datahub-project · jjoyce0510 · Jun 13, 2022 · Apr 20, 2022 · Apr 21, 2022 · Apr 21, 2022
diff --git a/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java b/datahub-frontend/app/auth/sso/oidc/OidcAuthorizationGenerator.java
@@ -0,0 +1,50 @@
+package auth.sso.oidc;
+
+import java.util.Map.Entry;
+
+import org.pac4j.core.authorization.generator.AuthorizationGenerator;
+import org.pac4j.core.context.WebContext;
+import org.pac4j.core.profile.AttributeLocation;
+import org.pac4j.core.profile.CommonProfile;
+import org.pac4j.core.profile.definition.ProfileDefinition;
+import org.pac4j.oidc.profile.OidcProfile;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
+
+public class OidcAuthorizationGenerator implements AuthorizationGenerator {
+
+    private static final Logger logger = LoggerFactory.getLogger(OidcAuthorizationGenerator.class);
+
+    private final ProfileDefinition profileDef;
+
+    private final OidcConfigs oidcConfigs;
+
+    public OidcAuthorizationGenerator(final ProfileDefinition profileDef, final OidcConfigs oidcConfigs) {
+        this.profileDef = profileDef;
+        this.oidcConfigs = oidcConfigs;
+    }
+
+    @Override
+    public CommonProfile generate(WebContext context, CommonProfile profile) {
+        if (oidcConfigs.getExtractJwtAccessTokenClaims().orElse(false)) {
+            try {
+                final JWT jwt = JWTParser.parse(((OidcProfile) profile).getAccessToken().getValue());
+
+                for (final Entry<String, Object> entry : jwt.getJWTClaimsSet().getClaims().entrySet()) {
+                    final String claimName = entry.getKey();
+                    if (profile.getAttribute(claimName) == null) {
+                        profileDef.convertAndAdd(profile, AttributeLocation.PROFILE_ATTRIBUTE, claimName, entry.getValue());
+                    }
+                }
+            } catch (Exception e) {
+                logger.warn("Cannot parse access token claims", e);
+            }
+        }
+
+        return profile;
+    }
+
+}
diff --git a/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java b/datahub-frontend/app/auth/sso/oidc/OidcConfigs.java
@@ -37,6 +37,7 @@ public class OidcConfigs extends SsoConfigs {
     public static final String OIDC_USE_NONCE = "auth.oidc.useNonce";
     public static final String OIDC_CUSTOM_PARAM_RESOURCE = "auth.oidc.customParam.resource";
     public static final String OIDC_READ_TIMEOUT = "auth.oidc.readTimeout";
+    public static final String OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS = "auth.oidc.extractJwtAccessTokenClaims";
 
     /**
      * Default values
@@ -69,6 +70,7 @@ public class OidcConfigs extends SsoConfigs {
     private Optional<Boolean> useNonce;
     private Optional<String> customParamResource;
     private String readTimeout;
+    private Optional<Boolean> extractJwtAccessTokenClaims;
 
     public OidcConfigs(final com.typesafe.config.Config configs) {
         super(configs);
@@ -94,5 +96,6 @@ public OidcConfigs(final com.typesafe.config.Config configs) {
         useNonce = getOptional(configs, OIDC_USE_NONCE).map(Boolean::parseBoolean);
         customParamResource = getOptional(configs, OIDC_CUSTOM_PARAM_RESOURCE);
         readTimeout = getOptional(configs, OIDC_READ_TIMEOUT, DEFAULT_OIDC_READ_TIMEOUT);
+        extractJwtAccessTokenClaims = getOptional(configs, OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS).map(Boolean::parseBoolean);
     }
 }
diff --git a/datahub-frontend/app/auth/sso/oidc/OidcProvider.java b/datahub-frontend/app/auth/sso/oidc/OidcProvider.java
@@ -9,6 +9,7 @@
 import org.pac4j.oidc.config.OidcConfiguration;
 import org.pac4j.oidc.credentials.OidcCredentials;
 import org.pac4j.oidc.profile.OidcProfile;
+import org.pac4j.oidc.profile.OidcProfileDefinition;
 
 
 /**
@@ -70,6 +71,7 @@ private Client<OidcCredentials, OidcProfile> createPac4jClient() {
     oidcClient.setName(OIDC_CLIENT_NAME);
     oidcClient.setCallbackUrl(_oidcConfigs.getAuthBaseUrl() + _oidcConfigs.getAuthBaseCallbackPath());
     oidcClient.setCallbackUrlResolver(new PathParameterCallbackUrlResolver());
+    oidcClient.addAuthorizationGenerator(new OidcAuthorizationGenerator(new OidcProfileDefinition(), _oidcConfigs));
     return oidcClient;
   }
 }
diff --git a/datahub-frontend/app/auth/sso/oidc/custom/CustomOidcClient.java b/datahub-frontend/app/auth/sso/oidc/custom/CustomOidcClient.java
@@ -9,7 +9,6 @@
 import org.pac4j.oidc.profile.creator.OidcProfileCreator;
 import org.pac4j.oidc.redirect.OidcRedirectActionBuilder;
 
-
 public class CustomOidcClient extends OidcClient<OidcProfile, OidcConfiguration> {
 
   public CustomOidcClient(final OidcConfiguration configuration) {

diff --git a/datahub-frontend/conf/application.conf b/datahub-frontend/conf/application.conf
@@ -139,6 +139,7 @@ auth.oidc.responseMode = ${?AUTH_OIDC_RESPONSE_MODE}
 auth.oidc.useNonce = ${?AUTH_OIDC_USE_NONCE}
 auth.oidc.customParam.resource = ${?AUTH_OIDC_CUSTOM_PARAM_RESOURCE}
 auth.oidc.readTimeout = ${?AUTH_OIDC_READ_TIMEOUT}
+auth.oidc.extractJwtAccessTokenClaims = ${?AUTH_OIDC_EXTRACT_JWT_ACCESS_TOKEN_CLAIMS} # Whether to extract claims from JWT access token.  Defaults to false.
 
 #
 # By default, the callback URL that should be registered with the identity provider is computed as {$baseUrl}/callback/oidc.