Description
As a user of the SDP I want to connect Druid to my existing OpenID IDP, i.e. Keycloak.
Working example
A working example can be found in the integration tests in https://github.com/stackabletech/druid-operator/tree/main/tests/templates/kuttl/oidc
OPA integration
For OPA, we want Druid to use the Keycloak username when requesting policy decisions. By default, the sub from the token is used, which is the user ID from Keycloak. Supposedly the setting druid.auth.pac4j.oidc.oidcClaim should be used to configure a claim that is extracted from the token and used as the user identification, but that doesn't seem to work.
This is the code showing that the UID is extracted to create the AuthenticationResult: https://github.com/apache/druid/blob/fa61e654e47ca80271798c497eda2f3018e9c636/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java#L116
Here we can see that the oidcClaim is used in the JWTFilter: https://github.com/apache/druid/blob/fa61e654e47ca80271798c497eda2f3018e9c636/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/JwtAuthFilter.java#L81 . The pac4j authorizer should probably do something similar.
This is the pac4j function that is called from the authorizer: https://github.com/pac4j/pac4j/blob/e2b26ee231d38eab4a4f61a736d4614f272f593a/pac4j-core/src/main/java/org/pac4j/core/engine/DefaultSecurityLogic.java#L75
Alternatively, Keycloak can be configured to write the username into the sub field for the Druid client. That seems to be a bit hacky though. Here's the SO question explaining how to do it: https://stackoverflow.com/questions/56666054/keycloak-mapping-username-on-subject-claim
In Trino, there's a setting called http-server.authentication.oauth2.principal-field which does something similar and it works well.
It might be that the oidcClaim setting is actually not working and this might be a bug in Druid.
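To see the difference the issue is about, the following added script (not part of this issue or of the druid-operator) decodes the payload of a constructed Keycloak-style access token and shows which value ends up as the identity: the 'sub' UUID when the profile id is used, as the Pac4jFilter link above shows, versus the configured claim that oidcClaim is meant to select. The token, the claim names and the helper names are assumptions made for the example; the signature is not verified, this only inspects what claims a token carries.

```python
import base64
import json
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url (the JWT segment form)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT checked here: this inspects which claims Keycloak
    puts into the token, it must never be used to authenticate a request.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def druid_identity(token: str, oidc_claim: Optional[str] = None) -> Optional[str]:
    """Identity that would be handed to the authorizer (and so to OPA).

    oidc_claim=None models the behaviour described in the issue: the pac4j
    profile id, i.e. the token's 'sub', is used. A claim name models what
    druid.auth.pac4j.oidc.oidcClaim is meant to select; None is returned
    when that claim is absent from the token, which is worth checking
    against a real token before blaming the setting.
    """
    claims = jwt_claims(token)
    return claims.get(oidc_claim) if oidc_claim else claims.get("sub")


# Constructed sample shaped like a Keycloak access token (signature omitted):
# 'sub' is the Keycloak user UUID, 'preferred_username' the login name.
_header = {"alg": "RS256", "typ": "JWT"}
_payload = {"sub": "8b0e4e3e-1f0c-4c4f-9b2a-0f8b2f3f1a11",
            "preferred_username": "alice", "azp": "druid"}
SAMPLE_TOKEN = ".".join([b64url_encode(json.dumps(_header).encode()),
                         b64url_encode(json.dumps(_payload).encode()), ""])

if __name__ == "__main__":
    print("identity from sub:               ", druid_identity(SAMPLE_TOKEN))
    print("identity from preferred_username:", druid_identity(SAMPLE_TOKEN, "preferred_username"))
```

Replace SAMPLE_TOKEN with an access token issued by your Keycloak realm to confirm the claim you configure actually exists in it.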