SQL-85 Convert OIDC config into system params#34845
Merged
SangJunBak merged 4 commits intoMaterializeInc:mainfrom Feb 20, 2026
Merged
SQL-85 Convert OIDC config into system params#34845SangJunBak merged 4 commits intoMaterializeInc:mainfrom
SangJunBak merged 4 commits intoMaterializeInc:mainfrom
Conversation
SangJunBak
force-pushed
the
jun/oidc-config-as-system-params
branch
from
4f46b9b to
6013469
Compare
SangJunBak
requested review from
ggevay and
teskje
and removed request for
ggevay
SangJunBak
force-pushed
the
jun/oidc-config-as-system-params
branch
from
6013469 to
4effde6
Compare
5 tasks
SangJunBak
force-pushed
the
jun/oidc-config-as-system-params
branch
3 times, most recently
from
72e4912 to
c06caf6
Compare
SangJunBak
force-pushed
the
jun/oidc-config-as-system-params
branch
from
c06caf6 to
a477778
Compare
SangJunBak
force-pushed
the
jun/oidc-config-as-system-params
branch
3 times, most recently
from
eef5a9e to
c589475
Compare
…nfig - Remove OIDC CLI args - Initialize oidc authenticator with adapter client to get access to system variables - Refactor tests to use system parameter default
- Tests the runtime nature of OIDC configuration
SangJunBak
force-pushed
the
jun/oidc-config-as-system-params
branch
from
c589475 to
ed01884
Compare
teskje
reviewed
Feb 18, 2026
Contributor
teskje
left a comment
teskje
left a comment
There was a problem hiding this comment.
Looks good, I just have one question/concern about the issuer default and how we behave when no issuer was set.
| use mz_frontegg_auth::Authenticator as FronteggAuthenticator; | ||
|
|
||
| pub use oidc::{GenericOidcAuthenticator, OidcClaims, OidcConfig, OidcError}; | ||
| pub use mz_adapter::Client as AdapterClient; |
Contributor
There was a problem hiding this comment.
Does this need to be pub? I don't see it used anywhere.
| /// issued by a dummy application, but from the same identity provider. | ||
| pub const OIDC_AUDIENCE: Config<&'static str> = Config::new( | ||
| "oidc_audience", | ||
| "", |
Contributor
There was a problem hiding this comment.
Is it possible to make this an Option, so we remember to handle the case where this wasn't set? Also for OIDC_ISSUER above.
Contributor
Author
There was a problem hiding this comment.
I think I chose to make it a &'static str because an Option didn't exist for Config, but I can create one!
| ) -> Result<OidcClaims, OidcError> { | ||
| // Fetch current OIDC configuration from system variables | ||
| let system_vars = self.adapter_client.get_system_vars().await; | ||
| let issuer = OIDC_ISSUER.get(system_vars.dyncfgs()); |
Contributor
There was a problem hiding this comment.
Here we might get the empty string if this wasn't set before. Probably want to handle that specially to return a proper error?
Contributor
There was a problem hiding this comment.
Can you also add a test for the behavior when trying to authenticate with OIDC without an issuer set?
Contributor
Author
There was a problem hiding this comment.
Added a test! Right now it just asserts on "Invalid Password" but I have a future PR that surfaces a more informative error
- Remove pub from AdapterClient - Add Option<String> as a possible dyncfg type
SangJunBak
force-pushed
the
jun/oidc-config-as-system-params
branch
2 times, most recently
from
3c2a49c to
fac6923
Compare
teskje
approved these changes
Feb 19, 2026
| use mz_frontegg_auth::Authenticator as FronteggAuthenticator; | ||
|
|
||
| pub use mz_adapter::Client as AdapterClient; | ||
| use mz_adapter::Client as AdapterClient; |
Contributor
There was a problem hiding this comment.
Nit: Mind putting this up to the non-pub block again?
Comment on lines
+282
to
+286
| let issuer = if let Some(issuer) = OIDC_ISSUER.get(system_vars.dyncfgs()) { | ||
| issuer | ||
| } else { | ||
| return Err(OidcError::MissingIssuer); | ||
| }; |
Contributor
There was a problem hiding this comment.
Suggested change
| let issuer = if let Some(issuer) = OIDC_ISSUER.get(system_vars.dyncfgs()) { | |
| issuer | |
| } else { | |
| return Err(OidcError::MissingIssuer); | |
| }; | |
| let Some(issuer) = OIDC_ISSUER.get(system_vars.dyncfgs()) else { | |
| return Err(OidcError::MissingIssuer); | |
| }; |
- Set constants as Option<String> and initializes as None - Adds test to validate that issuer exists
SangJunBak
force-pushed
the
jun/oidc-config-as-system-params
branch
from
fac6923 to
54c8ab5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See commit messages
Start reviewing from Update OIDC tests to use system parameter defaults as config
Motivation
Tips for reviewer
Checklist
$T ⇔ Proto$Tmapping (possibly in a backwards-incompatible way), then it is tagged with aT-protolabel.