Tenants that use an authentication server supporting OAuth 2.0 can connect to external systems. This enables single sign-on (SSO) and integrates basic employee information. This topic describes the standard protocol for OAuth 2.0 authentication servers.
Background information
OAuth 2.0 is a framework for authorization. Unlike OAuth 1.0, it does not use encrypted signatures or key exchange to authenticate requests. OAuth 2.0 uses access tokens to grant applications access to user resources. It supports multiple grant types, such as authorization code, client credentials, password credentials, and implicit grant. Dataphin currently supports only the authorization code grant type, which is the most common. Compared to OAuth 1.0, OAuth 2.0 simplifies the authorization flow, improves security and scalability, and provides a better user experience.
Usage notes
Users can access Dataphin through authentication. After a user is authenticated, they are added to all tenants except for the metadata warehouse tenant.
However, Dataphin does not automatically add a user as a member to a tenant. The tenant's system administrator must add the user manually.
Integration plan
Prerequisites
Register an application with your OAuth service provider (SP) to obtain a client ID and client secret. This information is used for application identity verification and authorization.
Configuration item
Required
Description
client ID
Yes
The client ID that identifies the client.
client secret
Yes
The client secret used for identity verification.
Create a configuration file in JSON format and encode it using Base64.
Create the configuration file
Create the JSON configuration file
Note: Replace the configuration items in the following JSON file template with your actual information.
{
"client":{
"registrationId":"dataphin",
"clientId":"dataphin",
"clientSecret":"XXXXX",
"clientAuthMethod":"basic",
"scopes":[
"read",
"write",
"trust"
],
"tokenUri":"https:\/\/*****.*******.com\/oauthserver\/*****\/token",
"authorizationUri":"https:\/\/*****.*******.com\/oauthserver\/*****\/authorize",
"userInfoUri":"https:\/\/*****.*******.com\/oauthserver\/me",
"redirectUriTemplate":"{baseUrl}\/login\/oauth2\/code\/{registrationId}",
"userNameAttributeName":"username",
"clientName":"dataphin",
"logoutUriTemplate":"https:\/\/*****.*******.com\/oauthserver\/logout?username={0}",
"logoutMethod":"get",
"logoutParamNames":"email",
"logoutAuthorizationTemplate":"Bearer {0}",
"logoutAuthorizationParamNames":"accessToken"
},
"user":{
"idAttributeName":"userid",
"displayNameAttributeName":"username",
"realNameAttributeName":"realname",
"emailAttributeName":"email",
"mobilePhoneAttributeName":"mobilePhone"
}
}Configuration name | Description | Example value |
registrationId | A string that distinguishes different client applications. In OAuth 2.0, registrationId is typically the same as clientId and is used to identify the client application. | dataphin |
clientId | The registered client ID. | dataphin |
clientSecret | The registered client secret. | your_client_secret |
clientAuthMethod | The authentication method for the registered application. | basic |
scopes | The authorization information of the customer's identity provider (IdP). | read, write, trust |
tokenUri | The endpoint for obtaining a token. | https://*****.*****.com/oauthserver/*****/token |
authorizationUri | The authentication endpoint. | https://*****.*****.com/oauthserver/*****/authorize |
userInfoUri | The endpoint for obtaining user information. | https://*****.*****.com/oauthserver/me |
jwkSetUri | The endpoint for obtaining the public key.
| https://*****.*****.com/49d65996-*****-4f8d-920f-*****/discovery/v2.0/keys |
redirectUriTemplate | The webhook address for Dataphin. Do not modify this value. | {baseUrl}/login/oauth2/code/{registrationId} |
userNameAttributeName | The property name for the username in the user information returned by the IdP. | username |
idAttributeName | The field name for the ID in the user information returned by the IdP. This name is used to uniquely identify the user in Dataphin. | userid |
clientName | The name of the client. Set this to the same value as registrationId. | dataphin |
logoutUriTemplate | The logout URL. Query parameters are supported. | https://*****.*****.com/*****/logout?username={0} |
logoutMethod | The logout method. Valid values are get and redirect. | get |
logoutParamNames | The names of the parameters included during logout. These are used to fill the placeholders in logoutUriTemplate. | |
logoutAuthorizationTemplate | The authentication information included during logout. | Bearer {0} |
logoutAuthorizationParamNames | Similar to logoutParamNames. Variable substitution is supported. | accessToken |
displayNameAttributeName | The field name for the user's display name in the user information returned by the IdP. | username |
realNameAttributeName | The field name for the user's real name in the user information returned by the IdP. | realname |
emailAttributeName | The field name for the user's email in the user information returned by the IdP. | |
mobilePhoneAttributeName | The field name for the user's mobile phone number in the user information returned by the IdP. | mobilePhone |
Base64-encode the JSON configuration information
Save the JSON configuration information in a text file with the .json extension.
If you use macOS, perform Base64 encoding as follows.
Open the Terminal application.
Run the following command to perform Base64 encoding:
cat OAuth_config.json | base64.
If you use Windows, use PowerShell or the command prompt to perform Base64 encoding.
The following is an example of Base64 encoding in PowerShell:
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("OAuth_config.json")) > encodedOAuth_config.txt.To encode in the command prompt, run the following command:
certutil -encode OAuth_config.json encodedOAuth_config.txt.
Configure authentication information in Dataphin
Provide the following configuration information to the Dataphin operations and maintenance (O&M) engineer.
dataphin.sso.provider.session=com.alibaba.dataphin.sso.provider.thirdpart.oauth.session.DataphinOauth2SessionProvider
dataphin.sso.provider.account=com.alibaba.dataphin.sso.provider.thirdpart.oauth.account.DataphinOauth2AccountProvider
dataphin.security.thirdpartoauth2.encodedProperties = 'The content of the Base64-encoded OAuth2 JSON configuration file'Switching authentication systems for existing users
The Dataphin userTable stores the user's source ID (source_user_id) and the Dataphin user ID (user_id). In Dataphin operations, user_id serves as the user identifier, and source_user_id is used to transform user information.
After a user logs on to the identity provider (IdP), their source_user_id is sent to Dataphin. Dataphin uses the userTable to transform the source_user_id into the corresponding user_id.
When you switch authentication systems for existing users, you must update the source_user_id. This allows users from the new system to be directly mapped to their corresponding members in Dataphin.
For example, a customer switches from the Alibaba Cloud logon system to Microsoft Active Directory (AD). The Alibaba Cloud ID of a Dataphin super administrator named Xiaoming must be replaced with their Microsoft AD ID.
The mapping table must contain at least two columns: fromId and toId. fromId is the user ID from the previous IdP. toId is the user ID from the new IdP.
Users whose IDs are not updated can no longer access Dataphin. If these users own permissions, such as being an approver, business operations may be affected. When you update user IDs, carefully check the mapping table to prevent omissions or errors.
Username
fromId
toId
Xiaoming
aliyun123
ms_ad_124
SuperAdmin
aliyun666
ms_ad_666