Comments (11)
Hi @mavenzer
Implemented in #1611
We added a new boolean variable pkce, so you need to specify AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE.
We will try to release this feature during the current week.
We tested it locally using Keycloak with this config:
keycloak:
  provider: 'keycloak'
  client-id: 'odd-platform'
  client-secret:
  scope:
    - openid
  client-name: 'odd-platform'
  redirect-uri: 'http://localhost:8080/login/oauth2/code/keycloak'
  issuer-uri: 'http://localhost:8081/realms/odd-login'
  user-name-attribute: preferred_username
  admin-attribute: preferred_username
  admin-principals: admin
  pkce: true
from odd-platform.
Hi @mavenzer
auth.oauth2.client.{client-id}.redirect-uri. Redirect URL. Must be defined as {domain}/login/oauth2/code/{client-id}
but you defined it as
AUTH_OAUTH2_CLIENT_MOBILESSO_REDIRECT_URI= "https://omegastar.kalix.testserver.alexnet.com/login"
More info here - https://docs.opendatadiscovery.org/configuration-and-deployment/enable-security/authentication/oauth2-oidc#other-oidc-providers
from odd-platform.
Hi @mavenzer , thank you for your feedback.
Currently we do not support authentication using PKCE.
Could you please let us know:
- Do you have any workarounds for this?
- Do you have any time limits on how long you can use client_secret instead of PKCE? We will try to prioritise the implementation of this.
Also, could you please provide some logs from odd-platform?
from odd-platform.
Hi @Vladysl,
There is nothing specific in the logs (I'm attaching the logs below).
So by policy our SSO doesn't support client secrets, and currently only PKCE is supported.
We are also looking into the implementation of LDAP.
Platform logs:
[Spring Boot ASCII banner]
:: Spring Boot :: (v3.1.0)
2024-02-05T16:18:52.592Z INFO 1 --- [ main] o.o.oddplatform.ODDPlatformApplication : Starting ODDPlatformApplication using Java 17.0.2 with PID 1 (/app/classes started by 1005330000 in /app)
2024-02-05T16:18:52.596Z INFO 1 --- [ main] o.o.oddplatform.ODDPlatformApplication : No active profile set, falling back to 1 default profile: "default"
2024-02-05T16:18:56.495Z INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Multiple Spring Data modules found, entering strict repository configuration mode
2024-02-05T16:18:56.498Z INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data Redis repositories in DEFAULT mode.
2024-02-05T16:18:56.721Z INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 213 ms. Found 0 Redis repository interfaces.
2024-02-05T16:18:59.720Z INFO 1 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting...
2024-02-05T16:19:00.195Z INFO 1 --- [ main] com.zaxxer.hikari.pool.HikariPool : HikariPool-1 - Added connection org.postgresql.jdbc.PgConnection@7455204c
2024-02-05T16:19:00.197Z INFO 1 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed.
2024-02-05T16:19:00.400Z INFO 1 --- [ main] o.f.core.internal.command.DbValidate : Successfully validated 86 migrations (execution time 00:00.170s)
2024-02-05T16:19:00.411Z INFO 1 --- [ main] o.f.core.internal.command.DbMigrate : Current version of schema "public": 0.0.86
2024-02-05T16:19:00.412Z WARN 1 --- [ main] o.f.core.internal.command.DbMigrate : Schema "public" has a version (0.0.86) that is newer than the latest available migration (0.0.85) !
2024-02-05T16:19:00.413Z INFO 1 --- [ main] o.f.core.internal.command.DbMigrate : Schema "public" is up to date. No migration necessary.
2024-02-05T16:19:04.282Z INFO 1 --- [ main] org.reflections.Reflections : Reflections took 94 ms to scan 1 urls, producing 2 keys and 58 values
2024-02-05T16:19:06.021Z INFO 1 --- [ main] ctiveUserDetailsServiceAutoConfiguration :
Using generated security password: 4c22e6bc-7f86-43aa-91d8-6a5fd1ff910d
2024-02-05T16:19:08.197Z INFO 1 --- [ main] o.s.b.a.e.web.EndpointLinksResolver : Exposing 4 endpoint(s) beneath base path '/actuator'
2024-02-05T16:19:09.314Z INFO 1 --- [ main] o.s.b.web.embedded.netty.NettyWebServer : Netty started on port 8080
2024-02-05T16:19:09.403Z INFO 1 --- [ main] o.o.oddplatform.ODDPlatformApplication : Started ODDPlatformApplication in 17.703 seconds (process running for 18.38)
2024-02-05T16:27:31.850Z INFO 1 --- [tor-tcp-epoll-1] org.jooq.Constants :
[jOOQ ASCII logo] Thank you for using jOOQ 3.18.4
2024-02-05T16:27:31.851Z INFO 1 --- [tor-tcp-epoll-1] org.jooq.Constants :
jOOQ tip of the day: In order to improve cardinality estimates, it can be valuable to auto-inline bind variables on certain columns, e.g. on enum types: https://www.jooq.org/doc/latest/manual/sql-building/dsl-context/custom-settings/settings-auto-inline-bind-values/
2024-02-05T16:34:09.467Z INFO 1 --- [ scheduling-1] o.j.i.D.logVersionSupport : Version : Database version is supported by dialect POSTGRES: 15.3
from odd-platform.
Thanks @Vladysl for implementing it. One question which I wanted to ask whenever we are pulling the updated images:
To confirm, we need to add two env variables in the deployment manifest:
- name: AUTH_OAUTH2_CLIENT_MOBILESSO_CODE_CHALLENGE
  value: "RANDOM_STRING_GENERATED_HASHES"
- name: AUTH_OAUTH2_CLIENT_MOBILESSO_CHALLENGE_METHOD
  value: "S256"
Or do we need to add any other values as well?
from odd-platform.
Hi @mavenzer, we are using Spring Boot and, according to the documentation,
when you pass client-secret as an empty string and specify AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE=true,
we will apply PKCE. We are not controlling any CHALLENGE_METHOD or CODE_CHALLENGE.
In our case with Keycloak it was enough to perform authorization.
Also, for Keycloak we specified Challenge Method = S256.
If you have any specific cases, could you please describe them?
Example (screenshots in the original comment): auth page; invalid creds; valid creds.
from odd-platform.
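The exchange the maintainers describe above (empty client-secret, pkce=true, S256 on the IdP side) is the RFC 7636 authorization-code flow for a public client. The following is an added example, not odd-platform or Spring Security code: it generates a code_verifier, derives the S256 code_challenge, builds the authorization request (note that no client_secret appears anywhere), and uses a toy AuthorizationServer class, written for this example as a stand-in for Keycloak or the reporter's FedBroker, to show what the token endpoint checks. The endpoint, domain, client_id and redirect_uri values are constructed placeholders.

```python
"""PKCE (RFC 7636) for the authorization-code flow, as a public client does it
when it has no client_secret: the client keeps a random code_verifier, sends
only its SHA-256 challenge in the authorization request, and proves possession
of the verifier at the token endpoint. AuthorizationServer is a toy stand-in
for the IdP written for this example; it is not odd-platform or Spring code."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def generate_code_verifier(length: int = 64) -> str:
    """RFC 7636 section 4.1: 43..128 characters from the unreserved set
    [A-Za-z0-9-._~]. token_urlsafe emits base64url characters, a subset."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return secrets.token_urlsafe(96)[:length]   # 96 random bytes -> 128 chars


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(authorize_endpoint, client_id, redirect_uri,
                            state, challenge, scope="openid"):
    """The URL the client redirects the browser to. No client_secret is sent,
    and the verifier itself never leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """Toy IdP: stores the challenge with the issued code and checks the
    verifier and redirect_uri when the code is exchanged. Codes are single-use."""

    def __init__(self, require_s256: bool = True):
        self.require_s256 = require_s256
        self._codes = {}  # code -> (challenge, method, redirect_uri)

    def authorize(self, redirect_uri, challenge, method="S256"):
        if self.require_s256 and method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (challenge, method, redirect_uri)
        return code

    def token(self, code, verifier, redirect_uri) -> bool:
        entry = self._codes.pop(code, None)      # a replayed code finds nothing
        if entry is None:
            return False
        challenge, method, registered_redirect = entry
        if redirect_uri != registered_redirect:  # must equal the authorize request's
            return False
        expected = code_challenge_s256(verifier) if method == "S256" else verifier
        return secrets.compare_digest(expected, challenge)


def run_flow():
    """Honest exchange, then three failures: wrong verifier, replayed code, and
    a redirect_uri different from the one in the authorization request."""
    client_id = "CLIENT_ID_TESTING_ODD"                   # constructed placeholder
    # Spring's OAuth2 client expects {domain}/login/oauth2/code/{registrationId}
    redirect_uri = "https://odd.example.com/login/oauth2/code/mobilesso"
    idp = AuthorizationServer()

    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    state = secrets.token_hex(16)
    build_authorization_url("https://idp.example.com/authorize", client_id,
                            redirect_uri, state, challenge)

    code = idp.authorize(redirect_uri, challenge)
    ok = idp.token(code, verifier, redirect_uri)
    replay = idp.token(code, verifier, redirect_uri)

    code = idp.authorize(redirect_uri, challenge)
    wrong_verifier = idp.token(code, generate_code_verifier(), redirect_uri)

    code = idp.authorize(redirect_uri, challenge)
    wrong_redirect = idp.token(code, verifier, "https://odd.example.com/login")
    return ok, wrong_verifier, replay, wrong_redirect


if __name__ == "__main__":
    print(run_flow())  # (True, False, False, False)
```

The point for the reporter's question about CODE_CHALLENGE and CHALLENGE_METHOD variables: the challenge is derived per request from a fresh verifier, so it cannot be a fixed configuration value; what the IdP must be told is only the allowed method (S256) and the exact redirect URI.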
Thanks a lot for the explanation. @Vladysl, is it possible for you to release an intermediate release (image release) to test the connection to our auth servers with PKCE?
from odd-platform.
@mavenzer @Vladysl the latest minor release with PKCE:
https://github.com/opendatadiscovery/odd-platform/pkgs/container/odd-platform/176555201?tag=0.23.1
from odd-platform.
Thanks a lot for the minor release. Really appreciate the efforts @AndreyNenashev @Vladysl .
from odd-platform.
Hi @Vladysl,
I have applied the same configs as mentioned by you:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: odd-helm-odd-platform
  labels:
    helm.sh/chart: odd-platform-0.1.6
    app.kubernetes.io/name: odd-platform-test
    app.kubernetes.io/instance: odd-helm-v1
    app.kubernetes.io/version: "latest"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: odd-platform-test
      app.kubernetes.io/instance: odd-helm-v1
  template:
    metadata:
      labels:
        app.kubernetes.io/name: odd-platform-test
        app.kubernetes.io/instance: odd-helm-v1
    spec:
      serviceAccountName: odd-helm-v1-odd-platform-test
      securityContext: {}
      containers:
        - name: odd-platform
          securityContext: {}
          image: "odd-platform:0.23.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: SPRING_DATASOURCE_URL
              value: "jdbc:postgresql://odd-postgresql.alex-testing-geting-cluster.svc.cluster.local/postgres"
            - name: SPRING_DATASOURCE_USERNAME
              value: postgres
            - name: SPRING_DATASOURCE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: odd-postgresql
                  key: postgres-password
            - name: AUTH_TYPE
              value: "OAUTH2"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_PROVIDER
              value: "mobilesso"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CLIENT_ID
              value: "CLIENT_ID_TESTING_ODD"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_PKCE
              value: "true"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CODE_CHALLENGE_METHOD
              value: "S256"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_SCOPE
              value: "openid,email"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_REDIRECT_URI
              value: "https://omegastar.kalix.testserver.alexnet.com/login"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_CLIENT_NAME
              value: "MobileSSO"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_ISSUER_URI
              value: "https://generic-v1-test-kalix.com/FedBroker"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_USER_NAME_ATTRIBUTE
              value: "email"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_ADMIN_ATTRIBUTE
              value: "email"
            - name: AUTH_OAUTH2_CLIENT_MOBILESSO_ADMIN_PRINCIPALS
              value: "[email protected]"
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 30
          readinessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 60
            timeoutSeconds: 30
          resources: {}
          volumeMounts: []
      volumes: []
Whenever I go to the URL (https://omegastar.kalix.testserver.alexnet.com/login) and enter the username and password, it returns and falls back to the same state (https://omegastar.kalix.testserver.alexnet.com/login?code=YSasasasASAXTSF7nf6YASASKLANSw50K4sWsC7LiDQmwfWd8kjESwAAAEs&state=cb5ace6d96e64530838fd2a6808b37b9), but I am not able to see the ODD interface.
Is there anything I'm missing in the configs?
Best Regards
from odd-platform.
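The maintainers' redirect-uri rule earlier in the thread (auth.oauth2.client.{client-id}.redirect-uri must be {domain}/login/oauth2/code/{client-id}) and the URL the reporter observes after login can both be checked mechanically. The following is an added example, not odd-platform code: it assumes the registration key is mobilesso (as the AUTH_OAUTH2_CLIENT_MOBILESSO_* names imply), derives the expected callback path from Spring Security's default /login/oauth2/code/{registrationId}, and classifies where an authorization response (code and state parameters) actually landed. OBSERVED_URL is the URL pasted in the comment above; the other URLs in the test are constructed.

```python
"""Checks for the redirect-uri rule: (1) does the configured value match
{domain}/login/oauth2/code/{registrationId}, the path Spring Security's OAuth2
client listens on; (2) given the URL the browser ends up on after the IdP
redirects back, did the authorization response reach that path at all.
Added example, not odd-platform or Spring code."""
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/login/oauth2/code/{registration_id}"  # Spring Security default


def env_var_name(registration_id: str, prop: str) -> str:
    """Spring relaxed binding: auth.oauth2.client.mobilesso.redirect-uri is read
    from the environment variable AUTH_OAUTH2_CLIENT_MOBILESSO_REDIRECT_URI."""
    return (f"AUTH_OAUTH2_CLIENT_{registration_id.upper()}_"
            f"{prop.upper().replace('-', '_')}")


def expected_redirect_uri(domain: str, registration_id: str) -> str:
    return domain.rstrip("/") + CALLBACK_PATH.format(registration_id=registration_id)


def check_redirect_uri(configured: str, domain: str, registration_id: str):
    """Return (ok, expected). Exact string comparison on purpose: authorization
    servers match redirect URIs literally, and the same value must be registered
    at the IdP and configured in the client."""
    expected = expected_redirect_uri(domain, registration_id)
    return configured == expected, expected


def diagnose_callback(observed_url: str, registration_id: str) -> str:
    """Classify the URL the browser lands on after the IdP redirects back.
    'ok'         code+state arrived on the Spring callback path; it will be exchanged
    'wrong_path' code+state arrived elsewhere (e.g. /login), so no filter handles
                 them, the code is never exchanged and the user stays logged out
    'idp_error'  the IdP returned an error parameter instead of a code
    'none'       no authorization response in the URL at all"""
    parts = urlsplit(observed_url)
    query = parse_qs(parts.query)
    expected_path = CALLBACK_PATH.format(registration_id=registration_id)
    if "error" in query:
        return "idp_error"
    if "code" in query and "state" in query:
        return "ok" if parts.path == expected_path else "wrong_path"
    return "none"


# URL pasted in the thread (the code/state values are whatever the reporter saw)
OBSERVED_URL = ("https://omegastar.kalix.testserver.alexnet.com/login"
                "?code=YSasasasASAXTSF7nf6YASASKLANSw50K4sWsC7LiDQmwfWd8kjESwAAAEs"
                "&state=cb5ace6d96e64530838fd2a6808b37b9")

if __name__ == "__main__":
    domain = "https://omegastar.kalix.testserver.alexnet.com"
    ok, expected = check_redirect_uri(domain + "/login", domain, "mobilesso")
    print(env_var_name("mobilesso", "redirect-uri"),
          "ok" if ok else f"should be {expected}")
    print(diagnose_callback(OBSERVED_URL, "mobilesso"))  # wrong_path
```

The same value that check_redirect_uri reports as expected has to be registered as an allowed redirect URI at the IdP; a mismatch on either side produces a redirect_uri error at the IdP or, as here, a code delivered to a path nothing consumes.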
Thanks a lot!
from odd-platform.