Add support for different oidc client authentication methods (#2691)

datahub-frontend/app/react/auth/AuthModule.java

@@ -107,6 +107,7 @@ public class AuthModule extends AbstractModule {
                 oidcConfiguration.setClientId(_oidcConfigs.getClientId());
                 oidcConfiguration.setSecret(_oidcConfigs.getClientSecret());
                 oidcConfiguration.setDiscoveryURI(_oidcConfigs.getDiscoveryUri());
+                oidcConfiguration.setClientAuthenticationMethodAsString(_oidcConfigs.getClientAuthenticationMethod());
                 oidcConfiguration.setScope(_oidcConfigs.getScope());
 
                 final OidcClient oidcClient = new OidcClient(oidcConfiguration);

datahub-frontend/app/react/auth/OidcConfigs.java

@@ -21,6 +21,7 @@ public class OidcConfigs {
     public static final String OIDC_USERNAME_CLAIM_REGEX_CONFIG_PATH = "auth.oidc.userNameClaimRegex";
     public static final String OIDC_SCOPE_CONFIG_PATH = "auth.oidc.scope";
     public static final String OIDC_CLIENT_NAME_CONFIG_PATH = "auth.oidc.clientName";
+    public static final String OIDC_CLIENT_AUTHENTICATION_METHOD_CONFIG_PATH = "auth.oidc.clientAuthenticationMethod";
 
     /**
      * Default values
@@ -29,6 +30,7 @@ public class OidcConfigs {
     private static final String DEFAULT_OIDC_USERNAME_CLAIM_REGEX = "(.*)";
     private static final String DEFAULT_OIDC_SCOPE = "openid profile email";
     private static final String DEFAULT_OIDC_CLIENT_NAME = "oidc";
+    private static final String DEFAULT_OIDC_CLIENT_AUTHENTICATION_METHOD = "client_secret_basic";
 
     private String _clientId;
     private String _clientSecret;
@@ -37,6 +39,7 @@ public class OidcConfigs {
     private String _userNameClaimRegex;
     private String _scope;
     private String _clientName;
+    private String _clientAuthenticationMethod;
 
     private Boolean _isEnabled = false;
 
@@ -70,6 +73,10 @@ public class OidcConfigs {
                     configs,
                     OIDC_CLIENT_NAME_CONFIG_PATH,
                     DEFAULT_OIDC_CLIENT_NAME);
+            _clientAuthenticationMethod = getOptional(
+                    configs,
+                    OIDC_CLIENT_AUTHENTICATION_METHOD_CONFIG_PATH,
+                    DEFAULT_OIDC_CLIENT_AUTHENTICATION_METHOD);
         }
     }
 
@@ -105,6 +112,10 @@ public class OidcConfigs {
         return _clientName;
     }
 
+    public String getClientAuthenticationMethod() {
+        return _clientAuthenticationMethod;
+    }
+
     private String getRequired(final com.typesafe.config.Config configs, final String path) {
         if (!configs.hasPath(path)) {
             throw new IllegalArgumentException(

datahub-frontend/conf/application.conf

@@ -118,6 +118,7 @@ auth.baseUrl = ${?AUTH_OIDC_BASE_URL} # The base URL associated with your DataHu
 auth.oidc.userNameClaim = ${?AUTH_OIDC_USER_NAME_CLAIM} # The attribute / claim used to derive the DataHub username. Defaults to "preferred_username".
 auth.oidc.userNameClaimRegex = ${?AUTH_OIDC_USER_NAME_CLAIM_REGEX} # The regex used to parse the DataHub username from the user name claim. Defaults to (.*) (all)
 auth.oidc.scope = ${?AUTH_OIDC_SCOPE} # String representing the requested scope from the IdP. Defaults to "oidc email profile"
+auth.oidc.clientAuthenticationMethod = ${?AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD} # Which authentication method to use to pass credentials (clientId and clientSecret) to the token endpoint: Defaults to "client_secret_basic"
 #
 # By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc.
 # For example, the default callback URL for a local deployment of DataHub would be "http://localhost:9002/callback/oidc".

docs/how/configure-oidc-react.md

@@ -81,6 +81,7 @@ you to specify the OIDC scopes requested & how the DataHub username is parsed fr
 AUTH_OIDC_USER_NAME_CLAIM=your-custom-claim
 AUTH_OIDC_USER_NAME_CLAIM_REGEX=your-custom-regex
 AUTH_OIDC_SCOPE=your-custom-scope
+AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD=authentication-method
 ```
 
 - `AUTH_OIDC_USER_NAME_CLAIM`: The attribute that will contain the username used on the DataHub platform. By default, this is "preferred_username" provided
@@ -90,6 +91,9 @@ the userNameClaim field will contain an email address, and we want to omit the d
 regex to do so. (e.g. `([^@]+)`)
 - `AUTH_OIDC_SCOPE`: a string representing the scopes to be requested from the identity provider, granted by the end user. For more info,
   see [OpenID Connect Scopes](https://auth0.com/docs/scopes/openid-connect-scopes).
+- `AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD`: a string representing the token authentication method to use with the identity provider. Default value
+is `client_secret_basic`, which uses HTTP Basic authentication. Another option is `client_secret_post`, which includes the client_id and secret_id 
+as form parameters in the HTTP POST request. For more info, see [OAuth 2.0 Client Authentication](https://darutk.medium.com/oauth-2-0-client-authentication-4b5f929305d4)
 
 Once configuration has been updated, `datahub-frontend-react` will need to be restarted to pick up the new environment variables: