GitHub user GulshanMishra321 created a discussion: Enterprise OAuth2/OIDC
(Hydra + MFA) integration with DolphinScheduler – state issue and best-practice
guidance needed
Hello Community,
We are evaluating [Apache DolphinScheduler](chatgpt://generic-entity?number=0)
3.x (binary deployment) for integration with our enterprise IDAM, which is
based on OAuth2 / OpenID Connect (Hydra) with MFA enabled.
Our objective is to enable secure SSO with MFA in a way that is stable,
upgrade-safe, and aligned with enterprise best practices. Below is what we have
tried, the issues we are facing, and what we are trying to achieve.
⸻
🔹 Environment
• DolphinScheduler version: 3.x (tested on 3.3.x)
• Deployment type: Binary (API + Master on VM)
• IDAM: OAuth2 / OIDC (Hydra)
• MFA: Enabled at IDAM level
• Requirement: Enterprise SSO, CSRF protection, minimal custom
code
⸻
🔹 What We Have Tried
• Used DolphinScheduler’s inbuilt OAuth2/OIDC configuration
• Configured authorization, token, and userinfo endpoints
• Tested authorization code flow with redirect and callback
• Tested with MFA enabled on IDAM side
⸻
🔹 Issues Observed
1. OAuth2 state handling issue
• state parameter (CSRF protection) is not reliably persisted or
validated
• Callback sometimes fails even after successful IDAM
authentication
• Redirect flow becomes unstable
2. Incomplete enterprise OAuth2 / OIDC behavior
• OIDC support appears limited
• MFA flow is not clearly or reliably handled
• No silent / auto-login experience
3. No automatic (JIT) user provisioning
• Users must be pre-created in Dolphin
• No native support for auto user creation on first login
• No built-in role / tenant mapping from IDAM claims
4. Upgrade & maintenance concerns
• Fixing OAuth issues appears to require code or JAR-level changes
• Such changes are not upgrade-safe and increase operational risk
⸻
🔹 What We Are Trying to Achieve
• Enterprise-grade SSO with OAuth2 / OIDC
• MFA enforced by IDAM
• Proper CSRF protection (state)
• Stable redirect and login behavior
• No risky or unsupported code changes in Dolphin
• A clean approach for user provisioning and role/tenant
assignment
⸻
🔹 Questions to the Community
1. Is DolphinScheduler’s inbuilt OAuth2/OIDC intended for
enterprise-grade IDAM + MFA, or mainly for simpler SSO scenarios?
2. Are the OAuth2 state and redirect issues known limitations in
the current design?
3. Is there an officially recommended approach for integrating
DolphinScheduler with enterprise IDAM systems?
4. Is externalizing authentication (e.g., using a reverse proxy /
API gateway like Kong in front of Dolphin) considered a best practice?
5. What is the recommended approach for user provisioning and
role/tenant mapping in SSO scenarios?
Any guidance, best practices, or reference architectures from the community
would be greatly appreciated.
Thanks in advance.
GitHub link: https://github.com/apache/dolphinscheduler/discussions/17886
----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to:
[email protected]
