pacj4: add UserProfile attributes to AuthenticationResult context

[jakubmatyszewski]

Description

I'm adding OIDC context to the AuthenticationResult returned by pac4j extension. I wanted to use this context as input in OpenPolicyAgent authorization. Since AuthenticationResult already accepts context as a parameter it felt okay to pass the profile attributes there.

Release note

pac4j: Add OIDC context to the authentication result

---

Key changed/added classes in this PR

• org.apache.druid.security.pac4j.Pac4jFilter.doFilter()

---

This PR has:

• been self-reviewed.
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[abhishekagarwal87]

Can you describe the authorization flow that uses these attributes?
There are also compilation failures in your code.

[jakubmatyszewski]

Can you describe the authorization flow that uses these attributes? There are also compilation failures in your code.

Sorry, I was still working on this change for druid 28.0.1, code should compile now.
I've seen that @van-vothanh did it similarly here. I wanted to achieve something similar so I can use this context in authorizer (again similarly to @van-vothanh code), but I'm trying to adjust the druid-opa-authorizer to my needs.

[van-vothanh]

+1 to storing all attributes in the authentication context, and thanks @jakubmatyszewski for the tag!

For our use case, we rely on some of the claims (such as group, role etc.) to perform fine grain access control on different types of resources. At the moment, the pac4j oidc extension only supports binary yes/no decision, which might work for basic scenarios but definitely not adequate for more advanced use cases.

[abhishekagarwal87]

can you use UserProfile interface that the iterator is returning?

[jakubmatyszewski]

I'm not certain, I don't know java, but I think it's useful in here - since we use OIDC config here, the UserProfiles should always be complient with OidcProfile anyway. And later OidcProfile is more convenient to pass the context - UserProfile doesn't have explicit function to return all attributes at once, which is the goal here.

I'm eager to learn if what I've wrote is not correct, let me know.

[abhishekagarwal87]

profiles.iterator().next() is returning UserProfile which is an interface. I was thinking that you use that but it doesn't have getAttributes method. But now I am wondering why not pass the whole profile itself.

AuthenticationResult authenticationResult = new AuthenticationResult(profile.getId(), authorizerName, name, ImmutableMap.of("profile", profile))

[abhishekagarwal87]

let's do the above and cast the result of .perform to UserProfile.

[jakubmatyszewski]

Hm, okay. That sounds reasonable.

Need to think about possible security implications of this change

[abhishekagarwal87]

can you please add a unit test to verify that the profile is populated in the context?

[jakubmatyszewski]

can you please add a unit test to verify that the profile is populated in the context?

Um, I've added a test, but I'm not sure if it's any good. Let me know if that's ok, or I should seek guidance on this.

[abhishekagarwal87]

I guess it's not possible to add one. It's best to remove the one you added as that one doesn't look useful.