UI improvements and critical bug fixes for SSO configuration

openmetadata-service/src/main/java/org/openmetadata/service/resources/system/SystemResource.java

@@ -41,6 +41,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.common.utils.CommonUtil;
 import org.openmetadata.schema.api.search.SearchSettings;
+import org.openmetadata.schema.api.security.AuthenticationConfiguration;
 import org.openmetadata.schema.auth.EmailRequest;
 import org.openmetadata.schema.configuration.EntityRulesSettings;
 import org.openmetadata.schema.configuration.SecurityConfiguration;
@@ -71,6 +72,7 @@
 import org.openmetadata.service.secrets.masker.PasswordEntityMasker;
 import org.openmetadata.service.security.Authorizer;
 import org.openmetadata.service.security.JwtFilter;
+import org.openmetadata.service.security.SecurityUtil;
 import org.openmetadata.service.security.auth.SecurityConfigurationManager;
 import org.openmetadata.service.security.policyevaluator.OperationContext;
 import org.openmetadata.service.security.policyevaluator.ResourceContext;
@@ -641,11 +643,14 @@ public Response updateSecurityConfig(
     authorizer.authorizeAdmin(securityContext);
 
     try {
+      AuthenticationConfiguration authConfig = securityConfig.getAuthenticationConfiguration();
+
+      // Auto-populate publicKeyUrls for OIDC confidential clients before saving
+      systemRepository.autoPopulatePublicKeyUrlsIfNeeded(authConfig);
+
       // Update both configurations in a transaction
       Settings authSettings =
-          new Settings()
-              .withConfigType(AUTHENTICATION_CONFIGURATION)
-              .withConfigValue(securityConfig.getAuthenticationConfiguration());
+          new Settings().withConfigType(AUTHENTICATION_CONFIGURATION).withConfigValue(authConfig);
 
       Settings authzSettings =
           new Settings()
@@ -710,8 +715,10 @@ public Response patchSecurityConfig(
       SecurityConfiguration updatedConfig =
           JsonUtils.readValue(jsonString, SecurityConfiguration.class);
 
+      String currentUsername = SecurityUtil.getUserName(securityContext);
       SecurityValidationResponse validationResponse =
-          systemRepository.validateSecurityConfiguration(updatedConfig, applicationConfig);
+          systemRepository.validateSecurityConfiguration(
+              updatedConfig, applicationConfig, currentUsername);
 
       boolean isValidConfig =
           validationResponse.getStatus() == SecurityValidationResponse.Status.SUCCESS;
@@ -775,7 +782,9 @@ public Response patchSecurityConfig(
   public SecurityValidationResponse validateSecurityConfig(
       @Context SecurityContext securityContext, @Valid SecurityConfiguration securityConfig) {
     authorizer.authorizeAdmin(securityContext);
-    return systemRepository.validateSecurityConfiguration(securityConfig, applicationConfig);
+    String currentUsername = SecurityUtil.getUserName(securityContext);
+    return systemRepository.validateSecurityConfiguration(
+        securityConfig, applicationConfig, currentUsername);
   }
 
   @GET

openmetadata-service/src/main/java/org/openmetadata/service/security/auth/SecurityConfigurationManager.java

@@ -24,6 +24,7 @@
 import org.openmetadata.schema.api.security.ClientType;
 import org.openmetadata.schema.configuration.SecurityConfiguration;
 import org.openmetadata.schema.services.connections.metadata.AuthProvider;
+import org.openmetadata.service.Entity;
 import org.openmetadata.service.OpenMetadataApplication;
 import org.openmetadata.service.OpenMetadataApplicationConfig;
 import org.openmetadata.service.exception.AuthenticationException;
@@ -94,6 +95,13 @@ public void initialize(
   }
 
   public SecurityConfiguration getCurrentSecurityConfig() {
+    // Apply LDAP default values before returning to prevent JSON PATCH errors
+    // when updating fields that were previously null in the database
+    if (currentAuthConfig != null && currentAuthConfig.getLdapConfiguration() != null) {
+      Entity.getSystemRepository()
+          .ensureLdapConfigDefaultValues(currentAuthConfig.getLdapConfiguration());
+    }
+
     return new SecurityConfiguration()
         .withAuthenticationConfiguration(currentAuthConfig)
         .withAuthorizerConfiguration(currentAuthzConfig);

openmetadata-service/src/main/java/org/openmetadata/service/security/auth/validator/Auth0Validator.java

