Update OIDCConfig with scope information (#13973)

Allow users to provide custom scope through OIDC configuration
2023-03-28 14:50:00 +05:30 · 2023-03-28 14:50:00 +05:30 · e8e8082573
parent d5b1b5bc8e
commit e8e8082573
4 changed files with 22 additions and 3 deletions
--- a/docs/development/extensions-core/druid-pac4j.md
+++ b/docs/development/extensions-core/druid-pac4j.md
@ -54,3 +54,4 @@ druid.auth.authenticator.jwt.type=jwt
 |`druid.auth.pac4j.oidc.clientSecret`|OAuth Client Application secret. It can be provided as plaintext string or The [Password Provider](../../operations/password-provider.md).|none|Yes|
 |`druid.auth.pac4j.oidc.discoveryURI`|discovery URI for fetching OP metadata [see this](http://openid.net/specs/openid-connect-discovery-1_0.html).|none|Yes|
 |`druid.auth.pac4j.oidc.oidcClaim`|[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) that will be extracted from the ID Token after validation.|name|No|
+|`druid.auth.pac4j.oidc.scope`| scope is used by an application during authentication to authorize access to a user's details                                                                                                       |`openid profile email`|No
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
@ -24,6 +24,8 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.base.Preconditions;
 import org.apache.druid.metadata.PasswordProvider;

+import javax.annotation.Nullable;
+
 public class OIDCConfig
 {
  private final String DEFAULT_SCOPE = "name";
@ -39,18 +41,23 @@ public class OIDCConfig
  @JsonProperty
  private final String oidcClaim;

+  @JsonProperty
+  private final String scope;
+
  @JsonCreator
  public OIDCConfig(
      @JsonProperty("clientID") String clientID,
      @JsonProperty("clientSecret") PasswordProvider clientSecret,
      @JsonProperty("discoveryURI") String discoveryURI,
-      @JsonProperty("oidcClaim") String oidcClaim
+      @JsonProperty("oidcClaim") String oidcClaim,
+      @JsonProperty("scope") @Nullable String scope
  )
  {
    this.clientID = Preconditions.checkNotNull(clientID, "null clientID");
    this.clientSecret = Preconditions.checkNotNull(clientSecret, "null clientSecret");
    this.discoveryURI = Preconditions.checkNotNull(discoveryURI, "null discoveryURI");
    this.oidcClaim = oidcClaim == null ? DEFAULT_SCOPE : oidcClaim;
+    this.scope = scope;
  }

  @JsonProperty
@ -76,4 +83,10 @@ public class OIDCConfig
  {
    return oidcClaim;
  }
+
+  @JsonProperty
+  public String getScope()
+  {
+    return scope;
+  }
 }
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
@ -130,6 +130,7 @@ public class Pac4jAuthenticator implements Authenticator
    oidcConf.setClientId(oidcConfig.getClientID());
    oidcConf.setSecret(oidcConfig.getClientSecret().getPassword());
    oidcConf.setDiscoveryURI(oidcConfig.getDiscoveryURI());
+    oidcConf.setScope(oidcConfig.getScope());
    oidcConf.setExpireSessionWithToken(true);
    oidcConf.setUseNonce(true);
    oidcConf.setReadTimeout(Ints.checkedCast(pac4jCommonConfig.getReadTimeout().getMillis()));
--- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
+++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
@ -33,7 +33,8 @@ public class OIDCConfigTest
    String jsonStr = "{\n"
                     + "  \"clientID\": \"testid\",\n"
                     + "  \"clientSecret\": \"testsecret\",\n"
-                     + "  \"discoveryURI\": \"testdiscoveryuri\"\n"
+                     + "  \"discoveryURI\": \"testdiscoveryuri\",\n"
+                     + "  \"scope\": \"testscope\"\n"
                     + "}\n";

    OIDCConfig conf = jsonMapper.readValue(
@ -44,6 +45,7 @@ public class OIDCConfigTest
    Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
    Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
    Assert.assertEquals("name", conf.getOidcClaim());
+    Assert.assertEquals("testscope", conf.getScope());
  }

  @Test
@ -55,7 +57,8 @@ public class OIDCConfigTest
                     + "  \"clientID\": \"testid\",\n"
                     + "  \"clientSecret\": \"testsecret\",\n"
                     + "  \"discoveryURI\": \"testdiscoveryuri\",\n"
-                     + "  \"oidcClaim\": \"email\"\n"
+                     + "  \"oidcClaim\": \"email\",\n"
+                     + "  \"scope\": \"testscope\"\n"
                     + "}\n";

    OIDCConfig conf = jsonMapper.readValue(
@ -67,5 +70,6 @@ public class OIDCConfigTest
    Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
    Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
    Assert.assertEquals("email", conf.getOidcClaim());
+    Assert.assertEquals("testscope", conf.getScope());
  }
 }