feat(oidc): add options for preferred jws algorithm (#7245)

datahub-project · Feb 8, 2023 · fcc9dbb · fcc9dbb
1 parent b0d9d21
commit fcc9dbb
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 0 deletions.
diff --git a/datahub-frontend/app/auth/AuthUtils.java b/datahub-frontend/app/auth/AuthUtils.java
@@ -42,6 +42,7 @@ public class AuthUtils {
     public static final String SYSTEM_CLIENT_SECRET_CONFIG_PATH = "systemClientSecret";
 
     public static final String SESSION_TTL_CONFIG_PATH = "auth.session.ttlInHours";
+
     public static final Integer DEFAULT_SESSION_TTL_HOURS = 720;
     public static final CorpuserUrn DEFAULT_ACTOR_URN = new CorpuserUrn("datahub");
 

diff --git a/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java b/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java
@@ -38,6 +38,7 @@ public class OidcConfigs extends SsoConfigs {
     public static final String OIDC_CUSTOM_PARAM_RESOURCE = "auth.oidc.customParam.resource";
     public static final String OIDC_READ_TIMEOUT = "auth.oidc.readTimeout";
     public static final String OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS = "auth.oidc.extractJwtAccessTokenClaims";
+    public static final String OIDC_PREFERRED_JWS_ALGORITHM = "auth.oidc.preferredJwsAlgorithm";
 
     /**
      * Default values
@@ -71,6 +72,7 @@ public class OidcConfigs extends SsoConfigs {
     private Optional<String> customParamResource;
     private String readTimeout;
     private Optional<Boolean> extractJwtAccessTokenClaims;
+    private Optional<String> preferredJwsAlgorithm;
 
     public OidcConfigs(final com.typesafe.config.Config configs) {
         super(configs);
@@ -97,5 +99,6 @@ public OidcConfigs(final com.typesafe.config.Config configs) {
         customParamResource = getOptional(configs, OIDC_CUSTOM_PARAM_RESOURCE);
         readTimeout = getOptional(configs, OIDC_READ_TIMEOUT, DEFAULT_OIDC_READ_TIMEOUT);
         extractJwtAccessTokenClaims = getOptional(configs, OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS).map(Boolean::parseBoolean);
+        preferredJwsAlgorithm = Optional.ofNullable(getOptional(configs, OIDC_PREFERRED_JWS_ALGORITHM, null));
     }
 }
diff --git a/datahub-frontend/app/auth/sso/oidc/OidcProvider.java b/datahub-frontend/app/auth/sso/oidc/OidcProvider.java
@@ -65,6 +65,10 @@ private Client<OidcCredentials> createPac4jClient() {
     _oidcConfigs.getUseNonce().ifPresent(oidcConfiguration::setUseNonce);
     _oidcConfigs.getCustomParamResource()
         .ifPresent(value -> oidcConfiguration.setCustomParams(ImmutableMap.of("resource", value)));
+    _oidcConfigs.getPreferredJwsAlgorithm().ifPresent(preferred -> {
+      log.info("Setting preferredJwsAlgorithm: " + preferred);
+      oidcConfiguration.setPreferredJwsAlgorithm(preferred);
+    });
 
     final CustomOidcClient oidcClient = new CustomOidcClient(oidcConfiguration);
     oidcClient.setName(OIDC_CLIENT_NAME);

diff --git a/datahub-frontend/conf/application.conf b/datahub-frontend/conf/application.conf
@@ -169,6 +169,7 @@ auth.oidc.useNonce = ${?AUTH_OIDC_USE_NONCE}
 auth.oidc.customParam.resource = ${?AUTH_OIDC_CUSTOM_PARAM_RESOURCE}
 auth.oidc.readTimeout = ${?AUTH_OIDC_READ_TIMEOUT}
 auth.oidc.extractJwtAccessTokenClaims = ${?AUTH_OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS} # Whether to extract claims from JWT access token.  Defaults to false.
+auth.oidc.preferredJwsAlgorithm = ${?AUTH_OIDC_PREFERRED_JWS_ALGORITHM} # Which jws algorithm to use
 
 #
 # By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc.

diff --git a/docs/authentication/guides/sso/configure-oidc-react.md b/docs/authentication/guides/sso/configure-oidc-react.md
@@ -137,6 +137,10 @@ AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD=authentication-method
   is `client_secret_basic`, which uses HTTP Basic authentication. Another option is `client_secret_post`, which includes the client_id and secret_id
   as form parameters in the HTTP POST request. For more info, see [OAuth 2.0 Client Authentication](https://darutk.medium.com/oauth-2-0-client-authentication-4b5f929305d4)
 
+Additional OIDC Options:
+
+- `AUTH_OIDC_PREFERRED_JWS_ALGORITHM` - Can be used to select a preferred signing algorithm for id tokens. Examples include: `RS256` or `HS256`. If
+your IdP includes `none` before `RS256`/`HS256` in the list of signing algorithms, then this value **MUST** be set.
 
 ##### User & Group Provisioning (JIT Provisioning)