Posted to commits@druid.apache.org by ab...@apache.org on 2023/03/28 09:20:14 UTC

[druid] branch master updated: Update OIDCConfig with scope information (#13973)

This is an automated email from the ASF dual-hosted git repository.

abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new e8e8082573 Update OIDCConfig with scope information  (#13973)
e8e8082573 is described below

commit e8e808257336c2c4eb07915bb457024a5d3c8749
Author: Rishabh Singh <65...@users.noreply.github.com>
AuthorDate: Tue Mar 28 14:50:00 2023 +0530

    Update OIDCConfig with scope information  (#13973)
    
    Allow users to provide custom scope through OIDC configuration
---
 docs/development/extensions-core/druid-pac4j.md           |  1 +
 .../java/org/apache/druid/security/pac4j/OIDCConfig.java  | 15 ++++++++++++++-
 .../apache/druid/security/pac4j/Pac4jAuthenticator.java   |  1 +
 .../org/apache/druid/security/pac4j/OIDCConfigTest.java   |  8 ++++++--
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/docs/development/extensions-core/druid-pac4j.md b/docs/development/extensions-core/druid-pac4j.md
index 54833f7a64..cdd2ab0cf0 100644
--- a/docs/development/extensions-core/druid-pac4j.md
+++ b/docs/development/extensions-core/druid-pac4j.md
@@ -54,3 +54,4 @@ druid.auth.authenticator.jwt.type=jwt
 |`druid.auth.pac4j.oidc.clientSecret`|OAuth Client Application secret. It can be provided as plaintext string or The [Password Provider](../../operations/password-provider.md).|none|Yes|
 |`druid.auth.pac4j.oidc.discoveryURI`|discovery URI for fetching OP metadata [see this](http://openid.net/specs/openid-connect-discovery-1_0.html).|none|Yes|
 |`druid.auth.pac4j.oidc.oidcClaim`|[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) that will be extracted from the ID Token after validation.|name|No|
+|`druid.auth.pac4j.oidc.scope`| scope is used by an application during authentication to authorize access to a user's details                                                                                                       |`openid profile email`|No
diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
index 0bc30fd910..3761814165 100644
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
@@ -24,6 +24,8 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.base.Preconditions;
 import org.apache.druid.metadata.PasswordProvider;
 
+import javax.annotation.Nullable;
+
 public class OIDCConfig
 {
   private final String DEFAULT_SCOPE = "name";
@@ -39,18 +41,23 @@ public class OIDCConfig
   @JsonProperty
   private final String oidcClaim;
 
+  @JsonProperty
+  private final String scope;
+
   @JsonCreator
   public OIDCConfig(
       @JsonProperty("clientID") String clientID,
       @JsonProperty("clientSecret") PasswordProvider clientSecret,
       @JsonProperty("discoveryURI") String discoveryURI,
-      @JsonProperty("oidcClaim") String oidcClaim
+      @JsonProperty("oidcClaim") String oidcClaim,
+      @JsonProperty("scope") @Nullable String scope
   )
   {
     this.clientID = Preconditions.checkNotNull(clientID, "null clientID");
     this.clientSecret = Preconditions.checkNotNull(clientSecret, "null clientSecret");
     this.discoveryURI = Preconditions.checkNotNull(discoveryURI, "null discoveryURI");
     this.oidcClaim = oidcClaim == null ? DEFAULT_SCOPE : oidcClaim;
+    this.scope = scope;
   }
 
   @JsonProperty
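Review bot: `this.scope = scope;` stores the value with no default, so a configuration that omits `scope` leaves the field null while the docs changed in this same commit advertise `openid profile email` as the default; whether that default is then applied depends on how the pac4j `OidcConfiguration` treats a null scope, which the Druid side no longer makes explicit, and the Pac4jAuthenticator.java hunk hands the value straight through with `oidcConf.setScope(oidcConfig.getScope());`. Consider resolving the default here, mirroring how `oidcClaim` is handled on the preceding line: `this.scope = scope == null ? DEFAULT_SCOPE_VALUE : scope;` with `private static final String DEFAULT_SCOPE_VALUE = "openid profile email";` (constructed name). The existing field `DEFAULT_SCOPE` at the top of the class actually holds the default claim (`"name"`), so now that a real `scope` field exists it is worth renaming it to `DEFAULT_CLAIM` and making it `static final`, to avoid the two being confused. An operator-supplied scope that drops `openid` would break ID-token issuance (the OIDC spec requires it in the authentication request), so a `Preconditions.checkArgument` that the resolved scope contains `openid` would surface the misconfiguration when the config is loaded rather than at the first login attempt.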
@@ -76,4 +83,10 @@ public class OIDCConfig
   {
     return oidcClaim;
   }
+
+  @JsonProperty
+  public String getScope()
+  {
+    return scope;
+  }
 }
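Review bot: `getScope()` can return null, since the constructor accepts `@Nullable String scope` and stores it unchanged, yet the getter carries no `@Nullable` annotation even though the import was added in this commit. Annotating it `@Nullable public String getScope()` makes the contract visible at the call site in Pac4jAuthenticator, where the value is passed to `setScope` without a check. If a default is instead resolved in the constructor, the annotation becomes unnecessary and a one-line Javadoc stating the default (`openid profile email`, per the docs hunk) is enough.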
diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
index 2ca500020f..b63fcdf727 100644
--- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
+++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
@@ -130,6 +130,7 @@ public class Pac4jAuthenticator implements Authenticator
     oidcConf.setClientId(oidcConfig.getClientID());
     oidcConf.setSecret(oidcConfig.getClientSecret().getPassword());
     oidcConf.setDiscoveryURI(oidcConfig.getDiscoveryURI());
+    oidcConf.setScope(oidcConfig.getScope());
     oidcConf.setExpireSessionWithToken(true);
     oidcConf.setUseNonce(true);
     oidcConf.setReadTimeout(Ints.checkedCast(pac4jCommonConfig.getReadTimeout().getMillis()));
diff --git a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
index b5d4119c29..c4192c020d 100644
--- a/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
+++ b/extensions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
@@ -33,7 +33,8 @@ public class OIDCConfigTest
     String jsonStr = "{\n"
                      + "  \"clientID\": \"testid\",\n"
                      + "  \"clientSecret\": \"testsecret\",\n"
-                     + "  \"discoveryURI\": \"testdiscoveryuri\"\n"
+                     + "  \"discoveryURI\": \"testdiscoveryuri\",\n"
+                     + "  \"scope\": \"testscope\"\n"
                      + "}\n";
 
     OIDCConfig conf = jsonMapper.readValue(
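Review bot: Both updated tests now set `"scope": "testscope"` explicitly, so the path this commit changes for existing deployments — a configuration with no `scope` key — is no longer covered, and what `getScope()` returns in that case (null today) goes unasserted; the same applies to the `@@ -55,7 +57,8 @@` and `@@ -67,5 +70,6 @@` hunks of this file. Before this change the first test was effectively the "scope omitted" case; keeping one test without the key and adding `Assert.assertNull(conf.getScope());` (or an assertion on the documented default, if the constructor is made to supply one) would pin that behaviour. The enclosing test method starts before and ends after this hunk.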
@@ -44,6 +45,7 @@ public class OIDCConfigTest
     Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
     Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
     Assert.assertEquals("name", conf.getOidcClaim());
+    Assert.assertEquals("testscope", conf.getScope());
   }
 
   @Test
@@ -55,7 +57,8 @@ public class OIDCConfigTest
                      + "  \"clientID\": \"testid\",\n"
                      + "  \"clientSecret\": \"testsecret\",\n"
                      + "  \"discoveryURI\": \"testdiscoveryuri\",\n"
-                     + "  \"oidcClaim\": \"email\"\n"
+                     + "  \"oidcClaim\": \"email\",\n"
+                     + "  \"scope\": \"testscope\"\n"
                      + "}\n";
 
     OIDCConfig conf = jsonMapper.readValue(
@@ -67,5 +70,6 @@ public class OIDCConfigTest
     Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
     Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
     Assert.assertEquals("email", conf.getOidcClaim());
+    Assert.assertEquals("testscope", conf.getScope());
   }
 }

