feat: support additional OIDC parameters (#1567)

Co-authored-by: Sparkle <[email protected]>
pingcap · Oct 10, 2023 · e1ded02 · e1ded02
1 parent 38109d4
commit e1ded02
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 3 deletions.
diff --git a/pkg/apiserver/user/sso/service.go b/pkg/apiserver/user/sso/service.go
@@ -325,14 +325,20 @@ func (s *Service) buildOAuth2Config(redirectURL string) (*oauth2.Config, error)
 	if !dc.SSO.CoreConfig.Enabled {
 		return nil, ErrBadConfig.New("SSO is not enabled")
 	}
+	scopes := []string{"openid", "profile", "email"}
+	if len(dc.SSO.CoreConfig.Scopes) > 0 {
+		userSupplied := strings.Split(dc.SSO.CoreConfig.Scopes, " ")
+		scopes = append(scopes, userSupplied...)
+	}
 	return &oauth2.Config{
-		ClientID:    dc.SSO.CoreConfig.ClientID,
-		RedirectURL: redirectURL,
+		ClientID:     dc.SSO.CoreConfig.ClientID,
+		ClientSecret: dc.SSO.CoreConfig.ClientSecret,
+		RedirectURL:  redirectURL,
 		Endpoint: oauth2.Endpoint{
 			AuthURL:  dc.SSO.AuthURL,
 			TokenURL: dc.SSO.TokenURL,
 		},
-		Scopes: []string{"openid", "profile", "email"},
+		Scopes: scopes,
 	}, nil
 }
 

diff --git a/pkg/config/dynamic_config.go b/pkg/config/dynamic_config.go
@@ -47,7 +47,9 @@ type ProfilingConfig struct {
 type SSOCoreConfig struct {
 	Enabled      bool   `json:"enabled"`
 	ClientID     string `json:"client_id"`
+	ClientSecret string `json:"client_secret"`
 	DiscoveryURL string `json:"discovery_url"`
+	Scopes       string `json:"scopes"`
 	IsReadOnly   bool   `json:"is_read_only"`
 }
 

diff --git a/ui/packages/tidb-dashboard-client/src/client/api/models/config-ssocore-config.ts b/ui/packages/tidb-dashboard-client/src/client/api/models/config-ssocore-config.ts
@@ -26,6 +26,12 @@ export interface ConfigSSOCoreConfig {
      * @memberof ConfigSSOCoreConfig
      */
     'client_id'?: string;
+    /**
+     * 
+     * @type {string}
+     * @memberof ConfigSSOCoreConfig
+     */
+    'client_secret'?: string;
     /**
      * 
      * @type {string}
@@ -44,5 +50,11 @@ export interface ConfigSSOCoreConfig {
      * @memberof ConfigSSOCoreConfig
      */
     'is_read_only'?: boolean;
+    /**
+     * 
+     * @type {string}
+     * @memberof ConfigSSOCoreConfig
+     */
+    'scopes'?: string;
 }
 
diff --git a/ui/packages/tidb-dashboard-client/swagger/spec.json b/ui/packages/tidb-dashboard-client/swagger/spec.json
@@ -3828,6 +3828,9 @@
                 "client_id": {
                     "type": "string"
                 },
+                "client_secret": {
+                    "type": "string"
+                },
                 "discovery_url": {
                     "type": "string"
                 },
@@ -3836,6 +3839,9 @@
                 },
                 "is_read_only": {
                     "type": "boolean"
+                },
+                "scopes": {
+                    "type": "string"
                 }
             }
         },

diff --git a/ui/packages/tidb-dashboard-lib/src/apps/UserProfile/components/Form.SSO.tsx b/ui/packages/tidb-dashboard-lib/src/apps/UserProfile/components/Form.SSO.tsx
@@ -257,6 +257,27 @@ export function SSOForm() {
                     style={DEFAULT_FORM_ITEM_STYLE}
                   />
                 </Form.Item>
+                <Form.Item
+                  name="client_secret"
+                  label={t('user_profile.sso.form.client_secret')}
+                  rules={[{ required: false }]}
+                >
+                  <Input
+                    disabled={!isWriteable}
+                    style={DEFAULT_FORM_ITEM_STYLE}
+                  />
+                </Form.Item>
+                <Form.Item
+                  name="scopes"
+                  label={t('user_profile.sso.form.scopes')}
+                  rules={[{ required: false }]}
+                >
+                  <Input
+                    disabled={!isWriteable}
+                    style={DEFAULT_FORM_ITEM_STYLE}
+                    placeholder="openid profile email"
+                  />
+                </Form.Item>
                 <Form.Item
                   name="discovery_url"
                   label={t('user_profile.sso.form.discovery_url')}

diff --git a/ui/packages/tidb-dashboard-lib/src/apps/UserProfile/translations/en.yaml b/ui/packages/tidb-dashboard-lib/src/apps/UserProfile/translations/en.yaml
@@ -6,6 +6,8 @@ user_profile:
       extra: OIDC based SSO is supported
     form:
       client_id: OIDC Client ID
+      client_secret: OIDC Client Secret
+      scopes: Additional OIDC Scopes (space-separated)
       discovery_url: OIDC Discovery URL
       is_read_only: Sign in as read-only privilege
       user:

diff --git a/ui/packages/tidb-dashboard-lib/src/apps/UserProfile/translations/zh.yaml b/ui/packages/tidb-dashboard-lib/src/apps/UserProfile/translations/zh.yaml
@@ -6,6 +6,8 @@ user_profile:
       extra: 支持基于 OIDC 的 SSO 登录
     form:
       client_id: OIDC Client ID
+      client_secret: OIDC Client Secret
+      scopes: 附加 OIDC Scope（空格分隔）
       discovery_url: OIDC Discovery URL
       is_read_only: 以只读权限登录
       user:

diff --git a/ui/packages/tidb-dashboard-lib/src/client/models.ts b/ui/packages/tidb-dashboard-lib/src/client/models.ts
@@ -236,6 +236,12 @@ export interface ConfigSSOCoreConfig {
      * @memberof ConfigSSOCoreConfig
      */
     'client_id'?: string;
+    /**
+     * 
+     * @type {string}
+     * @memberof ConfigSSOCoreConfig
+     */
+    'client_secret'?: string;
     /**
      * 
      * @type {string}
@@ -254,6 +260,12 @@ export interface ConfigSSOCoreConfig {
      * @memberof ConfigSSOCoreConfig
      */
     'is_read_only'?: boolean;
+    /**
+     * 
+     * @type {string}
+     * @memberof ConfigSSOCoreConfig
+     */
+    'scopes'?: string;
 }