apache / submarine

Submarine is a Cloud Native Machine Learning Platform.
https://submarine.apache.org/
Apache License 2.0

How to use OIDC classes #1034

Open mousumi16 opened 1 year ago

mousumi16 commented 1 year ago

@cdmikechen Please give a sample code on how to use the newly added OIDC feature in Apache Submarine.

    claimsMap.put("jti", sysUser.getId());
    // TODO(cdmikechen) By default the simple token is used,
    // in other cases such as ldap it may need to be returned as an interface
    String token = SimpleLoginConfig.getJwtGenerator().generate(claimsMap);

    sysUser.setToken(token);

The above code comment was added with the OIDC feature. What does this mean, and how is the OIDC login going to work? Where do I provide the client id and secret details to connect to Keycloak?

Please guide on this.

cdmikechen commented 1 year ago

@mousumi16 Hi~ After enabled oidc, the rest api can directly add the oidc token into the header, or when logging in, the submarine will automatically jump to the SSO page (such as the login address of keycloak). Specific design ideas can be found here https://submarine.apache.org/docs/next/designDocs/wip-designs/security-implementation. You need to add the relevant configurations to the submarine server. In addition, here is a related test case for reference: https://github.com/apache/submarine/blob/master/submarine-server/server-core/src/test/java/org/apache/submarine/server/security/oidc/SubmarineAuthOidcTest.java

cdmikechen commented 1 year ago

We are working on an operator upgrade. After we upgrade the operator to v3, you can add these envs to the CR to support OIDC:

spec:
  server:
    env:
      - name: SUBMARINE_AUTH_TYPE
        value: oidc
      - name: SUBMARINE_AUTH_OIDC_CLIENT_ID
        value: "${YOUR_CLIENT_ID}"
      - name: SUBMARINE_AUTH_OIDC_CLIENT_SECRET
        value: "${YOUR_CLIENT_SECRET}"
      - name: SUBMARINE_AUTH_OIDC_DISCOVER_URI
        value: "${YOUR_DISCOVER_URI}"

mousumi16 commented 1 year ago

Hi @cdmikechen ,

When are you going to release v3 to support OIDC? And in the LoginRestApi class, SimpleLoginConfig is used to generate the token, so in this case it's not using OIDC. Please let me know how to invoke the OIDC classes. I have seen the OidcConfig class; should the client id and secret be added in this class? If you can add a help file on the OIDC classes and how to use them, that will be really helpful.

Thanks Mousumi

cdmikechen commented 1 year ago

@mousumi16 The status of the documentation for the authentication section is still WIP and we should be working on it in the near future before 0.8.0. SimpleLoginConfig or the token created by submarine is intended to support submarine's own login page. In the case of oidc, we can use the oidc token to access the rest api or sso login. The PR for operator-v3 https://github.com/apache/submarine/pull/1031 should be merged soon, probably next week.

mousumi16 commented 1 year ago

Hi @cdmikechen, I have checked the PR https://github.com/apache/submarine/pull/1031 and it doesn't have any changes related to OIDC. And how are the existing classes added for OIDC support getting invoked? There is no relevant code in the LoginRestApi class that uses the OIDC classes from the org.apache.submarine.server.security.oidc package. I need one use case of the classes added under the package org.apache.submarine.server.security.oidc. The env file which you mentioned above is also not present in the PR https://github.com/apache/submarine/pull/1031. I don't have any clarity on this. Please let me know if I need to get in touch with anyone regarding this.

Thanks Mousumi

cdmikechen commented 1 year ago

@mousumi16 This PR is for upgrading operator-v2 to v3. Within submarine, cluster configuration is supported based on environment variables (for example, the environment variable for submarine.server.port is SUBMARINE_SERVER_PORT). The related PR code is handled here:

https://github.com/apache/submarine/blob/9347fe5df6ac0e579df7b75421578eedb5342545/submarine-cloud-v3/controllers/submarine_server.go#L98-L102

We use pac4j to handle the authentication of oidc, using a method that mainly makes use of a Filter to check the token. If you want to add your own authentication, you can see if pac4j supports your authentication service and add a corresponding filter.
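To make the mechanism described in this thread concrete, here is an added illustration (not Submarine's own code, and not from the linked test case) of wiring the SUBMARINE_AUTH_OIDC_* environment variables into pac4j's OIDC client, which Submarine then checks behind a Filter. The callback URL and client names are assumptions for the example; only the env var names come from the thread.

```java
// Added illustration, not Submarine's code: map the env vars named in this thread
// onto pac4j's OIDC support, covering both the browser SSO redirect and the
// REST "Authorization: Bearer <token>" header flow mentioned above.
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator;

public class OidcWiringExample {

    // Fail fast on a missing setting so the server cannot start with
    // authentication silently misconfigured.
    static String requireEnv(String name) {
        String v = System.getenv(name);
        if (v == null || v.isBlank()) {
            throw new IllegalStateException("missing required env var " + name);
        }
        return v;
    }

    public static Config buildConfig() {
        // Env names taken from this thread; values come from your IdP (e.g. Keycloak).
        OidcConfiguration oidc = new OidcConfiguration();
        oidc.setClientId(requireEnv("SUBMARINE_AUTH_OIDC_CLIENT_ID"));
        oidc.setSecret(requireEnv("SUBMARINE_AUTH_OIDC_CLIENT_SECRET"));
        // e.g. https://<keycloak>/realms/<realm>/.well-known/openid-configuration
        oidc.setDiscoveryURI(requireEnv("SUBMARINE_AUTH_OIDC_DISCOVER_URI"));
        oidc.setUseNonce(true); // bind the IdP response to this login attempt

        // 1) Browser flow: redirect the user to the IdP login page (SSO) and
        //    come back to the callback URL below (an assumed value).
        OidcClient browserLogin = new OidcClient(oidc);
        browserLogin.setName("oidc");

        // 2) REST flow: accept a bearer token from the Authorization header and
        //    validate it against the IdP's userinfo endpoint, no redirect.
        HeaderClient bearerToken = new HeaderClient("Authorization", "Bearer ",
                new UserInfoOidcAuthenticator(oidc));
        bearerToken.setName("oidcHeader");

        return new Config(new Clients("https://submarine.example.test/callback",
                browserLogin, bearerToken));
    }
}
```

A servlet Filter built on this Config would then protect the REST endpoints with the "oidcHeader" client and the UI with the "oidc" client; the filter itself is Submarine's concern and is not shown here.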

mousumi16 commented 1 year ago

Hi @cdmikechen ,

Can you please tell me the config file details for connecting with OIDC? Where can I provide the below details: CLIENT_ID, CLIENT_SECRET, DISCOVER_URI, LOGOUT_REDIRECT_URI

Thanks Mousumi