major refactor

Author: zvonand

docs/en/operations/external-authenticators/jwt.md

@@ -94,14 +94,8 @@ Only one of `static_jwks` or `static_jwks_file` keys must be present in one veri
     <!- ... -->
     <jwt_validators>
         <basic_auth_server>
-          <uri>http://localhost:8000/.well-known/jwks.json</uri>
-          <connection_timeout_ms>1000</connection_timeout_ms>
-          <receive_timeout_ms>1000</receive_timeout_ms>
-          <send_timeout_ms>1000</send_timeout_ms>
-          <max_tries>3</max_tries>
-          <retry_initial_backoff_ms>50</retry_initial_backoff_ms>
-          <retry_max_backoff_ms>1000</retry_max_backoff_ms>
-          <refresh_ms>300000</refresh_ms>
+          <jwks_uri>http://localhost:8000/.well-known/jwks.json</jwks_uri>
+          <jwks_refresh_timeout>300000</jwks_refresh_timeout>
         </basic_auth_server>
     </jwt_validators>
 </clickhouse>
@@ -110,38 +104,7 @@ Only one of `static_jwks` or `static_jwks_file` keys must be present in one veri
 #### Parameters:
 
 - `uri` - JWKS endpoint. Mandatory.
-- `refresh_ms` - Period for resend request for refreshing JWKS. Optional, default: 300000.
-
-Timeouts in milliseconds on the socket used for communicating with the server (optional):
-- `connection_timeout_ms` - Default: 1000.
-- `receive_timeout_ms` - Default: 1000.
-- `send_timeout_ms` - Default: 1000.
-
-Retry parameters (optional):
-- `max_tries` - The maximum number of attempts to make an authentication request. Default: 3.
-- `retry_initial_backoff_ms` - The backoff initial interval on retry. Default: 50.
-- `retry_max_backoff_ms` - The maximum backoff interval. Default: 1000.
-
-### Verifying access tokens {$verifying-access-tokens}
-
-Access tokens that are not JWT (and thus no data can be extracted from the token directly) need to be resolved by external providers.
-
-**Example**
-```xml
-<clickhouse>
-    <!- ... -->
-    <access_token_processors>
-        <my_access_token_processor>
-          <provider>google</provider>
-        </my_access_token_processor>
-    </access_token_processors>
-</clickhouse>
-```
-
-#### Parameters:
-
-- `provider` - name of provider that will be used for token processing. Mandatory parameter. Possible options: `google`.
-
+- `jwks_refresh_timeout` - Period for resend request for refreshing JWKS. Optional, default: 300000.
 
 ### Enabling JWT authentication in `users.xml` {#enabling-jwt-auth-in-users-xml}
 

docs/en/operations/external-authenticators/tokens.md

@@ -24,8 +24,6 @@ To define an access token processor, add `token_processors` section to `config.x
         <azuure>
             <provider>azure</provider>
             <username_claim>claim_name</username_claim>
-            <client_id>CLIENT_ID</client_id>
-            <tenant_id>TENANT_ID</tenant_id>
         </azuure>
     </token_processors>
 </clickhouse>
@@ -39,10 +37,7 @@ Different providers have different sets of parameters.
 
 - `provider` -- name of identity provider. Mandatory, case-insensitive. Supported options: "Google", "Azure", "OpenID".
 - `username_claim` -- name of claim (field) that will be treated as ClickHouse user name. Optional, default: "sub".
-- `cache_lifetime` --  maximum lifetime of cached token (in seconds). Optional, default: 3600.
-- `email_filter` -- Regex for validation of user emails. Optional parameter, only for Google IdP.
-- `client_id` -- Azure AD (Entra ID) client ID. Optional parameter, used only for Azure IdP.
-- `tenant_id` -- Azure AD (Entra ID) tenant ID. Optional parameter, used only for Azure IdP.
+- `cache_lifetime` -- maximum lifetime of cached token (in seconds). Optional, default: 3600.
 - `groups_claim` -- Name of claim (field) that contains list of groups user belongs to. This claim will be looked up in the token itself (in case token is a valid JWT, e.g. in Keycloak) or in response from `/userinfo`. Optional parameter.
 - `configuration_endpoint` -- URI of `.well-known/openid-configuration`. Optional parameter, useful only for OIDC-compliant providers (e.g. Keycloak).
 - `userinfo_endpoint` -- URI of userinfo endpoint. Optional parameter.

src/Access/AccessControl.cpp

@@ -728,11 +728,6 @@ bool AccessControl::isNoPasswordAllowed() const
     return allow_no_password;
 }
 
-bool AccessControl::isJWTEnabled() const
-{
-    return external_authenticators->isJWTAllowed();
-}
-
 void AccessControl::setPlaintextPasswordAllowed(bool allow_plaintext_password_)
 {
     allow_plaintext_password = allow_plaintext_password_;

src/Access/AccessControl.h

@@ -157,8 +157,6 @@ class AccessControl : public MultipleAccessStorage
     void setNoPasswordAllowed(bool allow_no_password_);
     bool isNoPasswordAllowed() const;
 
-    bool isJWTEnabled() const;
-
     /// Allows users with plaintext password (by default it's allowed).
     void setPlaintextPasswordAllowed(bool allow_plaintext_password_);
     bool isPlaintextPasswordAllowed() const;

src/Access/AccessTokenProcessor.h

@@ -345,10 +345,7 @@ bool Authentication::areCredentialsValid(
         if (authentication_method.getType() != AuthenticationType::JWT)
             return false;
 
-        if (external_authenticators.checkJWTClaims(authentication_method.getJWTClaims(), *token_credentials))
-            return true;
-
-        return external_authenticators.checkAccessTokenCredentials(*token_credentials);
+        return external_authenticators.checkTokenCredentials(*token_credentials);
     }
 
     if ([[maybe_unused]] const auto * always_allow_credentials = typeid_cast<const AlwaysAllowCredentials *>(&credentials))