diff --git a/openmetadata-docs/content/v1.4.x/deployment/security/azure/bare-metal.md b/openmetadata-docs/content/v1.4.x/deployment/security/azure/bare-metal.md index 7cb4b12adf2..ca0701960cd 100644 --- a/openmetadata-docs/content/v1.4.x/deployment/security/azure/bare-metal.md +++ b/openmetadata-docs/content/v1.4.x/deployment/security/azure/bare-metal.md @@ -24,6 +24,12 @@ Then, - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below. - Update the `principalDomain` to your company domain name. +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + ```yaml authorizerConfiguration: className: "org.openmetadata.service.security.DefaultAuthorizer" diff --git a/openmetadata-docs/content/v1.4.x/deployment/security/azure/docker.md b/openmetadata-docs/content/v1.4.x/deployment/security/azure/docker.md index 2c0d7787fd7..1fe687cc7b2 100644 --- a/openmetadata-docs/content/v1.4.x/deployment/security/azure/docker.md +++ b/openmetadata-docs/content/v1.4.x/deployment/security/azure/docker.md @@ -28,6 +28,12 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Appli AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback ``` +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + ## 2. Start Docker ```commandline diff --git a/openmetadata-docs/content/v1.4.x/deployment/security/azure/index.md b/openmetadata-docs/content/v1.4.x/deployment/security/azure/index.md index 47813345298..51029e4e642 100644 --- a/openmetadata-docs/content/v1.4.x/deployment/security/azure/index.md +++ b/openmetadata-docs/content/v1.4.x/deployment/security/azure/index.md @@ -44,6 +44,21 @@ Admin permissions are required to register the application on the Azure portal. - Provide a redirect URL as a `Single Page Application`. - Click on `Register`. +{% note %} + +- **SPA (Single Page Application):** + This type is designed for implicit flows. In this case, providing both the client ID and client secret will result in a failure because the implicit flow only requires the client ID for authentication. + +- **Web:** + This type is intended for confidential clients. If you select this option, you must provide both the client ID and client secret. Simply passing the client ID will cause the authorization process to fail, as the Authorization Code flow requires both credentials for successful authentication. + +### Recommendation: + +- Use the **Web** type for confidential clients that require both a client ID and secret. +- Use the **SPA** type for applications using implicit flows where only a client ID is needed. + +{% /note %} + {% image src="/images/v1.4/deployment/security/azure/create-app-3.png" alt="create-app" /%} ### Step 3: Where to Find the Credentials diff --git a/openmetadata-docs/content/v1.4.x/deployment/security/azure/kubernetes.md b/openmetadata-docs/content/v1.4.x/deployment/security/azure/kubernetes.md index 7ceed278b12..ea54913ef02 100644 --- a/openmetadata-docs/content/v1.4.x/deployment/security/azure/kubernetes.md +++ b/openmetadata-docs/content/v1.4.x/deployment/security/azure/kubernetes.md @@ -31,4 +31,10 @@ openmetadata: callbackUrl: "http://localhost:8585/callback" ``` +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + {% partial file="/v1.4/deployment/configure-ingestion.md" /%} diff --git a/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/bare-metal.md b/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/bare-metal.md index 9737c5d0cf9..0f74850efa4 100644 --- a/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/bare-metal.md +++ b/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/bare-metal.md @@ -30,6 +30,12 @@ Then, - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below. - Update the `principalDomain` to your company domain name. +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + ```yaml authorizerConfiguration: className: "org.openmetadata.service.security.DefaultAuthorizer" diff --git a/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/docker.md b/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/docker.md index 40790c91d2f..7d0fa9e11d8 100644 --- a/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/docker.md +++ b/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/docker.md @@ -29,6 +29,12 @@ AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback ``` +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + ## 2. Start Docker ```commandline diff --git a/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/kubernetes.md b/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/kubernetes.md index 382a33f9119..34c9f77f30d 100644 --- a/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/kubernetes.md +++ b/openmetadata-docs/content/v1.4.x/deployment/security/keycloak/kubernetes.md @@ -31,4 +31,10 @@ openmetadata: callbackUrl: "http://localhost:8585/callback" ``` +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + {% partial file="/v1.4/deployment/configure-ingestion.md" /%} diff --git a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/bare-metal.md b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/bare-metal.md index 809d219ac71..c077b0814ed 100644 --- a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/bare-metal.md +++ b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/bare-metal.md @@ -24,6 +24,12 @@ Then, - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below. - Update the `principalDomain` to your company domain name. +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + ```yaml authorizerConfiguration: className: "org.openmetadata.service.security.DefaultAuthorizer" diff --git a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/docker.md b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/docker.md index ad693f5c5e0..7aa95c41f48 100644 --- a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/docker.md +++ b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/docker.md @@ -28,6 +28,12 @@ AUTHENTICATION_CLIENT_ID={Client ID} # Update with your Client ID of Azure Appli AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback ``` +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + ## 2. Start Docker ```commandline diff --git a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/index.md b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/index.md index 65646f1f983..b13795d0843 100644 --- a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/index.md +++ b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/index.md @@ -44,6 +44,21 @@ Admin permissions are required to register the application on the Azure portal. - Provide a redirect URL as a `Single Page Application`. - Click on `Register`. +{% note %} + +- **SPA (Single Page Application):** + This type is designed for implicit flows. In this case, providing both the client ID and client secret will result in a failure because the implicit flow only requires the client ID for authentication. + +- **Web:** + This type is intended for confidential clients. If you select this option, you must provide both the client ID and client secret. Simply passing the client ID will cause the authorization process to fail, as the Authorization Code flow requires both credentials for successful authentication. + +### Recommendation: + +- Use the **Web** type for confidential clients that require both a client ID and secret. +- Use the **SPA** type for applications using implicit flows where only a client ID is needed. + +{% /note %} + {% image src="/images/v1.5/deployment/security/azure/create-app-3.png" alt="create-app" /%} ### Step 3: Where to Find the Credentials diff --git a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/kubernetes.md b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/kubernetes.md index 2a318cd3e86..d6cb35ff0e7 100644 --- a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/kubernetes.md +++ b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/azure/kubernetes.md @@ -31,4 +31,10 @@ openmetadata: callbackUrl: "http://localhost:8585/callback" ``` +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + {% partial file="/v1.5/deployment/configure-ingestion.md" /%} diff --git a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/bare-metal.md b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/bare-metal.md index dd5a032def9..982791a5fff 100644 --- a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/bare-metal.md +++ b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/bare-metal.md @@ -30,6 +30,12 @@ Then, - Update `authorizerConfiguration` to add login names of the admin users in `adminPrincipals` section as shown below. - Update the `principalDomain` to your company domain name. +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + ```yaml authorizerConfiguration: className: "org.openmetadata.service.security.DefaultAuthorizer" diff --git a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/docker.md b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/docker.md index 1edac57742c..87dcb813734 100644 --- a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/docker.md +++ b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/docker.md @@ -29,6 +29,12 @@ AUTHENTICATION_CLIENT_ID=open-metadata # Update with your Client ID AUTHENTICATION_CALLBACK_URL=http://localhost:8585/callback ``` +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + ## 2. Start Docker ```commandline diff --git a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/kubernetes.md b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/kubernetes.md index f61f424f45f..0166dcbbd66 100644 --- a/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/kubernetes.md +++ b/openmetadata-docs/content/v1.5.x-SNAPSHOT/deployment/security/keycloak/kubernetes.md @@ -31,4 +31,10 @@ openmetadata: callbackUrl: "http://localhost:8585/callback" ``` +{% note %} + +Altering the order of claims in `jwtPrincipalClaims` may lead to problems when matching a user from a token with an existing user in the system. The mapping process relies on the specific order of claims, so changing it can result in inconsistencies or authentication failures, as the system cannot ensure correct user mapping with a new claim order. + +{% /note %} + {% partial file="/v1.5/deployment/configure-ingestion.md" /%}