Integrate the OIDC protocol into OMS Community Edition to implement SSO

Updated: 2025-12-04 08:01:07

OceanBase Migration Service (OMS) Community Edition integrates with the OpenID Connect (OIDC) protocol to work with an OAuth 2.0 authentication center. At present, only the authorization-code grant type is supported. This topic describes the configurations to be updated to integrate the OIDC protocol into OMS Community Edition to implement third-party single sign-on (SSO).

Obtain parameters from the authentication center

You must register your application with the third-party SSO service to obtain the parameters required by OIDC, such as the client ID and client secret.

clientId
  The client ID of the third-party application.

clientSecret
  The client secret of the third-party application.

scope
  The authorization scope. The value is a list of permission IDs separated with commas (,). openid must be included in the value, for example, openid,profile.

ClientAuthenticationMethod
  The client authentication method used at the token endpoint. Valid values: client_secret_basic (recommended) and basic.

jwk_set_uri
  The JWK Set endpoint from which the public keys used to verify the ID token signature are retrieved.

authorization_uri
  The authorization endpoint.

token_uri
  The endpoint used to obtain a token.

Configure a callback URL

If the third-party SSO system has a login callback URL allowlist, you must configure the allowlist.

Set the login callback URL to http://{serverDomain}/login/oauth2/code/oms, in which serverDomain is the domain name of the server where OMS Community Edition is deployed.

Deploy OMS Community Edition

This section describes how to log in to OMS Community Edition deployed on a single node. If you want to deploy OMS Community Edition on multiple nodes in a single region, see the "Deployment procedure with a configuration file" section in Deploy OMS Community Edition on multiple nodes in a single region.

Prerequisites

  • The installation environment meets the system and network requirements. For more information, see System and network requirements.

  • You have created a MetaDB cluster for OMS Community Edition.

  • You have obtained the installation package of OMS Community Edition, which is generally a tar.gz file whose name starts with oms.

  • You have loaded the installation package of OMS Community Edition to the local image repository of the Docker container.

    docker load -i <Installation package of OMS Community Edition>

  • You have prepared a directory for mounting the container of OMS Community Edition. In the mount directory, OMS Community Edition will create the /home/admin/logs, /home/ds/store, and /home/ds/run directories for storing the component information and logs generated during the running of OMS Community Edition.

  • (Optional) You have prepared a time-series database for storing performance monitoring data and DDL/DML statistics of OMS Community Edition.

Procedure

  1. Log in to the server where OMS Community Edition is to be deployed.

  2. (Optional) Deploy a time-series database.

    If you need to collect and display the monitoring data of OMS Community Edition, deploy a time-series database. Otherwise, you can skip this step. For more information, see Deploy a time-series database.

  3. Run the following command to obtain the deployment script docker_remote_deploy.sh from the loaded image:

    sudo docker run -d --net host --name oms-config-tool <OMS_IMAGE> bash && sudo docker cp oms-config-tool:/root/docker_remote_deploy.sh . && sudo docker rm -f oms-config-tool

    Here is an example:

    sudo docker run -d --net host --name oms-config-tool work.oceanbase-dev.com/obartifact-store/oms:feature_3.4.0 bash && sudo docker cp oms-config-tool:/root/docker_remote_deploy.sh . && sudo docker rm -f oms-config-tool

  4. Use the deployment script to start the deployment tool.

    bash docker_remote_deploy.sh -o <Mount directory of the OMS Community Edition container> -c <Directory of the existing config.yaml file> -i <IP address of the server> -d <OMS_IMAGE>

    The deployment tool of OMS Community Edition automatically verifies the CPU, memory, and disk resources. If any resource item does not meet the requirement, the deployment tool displays a message warning that insufficient resources will affect the data migration speed.

  5. Complete the deployment as prompted. After you set each parameter, press Enter to move on to the next parameter.

    1. Select a deployment mode.

      Select Single Node in Single Region.

    2. Select a task.

      Select Use Configuration File Uploaded with Script Option [-c].

    3. If the system displays "The specified database names already exist in the MetaDB. Are you sure that you want to continue?", the database names you specified already exist in the MetaDB cluster in the original configuration file. This may be caused by repeated deployment or upgrade of OMS Community Edition. You can enter y and press Enter to proceed, or enter n and press Enter to re-specify the settings.

    4. If the configuration file passes the check, all the settings are displayed. If the settings are correct, enter n and press Enter to proceed. Otherwise, enter y and press Enter to modify the settings.

      If the configuration file fails the check, modify the settings as prompted.

    5. Specify the directory to which the container of OMS Community Edition is mounted on the node.

      Specify a directory with a large capacity.

    6. Confirm whether the image file of OMS Community Edition can be named <OMS_IMAGE>.

      If yes, enter y and press Enter to proceed. Otherwise, enter n and press Enter to modify the settings.

    7. Determine whether to mount an SSL certificate to the container of OMS Community Edition.

      If yes, enter y, press Enter, and specify the https_key and https_crt directories as prompted. Otherwise, enter n and press Enter.

    8. Start the deployment.

      • During deployment, you can run the docker logs -f <OMS Community Edition container name> command to view the initialization status.

        To view all initialization logs, run the docker logs <OMS Community Edition container name> command.

      • If the deployment fails, you can log in to the running OMS container and view the .log files in the /home/admin/logs directory that start with docker_init to obtain the log information.

      • If the OMS container fails to start, you cannot obtain the logs.

To modify the configuration after deployment, perform the following steps:

  1. Log in to the container of OMS Community Edition.

  2. Modify the config.yaml file in the /home/admin/conf/ directory based on business needs.

  3. Go to the /root directory and run the python -m omsflow.scripts.units.oms_init_manager --init-config-file command.

  4. Run the supervisorctl restart oms_console oms_drc_supervisor command.

Template and example of a configuration file

Configuration file template

Notice

  • You must replace the sample values of required parameters based on your actual deployment environment. Both the required and optional parameters are described in the following table. You can specify the optional parameters as needed.

  • In the config.yaml file, you must specify the parameters in the key: value format, with a space after the colon (:).

# Information about the MetaDB cluster for OMS Community Edition
oms_meta_host: ${oms_meta_host}
oms_meta_port: ${oms_meta_port}
oms_meta_user: ${oms_meta_user}
oms_meta_password: ${oms_meta_password}

# You can define the names of the following three databases, which are created in the MetaDB cluster during the deployment of OMS Community Edition.
drc_rm_db: ${drc_rm_db}
drc_cm_db: ${drc_cm_db}
drc_cm_heartbeat_db: ${drc_cm_heartbeat_db}

# Configurations of OMS Community Edition
# In single-node deployment mode, the cm_url parameter is generally set to the IP address of the server where OMS Community Edition is deployed. We recommend that you use an internal IP address.
cm_url: ${cm_url}
cm_location: ${cm_location}
# The cm_region parameter is not required in single-node deployment mode.
# cm_region: ${cm_region}
# The cm_region_cn parameter is not required in single-node deployment mode.
# cm_region_cn: ${cm_region_cn}
cm_is_default: true
cm_nodes:
 - ${cm_nodes}

# Configurations of the time-series database
# The default value of `tsdb_enabled`, which specifies whether to configure a time-series database, is `false`. To enable metric reporting, set the parameter to `true`.
# tsdb_enabled: false
# If the `tsdb_enabled` parameter is set to `true`, delete comments for the following parameters and specify the values based on your actual configurations.
# tsdb_service: 'INFLUXDB'
# tsdb_url: '${tsdb_url}'
# tsdb_username: ${tsdb_user}
# tsdb_password: ${tsdb_password}

