Improving custom JWT authentication #3681
Draft
MichaelWagner-blue-zone wants to merge 4 commits into
Merge missing improvements from origin
* optional JWKS URL support for JWT validation (jwksUrl)
* JWT role normalization during token validation
* related authorization updates to respect configured role claim types
* PostgreSQL session-context support for propagated claims
* a few smaller robustness fixes in the affected components
Author
@microsoft-github-policy-service agree
Contributor
Pull request overview
This PR updates Data API Builder’s authentication and authorization pipeline to improve JWT handling (configurable role-claim extraction/normalization and JWKS-based signing key resolution) and adds PostgreSQL session-context propagation for processed claims.
Changes:
- Adds configurable JWT role claim parsing/normalization (rolesPath, rolesSeparator) and updates authorization to respect configured role claim types.
- Introduces JWKS URL support for JWT validation and wires in signing-key retrieval during startup/hot-reload configuration.
- Adds PostgreSQL session-context propagation of processed claims via set_config(...).
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/Service/Startup.cs | Configures JWT bearer auth, role-claim behavior, and JWKS fetching during startup. |
| src/Service.Tests/Authentication/Helpers/WebHostBuilderHelper.cs | Updates test host JWT configuration to use configurable role claim type. |
| src/Core/Resolvers/PostgresQueryBuilder.cs | Fixes JSON aggregation typing by casting empty array literal to jsonb. |
| src/Core/Resolvers/PostgreSqlExecutor.cs | Adds PostgreSQL session-context propagation and refactors managed identity token handling. |
| src/Core/Resolvers/OboSqlTokenProvider.cs | Updates authorization-context hashing to respect configured role claim types. |
| src/Core/Authorization/AuthorizationResolver.cs | Updates claim resolution to use configured role claim type while preserving original roles. |
| src/Core/AuthenticationHelpers/JwtRoleClaimsTransformer.cs | Adds role-claim normalization (JSON array + separated string support). |
| src/Core/AuthenticationHelpers/JwtHttpClientFactory.cs | Adds a shared HTTP client factory (incl. optional self-signed cert handling) for JWKS retrieval. |
| src/Core/AuthenticationHelpers/ConfigureJwtBearerOptions.cs | Updates hot-reload JWT bearer configuration to use JWKS and role-claim normalization. |
| src/Core/AuthenticationHelpers/ClientRoleHeaderAuthenticationMiddleware.cs | Hardens principal assignment and maps Generic OAuth provider to JWT bearer scheme. |
| src/Config/ObjectModel/JwtOptions.cs | Expands JWT config model with rolesPath/rolesSeparator/jwksUrl and derived helpers. |
| src/Config/ObjectModel/DataSource.cs | Adds PostgreSqlOptions typed options support. |
| schemas/dab.draft.schema.json | Extends JSON schema to document the new JWT configuration fields. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Why make this change?
Improving custom JWT authentication.
What is this change?
rolesPath, rolesSeparator) jwksUrl)
How was this tested?
Sample Request(s)