layer to transform something like "oidc|user123" into a proper local user_id? Related to that, the permission model currently grants A2A tokens full user privileges, which might be too permissive if these tokens leak 🤔

Looking ahead to the VSR clustering work, the in-memory JWKS cache and revocation lists are obviously going to be problematic since they're purely local right now. I'm weighing whether each node should just fetch independently, or if we need a distributed cache like Redis, or perhaps leverage VSR replication itself.

There's also the protocol question hanging over this: A2A is an application-layer protocol, so should I adapt all the underlying protocols (TCP, QUIC, and WebSocket) to support it? I honestly feel a bit stuck on what the next steps should be here.
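The two design questions raised in the comment above (namespacing external 'sub' claims so they cannot collide with internal IDs, and not handing A2A tokens full user privileges) can be sketched as a small claims-mapping layer. The following is an added illustration written for this discussion; it is not code from the PR or from the Iggy code base. It assumes the JWT signature has already been checked against the issuer's JWKS, and the `VerifiedClaims`, `IssuerPolicy`, `ClaimsMapper` names, the `ext:` prefix and the sample issuer/permission strings are all hypothetical.

```rust
use std::collections::{HashMap, HashSet};

/// Claims taken from a JWT whose signature has already been verified against the
/// issuer's JWKS. Verification is out of scope here; this type is a stand-in.
#[derive(Debug, Clone)]
pub struct VerifiedClaims {
    pub iss: String,
    pub sub: String,
    pub scope: Vec<String>,
}

/// Per-issuer policy (hypothetical): a short alias used to namespace local ids and
/// the ceiling on permissions any token from this issuer may carry.
pub struct IssuerPolicy {
    pub alias: &'static str,
    pub max_permissions: HashSet<&'static str>,
}

#[derive(Debug, PartialEq)]
pub struct LocalPrincipal {
    pub user_id: String,
    pub permissions: Vec<String>,
}

#[derive(Debug, PartialEq)]
pub enum MapError {
    UnknownIssuer(String),
    EmptySubject,
    CollidesWithInternal(String),
}

/// Prefix reserved for externally authenticated identities. Internal accounts must
/// never be created with this prefix; that rule is what keeps the namespaces disjoint.
pub const EXTERNAL_PREFIX: &str = "ext:";

pub struct ClaimsMapper {
    issuers: HashMap<String, IssuerPolicy>,
    internal_user_ids: HashSet<String>,
}

impl ClaimsMapper {
    pub fn new(issuers: HashMap<String, IssuerPolicy>, internal_user_ids: HashSet<String>) -> Self {
        Self { issuers, internal_user_ids }
    }

    /// Reject internal ids that would sit inside the reserved external namespace.
    pub fn is_valid_internal_id(id: &str) -> bool {
        !id.is_empty() && !id.starts_with(EXTERNAL_PREFIX)
    }

    pub fn map(&self, claims: &VerifiedClaims) -> Result<LocalPrincipal, MapError> {
        let policy = self
            .issuers
            .get(&claims.iss)
            .ok_or_else(|| MapError::UnknownIssuer(claims.iss.clone()))?;
        if claims.sub.trim().is_empty() {
            return Err(MapError::EmptySubject);
        }
        // Qualify the subject with the issuer alias: "user123" from two IdPs yields two
        // distinct local ids, and neither can equal a bare internal id.
        let user_id = format!("{}{}:{}", EXTERNAL_PREFIX, policy.alias, claims.sub);
        // Defence in depth: even with the prefix rule, refuse to shadow an existing account.
        if self.internal_user_ids.contains(&user_id) {
            return Err(MapError::CollidesWithInternal(user_id));
        }
        // Least privilege: the requested scope is intersected with the issuer ceiling,
        // so a leaked A2A token never carries full user privileges.
        let mut permissions: Vec<String> = claims
            .scope
            .iter()
            .filter(|s| policy.max_permissions.contains(s.as_str()))
            .cloned()
            .collect();
        permissions.sort();
        permissions.dedup();
        Ok(LocalPrincipal { user_id, permissions })
    }
}

/// Constructed sample configuration: one trusted issuer and two internal accounts,
/// one of which deliberately violates the prefix rule to exercise the collision check.
pub fn sample_mapper() -> ClaimsMapper {
    let mut issuers = HashMap::new();
    issuers.insert(
        "https://idp.example".to_string(),
        IssuerPolicy {
            alias: "oidc",
            max_permissions: ["streams:read", "streams:write"].iter().copied().collect(),
        },
    );
    let internal = ["iggy", "ext:oidc:legacy"].iter().map(|s| s.to_string()).collect();
    ClaimsMapper::new(issuers, internal)
}

fn main() {
    let mapper = sample_mapper();
    let claims = VerifiedClaims {
        iss: "https://idp.example".to_string(),
        sub: "user123".to_string(),
        scope: vec!["streams:read".to_string(), "admin".to_string()],
    };
    println!("{:?}", mapper.map(&claims));
}
```

The issuer ceiling is the piece that answers the "too permissive" worry: an administrator decides per IdP what the most any of its tokens can do, and the token's own scope can only narrow that further. The revocation-list and JWKS-cache questions are left alone here, since they depend on the clustering design rather than on the mapping.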
