[Feature][Authentication] support oauth2 login (#14743)

* support oauth2 login

---------

Co-authored-by: Eric Gao <[email protected]>

docs/docs/en/guide/security/authentication-type.md

@@ -1,6 +1,6 @@
 # Authentication Type
 
-* So far we support three authentication types, Apache DolphinScheduler password, LDAP and Casdoor SSO.
+* So far we support four authentication types, Apache DolphinScheduler password, LDAP, Casdoor SSO and OAuth2，the OAuth2 authorization login mode can be used with other authentication modes.
 
 ## Change Authentication Type
 
@@ -30,6 +30,29 @@ security:
         # jks file absolute path && password
         trust-store: "/ldapkeystore.jks"
         trust-store-password: "password"
+    oauth2:
+      enable: false
+      provider:
+        github:
+          authorizationUri: ""
+          redirectUri: ""
+          clientId: ""
+          clientSecret: ""
+          tokenUri: ""
+          userInfoUri: ""
+          callbackUrl: ""
+          iconUri: ""
+          provider: github
+        google:
+          authorizationUri: ""
+          redirectUri: ""
+          clientId: ""
+          clientSecret: ""
+          tokenUri: ""
+          userInfoUri: ""
+          callbackUrl: ""
+          iconUri: ""
+          provider: google
 ```
 
 For detailed explanation of specific fields, please see: [Api-server related configuration](../../architecture/configuration.md)
@@ -110,3 +133,66 @@ casdoor:
   redirect-url: http://localhost:5173/login 
 ```
 
+## OAuth2
+
+Dolphinscheduler can support multiple OAuth2 providers.
+
+### Step1. Create Client Credentials
+
+![create-client-credentials-1](../../../../img/security/authentication/create-client-credentials-1.png)
+
+![create-client-credentials-2](../../../../img/security/authentication/create-client-credentials-2.png)
+
+### Step2.Enable OAuth2 Login In The Api's Configuration File
+
+```yaml
+security:
+  authentication:
+    …… # omit
+    oauth2:
+      # Set enable to true to enable oauth2 login mode
+      enable: true
+      provider:
+        github:
+          # Set the provider authorization address, for example:https://github.com/login/oauth/authorize
+          authorizationUri: ""
+          # dolphinscheduler backend redirection interface address, for example :http://127.0.0.1:12345/dolphinscheduler/redirect/login/oauth2
+          redirectUri: ""
+          #  clientId
+          clientId: ""
+          # client secret
+          clientSecret: ""
+          # Set the provider's request token address
+          tokenUri: ""
+          # Set the provider address for requesting user information
+          userInfoUri: ""
+          # Redirect address after successful login, http://{ip}:{port}/login
+          callbackUrl: ""
+          # The image url of the login page jump button, if not filled, a text button will be displayed
+          iconUri: ""
+          provider: github
+        google:
+          authorizationUri: ""
+          redirectUri: ""
+          clientId: ""
+          clientSecret: ""
+          tokenUri: ""
+          userInfoUri: ""
+          callbackUrl: ""
+          iconUri: ""
+          provider: google
+        gitee:
+          authorizationUri: "https://gitee.com/oauth/authorize"
+          redirectUri: "http://127.0.0.1:12345/dolphinscheduler/redirect/login/oauth2"
+          clientId: ""
+          clientSecret: ""
+          tokenUri: "https://gitee.com/oauth/token?grant_type=authorization_code"
+          userInfoUri: "https://gitee.com/api/v5/user"
+          callbackUrl: "http://127.0.0.1:5173/login"
+          iconUri: ""
+          provider: gitee
+```
+
+### Step.3 Login With OAuth2
+
+![login-with-oauth2](../../../../img/security/authentication/login-with-oauth2.png)

docs/docs/zh/guide/security/authentication-type.md

@@ -1,6 +1,6 @@
 # 认证方式
 
-* 目前我们支持三种认证方式，Apache DolphinScheduler自身账号密码登录，LDAP和通过Casdoor实现的SSO登录。
+* 目前我们支持四种认证方式，Apache DolphinScheduler自身账号密码登录，LDAP, 通过Casdoor实现的SSO登录和通过Oauth2授权登录，并且oauth2授权登录方式可以和其他认证方式同时使用。
 
