From e8e808257336c2c4eb07915bb457024a5d3c8749 Mon Sep 17 00:00:00 2001
From: Rishabh Singh <6513075+findingrish@users.noreply.github.com>
Date: Tue, 28 Mar 2023 14:50:00 +0530
Subject: [PATCH] Update OIDCConfig with scope information (#13973)

Allow users to provide custom scope through OIDC configuration

---
 docs/development/extensions-core/druid-pac4j.md | 1 +
 .../apache/druid/security/pac4j/OIDCConfig.java | 15 ++++++++++++++-
 .../druid/security/pac4j/Pac4jAuthenticator.java | 1 +
 .../druid/security/pac4j/OIDCConfigTest.java | 8 ++++++--
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/docs/development/extensions-core/druid-pac4j.md b/docs/development/extensions-core/druid-pac4j.md
index 54833f7a647..cdd2ab0cf05 100644
--- a/docs/development/extensions-core/druid-pac4j.md
+++ b/docs/development/extensions-core/druid-pac4j.md
@@ -54,3 +54,4 @@ druid.auth.authenticator.jwt.type=jwt
 |`druid.auth.pac4j.oidc.clientSecret`|OAuth Client Application secret. It can be provided as plaintext string or The [Password Provider](../../operations/password-provider.md).|none|Yes|
 |`druid.auth.pac4j.oidc.discoveryURI`|discovery URI for fetching OP metadata [see this](http://openid.net/specs/openid-connect-discovery-1_0.html).|none|Yes|
 |`druid.auth.pac4j.oidc.oidcClaim`|[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) that will be extracted from the ID Token after validation.|name|No|
+|`druid.auth.pac4j.oidc.scope`| scope is used by an application during authentication to authorize access to a user's details |`openid profile email`|No
diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
index 0bc30fd9106..37618141655 100644
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
@@ -24,6 +24,8 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.base.Preconditions;
 import org.apache.druid.metadata.PasswordProvider;
 
+import javax.annotation.Nullable;
+
 public class OIDCConfig
 {
 private final String DEFAULT_SCOPE = "name";
@@ -39,18 +41,23 @@ public class OIDCConfig
 @JsonProperty
 private final String oidcClaim;
 
+ @JsonProperty
+ private final String scope;
+
 @JsonCreator
 public OIDCConfig(
 @JsonProperty("clientID") String clientID,
 @JsonProperty("clientSecret") PasswordProvider clientSecret,
 @JsonProperty("discoveryURI") String discoveryURI,
- @JsonProperty("oidcClaim") String oidcClaim
+ @JsonProperty("oidcClaim") String oidcClaim,
+ @JsonProperty("scope") @Nullable String scope
 )
 {
 this.clientID = Preconditions.checkNotNull(clientID, "null clientID");
 this.clientSecret = Preconditions.checkNotNull(clientSecret, "null clientSecret");
 this.discoveryURI = Preconditions.checkNotNull(discoveryURI, "null discoveryURI");
 this.oidcClaim = oidcClaim == null ? DEFAULT_SCOPE : oidcClaim;
+ this.scope = scope;
 }
 
 @JsonProperty
@@ -76,4 +83,10 @@ public class OIDCConfig
 {
 return oidcClaim;
 }
+
+ @JsonProperty
+ public String getScope()
+ {
+ return scope;
+ }
 }
diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
index 2ca500020f6..b63fcdf7277 100644
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
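Review bot: The constructor stores the new field unvalidated at `this.scope = scope;`, so an operator-supplied value that is blank or omits `openid` reaches pac4j unchanged; an authorization request without the `openid` scope is not an OpenID Connect request and the OP is not required to issue an ID token, leaving the `oidcClaim` this class exists to extract with nothing to read. A startup-time check such as `Preconditions.checkArgument(scope == null || scope.contains("openid"), "scope must include openid");` (or a whitespace-split equivalent) would surface the misconfiguration before the first login instead of at login time. Now that a real `scope` field exists, the context line `private final String DEFAULT_SCOPE = "name";` reads as this field's default although it is the `oidcClaim` default; `DEFAULT_CLAIM` would be the accurate name. `getScope()` also has no Javadoc; something like `/** Space-separated scopes requested from the OP, or null to leave the pac4j default in place. */` would record that the `openid profile email` default quoted in the docs hunk is supplied by pac4j, not by this class.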
@@ -130,6 +130,7 @@ public class Pac4jAuthenticator implements Authenticator
 oidcConf.setClientId(oidcConfig.getClientID());
 oidcConf.setSecret(oidcConfig.getClientSecret().getPassword());
 oidcConf.setDiscoveryURI(oidcConfig.getDiscoveryURI());
+ oidcConf.setScope(oidcConfig.getScope());
 oidcConf.setExpireSessionWithToken(true);
 oidcConf.setUseNonce(true);
 oidcConf.setReadTimeout(Ints.checkedCast(pac4jCommonConfig.getReadTimeout().getMillis()));
diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
index b5d4119c293..c4192c020df 100644
--- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
+++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
@@ -33,7 +33,8 @@ public class OIDCConfigTest
 String jsonStr = "{\n"
 + " \"clientID\": \"testid\",\n"
 + " \"clientSecret\": \"testsecret\",\n"
- + " \"discoveryURI\": \"testdiscoveryuri\"\n"
+ + " \"discoveryURI\": \"testdiscoveryuri\",\n"
+ + " \"scope\": \"testscope\"\n"
 + "}\n";
 
 OIDCConfig conf = jsonMapper.readValue(
@@ -44,6 +45,7 @@ public class OIDCConfigTest
 Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
 Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
 Assert.assertEquals("name", conf.getOidcClaim());
+ Assert.assertEquals("testscope", conf.getScope());
 }
 
 @Test
@@ -55,7 +57,8 @@ public class OIDCConfigTest
 + " \"clientID\": \"testid\",\n"
 + " \"clientSecret\": \"testsecret\",\n"
 + " \"discoveryURI\": \"testdiscoveryuri\",\n"
- + " \"oidcClaim\": \"email\"\n"
+ + " \"oidcClaim\": \"email\",\n"
+ + " \"scope\": \"testscope\"\n"
 + "}\n";
 
 OIDCConfig conf = jsonMapper.readValue(
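Review bot: `oidcConf.setScope(oidcConfig.getScope());` is called unconditionally, so when no scope is configured the pac4j `OidcConfiguration` receives an explicit null; whether pac4j then falls back to its own `openid profile email` default or sends an authorization request with no scope at all depends on the pac4j version in use, which this hunk does not show. Guarding the call keeps pac4j's default intact regardless: `if (oidcConfig.getScope() != null) { oidcConf.setScope(oidcConfig.getScope()); }`. The enclosing method starts and ends outside this hunk.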
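Review bot: Both tests in OIDCConfigTest now supply `"scope": "testscope"`, so the configuration path where the key is absent — the documented default and the one most deployments will use — is no longer exercised, and `getScope()` is never asserted for that case. Adding a case that omits the key and checks `Assert.assertNull(conf.getScope());` would pin the behaviour that the authenticator relies on when it forwards the value to pac4j. The same gap applies to the hunk at `@@ -55,7 +57,8 @@` and to the final hunk of this file.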
@@ -67,5 +70,6 @@ public class OIDCConfigTest
 Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
 Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
 Assert.assertEquals("email", conf.getOidcClaim());
+ Assert.assertEquals("testscope", conf.getScope());
 }
 }