This topic outlines how to integrate the OAuth 2.0 standard protocol with external systems for tenants that already have an authentication server supporting OAuth 2.0. The integration enables single sign-on and connects internal employee information seamlessly.
Background information
OAuth 2.0 is an authorization framework that simplifies the process compared to OAuth 1.0. It authorizes applications to access user resources using access tokens and supports multiple authorization types, including authorization code, client credentials, password credentials, and implicit authorization. OAuth 2.0 enhances security, extensibility, and user experience without the need for encrypted signatures or key exchanges.
Instructions for use
Dataphin supports user authentication to access its services. After successful authentication, the user is added to all tenants, except for the metadata warehouse tenant.
Dataphin does not automatically add members to tenants. The tenant's system administrator must manually add users.
Integration plan
Preparation before integration
Register an application on the OAuth service provider's website to obtain the client ID and client secret, which are essential for application authentication and authorization.
Configuration Item
Mandatory
Description
client ID
Yes
The unique identifier for the client.
client secret
Yes
The secret key for client authentication.
Create a JSON format configuration file and encode it using Base64.
Write configuration file
Write JSON format configuration file
Note: Replace the placeholders in the JSON file template below with the appropriate values.
{
"client":{
"registrationId":"dataphin",
"clientId":"dataphin",
"clientSecret":"XXXXX",
"clientAuthMethod":"basic",
"scopes":[
"read",
"write",
"trust"
],
"tokenUri":"https:\/\/*****.*******.com\/oauthserver\/*****\/token",
"authorizationUri":"https:\/\/*****.*******.com\/oauthserver\/*****\/authorize",
"userInfoUri":"https:\/\/*****.*******.com\/oauthserver\/me",
"redirectUriTemplate":"{baseUrl}\/login\/oauth2\/code\/{registrationId}",
"userNameAttributeName":"username",
"clientName":"dataphin",
"logoutUriTemplate":"https:\/\/*****.*******.com\/oauthserver\/logout?username={0}",
"logoutMethod":"get",
"logoutParamNames":"email",
"logoutAuthorizationTemplate":"Bearer {0}",
"logoutAuthorizationParamNames":"accessToken"
},
"user":{
"idAttributeName":"userid",
"displayNameAttributeName":"username",
"realNameAttributeName":"realname",
"emailAttributeName":"email",
"mobilePhoneAttributeName":"mobilePhone"
}
}Configuration Name | Configuration Description | Example Value |
registrationId | A unique string to identify different client applications, often the same as clientId. | dataphin |
clientId | The registered clientId. | dataphin |
clientSecret | The registered client secret. | your_client_secret |
clientAuthMethod | The application's authentication method. | basic |
scopes | The authorization scope for the IdP. | read, write, trust |
tokenUri | The endpoint for token retrieval. | https://*****.*****.com/oauthserver/*****/token |
authorizationUri | The endpoint for authorization. | https://*****.*****.com/oauthserver/*****/authorize |
userInfoUri | The endpoint for user information retrieval. | https://*****.*****.com/oauthserver/me |
jwkSetUri | The endpoint for public key retrieval.
| https://*****.*****.com/49d65996-*****-4f8d-920f-*****/discovery/v2.0/keys |
redirectUriTemplate | The fixed webhook address for Dataphin, which cannot be altered. | {baseUrl}/login/oauth2/code/{registrationId} |
userNameAttributeName | The attribute name for "username" in the IdP's returned user information. | username |
idAttributeName | The field name for the user's unique identifier in the IdP's returned user information. | userid |
clientName | The display name of the client, ideally matching the registrationId. | dataphin |
logoutUriTemplate | The URL template for logging out, which can include query parameters. | https://*****.*****.com/*****/logout?username={0} |
logoutMethod | The method for logging out, which can be either get or redirect. | get |
logoutParamNames | The parameter names used during logout to populate the placeholders in the logoutUriTemplate. | |
logoutAuthorizationTemplate | The authentication information required during logout. | Bearer {0} |
logoutAuthorizationParamNames | Corresponds to logoutParamNames and supports variable substitution. | accessToken |
displayNameAttributeName | The field name for the user's display name in the IdP's returned user information. | username |
realNameAttributeName | The field name for the user's real name in the IdP's returned user information. | realname |
emailAttributeName | The field name for the user's email in the IdP's returned user information. | |
mobilePhoneAttributeName | The field name for the user's mobile phone number in the IdP's returned user information. | mobilePhone |
Perform Base64 encoding on JSON format configuration information
Save the JSON configuration information in a text file with a .json extension.
To perform Base64 encoding on a Mac operating system, follow these steps.
Launch the terminal application.
Execute the command below to perform Base64 encoding:
cat OAuth_config.json | base64
For Windows operating systems, Base64 encoding can be performed using PowerShell or command prompt. Use the certutil command for this purpose.
Example of how to perform Base64 encoding in PowerShell:
Use the
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("OAuth_config.json")) > encodedOAuth_config.txtcommand to encode the "OAuth_config.json" file to Base64 and save the output to "encodedOAuth_config.txt".To perform Base64 encoding from the command prompt, use the following command:
Use the
certutil -encode OAuth_config.json encodedOAuth_config.txtcommand to encode the 'OAuth_config.json' file into the 'encodedOAuth_config.txt' file.
Dataphin configuration authentication information
Provide the following configuration information to Dataphin operation and maintenance personnel for setup.
dataphin.sso.provider.session=com.alibaba.dataphin.sso.provider.thirdpart.oauth.session.DataphinOauth2SessionProvider
dataphin.sso.provider.account=com.alibaba.dataphin.sso.provider.thirdpart.oauth.account.DataphinOauth2AccountProvider
dataphin.security.thirdpartoauth2.encodedProperties = 'Base64 encoded OAuth2 json configuration item file content'Switch authentication system for historical users
Dataphin's userTable stores both the source id (source_user_id) and Dataphin user_id (user_id). In business operations, user_id serves as the user identifier, while source_user_id is used for user information transformation.
When a user logs in to the IdP, carrying the source_user_id to Dataphin, Dataphin converts the source_user_id to user_id through the userTable, and the user conversion is completed.
To upgrade historical users, ensure the source_user_id is updated to match the new system's user identifiers, enabling direct mapping to Dataphin members.
For instance, if a customer transitions from Alibaba Cloud's login system to Microsoft AD and the super administrator in Dataphin is Xiaoming, Xiaoming's Alibaba Cloud id must be replaced with his Microsoft AD id.
The mapping table should include at least two columns: fromId and toId. The fromId column represents the id in the former IdP, and the toId column represents the id in the new IdP.
Unupdated users will lose access to Dataphin, potentially impacting business operations if they hold specific permissions, such as approval rights. Therefore, customers must carefully verify the mapping table to prevent omissions or errors during the update process.
Username
fromId
toId
Xiaoming
aliyun123
ms_ad_124
SuperAdmin
aliyun666
ms_ad_666