diff --git a/conf/openmetadata.yaml b/conf/openmetadata.yaml
index b0a91094e4e..ee7a04f547f 100644
--- a/conf/openmetadata.yaml
+++ b/conf/openmetadata.yaml
@@ -214,6 +214,7 @@ authenticationConfiguration:
 maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
 tokenValidity: ${OIDC_OM_REFRESH_TOKEN_VALIDITY:-"3600"} # in seconds
 customParams: ${OIDC_CUSTOM_PARAMS:-}
+ maxAge: ${OIDC_MAX_AGE:-"0"}
 samlConfiguration:
 debugMode: ${SAML_DEBUG_MODE:-false}
 idp:
diff --git a/docker/development/docker-compose-gcp.yml b/docker/development/docker-compose-gcp.yml
index 1bd48f57655..1703aa21c29 100644
--- a/docker/development/docker-compose-gcp.yml
+++ b/docker/development/docker-compose-gcp.yml
@@ -120,6 +120,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -331,6 +332,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/development/docker-compose-postgres.yml b/docker/development/docker-compose-postgres.yml
index da8b607d155..e30c075498a 100644
--- a/docker/development/docker-compose-postgres.yml
+++ b/docker/development/docker-compose-postgres.yml
@@ -118,6 +118,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
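Review bot: `maxAge: ${OIDC_MAX_AGE:-"0"}` carries no comment, and because this value now decides whether the `max_age` parameter is sent at all (the AuthenticationCodeFlowHandler hunk omits it when empty), an operator cannot tell from this file that leaving OIDC_MAX_AGE blank stops forcing re-authentication at the provider, which the previous hard-coded "0" always did. Add a trailing comment in the style of the tokenValidity line, e.g. `maxAge: ${OIDC_MAX_AGE:-"0"} # OIDC max_age in seconds; "0" forces re-authentication at the provider, empty omits the parameter`. The same undocumented line is added to every docker-compose file in the hunks that follow (development, docker-compose-openmetadata and quickstart variants); a one-line comment there would help the same way.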
@@ -334,6 +335,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/development/docker-compose.yml b/docker/development/docker-compose.yml
index 3894a9c6266..3456c343a86 100644
--- a/docker/development/docker-compose.yml
+++ b/docker/development/docker-compose.yml
@@ -116,6 +116,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -329,6 +330,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml b/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
index 676cc3459eb..2c8f982d1f8 100644
--- a/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
+++ b/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
@@ -61,6 +61,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -272,6 +273,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/docker-compose-quickstart/docker-compose-postgres.yml b/docker/docker-compose-quickstart/docker-compose-postgres.yml
index 96bf07a3976..dc38261e418 100644
--- a/docker/docker-compose-quickstart/docker-compose-postgres.yml
+++ b/docker/docker-compose-quickstart/docker-compose-postgres.yml
@@ -109,6 +109,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -320,6 +321,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/docker-compose-quickstart/docker-compose.yml b/docker/docker-compose-quickstart/docker-compose.yml
index b9cbba3d4f3..917f13d22ae 100644
--- a/docker/docker-compose-quickstart/docker-compose.yml
+++ b/docker/docker-compose-quickstart/docker-compose.yml
@@ -107,6 +107,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -318,6 +319,7 @@ services:
 OIDC_TENANT: ${OIDC_TENANT:-""}
 OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
 OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
+ OIDC_MAX_AGE: ${OIDC_MAX_AGE:-"0"}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java b/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java
index e6004cd5b6e..f6c073ea033 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/AuthenticationCodeFlowHandler.java
@@ -128,6 +128,7 @@ public class AuthenticationCodeFlowHandler {
 private final ClientAuthentication clientAuthentication;
 private final String principalDomain;
 private final int tokenValidity;
+ private final String maxAge;
 
 public AuthenticationCodeFlowHandler(
 AuthenticationConfiguration authenticationConfiguration,
@@ -153,6 +154,7 @@ public class AuthenticationCodeFlowHandler {
 validatePrincipalClaimsMapping(claimsMapping);
 this.principalDomain = authorizerConfiguration.getPrincipalDomain();
 this.tokenValidity = authenticationConfiguration.getOidcConfiguration().getTokenValidity();
+ this.maxAge = authenticationConfiguration.getOidcConfiguration().getMaxAge();
 }
 
 private OidcClient buildOidcClient(OidcClientConfig clientConfig) {
@@ -269,7 +271,10 @@ public class AuthenticationCodeFlowHandler {
 } else {
 params.put(OidcConfiguration.PROMPT, "login");
 }
- params.put(OidcConfiguration.MAX_AGE, "0");
+
+ if (!nullOrEmpty(maxAge)) {
+ params.put(OidcConfiguration.MAX_AGE, maxAge);
+ }
 
 String location = buildLoginAuthenticationRequestUrl(params);
 LOG.debug("Authentication request url: {}", location);
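Review bot: `maxAge` is copied verbatim from the configuration into the authorization request at `params.put(OidcConfiguration.MAX_AGE, maxAge)` without any check that it is a non-negative integer, so a mistyped value (say `"30s"`, constructed example) reaches the provider as an invalid `max_age` and breaks login at the redirect instead of failing at startup. Validate once in the constructor (second hunk of this file) while keeping the empty-means-omit behaviour the third hunk relies on; a small helper like the one below does that, and `nullOrEmpty` is already in scope. The field in the first hunk would also benefit from a comment, `// OIDC max_age in seconds; empty omits the parameter, "0" forces re-authentication at the provider`, since the semantics now differ from the old hard-coded "0". The constructor and the method containing the `params.put` both start outside these hunks.
```java
  this.tokenValidity = authenticationConfiguration.getOidcConfiguration().getTokenValidity();
  this.maxAge = validateMaxAge(authenticationConfiguration.getOidcConfiguration().getMaxAge());
  }

  /** Empty stays empty (parameter omitted); anything else must parse as a non-negative integer. */
  private static String validateMaxAge(String configured) {
    if (nullOrEmpty(configured)) {
      return configured;
    }
    try {
      if (Long.parseLong(configured.trim()) < 0) {
        throw new IllegalArgumentException("oidcConfiguration.maxAge must be >= 0");
      }
    } catch (NumberFormatException e) {
      throw new IllegalArgumentException("oidcConfiguration.maxAge must be an integer number of seconds", e);
    }
    return configured.trim();
  }
```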
diff --git a/openmetadata-spec/src/main/resources/json/schema/security/client/oidcClientConfig.json b/openmetadata-spec/src/main/resources/json/schema/security/client/oidcClientConfig.json
index 528da87ac36..9c251540496 100644
--- a/openmetadata-spec/src/main/resources/json/schema/security/client/oidcClientConfig.json
+++ b/openmetadata-spec/src/main/resources/json/schema/security/client/oidcClientConfig.json
@@ -77,6 +77,10 @@
 "callbackUrl": {
 "description": "Callback Url.",
 "type": "string"
+ },
+ "maxAge": {
+ "description": "Validity for the JWT Token created from SAML Response",
+ "type": "string"
 }
 },
 "additionalProperties": false
diff --git a/openmetadata-ui/src/main/resources/ui/src/generated/security/client/oidcClientConfig.ts b/openmetadata-ui/src/main/resources/ui/src/generated/security/client/oidcClientConfig.ts
index ce9db511b09..2d440e3e519 100644
--- a/openmetadata-ui/src/main/resources/ui/src/generated/security/client/oidcClientConfig.ts
+++ b/openmetadata-ui/src/main/resources/ui/src/generated/security/client/oidcClientConfig.ts
@@ -38,6 +38,10 @@ export interface OidcClientConfig {
 * Client ID.
 */
 id?: string;
+ /**
+ * Validity for the JWT Token created from SAML Response
+ */
+ maxAge?: string;
 /**
 * Max Clock Skew
 */
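Review bot: The `maxAge` description, "Validity for the JWT Token created from SAML Response", is copied from the SAML schema and does not describe this field: the handler sends it as the OIDC `max_age` authentication-request parameter and omits it when blank. Replace it with `"description": "Maximum authentication age in seconds, sent as the OIDC max_age request parameter. \"0\" forces re-authentication at the provider; leave empty to omit the parameter."`. The generated TypeScript hunk that follows inherits the same wrong text and should be regenerated after the schema is fixed. Declaring it as `"type": "string"` also means the schema performs no validation of what is really an integer number of seconds; an integer type would be stricter, though the Java side as written expects a String, so that would be a larger change.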