Principal data serialization #53

Open
langecode opened this issue Jun 6, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@langecode

We were looking at replacing some custom authorization policies with OPA policies. The authorizations that are being replaced are based on OAuth 2.0-based authentication, and thus the principal is derived from KafkaPrincipal, i.e., a subclass. The OAuth principal carries information on the claims from the OAuth JWT which may be used for authorization in the Rego policies.

However, currently the authorizer explicitly converts the principal to a KafkaPrincipal before serializing it to JSON and sending the request to OPA. This way we lose all the extra information from the JWT.

Would it be possible to change the principal serialization to support a more generic serialization that supports KafkaPrincipal subclasses?

@anderseknert
Member

Hi Thor! Yeah, that seems like a valid request. I wonder what the best approach would be for achieving that 🤔 I guess we could defer to a different serializer based on the principal type. Did I understand correctly that yours was a custom one? Or is there one for OAuth included in Kafka? I couldn't find one from a cursory search.

@langecode
Author

langecode commented Jun 6, 2023

Well, there is some default support for OAuth in Kafka, however I do not think that default implementation actually comes with an OAuth principal by default. We are using an authentication plugin that comes with the Strimzi operator so the concrete principal is this: https://github.com/strimzi/strimzi-kafka-oauth/blob/main/oauth-server/src/main/java/io/strimzi/kafka/oauth/server/OAuthKafkaPrincipal.java

But yes, I also wonder what approach would make the most sense. It could also be a standard serializer picking up the standard Java properties.

Basically we would love to have access to the raw JWT, since the JWT functions in OPA are pretty good. I have just forked the OPA authorizer, so I was experimenting with some serialization.
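The two ideas in this thread (keep the plain KafkaPrincipal fields, but pick up whatever extra JavaBean-style properties a subclass declares so that the claims and raw JWT reach OPA) can be sketched as a Jackson serializer. The code below is an added illustration, not code from opa-kafka-plugin or Strimzi: `JwtKafkaPrincipal`, its `getRawToken()`/`getClaims()` accessors, the `class` output field and the sample token and claims are all assumptions made up for the example, and the real Strimzi `OAuthKafkaPrincipal` has its own accessors.

```java
// Added example, not opa-kafka-plugin or Strimzi code: a Jackson serializer that
// keeps the plain KafkaPrincipal fields and additionally exposes any JavaBean-style
// getters declared on a subclass, so claims and the raw token carried by an OAuth
// principal reach OPA instead of being dropped by the cast to KafkaPrincipal.
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

import java.io.IOException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class PrincipalSerializationExample {

    // Hypothetical stand-in for a subclass such as Strimzi's OAuthKafkaPrincipal.
    // The accessor names here are assumptions, not the real class's API.
    static final class JwtKafkaPrincipal extends KafkaPrincipal {
        private final String rawToken;
        private final Map<String, Object> claims;

        JwtKafkaPrincipal(String name, String rawToken, Map<String, Object> claims) {
            super(KafkaPrincipal.USER_TYPE, name);
            this.rawToken = rawToken;
            this.claims = claims;
        }

        public String getRawToken() { return rawToken; }
        public Map<String, Object> getClaims() { return claims; }
    }

    static final class PrincipalSerializer extends JsonSerializer<KafkaPrincipal> {
        @Override
        public void serialize(KafkaPrincipal p, JsonGenerator gen, SerializerProvider sp)
                throws IOException {
            gen.writeStartObject();
            // Always present, whatever the concrete class is.
            gen.writeStringField("principalType", p.getPrincipalType());
            gen.writeStringField("name", p.getName());
            gen.writeStringField("class", p.getClass().getName());
            // Anything the subclass adds on top of KafkaPrincipal.
            for (Map.Entry<String, Object> e : extraProperties(p).entrySet()) {
                gen.writeObjectField(e.getKey(), e.getValue());
            }
            gen.writeEndObject();
        }
    }

    // Collects public, non-static, zero-argument getXxx()/isXxx() methods declared
    // below KafkaPrincipal in the hierarchy (so getName/getPrincipalType/
    // tokenAuthenticated are not duplicated). A getter that throws is skipped
    // rather than failing the whole authorization request.
    static Map<String, Object> extraProperties(KafkaPrincipal p) {
        Map<String, Object> out = new TreeMap<>();
        for (Method m : p.getClass().getMethods()) {
            Class<?> owner = m.getDeclaringClass();
            if (owner == Object.class || owner == KafkaPrincipal.class) continue;
            if (m.getParameterCount() != 0 || Modifier.isStatic(m.getModifiers())) continue;
            String key = propertyName(m.getName(), m.getReturnType());
            if (key == null) continue;
            try {
                out.put(key, m.invoke(p));
            } catch (ReflectiveOperationException | RuntimeException ignored) {
                // Leave this property out; the request still goes to OPA.
            }
        }
        return out;
    }

    // "getRawToken" -> "rawToken", "isAdmin" (boolean) -> "admin", anything else -> null.
    private static String propertyName(String method, Class<?> returnType) {
        String rest;
        if (method.startsWith("get") && method.length() > 3) {
            rest = method.substring(3);
        } else if (method.startsWith("is") && method.length() > 2
                && (returnType == boolean.class || returnType == Boolean.class)) {
            rest = method.substring(2);
        } else {
            return null;
        }
        return Character.toLowerCase(rest.charAt(0)) + rest.substring(1);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper().registerModule(
                new SimpleModule().addSerializer(KafkaPrincipal.class, new PrincipalSerializer()));

        // Constructed sample input: a made-up token and claims, not a real credential.
        Map<String, Object> claims = new TreeMap<>();
        claims.put("sub", "service-account-orders");
        claims.put("groups", List.of("orders-writers"));
        KafkaPrincipal oauth = new JwtKafkaPrincipal("service-account-orders",
                "eyJhbGciOiJSUzI1NiJ9.e30.placeholder", claims);
        KafkaPrincipal plain = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "CN=plain-client");

        // The subclass comes out with rawToken and claims; the plain principal is unchanged.
        System.out.println(mapper.writeValueAsString(oauth));
        System.out.println(mapper.writeValueAsString(plain));
    }
}
```

Jackson resolves a serializer registered for `KafkaPrincipal` for its subclasses too, so the plain principal keeps its existing shape while a subclass gains its extra properties. Wherever the plugin places the serialized principal in the OPA input (the exact path is not shown in this thread), a policy can then run `io.jwt.decode_verify` on the raw token against the issuer's keys and decide on the verified claims rather than on the name alone. Two caveats for anyone trying this: the bearer token now leaves the broker, so the broker-to-OPA connection should be TLS and the token should be masked in OPA decision logs; and reflecting over arbitrary getters can pull in objects Jackson cannot serialize or that are far larger than the request needs, so a production version would allow-list the property names or dispatch on known principal types instead.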

@anderseknert
Member

Yeah, doing JWT validation in OPA, and policy decisions based on claims makes perfect sense.

@scholzj any idea about how to best go on about allowing this?

anderseknert added the enhancement label Jun 6, 2023
@scholzj
Collaborator

scholzj commented Jun 6, 2023

Yeah, it sounds like a good idea. But TBH, I have no idea what the best way is to implement it as a generic functionality which would work for any kind of principal implementation, as there can be more principal implementations than just the one from Strimzi OAuth.

@langecode
Author

langecode commented Jun 6, 2023 via email
