[DSIP-88][Auth] Enhancing Apache DolphinScheduler with Generalized OIDC Authentication #17340
Introduces OIDC as a new authentication type in AuthenticationType and SecurityConfig. Adds OidcAuthenticator and related configuration classes to support OIDC providers, user mapping, and group-based roles. Includes unit tests for OIDC configuration and authenticator logic.
Introduces OIDC authentication support with provider configuration, auto-provisioning options, and admin group mapping. Adds 'base-url' and 'ui-url' properties for API and UI endpoints, and updates the database password.
Introduces OIDC authentication endpoints and logic to LoginController, including provider listing, OIDC login redirection, and callback handling. Updates AppConfiguration to allow new OIDC-related paths. Adds comprehensive unit tests for OIDC authentication scenarios in LoginControllerOidcTest and extends LoginControllerTest with additional login validation cases.
Can anyone help me identify or fix the error?

UTs have passed.
This commit introduces the complete frontend flow for OIDC authentication.
- API Integration: Adds the service calls (`getOidcProviders`) and TypeScript types (`OidcProvider`) needed to communicate with the backend.
- Dynamic UI: The login page now fetches and dynamically renders a styled button for each configured OIDC provider.
- Redirect Handling: Implements the logic in `use-login.ts` to handle the callback from the OIDC provider, establishing a user session seamlessly.
- Styling & others: Includes custom SCSS for the login buttons and updates localization files with new text.
…for OIDC providers
This commit addresses vulnerabilities, updates configuration examples, and resolves code quality issues flagged by CI in the OIDC implementation.
- Security:
  - Sanitize `providerId` in `OidcAuthenticator` before logging to prevent log injection.
  - Validate `providerId` in `LoginController` to fix a trust boundary violation.
- Refactor:
  - Removed unused `providerId` and `request` parameters from the OIDC callback method.
- Feature:
  - Added an `iconUri` field to `OidcProviderConfig` to support custom provider icons on the login page.
- Configuration:
  - Updated `application.yaml` to include the new `icon-uri` property in the Keycloak provider example, demonstrating the feature.
  - Improved the commented-out `issuer-uri` example for better use in containerized environments (e.g., Docker).
- Improves unit test coverage for the OIDC module by adding tests for failure scenarios, provider validation, and new fields like `iconUri`.
- Adds a null check in `LoginController` to gracefully redirect if the OIDC authorization URL fails to generate.
Expanded OIDC login API test coverage with additional negative and edge case scenarios, improved assertions, and refactored test structure. Updated OidcLoginPage to decouple from LoginPage and added helper methods for negative testing. Docker Compose and Keycloak realm export were updated for improved health checks, initialization, and OIDC configuration to support more robust integration testing.
…n Docker test environment
Refactored the OIDC API test environment and the `OidcLoginAPITest` class to improve stability, precision, and alignment with project best practices.
Environment Changes:
- Updated `docker-compose.yaml` to use the `apache/dolphinscheduler-standalone-server:ci` image.
- Removed the external MySQL and Zookeeper services; the test now leverages the default H2 database and embedded Zookeeper from the standalone server, simplifying the setup and increasing execution speed.
Test Logic Improvements:
- Added `@Slf4j` for logging in `OidcLoginAPITest`.
- Made the assertion in `testLoginEndpointDisabledInOidcMode` more precise by checking for a specific "HTTP 401 Unauthorized" status code instead of a generic non-200 response.
… issues
This commit includes a series of refactors and fixes to the OIDC authentication module in the API, as well as a formatting fix for the UI.
Backend (`dolphinscheduler-api`):
- LoginController:
  - Switched from field injection to constructor injection for all dependencies to align with modern Spring best practices and improve testability.
  - Added a leading slash to OIDC endpoint mappings (`/oidc-providers`, `/login/oauth2/code/{providerId}`) for consistency across the application.
  - Resolved a SonarQube warning by binding the `{providerId}` path variable in the OIDC callback handler and using it to validate the `state` parameter, enhancing security.
- OidcAuthenticator:
  - Eliminated duplicated string literals by introducing constants for the "email" attribute and the log sanitization regex, resolving high-impact SonarQube issues.
Frontend (`dolphinscheduler-ui`):
- Code Formatting:
  - Executed `pnpm run lint` to correct code style and formatting issues, ensuring the frontend build passes all CI checks.
Added specific OIDC error statuses to the Status enum and improved error handling in OidcAuthenticator for token exchange and ID token validation. Refactored SecurityConfig and OidcAuthenticator to use constructor-based dependency injection for OIDC configuration and UsersService, ensuring required beans are present for OIDC authentication.
Expanded authentication documentation to include OIDC (OpenID Connect) support, detailing configuration steps for various providers and local development with Keycloak. Added a new guide for setting up a local OIDC environment and updated API test README with instructions for running OIDC-related API tests using Docker and Testcontainers.
Refactored OIDC authentication to use ApiConfig for base and UI URLs, improving configuration consistency. Enhanced logging by sanitizing sensitive state and provider IDs. Updated documentation for OIDC setup, removed unused constructor in HttpResponse, and added OidcLoginAPITest to the API test workflow.
Adds a null check for missing OIDC providers in OidcAuthenticator to prevent errors. Updates related tests to mock ApiConfig instead of using a `@Value` property, and adjusts test setup accordingly. Also updates OidcLoginPage to use an empty HashMap for request parameters.
75bd2ab to 10a6edd

Is it safe to place this in 3.3.2?
…tusaryan/dolphinscheduler into feature/17171-oidc-core-backend
This commit resolves a proper role synchronization logic and adds a comprehensive API test suite to validate the entire OIDC feature.
The solution involved these changes:
1. Implement Role Synchronization on Every Login:
   - The logic in `OidcAuthenticator` has been refactored to check and update a user's role on every login, not just on initial creation. This ensures the OIDC provider remains the single source of truth for user roles.
   - A new, simplified `updateUser(User user)` method was added to the `UsersService` layer to support this synchronization in a clean, decoupled manner.
2. Fix Configuration Property Loading:
   - A subtle but critical bug was fixed where nested OIDC configuration properties (specifically `security.authentication.oidc.user.admin-group-mapping`) were not being loaded from `application.yaml`.
   - This was resolved by adding the `@NestedConfigurationProperty` annotation in `OidcConfigProperties`, which is the standard Spring Boot practice for ensuring nested configuration objects are correctly populated.
3. Improved OIDC API Test Suite:
   - The test suite provides coverage for:
     - Correct redirect behavior for valid and invalid providers.
     - Graceful handling of OIDC callback errors and malformed requests.
     - Security policy enforcement (verifying password login is disabled in OIDC mode).
     - A full, successful login simulation for a general user to ensure no regressions.
4. Other improvements include:
   - Replaced the `sanitizeForLogging` method in `OidcAuthenticator` with the existing `RegexUtils.escapeNRT` method to promote code reuse and remove redundant code.
   - API test cleanup: Introduce enums to replace scattered hardcoded delimiters and HTML entity constants. Apply replacements only where they improved clarity and maintainability.
This commit resolves a critical issue where OIDC user roles were not correctly assigned or updated. It introduces robust role synchronization on every login, adds a test to check Admin User Successful Login in the API test, and improves the developer documentation.
Change Log:
1. Fix Role Synchronization bug in OidcAuthenticator: The logic in `OidcAuthenticator` has been refactored to check and update a user's role on every login, not just on initial creation. This ensures the OIDC provider remains the single source of truth for user roles and closes a security vulnerability where role de-provisioning was ignored.
2. Enhance the OIDC API Test to cover a full, successful login simulation for admin users.
3. Updated the development documentation to use the Maven Wrapper (`./mvnw`) instead of the local `mvn` command. This ensures all contributors use the same Maven version as the project, reducing version compatibility issues and developer setup overhead.
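The role synchronization described in the two commit messages above, as an added example that is not the project's `OidcAuthenticator`: a stand-alone Java sketch in which the role is recomputed from the groups the IdP asserted on every login and written back whenever it differs from the stored user, so a user removed from the admin group is demoted at the next login instead of keeping the role granted at creation. `LocalUser`, `RoleSync`, the `ds-admins` group name and the 0/1 role encoding are assumptions made for this example.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Minimal stand-in for DolphinScheduler's User entity (hypothetical).
final class LocalUser {
    final String userName;
    int userType; // 0 = admin, 1 = general user (encoding assumed for this example)
    LocalUser(String userName, int userType) { this.userName = userName; this.userType = userType; }
}

public class RoleSync {
    static final int ADMIN = 0;
    static final int GENERAL = 1;
    private final Set<String> adminGroups;          // stands in for the admin-group-mapping config
    private final Map<String, LocalUser> userStore; // stands in for UsersService

    RoleSync(Set<String> adminGroups, Map<String, LocalUser> userStore) {
        this.adminGroups = adminGroups;
        this.userStore = userStore;
    }

    // The role comes from the groups the IdP asserted on THIS login, never from the stored user.
    static int roleFor(List<String> groups, Set<String> adminGroups) {
        return groups.stream().anyMatch(adminGroups::contains) ? ADMIN : GENERAL;
    }

    // Runs on every successful callback: provision a new user, otherwise re-sync the role.
    LocalUser onLogin(String userName, List<String> groups) {
        int role = roleFor(groups, adminGroups);
        LocalUser user = userStore.get(userName);
        if (user == null) {
            user = new LocalUser(userName, role);
            userStore.put(userName, user);
        } else if (user.userType != role) { // the case a create-only mapping misses
            user.userType = role;
            userStore.put(userName, user); // persist the change (updateUser in the PR)
        }
        return user;
    }

    public static void main(String[] args) {
        RoleSync sync = new RoleSync(Set.of("ds-admins"), new HashMap<>());
        // Constructed claims: the first login carries the admin group, the second does not.
        int afterFirst = sync.onLogin("alice", List.of("ds-admins", "engineering")).userType;
        int afterSecond = sync.onLogin("alice", List.of("engineering")).userType;
        System.out.println("alice role after logins: " + afterFirst + " then " + afterSecond);
    }
}
```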
…DC Authentication (apache#17340)
Purpose of the pull request
This pull request introduces end-to-end support for OIDC (OpenID Connect) authentication, as outlined in DSIP-88. This feature enhances Apache DolphinScheduler by allowing users to log in via configured external identity providers like Keycloak, Okta, Google, etc.
This single, comprehensive PR delivers the complete feature, including:
- An `OidcAuthenticator` service to handle all OIDC protocol interactions.
By enabling this, DolphinScheduler becomes more accessible and secure for enterprise environments that rely on centralized identity management.
Closes: #17171
Brief change log
It covers the implementation of the OIDC feature across the backend, frontend, and testing modules.
Core Backend & API
- Configuration classes (`OidcConfigProperties`, `OidcProviderConfig`, `OidcUserConfig`) to load OIDC settings from `application.yaml`.
- `OidcAuthenticator` class using the Nimbus SDK to handle OIDC discovery, token exchange, and user information retrieval.
- `LoginController` to manage the OIDC flow:
  - `/oidc-providers`: Exposes the list of configured providers to the UI.
  - `/oauth2/authorization/{providerId}`: Initiates the login flow and redirects users.
  - `/login/oauth2/code/{providerId}`: Handles the callback from the IdP to create a user session.
- `AuthenticationType.java` and `SecurityConfig.java` to register OIDC as a new authentication method.
- `AppConfiguration.java` to exclude the new OIDC endpoints from the login interceptor, allowing unauthenticated access for the login process.
Frontend UI
- `getOidcProviders` function and `OidcProvider` type definition in the service layer to fetch and handle provider data from the backend.
- `use-login.ts` hook to fetch providers on page load and to process the post-login callback by validating the `sessionId` from the URL.
- `index.tsx` login page now dynamically renders a styled button for each OIDC provider, complete with the provider's logo (`iconUri`) and an interactive hover effect defined in `index.module.scss`.
API & Integration Tests
- `OidcLoginAPITest.java`, to validate the entire OIDC login lifecycle.
- A Docker test environment (`docker-compose.yaml` and `realm-export.json`) that automatically sets up a Keycloak instance as the OIDC provider for realistic integration testing.
- The `HttpResponse` entity was updated to capture response headers, which is essential for validating the HTTP redirects in the OIDC flow.
Verify this pull request
This change is covered by both new automated tests and can be verified manually.
Automated Tests:
- A unit test suite (`OidcAuthenticatorTest`, `LoginControllerOidcTest`, etc.) has been added to verify the core backend logic.
- An API test (`OidcLoginAPITest`) has been added to validate the full API flow against a live Keycloak instance.
Manual Verification Steps:
- Configure the OIDC settings in `application.yaml`.
- Run the `dolphinscheduler-ui` service.
Pull Request Notice
If your pull request contains incompatible change, you should also add it to
docs/docs/en/guide/upgrade/incompatible.md