Skip to content

feat: Extended OIDC support to extract groups & namespaces and token injection with multiple methods #6089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ntkathole merged 41 commits into from
Apr 7, 2026
Merged

feat: Extended OIDC support to extract groups & namespaces and token injection with multiple methods #6089

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
493a6b9
feat: Extract groups and namespaces claims from JWT in OidcTokenParser
aniketpalu Mar 10, 2026
3db6db3
Minor formatting
aniketpalu Mar 10, 2026
0d59eca
feat: Allow Feast SDK to accept a pre-existing OIDC token without con…
aniketpalu Mar 10, 2026
36a5b06
fix: Raise error when configured token_env_var is empty
aniketpalu Mar 10, 2026
a478a80
Minor formatting changes
aniketpalu Mar 10, 2026
1483c6c
Activate _check_mutually_exclusive groups only when all fields are se…
aniketpalu Mar 10, 2026
34474af
Narrow OIDC client routing to use set-based key detection and extract…
aniketpalu Mar 11, 2026
505d6de
Fix .sort() assertions in test_token_parser.py that always compared N…
aniketpalu Mar 11, 2026
5c79fcf
Guard against missing roles key in resource_access to prevent unhandl…
aniketpalu Mar 11, 2026
e0359db
Fixed lint errors
aniketpalu Mar 11, 2026
7453349
Fixed lint error
aniketpalu Mar 11, 2026
4b4c1dd
Fixed lint errors
aniketpalu Mar 11, 2026
1353482
Added support to read ServiceAccount token and Minor improvements
aniketpalu Mar 11, 2026
86c9d76
Improved code readibility
aniketpalu Mar 11, 2026
5621f07
Minor reformatting
aniketpalu Mar 11, 2026
b5db157
fix: Use exact dict-key lookup for kubernetes.io claim to satisfy Cod…
aniketpalu Mar 12, 2026
1331057
feat: Add verify_ssl support to OIDC auth flow for self-signed certif…
aniketpalu Mar 20, 2026
a875169
feat: Lightweight SA token validation for OIDC auth — TokenReview onl…
aniketpalu Mar 23, 2026
7e59a53
Minor reformatting & lint related changes
aniketpalu Mar 23, 2026
611607b
Update sdk/python/feast/permissions/auth/oidc_token_parser.py
aniketpalu Mar 23, 2026
3c1e36b
fix: Restore missing return in intra-comm check and add error handlin…
aniketpalu Mar 23, 2026
c2c4863
Minor reformatting
aniketpalu Mar 23, 2026
eed8b02
Checks preferred_username first (Keycloak default), then falls back t…
aniketpalu Mar 23, 2026
593b95d
feat(operator): Split server/client OIDC config and add secretKeyName…
aniketpalu Mar 24, 2026
a1c75de
Reverted kustomization.yaml
aniketpalu Mar 24, 2026
88a389b
fix: Harden OIDC token parsing and make client_id optional
aniketpalu Mar 25, 2026
f632686
cache K8s client, eliminate double JWT decode, improve error messages
aniketpalu Apr 1, 2026
45666da
Minor formatting
aniketpalu Apr 1, 2026
0a59ad2
feat(odh): wire OIDC_ISSUER_URL from params.env into operator pod
GowthamShanmugam Mar 31, 2026
3557a15
Add issuerUrl to OidcAuthz CRD and OIDC_ISSUER_URL env var support fo…
aniketpalu Apr 6, 2026
30a04c2
Add caCertConfigMap to OidcAuthz CRD and ca_cert_path to SDK for self…
aniketpalu Apr 6, 2026
a967bc6
Reverted kustomization.yaml to use upstream image
aniketpalu Apr 6, 2026
c1d7c11
Shorten CRD field descriptions to fit maxDescLen=120 and revert kusto…
aniketpalu Apr 6, 2026
8aae62a
fix: Remove unused param, nil deref in test, and update secrets baseline
aniketpalu Apr 7, 2026
cacd649
fix: Remove unused secretExtractionFunc from client config chain and …
aniketpalu Apr 7, 2026
9200dd3
Merge branch 'master' into oidc-support
aniketpalu Apr 7, 2026
141c871
Remove always-nil error from getClientRepoConfig and stop leaking ODH…
aniketpalu Apr 7, 2026
bd81904
Remove always-nil error from getClientRepoConfig, stop leaking ODH CA…
aniketpalu Apr 7, 2026
66c3677
Thread ODH CA bundle detection into resolveOidcCACertPath for proper …
aniketpalu Apr 7, 2026
bb6fb52
Provision TokenReview RBAC for OIDC auth and add SSL error logging in…
aniketpalu Apr 7, 2026
2f3e7b9
Merge upstream/master into oidc-support and regenerate secrets baseline
aniketpalu Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Minor formatting changes 
Signed-off-by: Aniket Paluskar <apaluska@redhat.com>
  • Loading branch information
@aniketpalu @ntkathole
aniketpalu authored and ntkathole committed Apr 6, 2026
commit a478a802c6556afb8e0f8fe359780ecf36ab2f7d
12 changes: 10 additions & 2 deletions sdk/python/feast/repo_config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -408,8 +408,16 @@ def auth_config(self):
if not self._auth:
if isinstance(self.auth, Dict):
is_oidc_client = self.auth.get("type") == AuthType.OIDC.value and (
("username" in self.auth and "password" in self.auth and "client_secret" in self.auth)
or ("client_secret" in self.auth and "username" not in self.auth and "password" not in self.auth)
(
"username" in self.auth
and "password" in self.auth
and "client_secret" in self.auth
)
or (
"client_secret" in self.auth
and "username" not in self.auth
and "password" not in self.auth
)
or ("token" in self.auth)
or ("token_env_var" in self.auth)
or ("auth_discovery_url" not in self.auth)
Comment thread
aniketpalu marked this conversation as resolved.
Outdated
Expand Down
48 changes: 33 additions & 15 deletions sdk/python/tests/unit/permissions/test_oidc_token_passthrough.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,14 +18,12 @@
)
from feast.repo_config import RepoConfig


# ---------------------------------------------------------------------------
# Config validation
# ---------------------------------------------------------------------------


class TestOidcClientAuthConfigValidation:

def test_bare_oidc_valid(self):
cfg = OidcClientAuthConfig(type="oidc")
assert cfg.token_env_var is None
Expand All @@ -49,7 +47,9 @@ def test_token_plus_custom_env_var_invalid(self):
)

def test_client_secret_without_discovery_url_invalid(self):
with pytest.raises(ValueError, match="Incomplete configuration for 'client_credentials'"):
with pytest.raises(
ValueError, match="Incomplete configuration for 'client_credentials'"
):
OidcClientAuthConfig(
type="oidc",
client_secret="my-secret",
Expand All @@ -76,7 +76,9 @@ def test_full_ropg_valid(self):
assert cfg.username == "user1"

def test_ropg_without_discovery_url_invalid(self):
with pytest.raises(ValueError, match="Incomplete configuration for 'client_credentials'"):
with pytest.raises(
ValueError, match="Incomplete configuration for 'client_credentials'"
):
OidcClientAuthConfig(
type="oidc",
username="user1",
Expand All @@ -85,7 +87,9 @@ def test_ropg_without_discovery_url_invalid(self):
)

def test_username_without_client_secret_invalid(self):
with pytest.raises(ValueError, match="Incomplete configuration for 'client_credentials'"):
with pytest.raises(
ValueError, match="Incomplete configuration for 'client_credentials'"
):
OidcClientAuthConfig(
type="oidc",
username="user1",
Expand All @@ -109,12 +113,13 @@ def test_token_plus_client_secret_invalid(self):


class TestOidcAuthClientManagerGetToken:

def _make_manager(self, **kwargs) -> OidcAuthClientManager:
cfg = OidcClientAuthConfig(type="oidc", **kwargs)
return OidcAuthClientManager(cfg)

@patch("feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService")
@patch(
"feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService"
)
def test_token_returned_directly(self, mock_discovery_cls):
mgr = self._make_manager(token="my-static-jwt")
assert mgr.get_token() == "my-static-jwt"
Expand All @@ -126,22 +131,28 @@ def test_no_token_source_raises(self):
mgr.get_token()

@patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "env-jwt-value"})
@patch("feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService")
@patch(
"feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService"
)
def test_explicit_feast_env_var(self, mock_discovery_cls):
mgr = self._make_manager(token_env_var="FEAST_OIDC_TOKEN")
assert mgr.get_token() == "env-jwt-value"
mock_discovery_cls.assert_not_called()

@patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "fallback-jwt"})
@patch("feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService")
@patch(
"feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService"
)
def test_bare_config_falls_back_to_well_known_env(self, mock_discovery_cls):
mgr = self._make_manager()
assert mgr.get_token() == "fallback-jwt"
mock_discovery_cls.assert_not_called()

@patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "should-not-win"}, clear=False)
@patch("feast.permissions.client.oidc_authentication_client_manager.requests")
@patch("feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService")
@patch(
"feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService"
)
def test_network_config_not_overridden_by_well_known_env(
self, mock_discovery_cls, mock_requests
):
Expand All @@ -162,15 +173,19 @@ def test_network_config_not_overridden_by_well_known_env(
assert mgr.get_token() == "idp-token"

@patch.dict(os.environ, {"CUSTOM_TOKEN_VAR": "custom-env-jwt"})
@patch("feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService")
@patch(
"feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService"
)
def test_custom_env_var_read(self, mock_discovery_cls):
mgr = self._make_manager(token_env_var="CUSTOM_TOKEN_VAR")
assert mgr.get_token() == "custom-env-jwt"
mock_discovery_cls.assert_not_called()

@patch.dict(os.environ, {}, clear=False)
@patch("feast.permissions.client.oidc_authentication_client_manager.requests")
@patch("feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService")
@patch(
"feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService"
)
def test_fallthrough_to_client_credentials(self, mock_discovery_cls, mock_requests):
os.environ.pop("FEAST_OIDC_TOKEN", None)

Expand All @@ -193,7 +208,9 @@ def test_fallthrough_to_client_credentials(self, mock_discovery_cls, mock_reques

@patch.dict(os.environ, {}, clear=False)
@patch("feast.permissions.client.oidc_authentication_client_manager.requests")
@patch("feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService")
@patch(
"feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService"
)
def test_ropg_flow(self, mock_discovery_cls, mock_requests):
os.environ.pop("FEAST_OIDC_TOKEN", None)

Expand All @@ -219,7 +236,9 @@ def test_ropg_flow(self, mock_discovery_cls, mock_requests):
assert call_args[1]["data"]["grant_type"] == "password"
assert call_args[1]["data"]["username"] == "user1"

@patch("feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService")
@patch(
"feast.permissions.client.oidc_authentication_client_manager.OIDCDiscoveryService"
)
def test_token_takes_priority_over_env_var(self, mock_discovery_cls):
with patch.dict(os.environ, {"FEAST_OIDC_TOKEN": "env-token"}):
mgr = self._make_manager(token="config-token")
Expand Down Expand Up @@ -247,7 +266,6 @@ def test_configured_env_var_missing_does_not_fall_through(self):


class TestOidcClientRouting:

def _make_repo_config(self, auth_dict: dict) -> RepoConfig:
return RepoConfig(
project="test_project",
Expand Down