[Feature] Support mysql client OpenID Connect Pluggable Authentication

[HangyuanLiu]

Why I'm doing:

Compatible with openIdConnect authentication method in MySQL 9.2

What I'm doing:

Fixes #55847

What type of PR is this:

• BugFix
• Feature
• Enhancement
• Refactor
• UT
• Doc
• Tool

Does this PR entail a change in behavior?

• Yes, this PR will result in a change in behavior.
• No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

• Interface/UI changes: syntax, type conversion, expression evaluation, display information
• Parameter changes: default values, similar parameters but with different default values
• Policy changes: use new policy to replace old one, functionality automatically enabled
• Feature removed
• Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

• I have added test cases for my bug fix or my new feature
• This pr needs user documentation (for new or modified features or behaviors)
  • I have added documentation for my new feature or new function
• This is a backport pr

Bugfix cherry-pick branch check:

• I have checked the version labels which the pr will be auto-backported to the target branch
  • 3.4
  • 3.3
  • 3.2
  • 3.1
  • 3.0

[starrocks-cr]

The most risky bug in this code is:
Using an empty string for critical JWT configuration values can lead to insecure defaults and potential security vulnerabilities if not handled properly when validating JWTs.

You can modify the code like this:

@ConfField(mutable = false)
public static String oidc_jwks_url = "default_value_here"; // Set a sensible default or validate it programmatically

@ConfField(mutable = false)
public static String oidc_required_issuer = "default_value_here"; // Set a sensible default or validate prior to use

@ConfField(mutable = false)
public static String oidc_required_audience = "default_value_here"; // As above, set or validate as necessary

Ensure that each configuration has a valid default or check them during application initialization/configuration loading to avoid using insecure defaults.

[starrocks-cr]

The most risky bug in this code is:
The typo in the variable name principalFiled should be principalField.

You can modify the code like this:

package com.starrocks.authentication;

//... other imports ...

public class OpenIdConnectAuthenticationProvider implements AuthenticationProvider {
    public static final String PLUGIN_NAME = AuthPlugin.AUTHENTICATION_OPENID_CONNECT.name();

    private final String jwksUrl;
    private final String principalField; // Corrected variable name
    private final String requireIssuer;
    private final String requireAudience;

    public OpenIdConnectAuthenticationProvider(String jwksUrl, String principalField, // Corrected parameter name
                                               String requireIssuer, String requireAudience) {
        this.jwksUrl = jwksUrl;
        this.principalField = principalField; // Use corrected variable name
        this.requireIssuer = requireIssuer;
        this.requireAudience = requireAudience;
    }

    //... rest of the code ...
}

[starrocks-cr]

The most risky bug in this code is:
The verifyJWT method lacks a null check for the return value of jwkSet.getKeyByKeyId(kid), which can lead to a NullPointerException.

You can modify the code like this:

private static void verifyJWT(String jwt, JWKSet jwkSet) throws AuthenticationException, ParseException, JOSEException {
    SignedJWT signedJWT = SignedJWT.parse(jwt);
    String kid = signedJWT.getHeader().getKeyID();

    var key = jwkSet.getKeyByKeyId(kid);
    if (key == null) {
        throw new AuthenticationException("Cannot find public key for kid: " + kid);
    }

    RSAPublicKey publicKey = key.toRSAKey().toRSAPublicKey();
    if (publicKey == null) {
        throw new AuthenticationException("Public key conversion failed for kid: " + kid);
    }

    RSASSAVerifier verifier = new RSASSAVerifier(publicKey);
    if (!signedJWT.verify(verifier)) {
        throw new AuthenticationException("JWT with kid " + kid + " is invalid!");
    }
}

[gengjun-git]

The comments can be added in to the comment field like
@ConfField(mutable = fase, comment = "xxx");
So that admin show config will see the usage of this config param.

[gengjun-git]

Does this file have to be added to the conf/ directory? If so, the comments of this param should be marked.

[sonarqubecloud]

Quality Gate passed

Issues
10 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

[Java-Extensions Incremental Coverage Report]

✅ pass : 0 / 0 (0%)

[github-actions]

[FE Incremental Coverage Report]

✅ pass : 64 / 72 (88.89%)

file detail

	path	covered_line	new_line	coverage	not_covered_line_detail
🔵	com/starrocks/authentication/JwkMgr.java	1	6	16.67%	[29, 30, 32, 33, 35]
🔵	com/starrocks/authentication/OpenIdConnectAuthenticationProvider.java	20	22	90.91%	[67, 68]
🔵	com/starrocks/authentication/OpenIdConnectVerifier.java	31	32	96.88%	[29]
🔵	com/starrocks/mysql/privilege/AuthPlugin.java	2	2	100.00%	[]
🔵	com/starrocks/authentication/AuthenticationMgr.java	1	1	100.00%	[]
🔵	com/starrocks/common/Config.java	4	4	100.00%	[]
🔵	com/starrocks/server/GlobalStateMgr.java	4	4	100.00%	[]
🔵	com/starrocks/mysql/MysqlHandshakePacket.java	1	1	100.00%	[]

[github-actions]

[BE Incremental Coverage Report]

✅ pass : 0 / 0 (0%)