diff --git a/datahub-frontend/app/react/auth/AuthModule.java b/datahub-frontend/app/react/auth/AuthModule.java
index b7c8a35f63..be76efb025 100644
--- a/datahub-frontend/app/react/auth/AuthModule.java
+++ b/datahub-frontend/app/react/auth/AuthModule.java
@@ -107,6 +107,7 @@ public class AuthModule extends AbstractModule {
       oidcConfiguration.setClientId(_oidcConfigs.getClientId());
       oidcConfiguration.setSecret(_oidcConfigs.getClientSecret());
       oidcConfiguration.setDiscoveryURI(_oidcConfigs.getDiscoveryUri());
+      oidcConfiguration.setClientAuthenticationMethodAsString(_oidcConfigs.getClientAuthenticationMethod());
       oidcConfiguration.setScope(_oidcConfigs.getScope());
 
       final OidcClient oidcClient = new OidcClient(oidcConfiguration);
diff --git a/datahub-frontend/app/react/auth/OidcConfigs.java b/datahub-frontend/app/react/auth/OidcConfigs.java
index 9679c735f2..1cbfb15631 100644
--- a/datahub-frontend/app/react/auth/OidcConfigs.java
+++ b/datahub-frontend/app/react/auth/OidcConfigs.java
@@ -21,6 +21,7 @@ public class OidcConfigs {
   public static final String OIDC_USERNAME_CLAIM_REGEX_CONFIG_PATH = "auth.oidc.userNameClaimRegex";
   public static final String OIDC_SCOPE_CONFIG_PATH = "auth.oidc.scope";
   public static final String OIDC_CLIENT_NAME_CONFIG_PATH = "auth.oidc.clientName";
+  public static final String OIDC_CLIENT_AUTHENTICATION_METHOD_CONFIG_PATH = "auth.oidc.clientAuthenticationMethod";
 
   /**
    * Default values
@@ -29,6 +30,7 @@ public class OidcConfigs {
   private static final String DEFAULT_OIDC_USERNAME_CLAIM_REGEX = "(.*)";
   private static final String DEFAULT_OIDC_SCOPE = "openid profile email";
   private static final String DEFAULT_OIDC_CLIENT_NAME = "oidc";
+  private static final String DEFAULT_OIDC_CLIENT_AUTHENTICATION_METHOD = "client_secret_basic";
 
   private String _clientId;
   private String _clientSecret;
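Review bot: The string read from `auth.oidc.clientAuthenticationMethod` is handed to `setClientAuthenticationMethodAsString` without any check on this side, so a misspelled or unsupported value is only rejected inside pac4j, and whether that happens at startup or at the first token exchange depends on the pac4j version rather than on anything visible here. I would fail fast where the value is read, in the OidcConfigs constructor hunk (@@ -70,6 +73,10), e.g. `if (!"client_secret_basic".equals(_clientAuthenticationMethod) && !"client_secret_post".equals(_clientAuthenticationMethod)) { throw new IllegalArgumentException("Unsupported auth.oidc.clientAuthenticationMethod: " + _clientAuthenticationMethod); }`, widening the accepted set if other pac4j methods are meant to be supported. A short comment on the added line here would also help readers: `// How clientId/clientSecret are presented to the token endpoint (client_secret_basic or client_secret_post).` The method enclosing this hunk starts and ends outside it.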
@@ -37,6 +39,7 @@ public class OidcConfigs {
   private String _userNameClaimRegex;
   private String _scope;
   private String _clientName;
+  private String _clientAuthenticationMethod;
 
   private Boolean _isEnabled = false;
 
@@ -70,6 +73,10 @@ public class OidcConfigs {
           configs,
           OIDC_CLIENT_NAME_CONFIG_PATH,
           DEFAULT_OIDC_CLIENT_NAME);
+      _clientAuthenticationMethod = getOptional(
+          configs,
+          OIDC_CLIENT_AUTHENTICATION_METHOD_CONFIG_PATH,
+          DEFAULT_OIDC_CLIENT_AUTHENTICATION_METHOD);
     }
   }
 
@@ -105,6 +112,10 @@ public class OidcConfigs {
     return _clientName;
   }
 
+  public String getClientAuthenticationMethod() {
+    return _clientAuthenticationMethod;
+  }
+
   private String getRequired(final com.typesafe.config.Config configs, final String path) {
     if (!configs.hasPath(path)) {
       throw new IllegalArgumentException(
diff --git a/datahub-frontend/conf/application.conf b/datahub-frontend/conf/application.conf
index c36e65005c..5e2aaf7d20 100644
--- a/datahub-frontend/conf/application.conf
+++ b/datahub-frontend/conf/application.conf
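Review bot: `getClientAuthenticationMethod()` in the @@ -105,6 +112,10 hunk has no Javadoc, and neither the field nor the getter states which values are accepted or that the field appears to stay null when the branch assigning it in the constructor (@@ -70,6 +73,10, whose opening condition lies outside the hunk) is not taken. I would document the getter as `/** Client authentication method name passed to the token endpoint: {@code client_secret_basic} (default) or {@code client_secret_post}; may be null when OIDC is not enabled. */`. Since the value is a plain config string and not a credential, a note that it is safe to include in startup logs would help when debugging IdP setups.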
@@ -118,6 +118,7 @@ auth.baseUrl = ${?AUTH_OIDC_BASE_URL} # The base URL associated with your DataHu
 auth.oidc.userNameClaim = ${?AUTH_OIDC_USER_NAME_CLAIM} # The attribute / claim used to derive the DataHub username. Defaults to "preferred_username".
 auth.oidc.userNameClaimRegex = ${?AUTH_OIDC_USER_NAME_CLAIM_REGEX} # The regex used to parse the DataHub username from the user name claim. Defaults to (.*) (all)
 auth.oidc.scope = ${?AUTH_OIDC_SCOPE} # String representing the requested scope from the IdP. Defaults to "oidc email profile"
+auth.oidc.clientAuthenticationMethod = ${?AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD} # Which authentication method to use to pass credentials (clientId and clientSecret) to the token endpoint: Defaults to "client_secret_basic"
 #
 # By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc.
 # For example, the default callback URL for a local deployment of DataHub would be "http://localhost:9002/callback/oidc".
diff --git a/docs/how/configure-oidc-react.md b/docs/how/configure-oidc-react.md
index f62aa7cb4f..7398df72e6 100644
--- a/docs/how/configure-oidc-react.md
+++ b/docs/how/configure-oidc-react.md
@@ -81,6 +81,7 @@ you to specify the OIDC scopes requested & how the DataHub username is parsed fr
 AUTH_OIDC_USER_NAME_CLAIM=your-custom-claim
 AUTH_OIDC_USER_NAME_CLAIM_REGEX=your-custom-regex
 AUTH_OIDC_SCOPE=your-custom-scope
+AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD=authentication-method
 ```
 
 - `AUTH_OIDC_USER_NAME_CLAIM`: The attribute that will contain the username used on the DataHub platform. By default, this is "preferred_username" provided
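Review bot: The inline comment on the new `auth.oidc.clientAuthenticationMethod` line names only the default and not the other accepted value, and the colon before "Defaults" reads like a typo for a period. I would write it as `# Method used to present clientId/clientSecret to the token endpoint: "client_secret_basic" (default, HTTP Basic) or "client_secret_post" (form parameters).` so operators can see the alternative without opening the Markdown guide.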
@@ -90,7 +91,10 @@ the userNameClaim field will contain an email address, and we want to omit the d regex to do so. (e.g. `([^@]+)`) - `AUTH_OIDC_SCOPE`: a string representing the scopes to be requested from the identity provider, granted by the end user. For more info, see [OpenID Connect Scopes](https://auth0.com/docs/scopes/openid-connect-scopes). - +- `AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD`: a string representing the token authentication method to use with the identity provider. Default value +is `client_secret_basic`, which uses HTTP Basic authentication. Another option is `client_secret_post`, which includes the client_id and secret_id +as form parameters in the HTTP POST request. For more info, see [OAuth 2.0 Client Authentication](https://darutk.medium.com/oauth-2-0-client-authentication-4b5f929305d4) + Once configuration has been updated, `datahub-frontend-react` will need to be restarted to pick up the new environment variables: ```