adutra commented on code in PR #1397:
URL: https://github.com/apache/polaris/pull/1397#discussion_r2060304846
##########
quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/internal/InternalAuthenticationMechanism.java:
##########
@@ -56,9 +84,34 @@ public Uni<SecurityIdentity> authenticate(
}
String credential = authHeader.substring(spaceIdx + 1);
+
+ DecodedToken token;
+ try {
+ token = decodeToken(credential);
+ } catch (Exception e) {
+ return configuration.type() == AuthenticationType.MIXED
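Review bot: the `catch (Exception e)` around `decodeToken(credential)` is broader than the failure it is meant to absorb. Only a credential that is not a token of this mechanism should fall through to the `configuration.type() == AuthenticationType.MIXED` decision; with a catch-all, a NullPointerException or any other bug inside `decodeToken` is silently reclassified as "not our token" instead of surfacing as an error. Catch the decoder's own exception type (for Auth0 java-jwt that is `JWTDecodeException`, or `JWTVerificationException` if the decode also verifies) and let everything else propagate, and log the caught cause at debug level so a misconfigured realm can be diagnosed. Minor: `authHeader.substring(spaceIdx + 1)` yields an empty string when the header ends in the separator; that is only harmless because decoding the empty string will fail, so an explicit empty check before decoding would make the intent clearer.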
Review Comment:
Well, the issue is that "parse" and "validate" are basically tied together.
Auth0 has two methods: `JWT.decode` and `JWT.require`: the former decodes
without validating the signature, the latter decodes and validates.
Currently, `JWTBroker.verify()` uses `JWT.require`. We _could_ introduce a
new method in `TokenBroker`, e.g. `parse()` or `decode()`, and call
`JWT.decode` there. But I don't know if it's worth the hassle: I bet that
decoding the token is just slightly faster than decoding and verifying.
BTW that's why I introduced the `MIXED` authentication type: so that the
extra penalty of decoding the token twice is only paid by realms that opt for
that authentication type.
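To make the decode-versus-verify distinction from the comment above concrete, here is an added example (not Polaris code and not part of the PR) written against Auth0 java-jwt 4.x. `JWT.decode` reads the header and payload without checking the signature, so a token signed with an attacker's key still "decodes" to whatever subject the attacker chose; `JWT.require(...).build().verify(...)` decodes and verifies, and is the only result that may be used for authentication. The `authenticateMixed` method shows the one legitimate use of the unverified decode: picking a verifier based on an unverified claim and then verifying. `ISSUER`, the two secrets, the subjects and all method names are assumptions made for this demo.

```java
// Added example, not Polaris or Auth0 project code. Assumes java-jwt 4.x and Java 11+.
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.util.Date;
import java.util.Optional;

public final class DecodeVersusVerify {

  // Hypothetical issuer and keys, constructed for the demo only.
  static final String ISSUER = "https://polaris.example/internal";
  static final Algorithm SIGNING_ALG = Algorithm.HMAC256("constructed-demo-secret-do-not-use");
  static final Algorithm FORGER_ALG = Algorithm.HMAC256("attacker-controlled-key");

  /** Cheap, unauthenticated peek: JWT.decode parses the token but never checks the signature. */
  static Optional<DecodedJWT> peekUnverified(String credential) {
    try {
      return Optional.of(JWT.decode(credential));
    } catch (JWTDecodeException e) {
      // Not a JWT at all (wrong segment count, bad base64url, bad JSON). Nothing else is caught:
      // any other exception is a bug and should propagate rather than be misread as "not our token".
      return Optional.empty();
    }
  }

  /** Full verification: signature, issuer and expiry. Only this result may be trusted. */
  static Optional<DecodedJWT> verify(String credential) {
    JWTVerifier verifier = JWT.require(SIGNING_ALG).withIssuer(ISSUER).build();
    try {
      return Optional.of(verifier.verify(credential));
    } catch (JWTVerificationException e) {
      // JWTDecodeException, SignatureVerificationException, TokenExpiredException and the
      // claim-mismatch exceptions all extend JWTVerificationException.
      return Optional.empty();
    }
  }

  /**
   * MIXED-style routing: the unverified peek is used only to choose a verifier, never to
   * authenticate. A forged "iss" merely routes the token to a verifier that then rejects it.
   */
  static Optional<DecodedJWT> authenticateMixed(String credential) {
    Optional<DecodedJWT> peek = peekUnverified(credential);
    if (peek.isEmpty()) {
      // Not a JWT: this is the point at which a mixed deployment would hand off to its
      // other authentication mechanism. The demo simply rejects.
      return Optional.empty();
    }
    if (ISSUER.equals(peek.get().getIssuer())) {
      return verify(credential); // internal issuer: verify with the internal key
    }
    return Optional.empty(); // external issuer: not handled by this example
  }

  public static void main(String[] args) {
    Date exp = new Date(System.currentTimeMillis() + 60_000);
    // Constructed inputs: one token from the real key, one forged with a different key.
    String genuine = JWT.create().withIssuer(ISSUER).withSubject("alice").withExpiresAt(exp).sign(SIGNING_ALG);
    String forged = JWT.create().withIssuer(ISSUER).withSubject("root").withExpiresAt(exp).sign(FORGER_ALG);

    for (String credential : new String[] {genuine, forged, "not-a-jwt"}) {
      String peeked = peekUnverified(credential).map(DecodedJWT::getSubject).orElse("<undecodable>");
      String verified = authenticateMixed(credential).map(DecodedJWT::getSubject).orElse("<rejected>");
      System.out.printf("peek=%-14s verify=%s%n", peeked, verified);
    }
  }
}
```

The forged token decodes cleanly and reports the attacker's chosen subject from `peekUnverified`, while `verify` rejects it on the signature check; the garbage string fails both. That is why a `parse()`/`decode()` method on a token broker, if one were introduced, would need a name and a documented contract that make clear its output is untrusted and suitable only for routing decisions such as the MIXED dispatch.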