DSP-24890 Adds OIDC configuration options

Adds OIDC configuration options to support Client Credentials Flow.

Author: tiagomlalves

common/src/main/java/com/datastax/oss/common/sink/config/AuthenticatorConfig.java

@@ -24,6 +24,8 @@
 import edu.umd.cs.findbugs.annotations.Nullable;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.nio.file.Path;
 import java.util.HashMap;
 import java.util.Map;
@@ -40,61 +42,10 @@ public class AuthenticatorConfig extends AbstractConfig {
   public static final String KEYTAB_OPT = "auth.gssapi.keyTab";
   public static final String PRINCIPAL_OPT = "auth.gssapi.principal";
   public static final String SERVICE_OPT = "auth.gssapi.service";
-
-  /*
-    # oidc_options:
-  #     # OIDC Authentication server url (required when "oidc" authentication scheme is used).
-  #     issuer: https://auth.example.com/realms/my-realm
-  #
-  #     # Array of accepted OIDC clients (by default all clients are accepted).
-  #     accepted_audience: []
-  #
-  #     # Access token claim used to identify the user in the database (by default the "preferred_username"
-  #     # claim is used). When defined, the claim must exist at the top-level of the access token's JWT.
-  #     user_name_claim:
-  #
-  #     # Array of claims used to identify the user roles in the database. For example, setting this
-  #     # configuration to "[ realm_roles.roles ]" will assume all OIDC realm roles. If the claim doesn't
-  #     # exist or does not identify an array of strings in the JWT, the setting will be ignored. Roles
-  #     # defined in these claims must be previously defined in the database such that any privilege grant
-  #     # is recognized and validated.
-  #     user_roles_claims: []
-  #
-  #     # Set to true to initiate a TLS encrypted connections. Defaults to false. If case of
-  #     # truststore_path being set, it will default to true.
-  #     use_tls: false
-  #
-  #     # Sets the keystore path with valid certificates to establish encrypted connections with the OIDC Server.
-  #     # When TLS is enabled, failure to set this option or an invalid path will result in an error.
-  #     truststore_path:
-  #     # Keystore password
-  #     truststore_password:
-  #     # Keystore type (JKS or PKCS12). By default, the trustore type is inferred from the keystore
-  #     # extension. For `.p12`, `.pkcs12`, or `.pfx` files, PKCS12 is used. For `.keystore` or
-  #     # `.jks` files, JKS is used. In case the keystore type cannot be inferred from the extension,
-  #     # this option must be set.
-  #     truststore_type: jks
-  #
-  #     # Compatibility option, allowing older drivers to use OIDC authentication via password
-  #     # authentication, by using a pre-configurable username and passing an OIDC JWT access token as
-  #     # password. Defaults to false.
-  #     # allow_token_via_password_authentication: false
-  #     # When the above option is true, it allows configuring the username which will be used
-  #     # to detect that an OIDC JWT access token is being sent as password.
-  #     # token_username: oauth-bearer
-     */
-
-  public static final String OIDC_ISSUER = "auth.oidc.issuer";
-  public static final String OIDC_ACCEPTED_AUDIENCE = "auth.oidc.accepted_audience";
-  public static final String OIDC_USER_NAME_CLAIM = "auth.oidc.user_name_claim";
-  public static final String OIDC_USER_ROLES_CLAIMS = "auth.oidc.user_roles_claims";
-  public static final String OIDC_USE_TLS = "auth.oidc.use_tls";
-  public static final String OIDC_TRUSTSTORE_PATH = "auth.oidc.truststore_path";
-  public static final String OIDC_TRUSTSTORE_PASSWORD = "auth.oidc.truststore_password";
-  public static final String OIDC_TRUSTSTORE_TYPE = "auth.oidc.truststore_type";
-  public static final String OIDC_ALLOW_TOKEN_VIA_PASSWORD_AUTHENTICATION =
-      "auth.oidc.allow_token_via_password_authentication";
-  public static final String OIDC_TOKEN_USERNAME = "auth.oidc.token_username";
+  public static final String OIDC_ISSUER_OPT = "auth.oidc.issuer";
+  public static final String OIDC_CLIENT_ID_OPT = "auth.oidc.client_id";
+  public static final String OIDC_CLIENT_SECRET_OPT = "auth.oidc.client_secret";
+  public static final String OIDC_USE_TLS_OPT = "auth.oidc.use_tls";
 
