- Add docker vars (#15619)

- Modified Azure refresh token logic
2025-12-24 14:08:45 +00:00 · 2024-03-20 11:47:25 +05:30 · 2024-03-20 11:47:25 +05:30 · e8f8271b77
commit e8f8271b77
parent ad6c823675
8 changed files with 225 additions and 2 deletions
--- a/conf/openmetadata.yaml
+++ b/conf/openmetadata.yaml
@ -188,6 +188,9 @@ authenticationConfiguration:
    callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
    serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
    clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+    tenant: ${OIDC_TENANT:-""}
+    maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
+    customParams: ${OIDC_CUSTOM_PARAMS:-{}}
  samlConfiguration:
    debugMode: ${SAML_DEBUG_MODE:-false}
    idp:
--- a/docker/development/docker-compose-postgres.yml
+++ b/docker/development/docker-compose-postgres.yml
@ -99,6 +99,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -293,6 +310,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/development/docker-compose.yml
+++ b/docker/development/docker-compose.yml
@ -98,6 +98,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -289,6 +306,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
+++ b/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
@ -42,6 +42,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -232,6 +249,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/docker-compose-quickstart/docker-compose-postgres.yml
+++ b/docker/docker-compose-quickstart/docker-compose-postgres.yml
@ -90,6 +90,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -280,6 +297,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/docker/docker-compose-quickstart/docker-compose.yml
+++ b/docker/docker-compose-quickstart/docker-compose.yml
@ -88,6 +88,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@ -278,6 +295,23 @@ services:
      AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
      AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
      AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+      AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+      #For OIDC Authentication, when client is confidential
+      OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+      OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+      OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+      OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+      OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+      OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+      OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+      OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+      OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+      OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+      OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+      OIDC_TENANT: ${OIDC_TENANT:-""}
+      OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+      OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
      # For SAML Authentication
      # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
      # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/SecurityUtil.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/SecurityUtil.java
@ -17,6 +17,7 @@ import static org.openmetadata.service.security.AuthLoginServlet.OIDC_CREDENTIAL
 import static org.pac4j.core.util.CommonHelper.assertNotNull;
 import static org.pac4j.core.util.CommonHelper.isNotEmpty;

+import com.fasterxml.jackson.core.type.TypeReference;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableMap.Builder;
 import com.nimbusds.jose.JOSEException;
@ -29,7 +30,13 @@ import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
 import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
 import com.nimbusds.oauth2.sdk.auth.Secret;
 import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import java.io.BufferedWriter;
 import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.text.ParseException;
@ -37,6 +44,7 @@ import java.time.Instant;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@ -51,8 +59,11 @@ import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.common.utils.CommonUtil;
 import org.openmetadata.schema.security.client.OidcClientConfig;
 import org.openmetadata.service.OpenMetadataApplicationConfig;
+import org.openmetadata.service.util.JsonUtils;
+import org.pac4j.core.context.HttpConstants;
 import org.pac4j.core.exception.TechnicalException;
 import org.pac4j.core.util.CommonHelper;
+import org.pac4j.core.util.HttpUtils;
 import org.pac4j.oidc.client.AzureAd2Client;
 import org.pac4j.oidc.client.GoogleOidcClient;
 import org.pac4j.oidc.client.OidcClient;
@ -371,11 +382,49 @@ public final class SecurityUtil {
    if (SecurityUtil.isCredentialsExpired(credentials)) {
      LOG.debug("Expired credentials found, trying to renew.");
      profilesUpdated = true;
-      OidcAuthenticator authenticator = new OidcAuthenticator(client.getConfiguration(), client);
-      authenticator.refresh(credentials);
+      if (client.getConfiguration()
+          instanceof AzureAd2OidcConfiguration azureAd2OidcConfiguration) {
+        refreshAccessTokenAzureAd2Token(azureAd2OidcConfiguration, credentials);
+      } else {
+        OidcAuthenticator authenticator = new OidcAuthenticator(client.getConfiguration(), client);
+        authenticator.refresh(credentials);
+      }
    }
    if (profilesUpdated) {
      request.getSession().setAttribute(OIDC_CREDENTIAL_PROFILE, credentials);
    }
  }
+
+  private static void refreshAccessTokenAzureAd2Token(
+      AzureAd2OidcConfiguration azureConfig, OidcCredentials azureAdProfile) {
+    HttpURLConnection connection = null;
+    try {
+      Map<String, String> headers = new HashMap<>();
+      headers.put(
+          HttpConstants.CONTENT_TYPE_HEADER, HttpConstants.APPLICATION_FORM_ENCODED_HEADER_VALUE);
+      headers.put(HttpConstants.ACCEPT_HEADER, HttpConstants.APPLICATION_JSON);
+      // get the token endpoint from discovery URI
+      URL tokenEndpointURL = azureConfig.findProviderMetadata().getTokenEndpointURI().toURL();
+      connection = HttpUtils.openPostConnection(tokenEndpointURL, headers);
+
+      BufferedWriter out =
+          new BufferedWriter(
+              new OutputStreamWriter(connection.getOutputStream(), StandardCharsets.UTF_8));
+      out.write(azureConfig.makeOauth2TokenRequest(azureAdProfile.getRefreshToken().getValue()));
+      out.close();
+
+      int responseCode = connection.getResponseCode();
+      if (responseCode != 200) {
+        throw new TechnicalException(
+            "request for access token failed: " + HttpUtils.buildHttpErrorMessage(connection));
+      }
+      var body = HttpUtils.readBody(connection);
+      Map<String, Object> res = JsonUtils.readValue(body, new TypeReference<>() {});
+      azureAdProfile.setAccessToken(new BearerAccessToken((String) res.get("access_token")));
+    } catch (final IOException e) {
+      throw new TechnicalException(e);
+    } finally {
+      HttpUtils.closeConnection(connection);
+    }
+  }
 }
--- a/openmetadata-service/src/test/resources/openmetadata-secure-test.yaml
+++ b/openmetadata-service/src/test/resources/openmetadata-secure-test.yaml
@ -140,6 +140,7 @@ authorizerConfiguration:
    - "all"

 authenticationConfiguration:
+  clientType: "public"
  provider: "basic"
  providerName: ""
  publicKeyUrls: