— Proposal by YueNing Wang

Goal: Achieve seamless integration with enterprise-grade identity systems while maintaining the existing permission management framework.

About me

(Chongqing University of Posts and Telecommunications, Software Engineering | Ex-Frontend Intern @Bilibili | Full-Stack Enthusiast)

Wechat：yn-Bob

Email: [email protected]

Phone：13133432976

Open source experience：I contributed to the open-source blog project Ting-Library-Monorepo, primarily focusing on optimizing and fixing documentation styles. Additionally, in the Apache DolphinScheduler project, I submitted a PR (#17118) to resolve a related issue. For details, please refer to: https://github.com/apache/dolphinscheduler/pull/17118

Education：As a Software Engineering student at Chongqing University of Posts and Telecommunications, I specialize in full-stack development, with 7 months of frontend experience at Bilibili and additional internships in the field. My technical toolkit includes Java, Spring Boot, and hands-on experience building full-stack applications.

Part 1: Clarifying Basic Concepts

1. What is OIDC (OpenID Connect)?

• Definition: OIDC is an identity authentication protocol built on OAuth 2.0, used to verify user identities and retrieve basic user information.

• Core Components:

  • ID Token: A JWT containing user identity details (e.g., username, email).
  • UserInfo Endpoint: An API for fetching detailed user information.
  • Discovery Document: .well-known/openid-configuration, dynamically providing configuration.

• Workflow:

  sequenceDiagram
    User->>Client: Accesses application
    Client->>OIDC Provider: Redirects for authentication
    OIDC Provider->>User: Presents login prompt
    User->>OIDC Provider: Grants consent
    OIDC Provider->>Client: Returns ID Token
    Client->>User: Establishes session
  
  

sequenceDiagram
  Frontend->>OIDC Provider: Redirects to login (with redirect_uri)
  OIDC Provider->>Frontend: Returns code (URL parameter)
  Frontend->>Backend: Sends code (/oidc/callback)
  Backend->>OIDC Provider: Exchanges code for Token (+client_secret)
  OIDC Provider->>Backend: Returns id_token (JWT)
  Backend->>Database: Queries/creates user (using email)
  Database->>Backend: User data
  Backend->>Frontend: Returns AuthUser (user info + new Token)
  Frontend->>Subsequent requests: Includes Token in API calls

2. Current Authentication Mechanism in DolphinScheduler

• Current State:
  • Local Authentication: Usernames and passwords stored in the DS database, managed via the t_ds_user table.
  • LDAP/AD Integration: Only supports basic directory services, lacking modern protocols like OIDC.
  • Code Entry Point: The SecurityFilter class handles all authentication requests.
• Pain Points:
  • Unable to integrate with enterprise SSO (e.g., Okta, Azure AD).
  • No cross-system account interoperability.

3. Why OIDC?