
AuthService

AuthService is a Unity Catalog API service that UnityCatalogServer uses to handle /api/1.0/unity-control/auth endpoint and perform OAuth2 token exchange.

| Method | URL | Handler | Params |
|--------|-----|---------|--------|
| POST | /tokens | grantToken | OAuthTokenExchangeRequest |

Creating Instance

AuthService takes the following to be created:

Upon creation, AuthService creates the JwksOperations.

AuthService is created when:

Grant Token

HttpResponse grantToken(
  OAuthTokenExchangeRequest request)

grantToken prints out the following DEBUG message to the logs:

Got token: [request]
OAuthInvalidRequestException

grantToken asserts the following or reports an OAuthInvalidRequestException:

  1. grant_type must be specified as the urn:ietf:params:oauth:grant-type:token-exchange grant type
  2. requested_token_type must be specified as the urn:ietf:params:oauth:token-type:access_token token type
  3. subject_token_type must be specified
  4. actor_token_type must not be specified (as it is not supported yet)

grantToken decodes the given subject_token JSON Web Token (JWT) (from the OAuthTokenExchangeRequest).

No Verification of Token's Signature

grantToken performs no verification of the token's signature at this step; decoding only reads the header and the claims. Nothing from the decoded token should be trusted until the signature check below succeeds (grantToken verifies it afterwards with the JWTVerifier obtained from JwksOperations).

grantToken finds the issuer of the subject_token token, if specified (using iss claim).

grantToken finds the key identifier (keyId) of the subject_token token, if specified (using the kid header parameter).

grantToken prints out the following DEBUG message to the logs:

Validating token for issuer: [issuer]

grantToken requests the JwksOperations for the verifier for the issuer and private claim.

grantToken uses the JWTVerifier to verify the decoded subject_token JSON Web Token.

grantToken prints out the following DEBUG message to the logs:

Validated. Creating access token.

grantToken requests the SecurityContext to create an access token for the decoded and verified subject_token JSON Web Token.

In the end, grantToken responds with the following:

| Property | Value |
|----------|-------|
| accessToken | The generated access token |
| issuedTokenType | urn:ietf:params:oauth:token-type:access_token |
| tokenType | Bearer |
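The whole exchange above, from the four request assertions through the unverified decode, the (issuer, kid) key lookup and the signature check, to the response shape, as an added worked model. It is illustration code written for this page, not Unity Catalog's own AuthService, JwksOperations or SecurityContext: the key set, issuer, kid, subject and secret are constructed, and HS256 is used so the example runs on the standard library alone (the real service resolves asymmetric public keys through JWKS). The function names grant_token, decode_unverified, verify_hs256, make_token and outcome are assumptions of this example. The tampered token shows why the unverified decode is only good for picking the verifier: it still reads "mallory" as the subject, but grant_token rejects it.

```python
"""Worked model of the grantToken flow (added example, not Unity Catalog code).

HS256 with a constructed key set stands in for the JWKS-backed JWTVerifier.
"""
import base64
import hashlib
import hmac
import json

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class OAuthInvalidRequestException(Exception):
    """Raised when one of the four request assertions fails."""


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str) -> tuple:
    """Decode step: read header and payload WITHOUT checking the signature.
    Only iss (payload) and kid (header) are taken from this step."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify step: recompute the HS256 tag and compare it in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def grant_token(request: dict, key_set: dict) -> dict:
    """Model of grantToken: assertions 1-4, decode, key lookup, verify, respond."""
    if request.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise OAuthInvalidRequestException("Unsupported grant type")
    if request.get("requested_token_type") != ACCESS_TOKEN_TYPE:
        raise OAuthInvalidRequestException("Unsupported requested token type")
    if not request.get("subject_token_type"):
        raise OAuthInvalidRequestException("Subject token type is required")
    if request.get("actor_token_type"):
        raise OAuthInvalidRequestException("Actor tokens are not supported")

    subject_token = request["subject_token"]
    header, payload = decode_unverified(subject_token)
    issuer, key_id = payload.get("iss"), header.get("kid")
    # Stand-in for JwksOperations: the verifier key is selected by (issuer, kid).
    key = key_set.get((issuer, key_id))
    if key is None:
        raise ValueError(f"no verifier for issuer {issuer!r} kid {key_id!r}")
    verified = verify_hs256(subject_token, key)
    # Stand-in for SecurityContext.createAccessToken: bind the new token to the
    # subject taken from the VERIFIED claims, never from the unverified decode.
    access_token = _b64url_encode(json.dumps({"sub": verified["sub"], "iss": "unitycatalog"}).encode())
    return {"accessToken": access_token, "issuedTokenType": ACCESS_TOKEN_TYPE, "tokenType": "Bearer"}


def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Build a constructed HS256 subject token for the demo."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def outcome(request: dict, key_set: dict) -> str:
    """Return 'ok' or the name of the exception grant_token raised."""
    try:
        grant_token(request, key_set)
        return "ok"
    except (OAuthInvalidRequestException, ValueError) as exc:
        return type(exc).__name__


# Constructed key set, subject token and request (placeholder values, not real ones).
ISSUER = "https://idp.example"
KEY_SET = {(ISSUER, "key-1"): b"constructed-secret"}
SUBJECT_TOKEN = make_token({"alg": "HS256", "kid": "key-1"}, {"iss": ISSUER, "sub": "alice"}, KEY_SET[(ISSUER, "key-1")])
REQUEST = {
    "grant_type": TOKEN_EXCHANGE_GRANT,
    "requested_token_type": ACCESS_TOKEN_TYPE,
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "subject_token": SUBJECT_TOKEN,
}
# Same header and signature, payload swapped: decodes fine, fails verification.
_h, _p, _s = SUBJECT_TOKEN.split(".")
TAMPERED_TOKEN = f"{_h}.{_b64url_encode(json.dumps({'iss': ISSUER, 'sub': 'mallory'}).encode())}.{_s}"

if __name__ == "__main__":
    print(grant_token(REQUEST, KEY_SET))
    print(outcome(dict(REQUEST, subject_token=TAMPERED_TOKEN), KEY_SET))
```

Running the module prints the Bearer response for the valid request and ValueError for the tampered one; the same signature-then-trust ordering is what the DEBUG lines "Validating token for issuer" and "Validated. Creating access token." bracket in the real service.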

Logging

Enable the ALL logging level for the io.unitycatalog.server.service.AuthService logger to see what happens inside.

Add the following line to etc/conf/server.log4j2.properties:

logger.AuthService.name = io.unitycatalog.server.service.AuthService
logger.AuthService.level = all

Refer to Logging.