bharos opened a new pull request, #7930:
URL: https://github.com/apache/gravitino/pull/7930

   #7925 feat(oauth): implement OIDC authentication flow with automatic token management
   
   - Add OIDC login/logout components and event handlers
   - Store JWT id_token for backend validation if access_token is opaque
   - Support automatic silent token renewal and session cleanup
   - Display user
   - Gives a provider-agnostic login interface using OIDC
   
   
   ### What changes were proposed in this pull request?
   
   This PR implements a provider-agnostic OIDC authentication flow for the Gravitino web frontend.
   
   - Adds OIDC login and logout components using oidc-client-ts
   - Handles automatic token management, including silent token renewal and session cleanup
   - Stores the JWT token for backend validation
   - Displays authenticated user information in the UI
   
   ### Why are the changes needed?
   
   - Current OAuth login is limited: clients need to provide client_id, secret and scope explicitly, which means all users need to know these sensitive parameters, and it's not a smooth login experience. OIDC helps with one-click login using the sign-on provider
   - Enables secure, standards-based authentication for Gravitino using OIDC
   - Improves user experience with automatic token refresh and session management
   - Makes it easy to switch identity providers by updating configuration only
   Fix: #7925 
   
   ### Does this PR introduce _any_ user-facing change?
   Yes:
   - Users can now log in and log out using any OIDC-compliant provider
   - The UI displays the authenticated user's name and status
   - Authentication errors and logout messages are shown in the interface
   
   ### How was this patch tested?
   
   - Manual testing of login, logout, and token refresh flows with Azure AD
   - Verified that JWT tokens are stored and sent to the backend for validation
   - Confirmed that session cleanup and error handling work as expected
   - Tested backward compatibility, i.e. when provider is set to "generic", it still gives the old login UI with client_id, secret and scope
   


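The token-selection rule the PR describes (send the JWT id_token to the backend when the access_token is opaque) and the silent-renewal trigger, as an added example that is not the PR's or Gravitino's code. The `user` object shape mirrors what oidc-client-ts exposes (`access_token`, `id_token`, `expires_at`), but everything here is constructed and runs offline; the sample JWT has a placeholder signature and only exercises the structural check.

```javascript
// Added example, not from the Gravitino PR. Decides which token the web
// client should hand to the backend: a JWT access_token if the provider
// issued one, otherwise the JWT id_token. The backend still has to validate
// signature, issuer, audience and expiry; this code only picks the token.

function decodeBase64Url(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// A token counts as a JWT only if it has three base64url segments and the
// header decodes to JSON with a string `alg` claim; anything else is opaque.
function isJwt(token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  try {
    const header = JSON.parse(decodeBase64Url(parts[0]));
    return header !== null && typeof header === 'object' && typeof header.alg === 'string';
  } catch {
    return false;
  }
}

// Returns { token, kind } with kind 'access_token' or 'id_token', or null when
// neither is a JWT the backend could validate.
function selectBackendToken(user) {
  if (isJwt(user.access_token)) return { token: user.access_token, kind: 'access_token' };
  if (isJwt(user.id_token)) return { token: user.id_token, kind: 'id_token' };
  return null;
}

// Silent-renewal trigger: true when the session expires within `leewaySeconds`.
function needsRenewal(user, nowSeconds, leewaySeconds = 60) {
  return typeof user.expires_at === 'number' && user.expires_at - nowSeconds <= leewaySeconds;
}

// Constructed fixture: structurally valid JWT with a placeholder signature.
function makeSampleJwt(payload) {
  const enc = (s) => Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${enc(JSON.stringify(payload))}.placeholder-sig`;
}

// Constructed session: opaque access token, JWT id_token, expiry in epoch seconds.
const sampleSession = {
  access_token: 'opaque-access-token-value-constructed',
  id_token: makeSampleJwt({ iss: 'https://idp.example.test/', aud: 'gravitino-ui', exp: 1700003600 }),
  expires_at: 1700003600,
};
```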
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.