 ## 修改认证方式
 
@@ -30,6 +30,29 @@ security:
         # jks file absolute path && password
         trust-store: "/ldapkeystore.jks"
         trust-store-password: "password"
+    oauth2:
+      enable: false
+      provider:
+        github:
+          authorizationUri: ""
+          redirectUri: ""
+          clientId: ""
+          clientSecret: ""
+          tokenUri: ""
+          userInfoUri: ""
+          callbackUrl: ""
+          iconUri: ""
+          provider: github
+        google:
+          authorizationUri: ""
+          redirectUri: ""
+          clientId: ""
+          clientSecret: ""
+          tokenUri: ""
+          userInfoUri: ""
+          callbackUrl: ""
+          iconUri: ""
+          provider: google
 ```
 
 具体字段解释详见：[Api-server相关配置](../../architecture/configuration.md)
@@ -106,3 +129,66 @@ casdoor:
   redirect-url: http://localhost:5173/login 
 ```
 
+## 通过OAuth2授权认证登录
+
+dolphinscheduler可以同时支持多种OAuth2的provider，只需要在配置文件中打开Oauth2的开关并进行简单的配置即可。
+
+### 步骤1. 获取OAuth2客户端凭据
+
+![create-client-credentials-1](../../../../img/security/authentication/create-client-credentials-1.png)
+
+![create-client-credentials-2](../../../../img/security/authentication/create-client-credentials-2.png)
+
+### 步骤2. 在api的配置文件中开启oauth2登录
+
+```yaml
+security:
+  authentication:
+    …… # 省略
+    oauth2:
+      # 将enable设置为true 开启oauth2登录模式
+      enable: true
+      provider:
+        github:
+          # 设置provider的授权地址，例如https://github.com/login/oauth/authorize
+          authorizationUri: ""
+          # dolphinscheduler的后端重定向接口地址，例如http://127.0.0.1:12345/dolphinscheduler/redirect/login/oauth2
+          redirectUri: ""
+          # oauth2的 clientId
+          clientId: ""
+          # oauth2的 clientSecret
+          clientSecret: ""
+          # 设置provider的请求token的地址
+          tokenUri: ""
+          # 设置provider的请求用户信息的地址
+          userInfoUri: ""
+          # 登录成功后的重定向地址, http://{ip}:{port}/login
+          callbackUrl: ""
+          # 登录页跳转按钮的图片url，不填写则会展示一个文字按钮
+          iconUri: ""
+          provider: github
+        google:
+          authorizationUri: ""
+          redirectUri: ""
+          clientId: ""
+          clientSecret: ""
+          tokenUri: ""
+          userInfoUri: ""
+          callbackUrl: ""
+          iconUri: ""
+          provider: google
+        gitee:
+          authorizationUri: "https://gitee.com/oauth/authorize"
+          redirectUri: "http://127.0.0.1:12345/dolphinscheduler/redirect/login/oauth2"
+          clientId: ""
+          clientSecret: ""
+          tokenUri: "https://gitee.com/oauth/token?grant_type=authorization_code"
+          userInfoUri: "https://gitee.com/api/v5/user"
+          callbackUrl: "http://127.0.0.1:5173/login"
+          iconUri: ""
+          provider: gitee
+```
+
+### 步骤3.使用oauth2登录
+
+![login-with-oauth2](../../../../img/security/authentication/login-with-oauth2.png)

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/configuration/AppConfiguration.java

@@ -105,7 +105,8 @@ public void addInterceptors(InterceptorRegistry registry) {
                 .addPathPatterns(LOGIN_INTERCEPTOR_PATH_PATTERN)
                 .excludePathPatterns(LOGIN_PATH_PATTERN, REGISTER_PATH_PATTERN,
                         "/swagger-resources/**", "/webjars/**", "/v3/api-docs/**", "/api-docs/**", "/swagger-ui.html",
-                        "/doc.html", "/swagger-ui/**", "*.html", "/ui/**", "/error");
+                        "/doc.html", "/swagger-ui/**", "*.html", "/ui/**", "/error", "/oauth2-provider",
+                        "/redirect/login/oauth2", "/cookies");
     }
 
     @Override

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/configuration/OAuth2Configuration.java

@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.dolphinscheduler.api.configuration;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import lombok.Getter;
+import lombok.Setter;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Getter
+@Setter
+@Configuration
+@ConditionalOnProperty(prefix = "security.authentication.oauth2", name = "enable", havingValue = "true")
+@ConfigurationProperties(prefix = "security.authentication.oauth2")
+public class OAuth2Configuration {
+
+    private Map<String, OAuth2ClientProperties> provider = new HashMap<>();
+
+    @Getter
+    @Setter
+    public static class OAuth2ClientProperties {
+
+        private String authorizationUri;
+        private String clientId;
+        private String redirectUri;
+        private String clientSecret;
+        private String tokenUri;
+        private String userInfoUri;
+        private String callbackUrl;
+        private String iconUri;
+        private String provider;
+
+    }
+}