From c67a543802c0c5240e3e7acb3d54afa8efb95035 Mon Sep 17 00:00:00 2001 From: Marko Strukelj Date: Wed, 15 Dec 2021 11:13:48 +0100 Subject: [PATCH] Improve README.md text Signed-off-by: Marko Strukelj --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 550f0f18..2bc10e3b 100644 --- a/README.md +++ b/README.md @@ -454,12 +454,12 @@ For example: See [JsonPathFilterQuery JavaDoc](oauth-common/src/main/java/io/strimzi/kafka/oauth/jsonpath/JsonPathFilterQuery.java) for more information about the syntax. -###### Groups extraction +###### Group extraction -When using custom authorization (by installing a custom authorizer via) you may want to take user's group membership into account when making the authorization decisions. -One way is to obtain and inspect a parsed JWT token via `io.strimzi.kafka.oauth.server.OAuthKafkaPrincipal` object available via `AuthorizableRequestContext` passed to your `authorize()` method. +When using custom authorization (by installing a custom authorizer) you may want to take user's group membership into account when making the authorization decisions. +One way is to obtain and inspect a parsed JWT token from `io.strimzi.kafka.oauth.server.OAuthKafkaPrincipal` object available through `AuthorizableRequestContext` passed to your `authorize()` method. Another way is to configure group extraction at authentication time, and get groups as a list of principals from `OAuthKafkaPrincipal` object. -There are two configuration parameters for configuring groups extraction: +There are two configuration parameters for configuring group extraction: - `oauth.groups.claim` (e.g.: `$.roles.client-roles.kafka`) - `oauth.groups.claim.delimiter` (a delimiter to parse the value of the groups claim when it's a single delimited string. E.g.: `,` - that's the default value) 
@@ -467,7 +467,7 @@ There are two configuration parameters for configuring groups extraction: Use `oauth.groups.claim` to specify a JSONPath query pointing to the claim containing an array of strings, or a delimited single string. Use `oauth.groups.claim.delimiter` to specify a delimiter to use for parsing groups when they are specified as a delimited string. -By default, no group extraction is performed. When you configure `oauth.groups.claim` the groups extraction is enabled and occurs during authentication. +By default, no group extraction is performed. When you configure `oauth.groups.claim` the group extraction is enabled and occurs during authentication. The extracted groups are stored into `OAuthKafkaPrincipal` object. Here is an example how you can extract them in your custom authorizer: ``` public List authorize(AuthorizableRequestContext requestContext, List actions) {
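Review bot: In the first hunk (@@ -454,12 +454,12 @@), renaming the heading from "Groups extraction" to "Group extraction" changes the anchor that Markdown renderers derive from the heading text, and the diffstat shows only these five lines of README.md touched, so any table-of-contents entry or cross-reference that pointed at the old heading needs updating in the same commit. The rewritten sentences in this hunk also still drop articles; suggest "take the user's group membership into account when making authorization decisions" and "from the `io.strimzi.kafka.oauth.server.OAuthKafkaPrincipal` object available through the `AuthorizableRequestContext`".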
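Review bot: In the second hunk (@@ -467,7 +467,7 @@), the changed sentence reads better with no article and a comma after the condition: "When you configure `oauth.groups.claim`, group extraction is enabled and occurs during authentication." Since this commit is a wording pass, the two unchanged sentences that follow it deserve the same treatment: "stored in the `OAuthKafkaPrincipal` object" rather than "stored into `OAuthKafkaPrincipal` object", and "Here is an example of how you can extract them" rather than "an example how".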