   private static final Logger log = LoggerFactory.getLogger(AuthenticatorConfig.class);
   public static final ConfigDef CONFIG_DEF =
@@ -137,72 +88,29 @@ public class AuthenticatorConfig extends AbstractConfig {
               ConfigDef.Importance.HIGH,
               "SASL service name to use for GSSAPI provider authentication")
           .define(
-              OIDC_ISSUER,
+              OIDC_ISSUER_OPT,
               ConfigDef.Type.STRING,
               "",
               ConfigDef.Importance.HIGH,
               "OIDC Authentication server url")
           .define(
-              OIDC_ACCEPTED_AUDIENCE,
-              ConfigDef.Type.LIST,
-              "",
-              ConfigDef.Importance.HIGH,
-              "Array of accepted OIDC clients")
-          .define(
-              OIDC_USER_NAME_CLAIM,
+              OIDC_CLIENT_ID_OPT,
               ConfigDef.Type.STRING,
-              "preferred_username",
-              ConfigDef.Importance.HIGH,
-              "Access token claim used to identify the user in the database")
-          .define(
-              OIDC_USER_ROLES_CLAIMS,
-              ConfigDef.Type.LIST,
               "",
               ConfigDef.Importance.HIGH,
-              "Array of claims used to identify the user roles in the database")
+              "OIDC Client Id to use for authentication")
           .define(
-              OIDC_USE_TLS,
-              ConfigDef.Type.BOOLEAN,
-              false,
-              ConfigDef.Importance.HIGH,
-              "Set to true to initiate a TLS encrypted connections. Defaults to false. If case of "
-                  + "truststore_path being set, it will default to true.")
-          .define(
-              OIDC_TRUSTSTORE_PATH,
-              ConfigDef.Type.STRING,
-              "",
-              ConfigDef.Importance.HIGH,
-              "Sets the keystore path with valid certificates to establish encrypted connections with the OIDC Server.")
-          .define(
-              OIDC_TRUSTSTORE_PASSWORD,
+              OIDC_CLIENT_SECRET_OPT,
               ConfigDef.Type.PASSWORD,
               "",
               ConfigDef.Importance.HIGH,
-              "Keystore password")
+              "OIDC Client Secret to use for authentication")
           .define(
-              OIDC_TRUSTSTORE_TYPE,
-              ConfigDef.Type.STRING,
-              "jks",
-              ConfigDef.Importance.HIGH,
-              "Keystore type (JKS or PKCS12). By default, the trustore type is inferred from the keystore "
-                  + "extension. For `.p12`, `.pkcs12`, or `.pfx` files, PKCS12 is used. For `.keystore` or "
-                  + "`.jks` files, JKS is used. In case the keystore type cannot be inferred from the extension, "
-                  + "this option must be set.")
-          .define(
-              OIDC_ALLOW_TOKEN_VIA_PASSWORD_AUTHENTICATION,
+              OIDC_USE_TLS_OPT,
               ConfigDef.Type.BOOLEAN,
               false,
               ConfigDef.Importance.HIGH,
-              "Compatibility option, allowing older drivers to use OIDC authentication via password "
-                  + "authentication, by using a pre-configurable username and passing an OIDC JWT access token as "
-                  + "password.")
-          .define(
-              OIDC_TOKEN_USERNAME,
-              ConfigDef.Type.STRING,
-              "oauth-bearer",
-              ConfigDef.Importance.HIGH,
-              "When the above option is true, it allows configuring the username which will be used "
-                  + "to detect that an OIDC JWT access token is being sent as password.");
+              "Set to true to initiate a TLS encrypted connections. Defaults to false.");
 
