feat: Lightweight SA token validation for OIDC auth — TokenReview only, no RBAC queries

aniketpalu · aniketpalu · commit bcd3bd349357 · 2026-03-23T21:02:51.000+05:30
Replace KubernetesTokenParser delegation with a lightweight
_validate_k8s_sa_token_and_extract_namespace() method in OidcTokenParser.
Validates SA tokens via TokenReview API and extracts namespace from the
authenticated identity. No RoleBinding/ClusterRoleBinding queries needed,
so the server SA only requires tokenreviews/create permission.

Also updates OIDC auth documentation with token priority, verify_ssl,
groups claim, and multi-token support sections.

Made-with: Cursor
Signed-off-by: Aniket Paluskar &lt;apaluska@redhat.com&gt;
diff --git a/docs/getting-started/components/authz_manager.md b/docs/getting-started/components/authz_manager.md
@@ -40,52 +40,87 @@ auth:
 With OIDC authorization, the Feast client proxies retrieve the JWT token from an OIDC server (or [Identity Provider](https://openid.net/developers/how-connect-works/))
 and append it in every request to a Feast server, using an [Authorization Bearer Token](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#bearer).
 
-The server, in turn, uses the same OIDC server to validate the token and extract the user roles from the token itself.
+The server, in turn, uses the same OIDC server to validate the token and extract user details — including username, roles, and groups — from the token itself.
 
 Some assumptions are made in the OIDC server configuration:
 * The OIDC token refers to a client with roles matching the RBAC roles of the configured `Permission`s (*)
-* The roles are exposed in the access token that is passed to the server
+* The roles are exposed in the access token under `resource_access.<client_id>.roles`
 * The JWT token is expected to have a verified signature and not be expired. The Feast OIDC token parser logic validates for `verify_signature` and `verify_exp` so make sure that the given OIDC provider is configured to meet these requirements.
-* The preferred_username should be part of the JWT token claim.
-
+* The `preferred_username` should be part of the JWT token claim.
+* For `GroupBasedPolicy` support, the `groups` claim should be present in the access token (requires a "Group Membership" protocol mapper in Keycloak).
 
 (*) Please note that **the role match is case-sensitive**, e.g. the name of the role in the OIDC server and in the `Permission` configuration
 must be exactly the same.
 
-For example, the access token for a client `app` of a user with `reader` role should have the following `resource_access` section:
+For example, the access token for a client `app` of a user with `reader` role and membership in the `data-team` group should have the following claims:
 ```json
 {
+  "preferred_username": "alice",
   "resource_access": {
     "app": {
       "roles": [
         "reader"
       ]
     }
-  }
+  },
+  "groups": [
+    "data-team"
+  ]
 }
 ```
 
-An example of feast OIDC authorization configuration on the server side is the following: 
+#### Server-Side Configuration
+
+The server requires `auth_discovery_url` and `client_id` to validate incoming JWT tokens via JWKS:
 ```yaml
 project: my-project
 auth:
   type: oidc
-  client_id: _CLIENT_ID__
+  client_id: _CLIENT_ID_
   auth_discovery_url: _OIDC_SERVER_URL_/realms/master/.well-known/openid-configuration
 ...
 ```
 
-In case of client configuration, the following settings username, password and client_secret must be added to specify the current user:
+When the OIDC provider uses a self-signed or untrusted TLS certificate (e.g. internal Keycloak on OpenShift), set `verify_ssl` to `false` to disable certificate verification:
+```yaml
+auth:
+  type: oidc
+  client_id: _CLIENT_ID_
+  auth_discovery_url: https://keycloak.internal/realms/master/.well-known/openid-configuration
+  verify_ssl: false
+```
+
+{% hint style="warning" %}
+Setting `verify_ssl: false` disables TLS certificate verification for all OIDC provider communication (discovery, JWKS, token endpoint). Only use this in development or internal environments where you accept the security risk.
+{% endhint %}
+
+#### Client-Side Configuration
+
+The client supports multiple token source modes. The SDK resolves tokens in the following priority order:
+
+1. **Intra-communication token** — internal server-to-server calls (via `INTRA_COMMUNICATION_BASE64` env var)
+2. **`token`** — a static JWT string provided directly in the configuration
+3. **`token_env_var`** — the name of an environment variable containing the JWT
+4. **`client_secret`** — fetches a token from the OIDC provider using client credentials or ROPC flow (requires `auth_discovery_url` and `client_id`)
+5. **`FEAST_OIDC_TOKEN`** — default fallback environment variable
+6. **Kubernetes service account token** — read from `/var/run/secrets/kubernetes.io/serviceaccount/token` when running inside a pod
+
+**Token passthrough** (for use with external token providers like [kube-authkit](https://github.com/opendatahub-io/kube-authkit)):
+```yaml
+project: my-project
+auth:
+  type: oidc
+  token_env_var: FEAST_OIDC_TOKEN
+```
+
+Or with a bare `type: oidc` (no other fields) — the SDK falls back to the `FEAST_OIDC_TOKEN` environment variable or a mounted Kubernetes service account token:
 ```yaml
+project: my-project
 auth:
   type: oidc
-  ...
-  username: _USERNAME_
-  password: _PASSWORD_
-  client_secret: _CLIENT_SECRET__
 ```
 
