[WiP] Antalya 26.3: OAuth -- rework Entra ID workflow#1784

Draft
zvonand wants to merge 6 commits into antalya-26.3 from fix/antalya-26.3/oauth-fix-azure

Conversation

@zvonand zvonand commented May 12, 2026

Changelog category (leave one):

  • Backward Incompatible Change

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Added a new entra processor type which works with Entra through the OIDC flow -- the token is validated locally using the Entra JWKS. The old azure type will be an alias.
Users now need to specify tenant_id in the configuration.


@zvonand zvonand added port-antalya PRs to be ported to all new Antalya releases antalya-26.3 labels May 12, 2026
github-actions Bot commented May 12, 2026

Workflow [PR], commit [b755c73]

zvonand and others added 2 commits May 14, 2026 10:34
Resolved 3 OAuth-side conflicts:

- TokenProcessorsParse.cpp: kept the audit branch's per-endpoint
  require_allowed_url validation in the openid `locally_configured` path;
  adapted the entra preset to the same conventions -- require_allowed_url on
  configuration_endpoint, allow_http_discovery_urls support, LOG_WARNING when
  expected_issuer / expected_audience are empty, remote_host_filter passed
  through to OpenIdTokenProcessor.
- TokenAccessStorage.cpp: collapsed the auth loop into a single
  roles_mapping -> roles_filter -> roles_transform pipeline behind the audit
  branch's defensive `roles_filter->ok()` guard so a broken regex cannot fall
  through to the permissive grant-all branch.
- TokenProcessorsOpaque.cpp: took the audit branch's discovery hardening
  wholesale (URL allow-list, HTTPS-on-discovery-returned-URLs, issuer-anchor
  verification, jwks_uri required when expected_issuer/audience are set).

Rebuilt clean. Verified: test_token_roles_mapping 4/4, test_jwt_auth 6/6,
test_keycloak_auth 8/8.

PR: #1777

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
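The discovery hardening and the roles pipeline listed in the commit message above, as an added Python example (this is not the PR's own C++ code and not part of the ClickHouse code base). `entra_preset`, `validate_discovery`, `check_claims` and `resolve_roles` are illustrative names; the tenant id, discovery document, token claims and the `{claim: {claim value: role}}` shape of `roles_mapping` are constructed here; the issuer / well-known URL shapes are the public Entra v2.0 ones, but how the PR's preset derives them from `tenant_id` is an assumption; "issuer-anchor verification" is read here as "the jwks_uri host must be the issuer host". Signature verification against the fetched JWKS is assumed to happen before `check_claims` and is not implemented.

```python
import re
from urllib.parse import urlparse

# Constructed tenant id and discovery document (not real Entra data).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
GOOD_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
}


def entra_preset(tenant_id):
    """Derive an entra preset from tenant_id. Assumed shape: the v2.0 issuer,
    its well-known endpoint, and an allow-list limited to the Entra host."""
    issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return {
        "expected_issuer": issuer,
        "configuration_endpoint": f"{issuer}/.well-known/openid-configuration",
        "allowed_urls": ["https://login.microsoftonline.com/"],
    }


def validate_discovery(doc, cfg, allow_http_discovery_urls=False):
    """Return jwks_uri from a discovery document or raise ValueError.
    Checks: issuer matches, jwks_uri present when expected_issuer is set,
    https unless http discovery URLs are explicitly allowed, jwks_uri host
    anchored to the issuer host, and the URL allow-list."""
    if doc.get("issuer") != cfg["expected_issuer"]:
        raise ValueError("issuer mismatch")
    jwks_uri = doc.get("jwks_uri")
    if not jwks_uri:
        raise ValueError("jwks_uri required when expected_issuer is set")
    u = urlparse(jwks_uri)
    if u.scheme != "https" and not (allow_http_discovery_urls and u.scheme == "http"):
        raise ValueError("discovery-returned URL must be https")
    if u.hostname != urlparse(cfg["expected_issuer"]).hostname:
        raise ValueError("jwks_uri host is not the issuer host")
    if not any(jwks_uri.startswith(p) for p in cfg["allowed_urls"]):
        raise ValueError("jwks_uri is not in the allowed URL list")
    return jwks_uri


def check_claims(claims, cfg, tenant_id, expected_audience, now):
    """Issuer / audience / tenant / expiry checks on already-decoded claims.
    The signature must already have been verified against the JWKS."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == cfg["expected_issuer"]
            and expected_audience in auds
            and claims.get("tid") == tenant_id          # why tenant_id is required
            and claims.get("exp", 0) > now)


def resolve_roles(claims, roles_mapping, roles_filter, roles_transform=None):
    """roles_mapping -> roles_filter -> roles_transform. A regex that does not
    compile yields no roles (fail closed) instead of falling through to a
    grant-all branch. roles_mapping shape: {claim: {claim value: role}}."""
    try:
        pattern = re.compile(roles_filter) if roles_filter else None
    except re.error:
        return set()
    roles = set()
    for claim, mapping in roles_mapping.items():
        values = claims.get(claim, [])
        for v in (values if isinstance(values, list) else [values]):
            if v in mapping:
                roles.add(mapping[v])
    if pattern is not None:
        roles = {r for r in roles if pattern.fullmatch(r)}
    if roles_transform is not None:
        roles = {roles_transform(r) for r in roles}
    return roles


if __name__ == "__main__":
    cfg = entra_preset(TENANT_ID)
    print(validate_discovery(GOOD_DISCOVERY, cfg))
    claims = {"iss": cfg["expected_issuer"], "aud": "api://clickhouse",
              "tid": TENANT_ID, "exp": 2_000_000_000,
              "groups": ["g-analysts", "g-admins"]}
    print(check_claims(claims, cfg, TENANT_ID, "api://clickhouse", now=1_700_000_000))
    mapping = {"groups": {"g-analysts": "analyst", "g-admins": "admin"}}
    print(resolve_roles(claims, mapping, r"an.*", str.upper))
    print(resolve_roles(claims, mapping, r"an(.*"))   # broken regex: no roles
```

The three functions are kept separate on purpose: discovery validation runs once per JWKS refresh, claim checks run per token, and role resolution runs after the token is trusted, so a failure in the last stage can only reduce privileges, never widen them.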
@zvonand zvonand changed the title [WiP] Antalya 26.3: fixes for OAuth (Entra) [WiP] Antalya 26.3: OAuth -- rework Entra ID workflow May 14, 2026
Labels

antalya-26.3 port-antalya PRs to be ported to all new Antalya releases
