[OIDC] Enhance OIDC Integration: Secure client secret handling and fix access token storage

desktop/conf.dist/hue.ini

@@ -828,6 +828,9 @@ tls=no
 # The client secret as relay party set in OpenID provider
 ## oidc_rp_client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
+# Execute this script to produce the oidc rp client secret. This will be used when 'oidc_rp_client_secret' is not set.
+## oidc_rp_client_script=
+
 # The OpenID provider authoriation endpoint
 ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth
 

desktop/conf/pseudo-distributed.ini.tmpl

@@ -830,6 +830,9 @@
     # The client secret as relay party set in OpenID provider
     ## oidc_rp_client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
+    # Execute this script to produce the oidc rp client secret. This will be used when 'oidc_rp_client_secret' is not set.
+    ## oidc_rp_client_script=
+
     # The OpenID provider authoriation endpoint
     ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth
 

desktop/core/src/desktop/auth/backend.py

@@ -827,7 +827,7 @@ def authenticate(self, *args, **kwargs):
 
     token_payload = {
       'client_id': self.OIDC_RP_CLIENT_ID,
-      'client_secret': self.OIDC_RP_CLIENT_SECRET,
+      'client_secret': self.OIDC_RP_CLIENT_SECRET or self.OIDC_RP_CLIENT_SECRET_SCRIPT,
       'grant_type': 'authorization_code',
       'code': code,
       'redirect_uri': absolutify(
@@ -849,6 +849,7 @@ def authenticate(self, *args, **kwargs):
     verified_id = self.verify_token(id_token, nonce=nonce)
 
     if verified_id:
+      self.save_access_tokens(access_token)
       self.save_refresh_tokens(refresh_token)
       user = self.get_or_create_user(access_token, id_token, verified_id)
       user = rewrite_user(user)
@@ -865,6 +866,12 @@ def filter_users_by_claims(self, claims):
       return self.UserModel.objects.none()
     return self.UserModel.objects.filter(username__iexact=username)
 
+  def save_access_tokens(self, access_token):
+    session = self.request.session
+
+    if import_from_settings('OIDC_STORE_ACCESS_TOKEN', False):
+      session['oidc_access_token'] = access_token
+
   def save_refresh_tokens(self, refresh_token):
     session = self.request.session
 
@@ -940,7 +947,7 @@ def logout(self, request, next_page):
     if access_token and refresh_token:
       oidc_logout_url = OIDC.LOGOUT_REDIRECT_URL.get()
       client_id = import_from_settings('OIDC_RP_CLIENT_ID')
-      client_secret = import_from_settings('OIDC_RP_CLIENT_SECRET')
+      client_secret = import_from_settings('OIDC_RP_CLIENT_SECRET') or import_from_settings('OIDC_RP_CLIENT_SECRET_SCRIPT')
       oidc_verify_ssl = import_from_settings('OIDC_VERIFY_SSL')
       form = {
         'client_id': client_id,

desktop/core/src/desktop/conf.py

@@ -1610,7 +1610,15 @@ def is_gunicorn_report_enabled():
       key="oidc_rp_client_secret",
       help=_("The client secret as relay party set in OpenID provider."),
       type=str,
-      default="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+      default=""
+    ),
+
+    OIDC_RP_CLIENT_SECRET_SCRIPT=Config(
+      key="oidc_rp_client_secret_script",
+      help=_("Execute this script to produce the oidc rp client secret.",
+             "This will be used when 'oidc_rp_client_secret' is not set."),
+      type=coerce_password_from_script,
+      default=None,
     ),
 
     OIDC_OP_AUTHORIZATION_ENDPOINT=Config(

desktop/core/src/desktop/settings.py

@@ -605,6 +605,7 @@ def is_oidc_configured():
   OIDC_RP_SIGN_ALGO = 'RS256'
   OIDC_RP_CLIENT_ID = desktop.conf.OIDC.OIDC_RP_CLIENT_ID.get()
   OIDC_RP_CLIENT_SECRET = desktop.conf.OIDC.OIDC_RP_CLIENT_SECRET.get()
+  OIDC_RP_CLIENT_SECRET_SCRIPT = desktop.conf.OIDC.OIDC_RP_CLIENT_SECRET_SCRIPT.get()
   OIDC_OP_AUTHORIZATION_ENDPOINT = desktop.conf.OIDC.OIDC_OP_AUTHORIZATION_ENDPOINT.get()
   OIDC_OP_TOKEN_ENDPOINT = desktop.conf.OIDC.OIDC_OP_TOKEN_ENDPOINT.get()
   OIDC_OP_USER_ENDPOINT = desktop.conf.OIDC.OIDC_OP_USER_ENDPOINT.get()