-Below is an example of feast full OIDC client auth configuration:
+**Client credentials / ROPC flow** (existing behavior, unchanged):
 ```yaml
 project: my-project
 auth:
@@ -97,6 +132,12 @@ auth:
   auth_discovery_url: http://localhost:8080/realms/master/.well-known/openid-configuration
 ```
 
+When using client credentials or ROPC flows, the `verify_ssl` setting also applies to the discovery and token endpoint requests.
+
+#### Multi-Token Support (OIDC + Kubernetes Service Account)
+
+When the Feast server is configured with OIDC auth and deployed on Kubernetes, the `OidcTokenParser` can handle both Keycloak JWT tokens and Kubernetes service account tokens. Incoming tokens that contain a `kubernetes.io` claim are validated via the Kubernetes Token Access Review API and the namespace is extracted from the authenticated identity — no RBAC queries are performed, so the server service account only needs `tokenreviews/create` permission. All other tokens follow the standard OIDC/Keycloak JWKS validation path. This enables `NamespaceBasedPolicy` enforcement for service account tokens while using `GroupBasedPolicy` and `RoleBasedPolicy` for OIDC user tokens.
+
 ### Kubernetes RBAC Authorization
 With Kubernetes RBAC Authorization, the client uses the service account token as the authorizarion bearer token, and the
 server fetches the associated roles from the Kubernetes RBAC resources. Feast supports advanced authorization by extracting user groups and namespaces from Kubernetes tokens, enabling fine-grained access control beyond simple role matching. This is achieved by leveraging Kubernetes Token Access Review, which allows Feast to determine the groups and namespaces associated with a user or service account.
diff --git a/sdk/python/feast/permissions/auth/oidc_token_parser.py b/sdk/python/feast/permissions/auth/oidc_token_parser.py
@@ -11,6 +11,7 @@
 from starlette.authentication import (
     AuthenticationError,
 )
+from kubernetes import client, config
 
 from feast.permissions.auth.token_parser import TokenParser
 from feast.permissions.auth_model import OidcAuthConfig
@@ -25,21 +26,16 @@ class OidcTokenParser(TokenParser):
     A ``TokenParser`` to use an OIDC server to retrieve the user details.
     Server settings are retrieved from the ``auth`` configuration of the Feature store.
 
-    When running inside Kubernetes, an optional ``k8s_parser`` can be supplied.
     Incoming tokens that contain a ``kubernetes.io`` claim (i.e. Kubernetes
-    service-account tokens) are delegated to the K8s parser, while all other
-    tokens follow the standard OIDC/Keycloak JWKS validation path.
+    service-account tokens) are handled via a lightweight TokenReview that
+    extracts only the namespace — no RBAC queries needed.  All other tokens
+    follow the standard OIDC/Keycloak JWKS validation path.
     """
 
     _auth_config: OidcAuthConfig
 
-    def __init__(
-        self,
-        auth_config: OidcAuthConfig,
-        k8s_parser: Optional[TokenParser] = None,
-    ):
+    def __init__(self, auth_config: OidcAuthConfig):
         self._auth_config = auth_config
-        self._k8s_parser = k8s_parser
         self.oidc_discovery_service = OIDCDiscoveryService(
             self._auth_config.auth_discovery_url,
             verify_ssl=self._auth_config.verify_ssl,
@@ -147,11 +143,11 @@ async def user_details_from_access_token(self, access_token: str) -> User:
         if user:
             return user
 
-        if self._k8s_parser and self._is_kubernetes_token(access_token):
+        if self._is_kubernetes_token(access_token):
             logger.debug(
-                "Detected kubernetes.io claim — delegating to KubernetesTokenParser"
+                "Detected kubernetes.io claim — validating via TokenReview"
             )
-            return await self._k8s_parser.user_details_from_access_token(access_token)
+            return await self._validate_k8s_sa_token_and_extract_namespace(access_token)
 
         # Standard OIDC / Keycloak flow
         try:
@@ -182,6 +178,38 @@ async def user_details_from_access_token(self, access_token: str) -> User:
             logger.exception("Exception while parsing the token:")
             raise AuthenticationError("Invalid token.")
 