@@ -285,10 +285,11 @@ private FieldError validatePublicKeyUrls(
       AuthenticationConfiguration authConfig, String auth0Domain) {
     try {
       List<String> publicKeyUrls = authConfig.getPublicKeyUrls();
+      // Skip validation if publicKeyUrls is empty - it's auto-populated for confidential clients
       if (publicKeyUrls == null || publicKeyUrls.isEmpty()) {
-        return ValidationErrorBuilder.createFieldError(
-            ValidationErrorBuilder.FieldPaths.AUTH_PUBLIC_KEY_URLS,
-            "Public key URLs are required for Auth0 clients");
+        LOG.debug(
+            "publicKeyUrls is empty, skipping validation (auto-populated for confidential clients)");
+        return null;
       }
 
       String expectedJwksUrl = auth0Domain + "/.well-known/jwks.json";

openmetadata-service/src/main/java/org/openmetadata/service/security/auth/validator/AzureAuthValidator.java

@@ -137,7 +137,7 @@ private FieldError validateAzureConfidentialClient(
         return tenantValidation;
       }
 
-      // Then validate against the discovery document
+      // Validate against the discovery document
       FieldError discoveryCheck =
           discoveryValidator.validateAgainstDiscovery(discoveryUri, authConfig, oidcConfig);
       if (discoveryCheck != null) {
@@ -357,9 +357,11 @@ private FieldError validatePublicKeyUrls(
       AuthenticationConfiguration authConfig, String tenantId) {
     try {
       List<String> publicKeyUrls = authConfig.getPublicKeyUrls();
+      // Skip validation if publicKeyUrls is empty - it's auto-populated for confidential clients
       if (publicKeyUrls == null || publicKeyUrls.isEmpty()) {
-        return ValidationErrorBuilder.createFieldError(
-            ValidationErrorBuilder.FieldPaths.AUTH_PUBLIC_KEY_URLS, "Public key urls are required");
+        LOG.debug(
+            "publicKeyUrls is empty, skipping validation (auto-populated for confidential clients)");
+        return null;
       }
 
       String expectedJwksUrl = AZURE_LOGIN_BASE + "/" + tenantId + "/discovery/v2.0/keys";

openmetadata-service/src/main/java/org/openmetadata/service/security/auth/validator/CognitoAuthValidator.java

@@ -223,10 +223,11 @@ private FieldError validatePublicKeyUrls(
       AuthenticationConfiguration authConfig, CognitoDetails cognitoDetails) {
     try {
       List<String> publicKeyUrls = authConfig.getPublicKeyUrls();
+      // Skip validation if publicKeyUrls is empty - it's auto-populated for confidential clients
       if (publicKeyUrls == null || publicKeyUrls.isEmpty()) {
-        return ValidationErrorBuilder.createFieldError(
-            ValidationErrorBuilder.FieldPaths.AUTH_PUBLIC_KEY_URLS,
-            "Public key URLs are required for Cognito clients");
+        LOG.debug(
+            "publicKeyUrls is empty, skipping validation (auto-populated for confidential clients)");
+        return null;
       }
 
       String expectedJwksUri =

openmetadata-service/src/main/java/org/openmetadata/service/security/auth/validator/CustomOidcValidator.java

@@ -221,10 +221,11 @@ private FieldError validateJwksEndpoint(String jwksUri, AuthenticationConfigurat
 
       // Verify publicKeyUrls is configured and contains the JWKS URI
       List<String> publicKeyUrls = authConfig.getPublicKeyUrls();
+      // Skip validation if publicKeyUrls is empty - it's auto-populated for confidential clients
       if (publicKeyUrls == null || publicKeyUrls.isEmpty()) {
-        return ValidationErrorBuilder.createFieldError(
-            ValidationErrorBuilder.FieldPaths.AUTH_PUBLIC_KEY_URLS,
-            "publicKeyUrls is required. Please configure it with the JWKS URI: " + jwksUri);
+        LOG.debug(
+            "publicKeyUrls is empty, skipping validation (auto-populated for confidential clients)");
+        return null;
       }
 
