feat(auth): grant type and acr values custom oidc parameters support

datahub-project · Aug 7, 2024 · 2b856e1 · 2b856e1
1 parent 900c259
commit 2b856e1
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java b/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java
@@ -41,6 +41,8 @@ public class OidcConfigs extends SsoConfigs {
   public static final String OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS =
       "auth.oidc.extractJwtAccessTokenClaims";
   public static final String OIDC_PREFERRED_JWS_ALGORITHM = "auth.oidc.preferredJwsAlgorithm";
+  public static final String OIDC_GRANT_TYPE = "auth.oidc.grantType";
+  public static final String OIDC_ACR_VALUES = "auth.oidc.acrValues";
 
   /** Default values */
   private static final String DEFAULT_OIDC_USERNAME_CLAIM = "email";
@@ -75,7 +77,9 @@ public class OidcConfigs extends SsoConfigs {
   private final Optional<String> customParamResource;
   private final String readTimeout;
   private final Optional<Boolean> extractJwtAccessTokenClaims;
-  private Optional<String> preferredJwsAlgorithm;
+  private final Optional<String> preferredJwsAlgorithm;
+  private final Optional<String> grantType;
+  private final Optional<String> acrValues;
 
   public OidcConfigs(Builder builder) {
     super(builder);
@@ -98,6 +102,8 @@ public OidcConfigs(Builder builder) {
     this.readTimeout = builder.readTimeout;
     this.extractJwtAccessTokenClaims = builder.extractJwtAccessTokenClaims;
     this.preferredJwsAlgorithm = builder.preferredJwsAlgorithm;
+    this.acrValues = builder.acrValues;
+    this.grantType = builder.grantType;
   }
 
   public static class Builder extends SsoConfigs.Builder<Builder> {
@@ -123,6 +129,8 @@ public static class Builder extends SsoConfigs.Builder<Builder> {
     private String readTimeout = DEFAULT_OIDC_READ_TIMEOUT;
     private Optional<Boolean> extractJwtAccessTokenClaims = Optional.empty();
     private Optional<String> preferredJwsAlgorithm = Optional.empty();
+    private Optional<String> grantType = Optional.empty();
+    private Optional<String> acrValues = Optional.empty();
 
     public Builder from(final com.typesafe.config.Config configs) {
       super.from(configs);
@@ -169,6 +177,8 @@ public Builder from(final com.typesafe.config.Config configs) {
           getOptional(configs, OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS).map(Boolean::parseBoolean);
       preferredJwsAlgorithm =
           Optional.ofNullable(getOptional(configs, OIDC_PREFERRED_JWS_ALGORITHM, null));
+      grantType = Optional.ofNullable(getOptional(configs, OIDC_GRANT_TYPE, null));
+      acrValues = Optional.ofNullable(getOptional(configs, OIDC_ACR_VALUES, null));
       return this;
     }
 

diff --git a/datahub-frontend/app/auth/sso/oidc/OidcProvider.java b/datahub-frontend/app/auth/sso/oidc/OidcProvider.java
@@ -3,6 +3,8 @@
 import auth.sso.SsoProvider;
 import auth.sso.oidc.custom.CustomOidcClient;
 import com.google.common.collect.ImmutableMap;
+import java.util.HashMap;
+import java.util.Map;
 import lombok.extern.slf4j.Slf4j;
 import org.pac4j.core.client.Client;
 import org.pac4j.core.http.callback.PathParameterCallbackUrlResolver;
@@ -64,9 +66,19 @@ private Client<OidcCredentials> createPac4jClient() {
     _oidcConfigs.getResponseType().ifPresent(oidcConfiguration::setResponseType);
     _oidcConfigs.getResponseMode().ifPresent(oidcConfiguration::setResponseMode);
     _oidcConfigs.getUseNonce().ifPresent(oidcConfiguration::setUseNonce);
+    Map<String, String> customParamsMap = new HashMap<>();
     _oidcConfigs
         .getCustomParamResource()
-        .ifPresent(value -> oidcConfiguration.setCustomParams(ImmutableMap.of("resource", value)));
+        .ifPresent(value -> customParamsMap.put("resource", value));
+    _oidcConfigs
+        .getGrantType()
+        .ifPresent(value -> customParamsMap.put("grant_type", value));
+    _oidcConfigs
+        .getAcrValues()
+        .ifPresent(value -> customParamsMap.put("acr_values", value));
+    if (!customParamsMap.isEmpty()) {
+      oidcConfiguration.setCustomParams(customParamsMap);
+    }
     _oidcConfigs
         .getPreferredJwsAlgorithm()
         .ifPresent(

diff --git a/datahub-frontend/conf/application.conf b/datahub-frontend/conf/application.conf
@@ -1,4 +1,4 @@
-# This is the main configuration file for the application.
+datahub-frontend/conf/application.conf# This is the main configuration file for the application.
 # ~~~~~
 
 # Secret key
@@ -186,6 +186,8 @@ auth.oidc.customParam.resource = ${?AUTH_OIDC_CUSTOM_PARAM_RESOURCE}
 auth.oidc.readTimeout = ${?AUTH_OIDC_READ_TIMEOUT}
 auth.oidc.extractJwtAccessTokenClaims = ${?AUTH_OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS} # Whether to extract claims from JWT access token.  Defaults to false.
 auth.oidc.preferredJwsAlgorithm = ${?AUTH_OIDC_PREFERRED_JWS_ALGORITHM} # Which jws algorithm to use
+auth.oidc.acrValues = ${?AUTH_OIDC_ACR_VALUES}
+auth.oidc.grantType = ${?AUTH_OIDC_GRANT_TYPE}
 
 #
 # By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc.