[Fix-20125] OIDC: Allow max_age to be optional (#20721)

* Make Max Age Optional * spotless fix
2025-06-27 04:22:05 +00:00 · 2025-04-09 15:09:57 +05:30 · 2025-04-09 15:09:57 +05:30 · 3a01ad7da5
commit 3a01ad7da5
parent 6db8454649
10 changed files with 27 additions and 1 deletions
--- a/conf/openmetadata.yaml
+++ b/conf/openmetadata.yaml
@ -214,6 +214,7 @@ authenticationConfiguration:
    maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
    tokenValidity: ${OIDC_OM_REFRESH_TOKEN_VALIDITY:-"3600"} # in seconds
    customParams: ${OIDC_CUSTOM_PARAMS:-}
+    maxAge: ${OIDC_MAX_AGE:-"0"}
  samlConfiguration:
    debugMode: ${SAML_DEBUG_MODE:-false}
    idp:
--- a/docker/development/docker-compose-gcp.yml
+++ b/docker/development/docker-compose-gcp.yml
@ -120,6 +120,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -331,6 +332,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/development/docker-compose-postgres.yml
+++ b/docker/development/docker-compose-postgres.yml
@ -118,6 +118,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -334,6 +335,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/development/docker-compose.yml
+++ b/docker/development/docker-compose.yml
@ -116,6 +116,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -329,6 +330,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
+++ b/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
@ -61,6 +61,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -272,6 +273,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/docker-compose-quickstart/docker-compose-postgres.yml
+++ b/docker/docker-compose-quickstart/docker-compose-postgres.yml
@ -109,6 +109,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -320,6 +321,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/docker-compose-quickstart/docker-compose.yml
+++ b/docker/docker-compose-quickstart/docker-compose.yml
@ -107,6 +107,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -318,6 +319,7 @@ services:
      OIDC_TENANT: ${OIDC_TENANT:-""}
      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+      OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java
@ -128,6 +128,7 @@ public class AuthenticationCodeFlowHandler {
  private final ClientAuthentication clientAuthentication;
  private final String principalDomain;
  private final int tokenValidity;
+  private final String maxAge;

  public AuthenticationCodeFlowHandler(
      AuthenticationConfiguration authenticationConfiguration,
@ -153,6 +154,7 @@ public class AuthenticationCodeFlowHandler {
    validatePrincipalClaimsMapping(claimsMapping);
    this.principalDomain = authorizerConfiguration.getPrincipalDomain();
    this.tokenValidity = authenticationConfiguration.getOidcConfiguration().getTokenValidity();
+    this.maxAge = authenticationConfiguration.getOidcConfiguration().getMaxAge();
  }

  private OidcClient buildOidcClient(OidcClientConfig clientConfig) {
@ -269,7 +271,10 @@ public class AuthenticationCodeFlowHandler {
        } else {
          params.put(OidcConfiguration.PROMPT, "login");
        }
-        params.put(OidcConfiguration.MAX_AGE, "0");
+
+        if (!nullOrEmpty(maxAge)) {
+          params.put(OidcConfiguration.MAX_AGE, maxAge);
+        }

        String location = buildLoginAuthenticationRequestUrl(params);
        LOG.debug("Authentication request url: {}", location);
--- a/openmetadata-spec/src/main/resources/json/schema/security/client/oidcClientConfig.json
+++ b/openmetadata-spec/src/main/resources/json/schema/security/client/oidcClientConfig.json
@ -77,6 +77,10 @@
    "callbackUrl": {
      "description": "Callback Url.",
      "type": "string"
+    },
+    "maxAge": {
+      "description": "Validity for the JWT Token created from SAML Response",
+      "type": "string"
    }
  },
  "additionalProperties": false
--- a/openmetadata-ui/src/main/resources/ui/src/generated/security/client/oidcClientConfig.ts
+++ b/openmetadata-ui/src/main/resources/ui/src/generated/security/client/oidcClientConfig.ts
@ -38,6 +38,10 @@ export interface OidcClientConfig {
     * Client ID.
     */
    id?: string;
+    /**
+     * Validity for the JWT Token created from SAML Response
+     */
+    maxAge?: string;
    /**
     * Max Clock Skew
     */