From e8f8271b77ba189d6b6beafb9d1c5cee5ba92f84 Mon Sep 17 00:00:00 2001
From: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com>
Date: Wed, 20 Mar 2024 11:47:25 +0530
Subject: [PATCH] - Add docker vars (#15619)

- Modified Azure refresh token logic
---
 conf/openmetadata.yaml | 3 ++
 .../development/docker-compose-postgres.yml | 34 ++++++++++++
 docker/development/docker-compose.yml | 34 ++++++++++++
 .../docker-compose-openmetadata.yml | 34 ++++++++++++
 .../docker-compose-postgres.yml | 34 ++++++++++++
 .../docker-compose.yml | 34 ++++++++++++
 .../service/security/SecurityUtil.java | 53 ++++++++++++++++++-
 .../resources/openmetadata-secure-test.yaml | 1 +
 8 files changed, 225 insertions(+), 2 deletions(-)

diff --git a/conf/openmetadata.yaml b/conf/openmetadata.yaml
index c570d546398..72cd6e300d5 100644
--- a/conf/openmetadata.yaml
+++ b/conf/openmetadata.yaml
@@ -188,6 +188,9 @@ authenticationConfiguration:
 callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
 serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
 clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ tenant: ${OIDC_TENANT:-""}
+ maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
+ customParams: ${OIDC_CUSTOM_PARAMS:-{}}
 samlConfiguration:
 debugMode: ${SAML_DEBUG_MODE:-false}
 idp:
diff --git a/docker/development/docker-compose-postgres.yml b/docker/development/docker-compose-postgres.yml
index 01eaf3cb07f..19418d76467 100644
--- a/docker/development/docker-compose-postgres.yml
+++ b/docker/development/docker-compose-postgres.yml
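Review bot: The new `customParams: ${OIDC_CUSTOM_PARAMS:-{}}` line nests a `}` inside the substitution; if the environment substitutor ends the variable at the first `}` instead of tracking bare braces (commons-text, which Dropwizard's substitutor builds on, does not track them), the default resolves to `{` plus a literal `}` and only works by coincidence, while a set OIDC_CUSTOM_PARAMS value is followed by a stray `}` and the YAML fails to load. Worth verifying with the variable set; a safer shape is a plain empty default, e.g. `customParams: ${OIDC_CUSTOM_PARAMS:-""}`, with absence handled in OidcClientConfig. `maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}` also defaults what looks like a numeric setting to an empty string, so confirm the OidcClientConfig field accepts that rather than failing deserialization.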
@@ -99,6 +99,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
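Review bot: `OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}` ships the confidential-client authorization-code flow with PKCE switched off by default; PKCE is cheap and protects against authorization-code injection, so the safer default is `OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-false}` unless a provider this file targets is known not to support it. The default `OIDC_SCOPE` of `"openid email profile"` omits `offline_access`, which Azure AD v2 requires before it issues the refresh token that the new Azure refresh path in SecurityUtil depends on, so an Azure deployment on these defaults will have no refresh token to use. The `${OIDC_CUSTOM_PARAMS:-{}}` default nests a `}` inside the substitution and may leave a stray `}` once the variable is set, depending on how compose resolves defaults. All three points apply identically to the second hunk of this file and to the matching hunks in docker-compose.yml, docker-compose-openmetadata.yml and the two quickstart compose files in this commit. Style: `#For OIDC Authentication, when client is confidential` is missing the space after `#` that the neighbouring `# For SAML Authentication` uses.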
@@ -293,6 +310,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/development/docker-compose.yml b/docker/development/docker-compose.yml
index 09baf7809de..2a2e91dc149 100644
--- a/docker/development/docker-compose.yml
+++ b/docker/development/docker-compose.yml
@@ -98,6 +98,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -289,6 +306,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml b/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
index 2ac1cf9bb9d..13a3a51f6fb 100644
--- a/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
+++ b/docker/docker-compose-openmetadata/docker-compose-openmetadata.yml
@@ -42,6 +42,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -232,6 +249,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/docker-compose-quickstart/docker-compose-postgres.yml b/docker/docker-compose-quickstart/docker-compose-postgres.yml
index 9cd0d99a546..82f9e03141f 100644
--- a/docker/docker-compose-quickstart/docker-compose-postgres.yml
+++ b/docker/docker-compose-quickstart/docker-compose-postgres.yml
@@ -90,6 +90,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -280,6 +297,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/docker/docker-compose-quickstart/docker-compose.yml b/docker/docker-compose-quickstart/docker-compose.yml
index c0647108af6..a3baeb591f0 100644
--- a/docker/docker-compose-quickstart/docker-compose.yml
+++ b/docker/docker-compose-quickstart/docker-compose.yml
@@ -88,6 +88,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
@@ -278,6 +295,23 @@ services:
 AUTHENTICATION_CALLBACK_URL: ${AUTHENTICATION_CALLBACK_URL:-""}
 AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
 AUTHENTICATION_ENABLE_SELF_SIGNUP: ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
+ AUTHENTICATION_CLIENT_TYPE: ${AUTHENTICATION_CLIENT_TYPE:-public}
+ #For OIDC Authentication, when client is confidential
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-""}
+ OIDC_TYPE: ${OIDC_TYPE:-""} # google, azure etc.
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-""}
+ OIDC_SCOPE: ${OIDC_SCOPE:-"openid email profile"}
+ OIDC_DISCOVERY_URI: ${OIDC_DISCOVERY_URI:-""}
+ OIDC_USE_NONCE: ${OIDC_USE_NONCE:-true}
+ OIDC_PREFERRED_JWS: ${OIDC_PREFERRED_JWS:-"RS256"}
+ OIDC_RESPONSE_TYPE: ${OIDC_RESPONSE_TYPE:-"code"}
+ OIDC_DISABLE_PKCE: ${OIDC_DISABLE_PKCE:-true}
+ OIDC_CALLBACK: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
+ OIDC_SERVER_URL: ${OIDC_SERVER_URL:-"http://localhost:8585"}
+ OIDC_CLIENT_AUTH_METHOD: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
+ OIDC_TENANT: ${OIDC_TENANT:-""}
+ OIDC_MAX_CLOCK_SKEW: ${OIDC_MAX_CLOCK_SKEW:-""}
+ OIDC_CUSTOM_PARAMS: ${OIDC_CUSTOM_PARAMS:-{}}
 # For SAML Authentication
 # SAML_DEBUG_MODE: ${SAML_DEBUG_MODE:-false}
 # SAML_IDP_ENTITY_ID: ${SAML_IDP_ENTITY_ID:-""}
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/security/SecurityUtil.java b/openmetadata-service/src/main/java/org/openmetadata/service/security/SecurityUtil.java
index ca19a457369..605a8e6a1cd 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/security/SecurityUtil.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/security/SecurityUtil.java
@@ -17,6 +17,7 @@ import static org.openmetadata.service.security.AuthLoginServlet.OIDC_CREDENTIAL
 import static org.pac4j.core.util.CommonHelper.assertNotNull;
 import static org.pac4j.core.util.CommonHelper.isNotEmpty;
 
+import com.fasterxml.jackson.core.type.TypeReference;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableMap.Builder;
 import com.nimbusds.jose.JOSEException;
@@ -29,7 +30,13 @@ import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
 import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
 import com.nimbusds.oauth2.sdk.auth.Secret;
 import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
+import java.io.BufferedWriter;
 import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.text.ParseException;
@@ -37,6 +44,7 @@ import java.time.Instant;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -51,8 +59,11 @@ import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.common.utils.CommonUtil;
 import org.openmetadata.schema.security.client.OidcClientConfig;
 import org.openmetadata.service.OpenMetadataApplicationConfig;
+import org.openmetadata.service.util.JsonUtils;
+import org.pac4j.core.context.HttpConstants;
 import org.pac4j.core.exception.TechnicalException;
 import org.pac4j.core.util.CommonHelper;
+import org.pac4j.core.util.HttpUtils;
 import org.pac4j.oidc.client.AzureAd2Client;
 import org.pac4j.oidc.client.GoogleOidcClient;
 import org.pac4j.oidc.client.OidcClient;
@@ -371,11 +382,49 @@ public final class SecurityUtil {
 if (SecurityUtil.isCredentialsExpired(credentials)) {
 LOG.debug("Expired credentials found, trying to renew.");
 profilesUpdated = true;
- OidcAuthenticator authenticator = new OidcAuthenticator(client.getConfiguration(), client);
- authenticator.refresh(credentials);
+ if (client.getConfiguration()
+ instanceof AzureAd2OidcConfiguration azureAd2OidcConfiguration) {
+ refreshAccessTokenAzureAd2Token(azureAd2OidcConfiguration, credentials);
+ } else {
+ OidcAuthenticator authenticator = new OidcAuthenticator(client.getConfiguration(), client);
+ authenticator.refresh(credentials);
+ }
 }
 if (profilesUpdated) {
 request.getSession().setAttribute(OIDC_CREDENTIAL_PROFILE, credentials);
 }
 }
+
+ private static void refreshAccessTokenAzureAd2Token(
+ AzureAd2OidcConfiguration azureConfig, OidcCredentials azureAdProfile) {
+ HttpURLConnection connection = null;
+ try {
+ Map headers = new HashMap<>();
+ headers.put(
+ HttpConstants.CONTENT_TYPE_HEADER, HttpConstants.APPLICATION_FORM_ENCODED_HEADER_VALUE);
+ headers.put(HttpConstants.ACCEPT_HEADER, HttpConstants.APPLICATION_JSON);
+ // get the token endpoint from discovery URI
+ URL tokenEndpointURL = azureConfig.findProviderMetadata().getTokenEndpointURI().toURL();
+ connection = HttpUtils.openPostConnection(tokenEndpointURL, headers);
+
+ BufferedWriter out =
+ new BufferedWriter(
+ new OutputStreamWriter(connection.getOutputStream(), StandardCharsets.UTF_8));
+ out.write(azureConfig.makeOauth2TokenRequest(azureAdProfile.getRefreshToken().getValue()));
+ out.close();
+
+ int responseCode = connection.getResponseCode();
+ if (responseCode != 200) {
+ throw new TechnicalException(
+ "request for access token failed: " + HttpUtils.buildHttpErrorMessage(connection));
+ }
+ var body = HttpUtils.readBody(connection);
+ Map res = JsonUtils.readValue(body, new TypeReference<>() {});
+ azureAdProfile.setAccessToken(new BearerAccessToken((String) res.get("access_token")));
+ } catch (final IOException e) {
+ throw new TechnicalException(e);
+ } finally {
+ HttpUtils.closeConnection(connection);
+ }
+ }
 }
diff --git a/openmetadata-service/src/test/resources/openmetadata-secure-test.yaml b/openmetadata-service/src/test/resources/openmetadata-secure-test.yaml
index 332d6c5510b..1a6027d3c88 100644
--- a/openmetadata-service/src/test/resources/openmetadata-secure-test.yaml
+++ b/openmetadata-service/src/test/resources/openmetadata-secure-test.yaml
@@ -140,6 +140,7 @@ authorizerConfiguration:
 - "all"
 authenticationConfiguration:
+ clientType: "public"
 provider: "basic"
 providerName: ""
 publicKeyUrls:
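Review bot: `refreshAccessTokenAzureAd2Token` keeps only `access_token` from the token response, wrapped in a `BearerAccessToken` that carries no lifetime, and drops any `refresh_token` the endpoint returns; Azure AD v2 rotates refresh tokens on every refresh, so the next renewal replays the previous token, and if `isCredentialsExpired` (not visible in this hunk) judges expiry from the access token's lifetime the renewed token will be reported expired again on the next request. `azureAdProfile.getRefreshToken()` is dereferenced without a null check, so a session that never received a refresh token (the compose defaults in this commit request `openid email profile` without `offline_access`) fails with an NPE instead of a clear error. The rewrite below adds that guard and replaces the last three statements of the `try` block; `RefreshToken` is the nimbus `com.nimbusds.oauth2.sdk.token.RefreshToken` and needs importing. Smaller points: `Map headers` and `Map res` are raw types (`Map<String, String>` and `Map<String, Object>`), and the `BufferedWriter` should be a try-with-resources so it is closed when `write` throws. The method containing the new `instanceof` branch starts outside the hunk.
```java
    try {
      if (azureAdProfile.getRefreshToken() == null) {
        throw new TechnicalException("no refresh token in session; cannot renew Azure AD access token");
      }
      // … unchanged: headers, token endpoint lookup, POST of the refresh request, status check …
      var body = HttpUtils.readBody(connection);
      Map<String, Object> res = JsonUtils.readValue(body, new TypeReference<>() {});
      if (!(res.get("access_token") instanceof String accessToken)) {
        throw new TechnicalException("token endpoint response did not contain an access_token");
      }
      // carry expires_in so the renewed token is not immediately judged expired again
      long lifetime = res.get("expires_in") instanceof Number n ? n.longValue() : 0L;
      azureAdProfile.setAccessToken(new BearerAccessToken(accessToken, lifetime, null));
      // Azure AD v2 rotates refresh tokens; keep the new one or the next refresh replays a stale token
      if (res.get("refresh_token") instanceof String rotatedRefreshToken) {
        azureAdProfile.setRefreshToken(new RefreshToken(rotatedRefreshToken));
      }
```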