How does Okera validate Databricks tokens passed to it?
To validate Databricks tokens passed to Okera, we have two options:
- Provide Okera with the public key from Databricks so that Okera can verify the token's signature itself. Okera then calls the group resolution hook, which does not need further authentication.
- Alternatively, you can build a REST endpoint that takes responsibility for verifying the token: the endpoint accepts the JWT and validates it. Okera then performs user-to-group mappings based on the pertinent configuration values.
Note: Only tokens whose "sub" value is a username will work. Tokens with email addresses as the subject will *NOT* work. Our platform drops everything after the @ symbol when resolving a user (subject) to its groups.
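The checks a token-verifying endpoint (the second option) would run before handing the subject to group resolution, as an added example that is not Okera's or Databricks' code. It assumes RS256-signed tokens that carry an "exp" claim; `validate_token`, `make_token` and the demo key are hypothetical names and constructed values.

```python
import base64, hashlib, json, time
# SHA-256 DigestInfo prefix for PKCS#1 v1.5 signatures (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encode_block(message, k):
    """k-byte EMSA-PKCS1-v1_5 block that an RS256 signature must decrypt to."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def validate_token(token, n, e, now=None):
    """Verify an RS256 JWT with public key (n, e); return the username in sub."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64d(head)), json.loads(b64d(body))
        s = int.from_bytes(b64d(sig), "big")
    except ValueError as err:
        raise ValueError("malformed token") from err
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":  # pin the algorithm; never accept "none"
        raise ValueError("unexpected alg")
    k, signed = (n.bit_length() + 7) // 8, f"{head}.{body}".encode()
    if s >= n or pow(s, e, n).to_bytes(k, "big") != encode_block(signed, k):
        raise ValueError("bad signature")
    exp = claims.get("exp")  # assumption: tokens carry an expiry claim
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    sub = claims.get("sub")  # per the note above, sub must be a username
    if not isinstance(sub, str) or not sub or "@" in sub:
        raise ValueError("sub must be a plain username, not an email address")
    return sub

# Constructed demo key from two Mersenne primes: for this example only, never
# for real use. A real deployment loads the provider's published public key.
N, E = (2**521 - 1) * (2**607 - 1), 65537
D = pow(E, -1, (2**521 - 2) * (2**607 - 2))

def make_token(claims):
    """Sign constructed claims with the demo key to produce sample input."""
    msg = ".".join(b64e(json.dumps(p).encode()) for p in ({"alg": "RS256"}, claims))
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(encode_block(msg.encode(), k), "big"), D, N)
    return msg + "." + b64e(sig.to_bytes(k, "big"))
```

Rejecting an email-style subject at this step surfaces the limitation as an explicit error instead of leaving it to group resolution.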
For more information, refer to the documentation here.