namanONcode opened a new pull request, #17102:
URL: https://github.com/apache/dolphinscheduler/pull/17102

   …ulti-IdP Integration
   
   ### Summary:
   
   This commit introduces a refactored authentication module to enhance OIDC 
support in Apache DolphinScheduler. It enables compatibility with multiple 
Identity Providers (IdPs) like Keycloak, Dex, OAuth Proxy, Feishu, and WeChat 
Work. The existing Casdoor-based SSO implementation has been decoupled, 
allowing a pluggable OIDC Provider adapter layer.
   
   ### Core Differences between OIDC and OAuth2:
   
   - **OIDC (OpenID Connect)** builds on OAuth2 by adding authentication 
capabilities via ID Tokens.
   - **OAuth2** is primarily for authorization (Access Tokens), while **OIDC** 
provides identity verification (ID Tokens).
   - This implementation ensures that DolphinScheduler supports both 
authentication (OIDC) and authorization (OAuth2).
   
   ### Justification for Generalized OIDC Support:
   
   - Enables seamless integration with enterprise IdPs (e.g., Keycloak, Dex, 
Feishu, WeChat Work).
   - Enhances security by standardizing authentication flows across multiple 
providers.
   - Eliminates reliance on Casdoor as a single authentication provider, 
reducing vendor lock-in.
   
   ---
   
   ### Implementation Plan & Technical Design:
   
   1. **Refactored Authentication Module:**
   
      - Introduced an **OIDC authentication service** using **Spring Security + 
OAuth2 Client**.
      - Decoupled existing Casdoor authentication into a pluggable provider 
structure.
   
   2. **Multi-IdP Adapter Layer:**
   
      - Implemented an **OIDC Provider adapter** that dynamically loads 
configurations for different IdPs.
      - Supports JSON/YAML-based configuration to enable flexible provider 
switching.
   
   3. **New OIDC Endpoints:**
   
      - `/auth/oidc/login` → Initiates OIDC authentication.
      - `/auth/oidc/callback` → Handles authentication response and token 
validation.
   
   4. **Development Phases Completed:**
   
      - ✅ Research and analysis of the existing authentication module.
      - ✅ Implemented core OIDC authentication logic.
      - ✅ Added support for multi-IdP adaptation (Keycloak, Dex, Feishu, etc.).
      - ✅ Ensured compatibility with LDAP & OAuth2.
      - ✅ Initial documentation for configuration setup.
   
   ---
   
   ### Modified Files:
   
   - `dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/auth/oidc/OidcAuthenticationService.java`
   
     - Added OIDC authentication logic and token validation.
   
   - `dolphinscheduler-api/src/main/resources/application.yml`
   
     - Added OIDC provider configurations for multi-IdP support.
   
   - `dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/controller/AuthController.java`
   
     - New OIDC authentication endpoints (`/auth/oidc/login` and 
`/auth/oidc/callback`).
   
   - `dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/config/SecurityConfig.java`
   
     - Integrated Spring Security OAuth2 Client for managing OIDC 
authentication flows.
   
   ---
   
   Co-authored-by: Naman Jain
   
   Email : [[email protected]](mailto:[email protected])
   
   Email : [[email protected]](mailto:[email protected])
   
   ---
   
   <!--Thanks very much for contributing to Apache DolphinScheduler, we are 
happy that you want to help us improve DolphinScheduler! -->
   
   ## Purpose of the pull request
   
   <!--(For example: This pull request adds checkstyle plugin).-->
   
   ## Brief change log
   
   <!--*(for example:)*
   - *Add maven-checkstyle-plugin to root pom.xml*
   -->
   
   ## Verify this pull request
   
   <!--*(Please pick either of the following options)*-->
   
   This pull request is code cleanup without any test coverage.
   
   *(or)*
   
   This pull request is already covered by existing tests, such as *(please 
describe tests)*.
   
   (or)
   
   This change added tests and can be verified as follows:
   
   <!--*(example:)*
   - *Added dolphinscheduler-dao tests for end-to-end.*
   - *Added CronUtilsTest to verify the change.*
   - *Manually verified the change by testing locally.* -->
   
   (or)
   
   ## Pull Request Notice
   [Pull Request 
Notice](https://github.com/apache/dolphinscheduler/blob/dev/docs/docs/en/contribute/join/pull-request.md)
   
   If your pull request contains incompatible change, you should also add it to 
`docs/docs/en/guide/upgrade/incompatible.md`
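Added example, not code from this pull request: the ID Token checks that the `/auth/oidc/callback` step above depends on, written against Spring Security's OAuth2 Client API so that a single validator factory covers every registered IdP (Keycloak, Dex, and so on) by building the checks from each `ClientRegistration`. The class name `OidcIdTokenValidationConfig` is hypothetical; the Spring types are real.

```java
import java.time.Duration;
import java.util.List;
import java.util.function.Function;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;

// Hypothetical configuration class: wires ID Token validation for every OIDC ClientRegistration.
@Configuration
public class OidcIdTokenValidationConfig {

    // Spring's OAuth2 login uses this factory to obtain a decoder per ClientRegistration.
    // The decoder fetches that IdP's JWK set and verifies the signature; the validators
    // returned by idTokenValidatorFactory() then check the claims.
    @Bean
    public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        factory.setJwtValidatorFactory(idTokenValidatorFactory());
        return factory;
    }

    // Builds the claim checks from the registration, so each IdP is validated against
    // its own issuer and client id rather than a shared, hard-coded value.
    static Function<ClientRegistration, OAuth2TokenValidator<Jwt>> idTokenValidatorFactory() {
        return registration -> new DelegatingOAuth2TokenValidator<>(
                // OIDC Core 3.1.3.7 checks: iss matches the provider, sub present,
                // aud contains the client id, exp/iat sane, azp when several audiences.
                new OidcIdTokenValidator(registration),
                // Tighten the accepted clock skew from the default 60 s to 30 s.
                new JwtTimestampValidator(Duration.ofSeconds(30)),
                // Stricter than the spec minimum: the token must be issued to this client alone,
                // so an ID Token minted for another application at the same IdP is rejected.
                new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
                        aud -> aud != null && aud.size() == 1
                                && aud.contains(registration.getClientId())));
    }
}
```

The `nonce` binding between the login redirect and the callback is checked separately by Spring's authorization-code authentication provider, so it is not duplicated here.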
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