       // Check if the JWKS URI from discovery is in publicKeyUrls

openmetadata-service/src/main/java/org/openmetadata/service/security/auth/validator/OidcDiscoveryValidator.java

@@ -4,6 +4,7 @@
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
@@ -325,4 +326,51 @@ private String determineFieldPathFromErrors(List<String> errors) {
     // Default to discovery URI for general OIDC configuration errors
     return ValidationErrorBuilder.FieldPaths.OIDC_DISCOVERY_URI;
   }
+
+  /**
+   * Auto-populates publicKeyUrls from OIDC discovery document if not already set
+   *
+   * @param discoveryUri The OIDC discovery URI
+   * @param authConfig The authentication configuration to populate
+   * @throws Exception if discovery document cannot be fetched or parsed
+   */
+  public void autoPopulatePublicKeyUrls(String discoveryUri, AuthenticationConfiguration authConfig)
+      throws Exception {
+
+    // Skip if publicKeyUrls already populated
+    if (authConfig.getPublicKeyUrls() != null && !authConfig.getPublicKeyUrls().isEmpty()) {
+      LOG.debug("publicKeyUrls already set, skipping auto-population");
+      return;
+    }
+
+    if (nullOrEmpty(discoveryUri)) {
+      throw new IOException("Discovery URI is required for auto-populating publicKeyUrls");
+    }
+
+    // Fetch discovery document
+    ValidationHttpUtil.HttpResponseData response = ValidationHttpUtil.safeGet(discoveryUri);
+    if (response.getStatusCode() != 200) {
+      throw new IOException(
+          "Failed to fetch discovery document from: "
+              + discoveryUri
+              + " (HTTP "
+              + response.getStatusCode()
+              + ")");
+    }
+
+    // Parse and extract jwks_uri
+    JsonNode discoveryDoc = OBJECT_MAPPER.readTree(response.getBody());
+    if (!discoveryDoc.has("jwks_uri")) {
+      throw new IOException("Discovery document missing required 'jwks_uri' field");
+    }
+
+    String jwksUri = discoveryDoc.get("jwks_uri").asText();
+    if (nullOrEmpty(jwksUri)) {
+      throw new IOException("Discovery document contains empty 'jwks_uri' field");
+    }
+
+    // Auto-populate publicKeyUrls
+    authConfig.setPublicKeyUrls(List.of(jwksUri));
+    LOG.debug("Auto-populated publicKeyUrls from discovery document: {}", jwksUri);
+  }
 }

openmetadata-service/src/main/java/org/openmetadata/service/security/auth/validator/OktaAuthValidator.java

@@ -96,7 +96,6 @@ private FieldError validateOktaConfidentialClient(
       }
 
       // Step 3: Validate against OIDC discovery document (scopes, response types, etc.)
-      //   String discoveryUri = oktaDomain + OKTA_WELL_KNOWN_PATH;
       FieldError discoveryCheck =
           discoveryValidator.validateAgainstDiscovery(
               oidcConfig.getDiscoveryUri(), authConfig, oidcConfig);
@@ -234,8 +233,11 @@ private FieldError validatePublicKeyUrls(
       AuthenticationConfiguration authConfig, String oktaDomain, @Nullable String discoveryUri) {
     try {
       List<String> publicKeyUrls = authConfig.getPublicKeyUrls();
+      // Skip validation if publicKeyUrls is empty - it's auto-populated for confidential clients
       if (publicKeyUrls == null || publicKeyUrls.isEmpty()) {
-        throw new IllegalArgumentException("Public key URLs are required");
+        LOG.debug(
+            "publicKeyUrls is empty, skipping validation (auto-populated for confidential clients)");
+        return null;
       }
 
       // Determine expected JWKS URL based on client type