   @Nullable private final Path keyTabPath;
 
@@ -227,8 +135,23 @@ public AuthenticatorConfig(Map<String, String> authSettings) {
     }
 
     if (provider == Provider.OIDC) {
-      if (getString(OIDC_ISSUER).isEmpty()) {
-        throw new ConfigException(OIDC_ISSUER, "<empty>", "is required");
+      if (getString(OIDC_ISSUER_OPT).isEmpty()) {
+        throw new ConfigException(OIDC_ISSUER_OPT, "<empty>", "is required");
+      }
+
+      try {
+        new URI(getString(OIDC_ISSUER_OPT));
+      }
+      catch (URISyntaxException e) {
+        throw new ConfigException(
+            OIDC_ISSUER_OPT, getString(OIDC_ISSUER_OPT), "is not a valid URI: " + e.getMessage());
+      }
+
+      if (getString(OIDC_CLIENT_ID_OPT).isEmpty()) {
+        throw new ConfigException(OIDC_CLIENT_ID_OPT, "<empty>", "is required");
+      }
+      if (getPassword(OIDC_CLIENT_SECRET_OPT).value().isEmpty()) {
+        throw new ConfigException(OIDC_CLIENT_SECRET_OPT, "<empty>", "is required");
       }
     }
   }
@@ -268,14 +191,8 @@ private static Map<String, String> sanitizeAuthSettings(Map<String, String> auth
     }
 
     if ("OIDC".equals(provider)) {
-      // OIDC provider requires issuer to be set.
-      if (!mutated.containsKey(OIDC_ISSUER) || mutated.get(OIDC_ISSUER).isEmpty()) {
-        throw new ConfigException(OIDC_ISSUER, "<empty>", "is required for OIDC authentication");
-      }
-      // If truststore path is set, use TLS.
-      if (mutated.containsKey(OIDC_TRUSTSTORE_PATH)
-          && !mutated.get(OIDC_TRUSTSTORE_PATH).isEmpty()) {
-        mutated.put(OIDC_USE_TLS, "true");
+      if (!mutated.containsKey(OIDC_USE_TLS_OPT) || mutated.get(OIDC_USE_TLS_OPT).isEmpty()) {
+        mutated.put(OIDC_USE_TLS_OPT, "true");
       }
     }
 
@@ -356,6 +273,24 @@ public String getService() {
     return getString(SERVICE_OPT);
   }
 
+  public URI getOIDCIssuer() {
+    try {
+      return new URI(getString(OIDC_ISSUER_OPT));
+    }
+    catch (URISyntaxException e) {
+      // This should never happen because we validate the URI in the constructor.
+      return null;
+    }
+  }
+
+  public String getOIDCClientId() {
+    return getString(OIDC_CLIENT_ID_OPT);
+  }
+
+  public String getOIDCClientSecret() {
+    return getPassword(OIDC_CLIENT_SECRET_OPT).value();
+  }
+
   @Override
   public String toString() {
     return configToString(
@@ -367,16 +302,9 @@ public String toString() {
         KEYTAB_OPT,
         PRINCIPAL_OPT,
         SERVICE_OPT,
-        // OIDC opts
-        OIDC_ISSUER,
-        OIDC_ACCEPTED_AUDIENCE,
-        OIDC_USER_NAME_CLAIM,
-        OIDC_USE_TLS,
-        OIDC_TRUSTSTORE_PATH,
-        OIDC_TRUSTSTORE_PASSWORD,
-        OIDC_TRUSTSTORE_TYPE,
-        OIDC_ALLOW_TOKEN_VIA_PASSWORD_AUTHENTICATION,
-        OIDC_TOKEN_USERNAME);
+        OIDC_ISSUER_OPT,
+        OIDC_CLIENT_ID_OPT,
+        OIDC_CLIENT_SECRET_OPT);
   }
 
   public enum Provider {