@@ -62,6 +62,7 @@ http-server.authentication.oauth2.client-id: trino
6262http-server.authentication.oauth2.client-secret: ${ENV:TRINO_CLIENT_SECRET}
6363http-server.authentication.oauth2.issuer: https://${ENV:KEYCLOAK_ADDRESS}/realms/master
6464http-server.authentication.oauth2.scopes: openid
65+ http-server.authentication.oauth2.principal-field: preferred_username
6566```
6667
6768==== Druid
@@ -89,7 +90,7 @@ Does not support reading an OIDC discovery URL but requires:
8990We could opt to implement proper OIDC support using fab-oidc. This however needs maintenance work from us.
9091
9192```
92- {
93+ {
9394 'name': 'keycloak',
9495 'icon': 'fa-key',
9596 'token_key': 'access_token',
@@ -163,6 +164,24 @@ spec:
163164 # remove some from this list.
164165 scopes: [ openid, email, profile ]
165166
167+ # If a product extracts some sort of "effective user" that is
168+ # represented by a string internally, this config determines with
169+ # claim is used to extract that string. It is desirable to use
170+ # `sub` in here (or some other stable identifier), but in many
171+ # cases you might need to use `preferred_username` (e.g. in case
172+ # of Keycloak) or a different claim instead.
173+ #
174+ # Please note that some products hard-coded the claim in their
175+ # implementation, so some product operators might error out if
176+ # the product hardcodes a different claim than configured here.
177+ #
178+ # We don't provide any default value, as there is no correct way
179+ # of doing it that works in all setups. Most demos will probably
180+ # use `preferred_username`, although `sub` being more desirable,
181+ # but technically impossible with the current behavior of the
182+ # products.
183+ principalClaim: preferred_username
184+
166185 # Optional provider hint. If unspecified, the product will not
167186 # enable any known quirks and will assume OIDC works as it is
168187 # intended to work.
0 commit comments