Tyooughtul commented on PR #2656: URL: https://github.com/apache/iggy/pull/2656#issuecomment-4016827506
@spetz Thanks for your comment and review, it helps me a lot 😊! I've got the A2A JWT authentication working end-to-end for HTTP with integration test coverage; external IdPs can now authenticate users via JWKS endpoints. That said, I'm running into a few architectural rough edges that I'd rather hash out with you before polishing this further.

The immediate concern is identity mapping: I'm currently using the external JWT's 'sub' claim directly as the Iggy user_id, which feels like we're begging for namespace collisions between external issuers and our internal IDs. Should I add a claims mapping layer to transform something like "oidc|user123" into a proper local user_id? Related to that, the permission model currently grants A2A tokens full user privileges, which might be too permissive if these tokens leak 🤔

Looking ahead to the VSR clustering work, I took another look at the doc and realized the shared-nothing architecture is actually a core philosophy. So the local-only JWKS cache and revocation lists might actually be fine with short TTLs rather than trying to synchronize state across nodes. That leaves me wondering: should each node just fetch JWKS independently, or is there a better approach?

There's also the protocol scope to consider: JWT authentication currently only works for HTTP, so should I plan to extend this to TCP, QUIC, and WebSocket as well, or is HTTP-only the intended scope for now? Would love your guidance on these points!

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
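The two concerns raised in the comment above, keying local identity on the bare `sub` claim and handing A2A tokens the user's full privilege set, can be illustrated with a small claims-mapping layer. The following is an added example written for this page; it is not code from the Iggy PR or from the project, and the types `UserId`, `Claims`, `Permission`, the `EXTERNAL_ID_BASE` constant and the `iggy:*` scope names are all assumptions made for illustration. JWT signature verification against JWKS is treated as already done before these claims arrive.

```rust
use std::collections::{HashMap, HashSet};

/// Local user id. Assumed to be `u32` for this example; Iggy's real type is not used here.
pub type UserId = u32;

/// External users get ids from this base upward, so their range can never overlap
/// ids handed out to internally created users (assumed to live below it).
pub const EXTERNAL_ID_BASE: UserId = 1 << 30;

/// Identity asserted by an external IdP, keyed on (iss, sub). `sub` is only unique
/// within one issuer, so two IdPs can both legitimately assert `sub = "user123"`.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ExternalIdentity {
    pub issuer: String,
    pub subject: String,
}

/// Claims taken from an already signature-verified JWT. `scope` is assumed to have
/// been split from the usual space-separated string before reaching this layer.
#[derive(Clone, Debug)]
pub struct Claims {
    pub iss: String,
    pub sub: String,
    pub scope: Vec<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum MapError {
    /// Issuer is not on the configured allow-list of trusted IdPs.
    UntrustedIssuer(String),
    ExhaustedIdSpace,
}

/// Claims-mapping layer: external (iss, sub) -> local user id.
pub struct IdentityMapper {
    trusted_issuers: HashSet<String>,
    next_external_id: UserId,
    mapping: HashMap<ExternalIdentity, UserId>,
}

impl IdentityMapper {
    pub fn new(trusted_issuers: &[&str]) -> Self {
        Self {
            trusted_issuers: trusted_issuers.iter().map(|s| s.to_string()).collect(),
            next_external_id: EXTERNAL_ID_BASE,
            mapping: HashMap::new(),
        }
    }

    /// Resolve the local id for a token. The issuer must be trusted; the first sighting
    /// of an (iss, sub) pair allocates a fresh id, later sightings return the same id,
    /// and the raw `sub` string is never reused as an id.
    pub fn map(&mut self, claims: &Claims) -> Result<UserId, MapError> {
        if !self.trusted_issuers.contains(&claims.iss) {
            return Err(MapError::UntrustedIssuer(claims.iss.clone()));
        }
        let key = ExternalIdentity { issuer: claims.iss.clone(), subject: claims.sub.clone() };
        if let Some(&id) = self.mapping.get(&key) {
            return Ok(id);
        }
        let id = self.next_external_id;
        self.next_external_id = id.checked_add(1).ok_or(MapError::ExhaustedIdSpace)?;
        self.mapping.insert(key, id);
        Ok(id)
    }

    /// Display form in the "issuer|sub" shape mentioned in the thread.
    pub fn local_name(identity: &ExternalIdentity) -> String {
        format!("{}|{}", identity.issuer, identity.subject)
    }
}

/// Coarse permission set, assumed for this example (not Iggy's real permission model).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Permission {
    ReadStreams,
    SendMessages,
    PollMessages,
    ManageUsers,
}

impl Permission {
    /// Scope names are assumed; unknown scopes grant nothing rather than erroring.
    pub fn from_scope(scope: &str) -> Option<Permission> {
        match scope {
            "iggy:read" => Some(Permission::ReadStreams),
            "iggy:send" => Some(Permission::SendMessages),
            "iggy:poll" => Some(Permission::PollMessages),
            "iggy:admin" => Some(Permission::ManageUsers),
            _ => None,
        }
    }
}

/// Effective permissions of an A2A token: the intersection of what the token's `scope`
/// asks for and what the mapped user actually holds. A leaked token is then bounded
/// by its declared scope instead of inheriting the user's full privilege set.
pub fn effective_permissions(user_perms: &HashSet<Permission>, claims: &Claims) -> HashSet<Permission> {
    claims
        .scope
        .iter()
        .filter_map(|s| Permission::from_scope(s))
        .filter(|p| user_perms.contains(p))
        .collect()
}

fn main() {
    let mut mapper = IdentityMapper::new(&["https://idp-a.example", "https://idp-b.example"]);
    // Constructed claims: both IdPs assert sub = "42", which is also a plausible internal id.
    let a = Claims { iss: "https://idp-a.example".into(), sub: "42".into(), scope: vec!["iggy:read".into(), "iggy:send".into()] };
    let b = Claims { iss: "https://idp-b.example".into(), sub: "42".into(), scope: vec![] };
    let id_a = mapper.map(&a).unwrap();
    let id_b = mapper.map(&b).unwrap();
    println!("idp-a sub 42 -> {}, idp-b sub 42 -> {}", id_a, id_b);
    let user_perms: HashSet<Permission> =
        [Permission::ReadStreams, Permission::PollMessages, Permission::ManageUsers].iter().copied().collect();
    println!("effective permissions for token a: {:?}", effective_permissions(&user_perms, &a));
}
```

The mapping table here is in-memory only; with a shared-nothing cluster each node would need to derive the same local id deterministically (for instance by hashing the (iss, sub) pair into the external range) or persist the table, otherwise the same external user would get different ids on different nodes.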