+    @staticmethod
+    async def _validate_k8s_sa_token_and_extract_namespace(access_token: str) -> User:
+        """Validate a K8s SA token via TokenReview and extract the namespace.
+
+        Lightweight alternative to full KubernetesTokenParser — only validates
+        the token and extracts the namespace from the authenticated identity.
+        No RBAC queries (RoleBindings, ClusterRoleBindings) are performed,
+        so the server SA needs only ``tokenreviews/create`` permission.
+        """
+        config.load_incluster_config()
+        auth_v1 = client.AuthenticationV1Api()
+
+        token_review = client.V1TokenReview(
+            spec=client.V1TokenReviewSpec(token=access_token)
+        )
+        response = auth_v1.create_token_review(token_review)
+
+        if not response.status.authenticated:
+            raise AuthenticationError(
+                f"Kubernetes token validation failed: {response.status.error}"
+            )
+
+        username = getattr(response.status.user, "username", "") or ""
+        namespaces = []
+        if username.startswith("system:serviceaccount:") and username.count(":") >= 3:
+            namespaces.append(username.split(":")[2])
+
+        logger.info(
+            f"SA token validated — user: {username}, namespaces: {namespaces}"
+        )
+        return User(username=username, roles=[], groups=[], namespaces=namespaces)
+
     def _get_intra_comm_user(self, access_token: str) -> Optional[User]:
         intra_communication_base64 = os.getenv("INTRA_COMMUNICATION_BASE64")
 
diff --git a/sdk/python/feast/permissions/server/utils.py b/sdk/python/feast/permissions/server/utils.py
@@ -121,21 +121,7 @@ def init_auth_manager(
             token_parser = KubernetesTokenParser()
         elif auth_type == AuthManagerType.OIDC:
             assert isinstance(auth_config, OidcAuthConfig)
-            k8s_parser = None
-            try:
-                from feast.permissions.auth.kubernetes_token_parser import (
-                    KubernetesTokenParser,
-                )
-
-                k8s_parser = KubernetesTokenParser()
-                logger.info(
-                    "K8s API available — SA token support enabled for OIDC auth"
-                )
-            except Exception as e:
-                logger.info(f"K8s API unavailable ({e}) — OIDC-only token parsing")
-            token_parser = OidcTokenParser(
-                auth_config=auth_config, k8s_parser=k8s_parser
-            )
+            token_parser = OidcTokenParser(auth_config=auth_config)
         else:
             raise ValueError(f"Unmanaged authorization manager type {auth_type}")
 
diff --git a/sdk/python/tests/unit/permissions/auth/server/mock_utils.py b/sdk/python/tests/unit/permissions/auth/server/mock_utils.py
@@ -32,14 +32,14 @@ async def mock_oath2(self, request):
     }
     monkeypatch.setattr(
         "feast.permissions.client.oidc_authentication_client_manager.requests.get",
-        lambda url: discovery_response,
+        lambda url, verify=True: discovery_response,
     )
     token_response = Mock(spec=Response)
     token_response.status_code = 200
     token_response.json.return_value = {"access_token": "my-token"}
     monkeypatch.setattr(
         "feast.permissions.client.oidc_authentication_client_manager.requests.post",
-        lambda url, data, headers: token_response,
+        lambda url, data, headers, verify=True: token_response,
     )
 
     monkeypatch.setattr(
diff --git a/sdk/python/tests/unit/permissions/auth/test_token_parser.py b/sdk/python/tests/unit/permissions/auth/test_token_parser.py
@@ -1,7 +1,7 @@
 import asyncio
 import os
 from unittest import mock
-from unittest.mock import AsyncMock, MagicMock, patch
+from unittest.mock import MagicMock, patch
 
 import assertpy
 import pytest
@@ -398,48 +398,48 @@ def test_k8s_inter_server_comm(
 # ---------------------------------------------------------------------------
 
