Update OIDCConfig with scope information (#13973)

Allow users to provide custom scope through OIDC configuration
apache · Mar 28, 2023 · e8e8082 · e8e8082
1 parent d5b1b5b
commit e8e8082
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 3 deletions.
diff --git a/docs/development/extensions-core/druid-pac4j.md b/docs/development/extensions-core/druid-pac4j.md
@@ -54,3 +54,4 @@ druid.auth.authenticator.jwt.type=jwt
 |`druid.auth.pac4j.oidc.clientSecret`|OAuth Client Application secret. It can be provided as plaintext string or The [Password Provider](../../operations/password-provider.md).|none|Yes|
 |`druid.auth.pac4j.oidc.discoveryURI`|discovery URI for fetching OP metadata [see this](http://openid.net/specs/openid-connect-discovery-1_0.html).|none|Yes|
 |`druid.auth.pac4j.oidc.oidcClaim`|[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) that will be extracted from the ID Token after validation.|name|No|
+|`druid.auth.pac4j.oidc.scope`| scope is used by an application during authentication to authorize access to a user's details                                                                                                       |`openid profile email`|No
diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/OIDCConfig.java
@@ -24,6 +24,8 @@
 import com.google.common.base.Preconditions;
 import org.apache.druid.metadata.PasswordProvider;
 
+import javax.annotation.Nullable;
+
 public class OIDCConfig
 {
   private final String DEFAULT_SCOPE = "name";
@@ -39,18 +41,23 @@ public class OIDCConfig
   @JsonProperty
   private final String oidcClaim;
 
+  @JsonProperty
+  private final String scope;
+
   @JsonCreator
   public OIDCConfig(
       @JsonProperty("clientID") String clientID,
       @JsonProperty("clientSecret") PasswordProvider clientSecret,
       @JsonProperty("discoveryURI") String discoveryURI,
-      @JsonProperty("oidcClaim") String oidcClaim
+      @JsonProperty("oidcClaim") String oidcClaim,
+      @JsonProperty("scope") @Nullable String scope
   )
   {
     this.clientID = Preconditions.checkNotNull(clientID, "null clientID");
     this.clientSecret = Preconditions.checkNotNull(clientSecret, "null clientSecret");
     this.discoveryURI = Preconditions.checkNotNull(discoveryURI, "null discoveryURI");
     this.oidcClaim = oidcClaim == null ? DEFAULT_SCOPE : oidcClaim;
+    this.scope = scope;
   }
 
   @JsonProperty
@@ -76,4 +83,10 @@ public String getOidcClaim()
   {
     return oidcClaim;
   }
+
+  @JsonProperty
+  public String getScope()
+  {
+    return scope;
+  }
 }
diff --git a/...ns-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java b/...ns-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java
@@ -130,6 +130,7 @@ private Config createPac4jConfig(OIDCConfig oidcConfig)
     oidcConf.setClientId(oidcConfig.getClientID());
     oidcConf.setSecret(oidcConfig.getClientSecret().getPassword());
     oidcConf.setDiscoveryURI(oidcConfig.getDiscoveryURI());
+    oidcConf.setScope(oidcConfig.getScope());
     oidcConf.setExpireSessionWithToken(true);
     oidcConf.setUseNonce(true);
     oidcConf.setReadTimeout(Ints.checkedCast(pac4jCommonConfig.getReadTimeout().getMillis()));

diff --git a/...nsions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java b/...nsions-core/druid-pac4j/src/test/java/org/apache/druid/security/pac4j/OIDCConfigTest.java
@@ -33,7 +33,8 @@ public void testSerde() throws Exception
     String jsonStr = "{\n"
                      + "  \"clientID\": \"testid\",\n"
                      + "  \"clientSecret\": \"testsecret\",\n"
-                     + "  \"discoveryURI\": \"testdiscoveryuri\"\n"
+                     + "  \"discoveryURI\": \"testdiscoveryuri\",\n"
+                     + "  \"scope\": \"testscope\"\n"
                      + "}\n";
 
     OIDCConfig conf = jsonMapper.readValue(
@@ -44,6 +45,7 @@ public void testSerde() throws Exception
     Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
     Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
     Assert.assertEquals("name", conf.getOidcClaim());
+    Assert.assertEquals("testscope", conf.getScope());
   }
 
   @Test
@@ -55,7 +57,8 @@ public void testSerdeWithoutDefaults() throws Exception
                      + "  \"clientID\": \"testid\",\n"
                      + "  \"clientSecret\": \"testsecret\",\n"
                      + "  \"discoveryURI\": \"testdiscoveryuri\",\n"
-                     + "  \"oidcClaim\": \"email\"\n"
+                     + "  \"oidcClaim\": \"email\",\n"
+                     + "  \"scope\": \"testscope\"\n"
                      + "}\n";
 
     OIDCConfig conf = jsonMapper.readValue(
@@ -67,5 +70,6 @@ public void testSerdeWithoutDefaults() throws Exception
     Assert.assertEquals("testsecret", conf.getClientSecret().getPassword());
     Assert.assertEquals("testdiscoveryuri", conf.getDiscoveryURI());
     Assert.assertEquals("email", conf.getOidcClaim());
+    Assert.assertEquals("testscope", conf.getScope());
   }
 }