To validate Databricks tokens passed to Okera, we have two options:
- Okera requires the public key from Databricks (so that we can verify the signature).
  - Okera then internally calls the group resolution hook, which does not need further authentication.
- Or you need to build a REST endpoint that takes responsibility for verifying the token.
  - With this method, the REST endpoint accepts the JWT and validates the token; Okera then performs user-to-group mappings based on the pertinent configuration values.
Note: There is a limitation that only tokens whose "sub" value is a username will work. Tokens with email addresses as the subject will *NOT* work. Our platform drops everything after the @ symbol when resolving a user (subject) to its groups. This can be changed, but it needs a more thorough analysis so as not to impact other configurations.
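A sketch of the check the REST endpoint in the second option would perform, added here as an example and not Okera's or Databricks' code: signature verification against a public key, followed by the "sub" rule from the note. It assumes RS256-signed tokens; the key is a constructed, insecure demo key, and `make_token` and `validate` are hypothetical names.

```python
import base64, hashlib, hmac, json

# Constructed demo key built from two Mersenne primes: NOT secure, illustration only.
# A real endpoint would load the issuer's published public key (N, E) instead.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, used only by make_token()
K = (N.bit_length() + 7) // 8          # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as used by RS256."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def make_token(claims):
    """Issuer side, present only so the demo has a token to validate."""
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa_pkcs1_v15(signing_input.encode()), "big"), D, N)
    return signing_input + "." + b64u(sig.to_bytes(K, "big"))

def validate(token):
    """Return the username to resolve groups for, or raise ValueError."""
    try:
        head, body, sig_b64 = token.split(".")
        if json.loads(unb64u(head)).get("alg") != "RS256":   # pin the algorithm
            raise ValueError("unexpected alg")
        sig = int.from_bytes(unb64u(sig_b64), "big")
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"malformed token: {exc}") from None
    recovered = pow(sig, E, N).to_bytes(K, "big") if sig < N else b""
    if not hmac.compare_digest(recovered, emsa_pkcs1_v15(f"{head}.{body}".encode())):
        raise ValueError("bad signature")
    claims = json.loads(unb64u(body))   # parsed only after the signature checks out
    sub = claims.get("sub") if isinstance(claims, dict) else None
    if not isinstance(sub, str) or not sub or "@" in sub:
        # Per the note above, everything after "@" is dropped at group resolution,
        # so an email-style subject is rejected rather than silently truncated.
        raise ValueError("sub must be a plain username")
    return sub
```

The sketch leaves out the `exp`, `iss` and `aud` checks a deployed endpoint needs, and a production endpoint would use a maintained JWT library rather than hand-written RSA.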