Authentication via OAuth 2.0 in Hue

thomas.shannon · April 30, 2020, 6:35pm

Hello,

I am looking to implement OAuth in my Hue application. The service I am interacting with uses OAuth 2.0, but it seems that Hue is only shipped with OAuth 1.0. Is there an easy way to make Hue work with OAuth 2.0? Any resources or recommendations would be helpful.

Thanks,
Tom

Romain · April 30, 2020, 7:22pm

On top of OAuth2 Hue ships with an OpenId backend: OIDCBackend?

github.com

cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L351


# - desktop.auth.backend.AllowFirstUserDjangoBackend
#     (Default. Fist login becomes and admin, then relies on user accounts)
# - django.contrib.auth.backends.ModelBackend (entirely Django backend)
# - desktop.auth.backend.AllowAllBackend (allows everyone)
# - desktop.auth.backend.LdapBackend
# - desktop.auth.backend.PamBackend
# - desktop.auth.backend.SpnegoDjangoBackend
# - desktop.auth.backend.KnoxSpnegoDjangoBackend
# - desktop.auth.backend.RemoteUserDjangoBackend
# - libsaml.backend.SAML2Backend
# - desktop.auth.backend.OIDCBackend (New oauth, support Twitter, Facebook, Google+ and Linkedin
# Multiple Authentication backend combinations are supported by specifying a comma-separated list in order of priority.
## backend=desktop.auth.backend.AllowFirstUserDjangoBackend


# Class which defines extra accessor methods for User objects.
## user_aug=desktop.auth.backend.DefaultUserAugmentor


# The service to use when querying PAM.
## pam_service=login


# When using the desktop.auth.backend.RemoteUserDjangoBackend, this sets

github.com

cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L744


  ## request_token_url=https://api.twitter.com/oauth/request_token


  # The Access token URL
  ## access_token_url=https://api.twitter.com/oauth/access_token


  # The Authorize URL
  ## authenticate_url=https://api.twitter.com/oauth/authorize


# Configuration options for using OIDCBackend (Core) login for SSO
# ------------------------------------------------------------------------
[[oidc]]
  # The client ID as relay party set in OpenID provider
  ## oidc_rp_client_id=XXXXXXXXXXXXXXXXXXXXX


  # The client secret as relay party set in OpenID provider
  ## oidc_rp_client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


  # The OpenID provider authoriation endpoint
  ## oidc_op_authorization_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/auth


  # The OpenID provider token endpoint

(the OAuth 1.0 are indeed “dead” at this point in time)

thomas.shannon · April 30, 2020, 8:51pm

Sweet! That seems to put me in the right direction. It tried to submit a request to the authorize URL, but sent a redirect URI something like this: https://example.com/oidc/callback in the request.

Is there a way for me to change this redirect URI to be just something like: https://example.com without the /oidc/callback in the URI?

I tried uncommenting and editing the line below, as well as restarting Hue but it made no difference.

github.com

cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L770


# The OpenID provider signing key in PEM or DER format
## oidc_rp_idp_sign_key=/path/to/key_file


# The OpenID provider authoriation endpoint
## oidc_op_jwks_endpoint=https://keycloak.example.com/auth/realms/Cloudera/protocol/openid-connect/certs


# Whether Hue as OpenID Connect client verify SSL cert
## oidc_verify_ssl=true


# As relay party Hue URL path to redirect to after login
## login_redirect_url=https://localhost:8888/oidc/callback/


# The OpenID provider URL path to redirect to after logout
## logout_redirect_url=https://keycloak.example.com/auth/realms/cloudera/protocol/openid-connect/logout


# As relay party Hue URL path to redirect to after login
## login_redirect_url_failure=https://localhost:8888/hue/oidc_failed/


# Create a new user from OpenID Connect on login if it doesn't exist
## create_users_on_login=true

If not, I will just have to tell the OAuth service we are using to change the redirect URI to https://example.com/oidc/callback to adhere to this issue, but wanted to see if you had any suggestions before doing that.