Cleanup debug log and update documentation
lioneloh authored and idirze committed Dec 6, 2024
1 parent fe9c011 commit 4056258
Showing 3 changed files with 10 additions and 15 deletions.
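--- a/README.md
+++ b/README.md
@@ -93,6 +93,10 @@ The filter relies on the spark [spark.ui.filters](https://spark.apache.org/docs/
 | `cookie-cipher-secret-key` | `AUTH_COOKIE_ENCRYPTION_KEY` | - | Cookie encryption key</br> Can be generated using: `openssl enc -aes-128-cbc -k <PASS PHRASE> -P -md sha1 -pbkdf2` |
 | `cookie-is-secure` | `AUTH_COOKE_IS_SECURE` | true | When enabled, the cookie is transmitted over a secure connection only (HTTPS).</br> Disable the option if your run with a non secure connection (HTTP) |
 | `user-id` | `AUTH_USER_ID` | email | * `email`: set the id seen by spark acls as the email filled in the access token. </br> * `sub`: set the id seen by spark acls as the sub filled in the access token. |
+| `jwt-header` | `JWT_HEADER` | jwt_token | Header that may contain the JWT Token that will be used for authentication. If not present, it will fall back with the default autentication workflow with a redirection on the login page. |
+| `jwt-header-signing-alg` | `JWT_HEADER_SIGNING_ALG` | RS256, ES256 | Signature algorithm used to verify the JWT Token provided. |
+| `jwt-header-issuer` | `JWT_HEADER_ISSUER` | issuer-uri from well known configuration | Issuer if different from the default issuer uri retrieved from the well known configuration fetched with 'issuer-uri' parameter. |
+| `jwt-header-jwks-uri` | `JWT_HEADER_JWKS_URI` | jwks uri from well known configuration | JWKS URI used to retrieve the key needed to verify the JWT token signature. By default will use the JWKS URI filled in the well known configuration fetched with 'issuer-uri' parameter. |
 
 > [!NOTE]
 > 1. `issuer-uri` property or `AUTH_ISSUER_URI` env variable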
19 changes: 5 additions & 14 deletions src/main/java/io/okdp/spark/authc/OidcAuthFilter.java
@@ -328,28 +328,20 @@ public void doFilter(
Optional<String> maybeJWTHeader =
HttpAuthenticationUtils.getHeaderValue(jwtHeader, servletRequest);

if (log.isInfoEnabled()) {
log.info("Request Headers Dump");
HttpAuthenticationUtils.getHeaders(servletRequest)
.forEach(
e -> log.info("Header : {}, Values : {}", e.getKey(), e.getValue().joining(",")));
}

if (maybeJWTHeader.isPresent()) {
JWTClaimsSet claimsSet;

try {
log.info("JWT Header : {}", maybeJWTHeader.get());
log.debug("JWT Header : {}", maybeJWTHeader.get());
claimsSet = jwtProcessor.process(maybeJWTHeader.get(), null);
// Add the user and groups in the user/group mappings authorization cache
PersistedToken persistedToken =
authProvider.httpSecurityConfig().toPersistedToken(claimsSet);
OidcGroupMappingServiceProvider.addUserAndGroups(
persistedToken.id(), persistedToken.userInfo().getGroupsAndRoles());
log.info(
"JWT Token : User {} and groups {}",
persistedToken.id(),
persistedToken.userInfo().getGroupsAndRoles());
// Add the user and groups in the user/group mappings authorization cache
OidcGroupMappingServiceProvider.addUserAndGroups(
persistedToken.id(), persistedToken.userInfo().getGroupsAndRoles());
filterChain.doFilter(
new PrincipalHttpServletRequestWrapper(
(HttpServletRequest) servletRequest, persistedToken.id()),
@@ -363,7 +355,7 @@ public void doFilter(
log.error("Error on JWT Token validation : {}", e.getMessage());
}
} else {
log.info("No JWT header ({}) found", jwtHeader);
log.debug("No JWT header ({}) found", jwtHeader);
}

// Get the oidc authorization code if the user is authenticated
@@ -385,7 +377,6 @@ public void doFilter(
.onException(e -> sendError(servletResponse, e.getHttpStatusCode(), e.getMessage()));
PersistedToken persistedToken =
authProvider.httpSecurityConfig().toPersistedToken(accessToken);
// UserInfo userInfo = authProvider.httpSecurityConfig().userInfo(accessToken.accessToken());
log.info(
"Successfully authenticated user ({}): email {} sub {} (roles: {}, groups: {})",
persistedToken.userInfo().name(),
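Review bot: `log.debug("JWT Header : {}", maybeJWTHeader.get());` in the first hunk of doFilter still writes the complete bearer token to the log whenever debug logging is enabled, and a token read from a log file can be replayed until it expires. Lowering the level from info narrows the exposure but does not remove it; I would log only that the header was present, e.g. `log.debug("JWT header ({}) present", jwtHeader);`, and rely on `persistedToken.id()` after validation for tracing. The page does not mark old and new lines, so this assumes the debug line is the new side of the info/debug pair. doFilter starts and ends outside the hunk.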
@@ -53,7 +53,7 @@ public static void addUserAndGroups(String authenticatedUser, List<String> group
public Set<String> getGroups(String authenticatedUser) {
List<String> groups =
Optional.ofNullable(userGroupsCache.getIfPresent(authenticatedUser)).orElse(emptyList());
log.info("Authorization - The user {} is member of the groups: {}", authenticatedUser, groups);
log.debug("Authorization - The user {} is member of the groups: {}", authenticatedUser, groups);
// scala.collection.JavaConverters is deprecated in scala 2.13
// and replaced by scala.jdk.CollectionConverters
return asScalaSet(new HashSet<>(groups)).toSet();
