Add support for different oidc client authentication methods (#2691)

This commit is contained in:
Peter Mortier 2021-06-16 18:19:47 +02:00 committed by GitHub
parent 5b595b4c9e
commit a0579321b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 1 deletions


@ -107,6 +107,7 @@ public class AuthModule extends AbstractModule {
oidcConfiguration.setClientId(_oidcConfigs.getClientId()); oidcConfiguration.setClientId(_oidcConfigs.getClientId());
oidcConfiguration.setSecret(_oidcConfigs.getClientSecret()); oidcConfiguration.setSecret(_oidcConfigs.getClientSecret());
oidcConfiguration.setDiscoveryURI(_oidcConfigs.getDiscoveryUri()); oidcConfiguration.setDiscoveryURI(_oidcConfigs.getDiscoveryUri());
oidcConfiguration.setClientAuthenticationMethodAsString(_oidcConfigs.getClientAuthenticationMethod());
oidcConfiguration.setScope(_oidcConfigs.getScope()); oidcConfiguration.setScope(_oidcConfigs.getScope());
final OidcClient oidcClient = new OidcClient(oidcConfiguration); final OidcClient oidcClient = new OidcClient(oidcConfiguration);
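Review bot: The string returned by `_oidcConfigs.getClientAuthenticationMethod()` is passed straight into `setClientAuthenticationMethodAsString` on the new line with no check, so a misspelt value such as `client-secret-basic` is not caught here and surfaces only when the OidcClient is initialized, in whatever form pac4j reports it (I cannot confirm from this hunk whether that is a clear error or a silent fallback). A one-line comment would at least tell the next reader where the value is checked: `// Accepted values are client_secret_basic (default) and client_secret_post; anything else is left to pac4j to reject at client init`. The enclosing method starts and ends outside the hunk.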


@ -21,6 +21,7 @@ public class OidcConfigs {
public static final String OIDC_USERNAME_CLAIM_REGEX_CONFIG_PATH = "auth.oidc.userNameClaimRegex"; public static final String OIDC_USERNAME_CLAIM_REGEX_CONFIG_PATH = "auth.oidc.userNameClaimRegex";
public static final String OIDC_SCOPE_CONFIG_PATH = "auth.oidc.scope"; public static final String OIDC_SCOPE_CONFIG_PATH = "auth.oidc.scope";
public static final String OIDC_CLIENT_NAME_CONFIG_PATH = "auth.oidc.clientName"; public static final String OIDC_CLIENT_NAME_CONFIG_PATH = "auth.oidc.clientName";
public static final String OIDC_CLIENT_AUTHENTICATION_METHOD_CONFIG_PATH = "auth.oidc.clientAuthenticationMethod";
/** /**
* Default values * Default values
@ -29,6 +30,7 @@ public class OidcConfigs {
private static final String DEFAULT_OIDC_USERNAME_CLAIM_REGEX = "(.*)"; private static final String DEFAULT_OIDC_USERNAME_CLAIM_REGEX = "(.*)";
private static final String DEFAULT_OIDC_SCOPE = "openid profile email"; private static final String DEFAULT_OIDC_SCOPE = "openid profile email";
private static final String DEFAULT_OIDC_CLIENT_NAME = "oidc"; private static final String DEFAULT_OIDC_CLIENT_NAME = "oidc";
private static final String DEFAULT_OIDC_CLIENT_AUTHENTICATION_METHOD = "client_secret_basic";
private String _clientId; private String _clientId;
private String _clientSecret; private String _clientSecret;
@ -37,6 +39,7 @@ public class OidcConfigs {
private String _userNameClaimRegex; private String _userNameClaimRegex;
private String _scope; private String _scope;
private String _clientName; private String _clientName;
private String _clientAuthenticationMethod;
private Boolean _isEnabled = false; private Boolean _isEnabled = false;
@ -70,6 +73,10 @@ public class OidcConfigs {
configs, configs,
OIDC_CLIENT_NAME_CONFIG_PATH, OIDC_CLIENT_NAME_CONFIG_PATH,
DEFAULT_OIDC_CLIENT_NAME); DEFAULT_OIDC_CLIENT_NAME);
_clientAuthenticationMethod = getOptional(
configs,
OIDC_CLIENT_AUTHENTICATION_METHOD_CONFIG_PATH,
DEFAULT_OIDC_CLIENT_AUTHENTICATION_METHOD);
} }
} }
@ -105,6 +112,10 @@ public class OidcConfigs {
return _clientName; return _clientName;
} }
public String getClientAuthenticationMethod() {
return _clientAuthenticationMethod;
}
private String getRequired(final com.typesafe.config.Config configs, final String path) { private String getRequired(final com.typesafe.config.Config configs, final String path) {
if (!configs.hasPath(path)) { if (!configs.hasPath(path)) {
throw new IllegalArgumentException( throw new IllegalArgumentException(
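Review bot: The new getter `getClientAuthenticationMethod()` has no Javadoc, unlike the nearby constant and default which sit under a `Default values` header, and the value read via `getOptional` in the constructor hunk (`_clientAuthenticationMethod = getOptional(...)`) is not validated, so an empty or unsupported string reaches pac4j unchanged. Suggest documenting the contract on the getter: `/** Client authentication method sent to the token endpoint, e.g. client_secret_basic (default) or client_secret_post; not validated here. */`. Whether the constructor should also reject values outside the methods the provider advertises depends on how pac4j handles unknown methods, which this hunk does not show; the constructor itself begins outside the hunk.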


@ -118,6 +118,7 @@ auth.baseUrl = ${?AUTH_OIDC_BASE_URL} # The base URL associated with your DataHu
auth.oidc.userNameClaim = ${?AUTH_OIDC_USER_NAME_CLAIM} # The attribute / claim used to derive the DataHub username. Defaults to "preferred_username". auth.oidc.userNameClaim = ${?AUTH_OIDC_USER_NAME_CLAIM} # The attribute / claim used to derive the DataHub username. Defaults to "preferred_username".
auth.oidc.userNameClaimRegex = ${?AUTH_OIDC_USER_NAME_CLAIM_REGEX} # The regex used to parse the DataHub username from the user name claim. Defaults to (.*) (all) auth.oidc.userNameClaimRegex = ${?AUTH_OIDC_USER_NAME_CLAIM_REGEX} # The regex used to parse the DataHub username from the user name claim. Defaults to (.*) (all)
auth.oidc.scope = ${?AUTH_OIDC_SCOPE} # String representing the requested scope from the IdP. Defaults to "oidc email profile" auth.oidc.scope = ${?AUTH_OIDC_SCOPE} # String representing the requested scope from the IdP. Defaults to "oidc email profile"
auth.oidc.clientAuthenticationMethod = ${?AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD} # Which authentication method to use to pass credentials (clientId and clientSecret) to the token endpoint: Defaults to "client_secret_basic"
# #
# By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc. # By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc.
# For example, the default callback URL for a local deployment of DataHub would be "http://localhost:9002/callback/oidc". # For example, the default callback URL for a local deployment of DataHub would be "http://localhost:9002/callback/oidc".
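Review bot: The comment on the new `auth.oidc.clientAuthenticationMethod` line states the default but not the accepted values, so an operator has to read OidcConfigs or the pac4j source to learn what to set; the stray colon before "Defaults" also reads as a cut-off sentence. Suggest `# Which authentication method to use to pass credentials (clientId and clientSecret) to the token endpoint, e.g. "client_secret_basic" (HTTP Basic header) or "client_secret_post" (form parameters). Defaults to "client_secret_basic"`.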


@ -81,6 +81,7 @@ you to specify the OIDC scopes requested & how the DataHub username is parsed fr
AUTH_OIDC_USER_NAME_CLAIM=your-custom-claim AUTH_OIDC_USER_NAME_CLAIM=your-custom-claim
AUTH_OIDC_USER_NAME_CLAIM_REGEX=your-custom-regex AUTH_OIDC_USER_NAME_CLAIM_REGEX=your-custom-regex
AUTH_OIDC_SCOPE=your-custom-scope AUTH_OIDC_SCOPE=your-custom-scope
AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD=authentication-method
``` ```
- `AUTH_OIDC_USER_NAME_CLAIM`: The attribute that will contain the username used on the DataHub platform. By default, this is "preferred_username" provided - `AUTH_OIDC_USER_NAME_CLAIM`: The attribute that will contain the username used on the DataHub platform. By default, this is "preferred_username" provided
@ -90,6 +91,9 @@ the userNameClaim field will contain an email address, and we want to omit the d
regex to do so. (e.g. `([^@]+)`) regex to do so. (e.g. `([^@]+)`)
- `AUTH_OIDC_SCOPE`: a string representing the scopes to be requested from the identity provider, granted by the end user. For more info, - `AUTH_OIDC_SCOPE`: a string representing the scopes to be requested from the identity provider, granted by the end user. For more info,
see [OpenID Connect Scopes](https://auth0.com/docs/scopes/openid-connect-scopes). see [OpenID Connect Scopes](https://auth0.com/docs/scopes/openid-connect-scopes).
- `AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD`: a string representing the token authentication method to use with the identity provider. Default value
is `client_secret_basic`, which uses HTTP Basic authentication. Another option is `client_secret_post`, which includes the client_id and secret_id
as form parameters in the HTTP POST request. For more info, see [OAuth 2.0 Client Authentication](https://darutk.medium.com/oauth-2-0-client-authentication-4b5f929305d4)
Once configuration has been updated, `datahub-frontend-react` will need to be restarted to pick up the new environment variables: Once configuration has been updated, `datahub-frontend-react` will need to be restarted to pick up the new environment variables: