Skip to content

SQL-86: OIDC Custom authentication claim#35237

Merged
SangJunBak merged 2 commits intoMaterializeInc:mainfrom
SangJunBak:jun/oidc-auth-claim
Mar 3, 2026
Merged

SQL-86: OIDC Custom authentication claim#35237
SangJunBak merged 2 commits intoMaterializeInc:mainfrom
SangJunBak:jun/oidc-auth-claim

Conversation

@SangJunBak
Copy link
Contributor

@SangJunBak SangJunBak commented Feb 26, 2026

Stacked on #35185. The first 2 commits belong to the aforementioned PR.

Motivation

Closes https://linear.app/materializeinc/issue/SQL-86/accept-authentication-claim-config-variablea

@SangJunBak SangJunBak requested a review from a team as a code owner February 26, 2026 22:17
@SangJunBak SangJunBak requested review from ohbadiah and teskje and removed request for ohbadiah February 26, 2026 22:17
@github-actions
Copy link

github-actions bot commented Feb 26, 2026

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@SangJunBak SangJunBak force-pushed the jun/oidc-auth-claim branch 7 times, most recently from f7bb1c1 to 4312ac7 Compare February 27, 2026 16:01
@SangJunBak
adapter: Add authentication claim system variable for OIDC
b07e033 
- Rather than default to email and sub, we add a system variable to decide which claim in the JWT we treat as the username. This follows the spec in the design doc
- Creates a test for requiring the authentication claim to be set
- Creates a test for switching the authentication claim and creating a different user based on the claim set
@SangJunBak SangJunBak force-pushed the jun/oidc-auth-claim branch from fba07b5 to b07e033 Compare March 3, 2026 14:58
teskje
teskje approved these changes Mar 3, 2026
View reviewed changes
Copy link
Contributor

@teskje teskje left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just some small comments.

src/authenticator/src/oidc.rs Outdated
/// Extract the username from the OIDC claims.
fn user(&self, authentication_claim: &str) -> Option<&str> {
match authentication_claim {
"sub" => Some(&self.sub),
Copy link
Contributor

@teskje teskje Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason for the special treatment of sub? Looks like this field is not used anywhere else, so can't we just handle it like all other authentication_claim values?

Copy link
Contributor Author

@SangJunBak SangJunBak Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point!

src/adapter-types/src/dyncfgs.rs Outdated
/// OIDC authentication claim to use as username
pub const OIDC_AUTHENTICATION_CLAIM: Config<Option<&'static str>> = Config::new(
"oidc_authentication_claim",
None,
Copy link
Contributor

@teskje teskje Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know if there is a reasonable default most users will choose? If so you could put that here to reduce the setup friction a bit.

Might also be that we want the friction to avoid users being surprised by the default, in which case ignore me!

Copy link
Contributor Author

@SangJunBak SangJunBak Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know if there is a reasonable default most users will choose

I think sub is a reasonable default since the claim will always be there, however most users will want to use their email. Potential issue is we auto-provision the user on login. So in case sub is a random uuid, they'll most likely need to drop that role and configure the claim. But we can always just strongly document this.

@SangJunBak
adapter: Make 'sub' a default value of authentication claim
dd72dbe 
- Makes the authentication claim optional but defaults to 'sub'
- Adds config variable to test suites
@SangJunBak SangJunBak requested a review from a team as a code owner March 3, 2026 16:36
@SangJunBak
Copy link
Contributor Author

SangJunBak commented Mar 3, 2026

TFTR!

@SangJunBak SangJunBak merged commit 66acdca into MaterializeInc:main Mar 3, 2026
126 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@teskje teskje teskje approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SangJunBak @teskje