From 21f745a8887307277a2e0daaf8d16888e388bf35 Mon Sep 17 00:00:00 2001
From: Sonia Park
Date: Wed, 4 Jun 2025 12:50:30 +0900
Subject: [PATCH 1/3] add oidc_rp_client_secret_script config

---
 desktop/conf.dist/hue.ini | 3 +++
 desktop/conf/pseudo-distributed.ini.tmpl | 3 +++
 desktop/core/src/desktop/auth/backend.py | 4 ++--
 desktop/core/src/desktop/conf.py | 10 +++++++++-
 desktop/core/src/desktop/settings.py | 1 +
 5 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/desktop/conf.dist/hue.ini b/desktop/conf.dist/hue.ini
index 26891840de5..61ff6c8af01 100644
--- a/desktop/conf.dist/hue.ini
+++ b/desktop/conf.dist/hue.ini
@@ -828,6 +828,9 @@ tls=no
 # The client secret as relay party set in OpenID provider
 ## oidc_rp_client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
+# Execute this script to produce the oidc rp client secret. This will be used when 'oidc_rp_client_secret' is not set.
+## oidc_rp_client_script=
+
 # The OpenID provider authoriation endpoint
 ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth
 
diff --git a/desktop/conf/pseudo-distributed.ini.tmpl b/desktop/conf/pseudo-distributed.ini.tmpl
index fabc3c72083..078b795c9bf 100644
--- a/desktop/conf/pseudo-distributed.ini.tmpl
+++ b/desktop/conf/pseudo-distributed.ini.tmpl
@@ -830,6 +830,9 @@
   # The client secret as relay party set in OpenID provider
   ## oidc_rp_client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
+  # Execute this script to produce the oidc rp client secret. This will be used when 'oidc_rp_client_secret' is not set.
+  ## oidc_rp_client_script=
+
   # The OpenID provider authoriation endpoint
   ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth
 
diff --git a/desktop/core/src/desktop/auth/backend.py b/desktop/core/src/desktop/auth/backend.py
index 36e9734bc1f..4a826127941 100644
--- a/desktop/core/src/desktop/auth/backend.py
+++ b/desktop/core/src/desktop/auth/backend.py
@@ -827,7 +827,7 @@ def authenticate(self, *args, **kwargs):
 
     token_payload = {
       'client_id': self.OIDC_RP_CLIENT_ID,
-      'client_secret': self.OIDC_RP_CLIENT_SECRET,
+      'client_secret': self.OIDC_RP_CLIENT_SECRET or self.OIDC_RP_CLIENT_SECRET_SCRIPT,
       'grant_type': 'authorization_code',
       'code': code,
       'redirect_uri': absolutify(
@@ -940,7 +940,7 @@ def logout(self, request, next_page):
     if access_token and refresh_token:
       oidc_logout_url = OIDC.LOGOUT_REDIRECT_URL.get()
       client_id = import_from_settings('OIDC_RP_CLIENT_ID')
-      client_secret = import_from_settings('OIDC_RP_CLIENT_SECRET')
+      client_secret = import_from_settings('OIDC_RP_CLIENT_SECRET') or import_from_settings('OIDC_RP_CLIENT_SECRET_SCRIPT')
       oidc_verify_ssl = import_from_settings('OIDC_VERIFY_SSL')
       form = {
         'client_id': client_id,
diff --git a/desktop/core/src/desktop/conf.py b/desktop/core/src/desktop/conf.py
index 63954bdd1ae..8bb09dc8fec 100644
--- a/desktop/core/src/desktop/conf.py
+++ b/desktop/core/src/desktop/conf.py
@@ -1610,7 +1610,15 @@ def is_gunicorn_report_enabled():
       key="oidc_rp_client_secret",
       help=_("The client secret as relay party set in OpenID provider."),
       type=str,
-      default="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+      default=""
+    ),
+
+    OIDC_RP_CLIENT_SECRET_SCRIPT=Config(
+      key="oidc_rp_client_secret_script",
+      help=_("Execute this script to produce the oidc rp client secret.",
+             "This will be used when 'oidc_rp_client_secret' is not set."),
+      type=coerce_password_from_script,
+      default=None,
     ),
 
     OIDC_OP_AUTHORIZATION_ENDPOINT=Config(
diff --git a/desktop/core/src/desktop/settings.py b/desktop/core/src/desktop/settings.py
index 6823578c990..ab274b0d35e 100644
--- a/desktop/core/src/desktop/settings.py
+++ b/desktop/core/src/desktop/settings.py
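Review bot: `self.OIDC_RP_CLIENT_SECRET_SCRIPT` on the new `client_secret` line is never assigned anywhere in this series — settings.py gains the setting, but nothing copies it onto the backend instance, whereas the pre-existing `self.OIDC_RP_CLIENT_SECRET` is presumably populated by the mozilla-django-oidc base backend's `__init__`, which knows nothing about the new name. So as soon as `oidc_rp_client_secret` is empty (its new default in conf.py) the fallback raises AttributeError instead of using the script-provided value, unless an `__init__` outside this hunk sets the attribute. Reading the setting the way the logout path already does removes the dependence on instance state: `'client_secret': self.OIDC_RP_CLIENT_SECRET or import_from_settings('OIDC_RP_CLIENT_SECRET_SCRIPT', None),`. A comment such as `# the _SCRIPT setting already holds the script's output, i.e. the secret itself` saves the next reader a trip to conf.py, since the conf type `coerce_password_from_script` resolves the path. authenticate() starts and ends outside this hunk.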
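Review bot: The precedence rule `OIDC_RP_CLIENT_SECRET or OIDC_RP_CLIENT_SECRET_SCRIPT` is now written twice — here through `import_from_settings` and in authenticate() through instance attributes — and two spellings of a credential lookup will drift. A single module-level helper, `def get_oidc_client_secret(): return import_from_settings('OIDC_RP_CLIENT_SECRET') or import_from_settings('OIDC_RP_CLIENT_SECRET_SCRIPT', None)`, called from both places keeps one definition of which secret wins and makes the `None` default explicit. Because the conf type is `coerce_password_from_script`, the `_SCRIPT` setting holds the secret text rather than a path, so the line as written looks like it posts a script path to the provider; a comment `# _SCRIPT already holds the script's output (the secret), not the script path` makes the `or` read correctly. logout() continues outside this hunk.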
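Review bot: `help=_("Execute this script to produce the oidc rp client secret.", "This will be used when 'oidc_rp_client_secret' is not set.")` passes two positional strings to `_`; if `_` is gettext or gettext_lazy as for the other `help=` values in this hunk, that is a TypeError — immediately with gettext, or deferred to the first time the help text is rendered with the lazy variant — because the comma was evidently meant to be adjacent-literal concatenation. Dropping the comma fixes it: `help=_("Execute this script to produce the oidc rp client secret. " "This will be used when 'oidc_rp_client_secret' is not set."),`. Changing the `oidc_rp_client_secret` default from the `XXXX…` placeholder to `""` is the right call, since the `or` fallbacks in backend.py only engage on a falsy value; if `Config` here supports the `private=True` flag used for other secrets, both entries should carry it so neither the literal secret nor the script's output appears in config dumps. The enclosing OIDC section starts and ends outside this hunk.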
@@ -605,6 +605,7 @@ def is_oidc_configured():
   OIDC_RP_SIGN_ALGO = 'RS256'
   OIDC_RP_CLIENT_ID = desktop.conf.OIDC.OIDC_RP_CLIENT_ID.get()
   OIDC_RP_CLIENT_SECRET = desktop.conf.OIDC.OIDC_RP_CLIENT_SECRET.get()
+  OIDC_RP_CLIENT_SECRET_SCRIPT = desktop.conf.OIDC.OIDC_RP_CLIENT_SECRET_SCRIPT.get()
   OIDC_OP_AUTHORIZATION_ENDPOINT = desktop.conf.OIDC.OIDC_OP_AUTHORIZATION_ENDPOINT.get()
   OIDC_OP_TOKEN_ENDPOINT = desktop.conf.OIDC.OIDC_OP_TOKEN_ENDPOINT.get()
   OIDC_OP_USER_ENDPOINT = desktop.conf.OIDC.OIDC_OP_USER_ENDPOINT.get()

From 5f49340a31580e0f4d029af24ad4acb30ccd127c Mon Sep 17 00:00:00 2001
From: Sonia Park
Date: Wed, 4 Jun 2025 12:53:05 +0900
Subject: [PATCH 2/3] fix bug: save access token to login with oidc provider

---
 desktop/core/src/desktop/auth/backend.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/desktop/core/src/desktop/auth/backend.py b/desktop/core/src/desktop/auth/backend.py
index 4a826127941..54d1963c777 100644
--- a/desktop/core/src/desktop/auth/backend.py
+++ b/desktop/core/src/desktop/auth/backend.py
@@ -849,6 +849,7 @@ def authenticate(self, *args, **kwargs):
     verified_id = self.verify_token(id_token, nonce=nonce)
 
     if verified_id:
+      self.save_access_tokens(access_token)
       self.save_refresh_tokens(refresh_token)
       user = self.get_or_create_user(access_token, id_token, verified_id)
       user = rewrite_user(user)
@@ -865,6 +866,12 @@ def filter_users_by_claims(self, claims):
       return self.UserModel.objects.none()
     return self.UserModel.objects.filter(username__iexact=username)
 
+  def save_access_tokens(self, access_token):
+    session = self.request.session
+
+    if import_from_settings('OIDC_STORE_ACCESS_TOKEN', False):
+      session['oidc_access_token'] = access_token
+
   def save_refresh_tokens(self, refresh_token):
     session = self.request.session
 
From 7ef9326556d1add97e428f807a57d06ba2831014 Mon Sep 17 00:00:00 2001
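Review bot: Publishing the script-derived value as a separate `OIDC_RP_CLIENT_SECRET_SCRIPT` setting pushes the `secret or script` fallback onto every reader of the secret, and the name misleads: the conf type `coerce_password_from_script` already turns the configured path into the secret text, so what lands here is a credential, not a script. Folding the fallback into the existing setting — `OIDC_RP_CLIENT_SECRET = desktop.conf.OIDC.OIDC_RP_CLIENT_SECRET.get() or desktop.conf.OIDC.OIDC_RP_CLIENT_SECRET_SCRIPT.get()` — gives the backend's existing `self.OIDC_RP_CLIENT_SECRET` attribute and every `import_from_settings('OIDC_RP_CLIENT_SECRET')` caller the script-provided secret without any backend changes. A comment on that line, `# literal secret wins; otherwise the value produced by oidc_rp_client_secret_script`, records the precedence where it is decided. The surrounding settings block starts and ends outside this hunk.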
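Review bot: The new `self.save_access_tokens(access_token)` call, like the existing `save_refresh_tokens` beneath it, writes the token into the session before `get_or_create_user` has decided whether this login is accepted, so a refused login (a `None` user, or an exception from the lookup) leaves a live bearer token in a session that never became authenticated. Move both calls after the user is known — `user = self.get_or_create_user(access_token, id_token, verified_id)` followed by `if user:` with the two `save_*` calls under it — or pop the keys on the failure path; authenticate() continues outside this hunk, so the failure branches are not visible here and the ordering is inferred from the visible calls. A one-line comment on the new call, `# kept so logout() can end the session at the provider`, would also help, if that is the consumer, which the first patch's logout hunk (requiring both tokens) suggests.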
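Review bot: `save_access_tokens` has no docstring, and what it stores is a bearer credential, which a reader should learn here rather than from the session key name. A three-line docstring would do: say that the OP access token is kept in the Django session only when `OIDC_STORE_ACCESS_TOKEN` is on, that it is presumably read back by logout() (the first patch's logout hunk requires both tokens), and that because it is a bearer token the session store must remain server-side (a cookie-backed `SESSION_ENGINE` would ship it to the browser) and the key must be dropped when the session ends. If the installed mozilla-django-oidc base backend already provides `store_tokens(access_token, id_token)`, calling it instead keeps the access- and id-token switches in one place; the base class is not visible from here. The method is complete within the hunk; `save_refresh_tokens` below it is cut off.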
From: Sonia Park
Date: Thu, 5 Jun 2025 09:40:12 +0900
Subject: [PATCH 3/3] fix typo

---
 desktop/conf.dist/hue.ini | 2 +-
 desktop/conf/pseudo-distributed.ini.tmpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/desktop/conf.dist/hue.ini b/desktop/conf.dist/hue.ini
index 61ff6c8af01..fb29d177a6c 100644
--- a/desktop/conf.dist/hue.ini
+++ b/desktop/conf.dist/hue.ini
@@ -829,7 +829,7 @@ tls=no
 ## oidc_rp_client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
 # Execute this script to produce the oidc rp client secret. This will be used when 'oidc_rp_client_secret' is not set.
-## oidc_rp_client_script=
+## oidc_rp_client_secret_script=
 
 # The OpenID provider authoriation endpoint
 ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth
diff --git a/desktop/conf/pseudo-distributed.ini.tmpl b/desktop/conf/pseudo-distributed.ini.tmpl
index 078b795c9bf..3f5c0d6344b 100644
--- a/desktop/conf/pseudo-distributed.ini.tmpl
+++ b/desktop/conf/pseudo-distributed.ini.tmpl
@@ -831,7 +831,7 @@
   ## oidc_rp_client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
   # Execute this script to produce the oidc rp client secret. This will be used when 'oidc_rp_client_secret' is not set.
-  ## oidc_rp_client_script=
+  ## oidc_rp_client_secret_script=
 
   # The OpenID provider authoriation endpoint
   ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth