feat(React SSO): Support simple OIDC authentication in React #2190

Merged
merged 5 commits into from
Mar 11, 2021

@jjoyce0510 (Collaborator) commented Mar 8, 2021

Scope
This change impacts the React application / GQL API served from datahub-frontend.

Changes
This PR introduces changes required to support OIDC authentication in the DataHub React app. We build on top of Pac4j, a popular authentication + security library for Java. This will permit us to extend to support other auth methods like LDAP direct, SAML, among others as we evolve the app.

I've enabled this flow via the introduction of a new "/authenticate" endpoint in the Play server which the React application delegates to in order to perform authentication. In essence, this endpoint provides server-driven instruction about how to handle the auth flow. In cases where OIDC is not enabled, a simple redirect to the traditional JAAS login experience is performed. In cases where OIDC is enabled, a redirect to the configured Identity Provider is issued if the current request is not authenticated. This initiates an indirect flow wherein the Identity Provider is delegated auth responsibility, and redirects back to DataHub on successful authentication of an end user. DataHub subsequently fetches the user's profile attributes and extracts a DataHub username from this information. Finally, DataHub sets 2 authentication cookies, one visible within the client app and another invisible.

A major change introduced in this PR is removal of the LogIn mutation from the GQL API exposed within datahub-frontend. Now, the entire GQL API is protected by an authentication blanket. This makes it easier for the server to drive the authentication experience based on how it is configured and ensures that the GQL is completely secure.

For detailed information about configuring OIDC auth, see react-oidc.md.

Validation
The OIDC flow has been E2E validated using Okta & Google.

Checklist

  • The PR conforms to DataHub's Contributing Guideline (particularly Commit Message Format)
  • Links to related issues (if applicable)
  • Tests for the changes have been added/updated (if applicable)
  • Docs related to the changes have been added/updated (if applicable)
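
The flow described in this PR (a server-driven "/authenticate" decision, username extraction from the IdP profile, and two cookies of different visibility) sketched as an added Python model; it is not code from the PR or from DataHub. The URLs, the `/login` path, the claim names and the cookie names are hypothetical, and treating the "invisible" cookie as an HttpOnly cookie is an assumption.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed settings: every URL, path, claim and cookie name is hypothetical.
OIDC_CONFIG = {
    "enabled": True,
    "authorize_url": "https://idp.example.com/authorize",
    "client_id": "example-client-id",
    "callback_url": "https://datahub.example.com/callback",
}

def authenticate(session_user, config):
    """Decide where /authenticate sends the browser: (location, state)."""
    if session_user is not None:
        return "/", None              # request already authenticated
    if not config["enabled"]:
        return "/login", None         # fall back to the JAAS login page
    # state ties the IdP's callback to this browser session (standard OIDC);
    # the server keeps it and compares it when the callback arrives.
    state = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "scope": "openid profile email",
        "client_id": config["client_id"],
        "redirect_uri": config["callback_url"],
        "state": state,
    })
    return f"{config['authorize_url']}?{query}", state

def username_from_profile(profile, claims=("preferred_username", "email")):
    """Pick the username from the first non-empty claim; refuse an empty one."""
    for claim in claims:
        value = str(profile.get(claim) or "").strip()
        if value:
            return value
    raise ValueError("profile carries no usable username claim")

def session_cookies(username, session_token):
    """Build the two Set-Cookie values: one hidden from scripts, one readable."""
    jar = SimpleCookie()
    jar["session"] = session_token    # HttpOnly: not visible to the React code
    jar["actor"] = username           # readable, so the UI knows who is logged in
    for morsel in jar.values():
        morsel["path"] = "/"
        morsel["secure"] = True
        morsel["samesite"] = "Lax"
    jar["session"]["httponly"] = True
    return [morsel.OutputString() for morsel in jar.values()]
```
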

@shirshanka (Contributor) commented

@jjoyce0510 : just flagging that there are a few conflicts you need to rebase for.

@shirshanka shirshanka added this to the v0.7.0 milestone Mar 10, 2021
@shirshanka (Contributor) left a comment

This LGTM!
Excited to see this landing :)

@shirshanka shirshanka merged commit 08616cc into datahub-project:master Mar 11, 2021