feat(auth): add grant type and acr values to OIDC configs

datahub-project · Jun 27, 2024 · 35be1fb · 35be1fb
1 parent 1ae5bfc
commit 35be1fb
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java b/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java
@@ -163,6 +163,8 @@ public Builder from(final com.typesafe.config.Config configs) {
       responseType = getOptional(configs, OIDC_RESPONSE_TYPE);
       responseMode = getOptional(configs, OIDC_RESPONSE_MODE);
       useNonce = getOptional(configs, OIDC_USE_NONCE).map(Boolean::parseBoolean);
+      grantType = getOptional(configs, OIDC_GRANT_TYPE, DEFAULT_OIDC_GRANT_TYPE);
+      acrValues = getOptional(configs, OIDC_ACR_VALUES, DEFAULT_OIDC_ACR_VALUES);
       customParamResource = getOptional(configs, OIDC_CUSTOM_PARAM_RESOURCE);
       readTimeout = getOptional(configs, OIDC_READ_TIMEOUT, DEFAULT_OIDC_READ_TIMEOUT);
       extractJwtAccessTokenClaims =

diff --git a/datahub-frontend/app/auth/sso/oidc/OidcProvider.java b/datahub-frontend/app/auth/sso/oidc/OidcProvider.java
@@ -48,7 +48,7 @@ public SsoProtocol protocol() {
     return SsoProtocol.OIDC;
   }
 
-  private Client<OidcCredentials> createPac4jClient() {
+  private Client<OidcCredentials, OidcProfile> createPac4jClient() {
     final OidcConfiguration oidcConfiguration = new OidcConfiguration();
     oidcConfiguration.setClientId(_oidcConfigs.getClientId());
     oidcConfiguration.setSecret(_oidcConfigs.getClientSecret());
@@ -75,6 +75,7 @@ private Client<OidcCredentials> createPac4jClient() {
               oidcConfiguration.setPreferredJwsAlgorithm(preferred);
             });
 
+    oidcConfiguration.setCustomParams(ImmutableMap.of("grant_type", _oidcConfigs.getGrantType(), "acr_values", _oidcConfigs.getAcrValues()));
     final CustomOidcClient oidcClient = new CustomOidcClient(oidcConfiguration);
     oidcClient.setName(OIDC_CLIENT_NAME);
     oidcClient.setCallbackUrl(

diff --git a/datahub-frontend/conf/application.conf b/datahub-frontend/conf/application.conf
@@ -187,6 +187,9 @@ auth.oidc.readTimeout = ${?AUTH_OIDC_READ_TIMEOUT}
 auth.oidc.extractJwtAccessTokenClaims = ${?AUTH_OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS} # Whether to extract claims from JWT access token.  Defaults to false.
 auth.oidc.preferredJwsAlgorithm = ${?AUTH_OIDC_PREFERRED_JWS_ALGORITHM} # Which jws algorithm to use
 
+auth.oidc.acrValues = ${?AUTH_OIDC_ACR_VALUES}
+auth.oidc.grantType = ${?AUTH_OIDC_GRANT_TYPE}
+
 #
 # By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc.
 # For example, the default callback URL for a local deployment of DataHub would be "http://localhost:9002/callback/oidc".