 
-@patch(
-    "feast.permissions.auth.oidc_token_parser.OAuth2AuthorizationCodeBearer.__call__"
-)
-@patch("feast.permissions.auth.oidc_token_parser.PyJWKClient.get_signing_key_from_jwt")
 @patch("feast.permissions.auth.oidc_token_parser.jwt.decode")
 @patch("feast.permissions.oidc_service.OIDCDiscoveryService._fetch_discovery_data")
-def test_oidc_parser_routes_sa_token_to_k8s_parser(
-    mock_discovery_data, mock_jwt_decode, mock_signing_key, mock_oauth2, oidc_config
+def test_oidc_parser_handles_sa_token_via_token_review(
+    mock_discovery_data, mock_jwt_decode, oidc_config
 ):
-    """When a token contains kubernetes.io claim, it should be routed to the K8s parser."""
+    """When a token contains kubernetes.io claim, _handle_sa_token is called (not the OIDC JWKS path)."""
     mock_discovery_data.return_value = {
         "authorization_endpoint": "https://localhost:8080/auth",
         "token_endpoint": "https://localhost:8080/token",
         "jwks_uri": "https://localhost:8080/certs",
     }
 
+    mock_jwt_decode.return_value = {
+        "kubernetes.io": {"namespace": "feast"},
+        "sub": "system:serviceaccount:feast:feast",
+    }
+
     sa_user = User(
-        username="feast:feast",
+        username="system:serviceaccount:feast:feast",
         roles=[],
-        groups=["system:serviceaccounts:feast"],
+        groups=[],
         namespaces=["feast"],
     )
 
-    k8s_parser = MagicMock()
-    k8s_parser.user_details_from_access_token = AsyncMock(return_value=sa_user)
+    token_parser = OidcTokenParser(auth_config=oidc_config)
 
-    # jwt.decode is patched globally — the unverified decode inside the parser
-    # returns a payload with kubernetes.io claim
-    mock_jwt_decode.return_value = {
-        "kubernetes.io": {"namespace": "feast"},
-        "sub": "system:serviceaccount:feast:feast",
-    }
+    with patch.object(
+        token_parser,
+        "_validate_k8s_sa_token_and_extract_namespace",
+        return_value=sa_user,
+    ) as mock_handle:
+        user = asyncio.run(
+            token_parser.user_details_from_access_token(access_token="sa-token")
+        )
+        mock_handle.assert_called_once_with("sa-token")
 
-    token_parser = OidcTokenParser(auth_config=oidc_config, k8s_parser=k8s_parser)
-    user = asyncio.run(
-        token_parser.user_details_from_access_token(access_token="sa-token")
+    assertpy.assert_that(user.username).is_equal_to(
+        "system:serviceaccount:feast:feast"
     )
-
-    k8s_parser.user_details_from_access_token.assert_called_once_with("sa-token")
-    assertpy.assert_that(user.username).is_equal_to("feast:feast")
     assertpy.assert_that(user.namespaces).is_equal_to(["feast"])
-    mock_signing_key.assert_not_called()
+    assertpy.assert_that(user.roles).is_equal_to([])
+    assertpy.assert_that(user.groups).is_equal_to([])
 
 
 @patch(
@@ -469,14 +469,11 @@ def test_oidc_parser_routes_keycloak_token_normally(
     }
     mock_jwt_decode.return_value = keycloak_payload
 
-    k8s_parser = MagicMock()
-
-    token_parser = OidcTokenParser(auth_config=oidc_config, k8s_parser=k8s_parser)
+    token_parser = OidcTokenParser(auth_config=oidc_config)
     user = asyncio.run(
         token_parser.user_details_from_access_token(access_token="keycloak-jwt")
     )
 
-    k8s_parser.user_details_from_access_token.assert_not_called()
     assertpy.assert_that(user.username).is_equal_to("testuser")
     assertpy.assert_that(user.roles).is_equal_to(["reader"])
     assertpy.assert_that(user.groups).is_equal_to(["data-team"])

Original file line number	Diff line number	Diff line change
`@@ -32,14 +32,14 @@ async def mock_oath2(self, request):`
`32`	`32`	`}`
`33`	`33`	`monkeypatch.setattr(`
`34`	`34`	`"feast.permissions.client.oidc_authentication_client_manager.requests.get",`
`35`		`- lambda url: discovery_response,`
	`35`	`+ lambda url, verify=True: discovery_response,`
`36`	`36`	`)`
`37`	`37`	`token_response = Mock(spec=Response)`
`38`	`38`	`token_response.status_code = 200`
`39`	`39`	`token_response.json.return_value = {"access_token": "my-token"}`
`40`	`40`	`monkeypatch.setattr(`
`41`	`41`	`"feast.permissions.client.oidc_authentication_client_manager.requests.post",`
`42`		`- lambda url, data, headers: token_response,`
	`42`	`+ lambda url, data, headers, verify=True: token_response,`
`43`	`43`	`)`
`44`	`44`
`45`	`45`	`monkeypatch.setattr(`