fix(oidc): apply acr values to redirect url (#11447)

datahub-project · Sep 20, 2024 · a754d52 · a754d52
1 parent b17d776
commit a754d52
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 1 deletion.
diff --git a/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java b/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java
@@ -243,6 +243,9 @@ public Builder from(final com.typesafe.config.Config configs, final String ssoSe
             Optional.ofNullable(getOptional(configs, OIDC_PREFERRED_JWS_ALGORITHM, null));
       }
 
+      grantType = Optional.ofNullable(getOptional(configs, OIDC_GRANT_TYPE, null));
+      acrValues = Optional.ofNullable(getOptional(configs, OIDC_ACR_VALUES, null));
+
       return this;
     }
 

diff --git a/datahub-frontend/app/auth/sso/oidc/custom/CustomOidcClient.java b/datahub-frontend/app/auth/sso/oidc/custom/CustomOidcClient.java
@@ -18,7 +18,7 @@ public CustomOidcClient(final OidcConfiguration configuration) {
   protected void clientInit() {
     CommonHelper.assertNotNull("configuration", getConfiguration());
     getConfiguration().init();
-    defaultRedirectionActionBuilder(new OidcRedirectionActionBuilder(getConfiguration(), this));
+    defaultRedirectionActionBuilder(new CustomOidcRedirectionActionBuilder(getConfiguration(), this));
     defaultCredentialsExtractor(new OidcExtractor(getConfiguration(), this));
     defaultAuthenticator(new CustomOidcAuthenticator(this));
     defaultProfileCreator(new OidcProfileCreator<>(getConfiguration(), this));

diff --git a/datahub-frontend/app/auth/sso/oidc/custom/CustomOidcRedirectionActionBuilder.java b/datahub-frontend/app/auth/sso/oidc/custom/CustomOidcRedirectionActionBuilder.java
@@ -0,0 +1,46 @@
+package auth.sso.oidc.custom;
+
+import java.util.Map;
+import java.util.Optional;
+import org.pac4j.core.context.WebContext;
+import org.pac4j.core.exception.http.RedirectionAction;
+import org.pac4j.core.exception.http.RedirectionActionHelper;
+import org.pac4j.oidc.client.OidcClient;
+import org.pac4j.oidc.config.OidcConfiguration;
+import org.pac4j.oidc.redirect.OidcRedirectionActionBuilder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+public class CustomOidcRedirectionActionBuilder extends OidcRedirectionActionBuilder {
+
+  private static final Logger logger = LoggerFactory.getLogger(OidcRedirectionActionBuilder.class);
+  public CustomOidcRedirectionActionBuilder(OidcConfiguration configuration, OidcClient client) {
+    super(configuration, client);
+  }
+
+  @Override
+  public Optional<RedirectionAction> getRedirectionAction(WebContext context) {
+    Map<String, String> params = this.buildParams();
+    String computedCallbackUrl = this.client.computeFinalCallbackUrl(context);
+    params.put("redirect_uri", computedCallbackUrl);
+    this.addStateAndNonceParameters(context, params);
+    if (this.configuration.getMaxAge() != null) {
+      params.put("max_age", this.configuration.getMaxAge().toString());
+    }
+
+    String location = this.buildAuthenticationRequestUrl(params);
+
+    logger.debug("Custom parameters: {}", this.configuration.getCustomParams());
+
+    String acrValues = this.configuration.getCustomParam("acr_values");
+
+    if (acrValues != null && !location.contains("acr_values=")) {
+      location += (location.contains("?") ? "&" : "?") + "acr_values=" + acrValues;
+    }
+
+    logger.debug("Authentication request url: {}", location);
+    return Optional.of(RedirectionActionHelper.buildRedirectUrlAction(context, location));
+  }
+
+}