Channels
acryl-omnisend
advice-data-governance
advice-metadata-modeling
all-things-datahub-in-windows
all-things-deployment
announcements
authentication-authorization
chatter
column-level-lineage
contribute
contribute-datahub-blog
datahub-soda-test
demo-slack-notifications
design-business-glossary
design-data-product-entity
design-data-quality
design-datahub-documentation
design-dataset-access-requests
design-dataset-joins
feature-requests
flyte-datahub-integration
getting-started
github-activities
help-
i18n-community-contribution
ingestion
integration-alteryx-datahub
integration-azure-datahub
integration-dagster-datahub
integration-databricks-datahub
integration-datastudio-datahub
integration-iceberg-datahub
integration-powerbi-datahub
integration-prefect-datahub
integration-protobuf
integration-tableau-datahub
integration-vertica-datahub
introduce-yourself
jobs
metadata-day22-hackathon
muti-tenant-deployment
office-hours
openapi
plugins
show-and-tell
talk-data-product-management
troubleshoot
ui
Title
f
fresh-fish-73471
07/01/2021, 3:46 PMWe are trying to enable the OIDC (AWS cognito) authentication for dockerized Datahub
We followed the instructions given in the below link
https://datahubproject.io/docs/how/configure-oidc-react/
We have configured following properties from datahub/docker/datahub-frontend/env/docker.env
Required OIDC configs
AUTH_OIDC_ENABLED=true
AUTH_OIDC_CLIENT_ID=XXXXXXXX
AUTH_OIDC_CLIENT_SECRET=
#AUTH_OIDC_DISCOVERY_URI=https://xxxxxxxxxxxxxxxxxxxxxxxx/.well-known/openid-configuration
AUTH_OIDC_DISCOVERY_URI=https://xxxxxxxxxxxx.xxxxxxxxxxxxxxxx/openid-configuration
AUTH_OIDC_BASE_URL=https://XXXXXXXXX.com
Optional OIDC configs
AUTH_OIDC_USER_NAME_CLAIM=email
AUTH_OIDC_USER_NAME_CLAIM_REGEX=([^@]+)
AUTH_OIDC_SCOPE=openid
Uncomment to disable JAAS username / password authentication (enabled by defau lt)
AUTH_JAAS_ENABLED=false
But for some reasons redirection is not happening, instead it is taking us to default datahub login page
when we hit the base url.
Please let us know, if we are missing something
Thanks in advance.
b
big-carpet-38439
07/01/2021, 4:58 PMWill ping you directly!
m
most-pillow-90882
03/14/2022, 6:23 PM@big-carpet-38439 @fresh-fish-73471 Did you guys manage to get Cognito working? I’ve got login partially working, but logOut is broken
b
big-carpet-38439
03/14/2022, 6:30 PM@most-pillow-90882 What is happening on log out?
m
most-pillow-90882
03/14/2022, 6:33 PMRight now, nothing. Just goes back to home page with logged in user. Have tried disabling cacheing, etc.
For cognito app client, have set ’Allowed Singout Urls” to http://localhost:9002 and http://localhost:9002/logOut but neither working
Also, I’m in dev mode, if that helps
# Uncomment & populate these configs to enable OIDC SSO in React application.
# Required OIDC configs
AUTH_OIDC_ENABLED=true
AUTH_OIDC_CLIENT_ID= XXX
AUTH_OIDC_CLIENT_SECRET=XXX
AUTH_OIDC_DISCOVERY_URI=https://cognito-idp.us-east-1.amazonaws.com/XXX/.well-known/openid-configuration
AUTH_OIDC_BASE_URL=http://localhost:9002
# Optional OIDC configs
# AUTH_OIDC_USER_NAME_CLAIM=email
# AUTH_OIDC_USER_NAME_CLAIM_REGEX=([^@]+)
AUTH_OIDC_SCOPE=“openid profile email groups”
#AUTH_OIDC_CLIENT_AUTHENTICATION_METHOD = client_secret_post
# Optional Provisioning Configs
# AUTH_OIDC_JIT_PROVISIONING_ENABLED=true
# AUTH_OIDC_PRE_PROVISIONING_REQUIRED=false
AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true
AUTH_OIDC_GROUPS_CLAIM=groups
# Uncomment to disable JAAS username / password authentication (enabled by default)
AUTH_JAAS_ENABLED=false
From Cognito app client
I also had some issues with login (had to delete the ?code sent with callback)
b
big-carpet-38439
03/14/2022, 11:14 PMCan you try this in incognito browser? This is very strange. Both login and logout should work... If you can send the contents of the open-id configuration URL it may help us triage
m
most-pillow-90882
03/15/2022, 4:00 PMSame issue in Incognito mode (tested both Chrome and Firefox). openId config url https://cognito-idp.us-east-1.amazonaws.com/us-east-1_pjck0hccL/.well-known/openid-configuration. Contents:
authorization_endpoint “https://sae-blk-test.auth.us-east-1.amazoncognito.com/oauth2/authorize”
id_token_signing_alg_values_supported
0 “RS256"
issuer “https://cognito-idp.us-east-1.amazonaws.com/us-east-1_pjck0hccL”
jwks_uri “https://cognito-idp.us-east-1.amazonaws.com/us-east-1_pjck0hccL/.well-known/jwks.json”
response_types_supported
0 “code”
1 “token”
scopes_supported
0 “openid”
1 “email”
2 “phone”
3 “profile”
subject_types_supported
0 “public”
token_endpoint “https://sae-blk-test.auth.us-east-1.amazoncognito.com/oauth2/token”
token_endpoint_auth_methods_supported
0 “client_secret_basic”
1 “client_secret_post”
userinfo_endpoint “https://sae-blk-test.auth.us-east-1.amazoncognito.com/oauth2/userInfo”
b
big-carpet-38439
03/15/2022, 5:31 PMThank you - will take a look today. Also, which version of DataHub are you using?
m
most-pillow-90882
03/15/2022, 7:50 PMLooks like 0..8.29 actually
I’ll try downgrading to 0.8.28 to see if fixes
b
big-carpet-38439
03/19/2022, 9:49 PMYeah so there's a known issue in 0.8.29 unforuntately with OIDC - can you try to use 0.8.30?
c
cuddly-butcher-39945
02/16/2023, 11:07 PMFWIW, this is the link that appears to work for the OIDC / React guide https://datahubproject.io/docs/authentication/guides/sso/configure-oidc-react/#configuring-oidc-in-react