Add per-domain OAuth (Google, GitHub) provider support#12702
Add per-domain OAuth (Google, GitHub) provider support#12702Damans227 wants to merge 40 commits intoapache:mainfrom
Conversation
…entication checks
…nid' in columns and details
…nhance user verification
…ls for improved readability and consistency
|
@blueorangutan package |
|
@Damans227 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 16931 |
|
@blueorangutan package |
|
@Damans227 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17098 |
api/src/main/java/org/apache/cloudstack/auth/UserOAuth2Authenticator.java
Outdated
Show resolved
Hide resolved
api/src/main/java/org/apache/cloudstack/auth/UserOAuth2Authenticator.java
Outdated
Show resolved
Hide resolved
api/src/main/java/org/apache/cloudstack/auth/UserOAuth2Authenticator.java
Outdated
Show resolved
Hide resolved
| * Verifies the code provided by provider and fetches email for a specific domain | ||
| * @return returns email | ||
| */ | ||
| String verifyCodeAndFetchEmail(String secretCode, Long domainId); |
There was a problem hiding this comment.
| String verifyCodeAndFetchEmail(String secretCode, Long domainId); | |
| String verifySecretCodeAndFetchEmail(String secretCode, Long domainId); |
There was a problem hiding this comment.
@sureshanaparti The domain-aware verifyCodeAndFetchEmail(String secretCode, Long domainId) is an overload of the pre-existing verifyCodeAndFetchEmail(String secretCode). If we rename only the new overload to verifySecretCodeAndFetchEmail, the two methods would have inconsistent names. Should we rename both for consistency?
engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
Outdated
Show resolved
Hide resolved
engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
Outdated
Show resolved
Hide resolved
framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java
Outdated
Show resolved
Hide resolved
...ors/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/ListOAuthProvidersCmd.java
Outdated
Show resolved
Hide resolved
...ors/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/ListOAuthProvidersCmd.java
Outdated
Show resolved
Hide resolved
...ors/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/ListOAuthProvidersCmd.java
Outdated
Show resolved
Hide resolved
...ors/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/ListOAuthProvidersCmd.java
Show resolved
Hide resolved
.../oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/RegisterOAuthProviderCmd.java
Outdated
Show resolved
Hide resolved
...th2/src/main/java/org/apache/cloudstack/oauth2/api/command/VerifyOAuthCodeAndGetUserCmd.java
Outdated
Show resolved
Hide resolved
...th2/src/main/java/org/apache/cloudstack/oauth2/api/command/VerifyOAuthCodeAndGetUserCmd.java
Outdated
Show resolved
Hide resolved
...rs/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/response/OauthProviderResponse.java
Outdated
Show resolved
Hide resolved
...rs/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/response/OauthProviderResponse.java
Outdated
Show resolved
Hide resolved
...user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/OAuth2AuthManager.java
Outdated
Show resolved
Hide resolved
|
|
||
| @Override | ||
| public Long resolveDomainId(Map<String, Object[]> params) { | ||
| final String[] domainIdArray = (String[])params.get(ApiConstants.DOMAIN_ID); |
There was a problem hiding this comment.
API cmd uses domainId - ApiConstants.DOMAIN__ID (camelcase param - not deprecated yet)
There was a problem hiding this comment.
@sureshanaparti Just looked into it, both getDomainIdFromParams and resolveDomainId look up ApiConstants.DOMAIN_ID ("domainid"). The API servlet lowercases param names, so DOMAIN__ID ("domainId") resolves correctly.
| if (Objects.nonNull(domain)) { | ||
| return domain.getId(); | ||
| } | ||
| } |
There was a problem hiding this comment.
check if you can use the below methods, and move get domain by path to a method (or can improve any existing method)
There was a problem hiding this comment.
@sureshanaparti Looked into the ApiServer methods. fetchDomainId only resolves by UUID, while resolveDomainId also handles domain path resolution. The closest existing combination would be fetchDomainId + DomainService.findDomainByIdOrPath, which is what OauthLoginAPIAuthenticatorCmd already uses. I could refactor resolveDomainId to delegate to those, but since OAuth2AuthManagerImpl doesn't have access to ApiServer, it would mean injecting DomainService instead of DomainDao. Would you prefer that approach, or is the current implementation acceptable?
|
@blueorangutan package |
|
@Damans227 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17268 |
Description
Add per-domain OAuth provider support. Allows OAuth providers (Google, GitHub) to be configured at the domain level with global fallback.
Design Doc
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Allow+OAuth+provider+per+domain
Types of changes
Screenshots and recording
Screen.Recording.2026-03-16.at.10.34.53.AM.mp4
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
How Has This Been Tested?
Manual testing with GitHub OAuth provider configured at domain level and global level, verifying domain-specific lookup with global fallback.