# The following parameters need to be added when you log in to OMS Community Edition by using SSO.
oms_iam_auth: OAUTH2
oms_oauth2_user_account_name_field: nickname
oms_oauth2_sso_login_url: http://oms.example.org:8090/omsp/oauth2/authorization/oms?oms_back_url=http://oms.example.org:8089
spring_security_oauth2_client_registration_oms_client_id: xxx
spring_security_oauth2_client_registration_oms_client_secret: xxx
spring_security_oauth2_client_registration_oms_redirect_uri: http://oms.example.org:8090/omsp/login/oauth2/code/{registrationId}
spring_security_oauth2_client_registration_oms_authorization_grant_type: authorization_code
spring_security_oauth2_client_registration_oms_scope: openid,profile
spring_security_oauth2_client_registration_oms_clientAuthenticationMethod: client_secret_basic
spring_security_oauth2_client_registration_oms_provider: oms
spring_security_oauth2_client_provider_jwk_set_uri: https://xxx.com
spring_security_oauth2_client_provider_authorization_uri: https://xxxx/api/auth
spring_security_oauth2_client_provider_token_uri: https://xxx/api/token

The following list describes the configuration parameters and whether each is required.

oms_meta_host (required)
  The IP address of the MetaDB cluster, which can be that of a MySQL database or a MySQL-compatible tenant of OceanBase Database Community Edition.
  Notice: This parameter is valid only in OceanBase Database V2.0 and later.

oms_meta_port (required)
  The port number of the MetaDB cluster.

oms_meta_user (required)
  The username used for accessing the MetaDB cluster.

oms_meta_password (required)
  The user password used for accessing the MetaDB cluster.

drc_rm_db (required)
  The name of the database for the console of OMS Community Edition.

drc_cm_db (required)
  The name of the database for the CM service.

drc_cm_heartbeat_db (required)
  The name of the heartbeat database for the CM service.

cm_url (required)
  The URL of the CM service of OMS Community Edition, for example, http://xxx.xxx.xxx.xxx:8088.
  Note: In single-node deployment mode, the IP address of the server where OMS Community Edition is deployed is used. We recommend that you do not set it to http://127.0.0.1:8088. The access URL of the console of OMS Community Edition is in the format <IP address of the host where OMS Community Edition is deployed>:8089, for example, http://xxx.xxx.xxx.xxx:8089 or https://xxx.xxx.xxx.xxx:8089. Port 8088 is used for program calls, and port 8089 is used for web page access. You must specify port 8088 here.

cm_location (required)
  The code of the region. Value range: [0, 127]. Select one number for each region.

cm_region (optional)
  The name of the region, for example, cn-jiangsu.
  Notice: If you use OMS Community Edition with the Alibaba Cloud Multi-Site High Availability (MSHA) service in an active-active disaster recovery scenario, use the region configured for the Alibaba Cloud service.

cm_region_cn (optional)
  The value is the same as the value of cm_region.

cm_nodes (required)
  The IP addresses of servers on which the CM service of OMS Community Edition is deployed.

cm_is_default (optional, default: true)
  Specifies whether the CM service is enabled for OMS Community Edition by default.

tsdb_enabled (optional, default: false)
  Specifies whether metric reporting is enabled for monitoring. Valid values: true and false.

tsdb_service (optional, default: INFLUXDB)
  The type of the time-series database. Valid values: INFLUXDB and CERESDB.

tsdb_url (optional)
  The IP address of the server where InfluxDB is deployed. You need to modify this parameter based on the actual environment if you set the tsdb_enabled parameter to true.

tsdb_username (optional)
  The username used for accessing the time-series database. You need to modify this parameter based on the actual environment if you set the tsdb_enabled parameter to true. After you deploy a time-series database, manually create a user and specify the username and password.

tsdb_password (optional)
  The password used for accessing the time-series database. You need to modify this parameter based on the actual environment if you set the tsdb_enabled parameter to true.

oms_iam_auth (required)
  The login method. Valid values: OAUTH2 and LOCAL. OAUTH2 is compatible with the password-based login method.

oms_oauth2_user_account_name_field (required)
  The field of the ID token from which the username is taken. Example: nick or nickname.

oms_oauth2_sso_login_url (required)
  The redirection URL for SSO based on the OIDC protocol. The value is in the format http://{cm_url}/omsp/oauth2/authorization/oms?oms_back_url={serverDomain}. {serverDomain} is the domain name, and oms_back_url is the page of OMS Community Edition displayed after the login succeeds.

spring_security_oauth2_client_registration_oms_client_id (required)
  The client ID of the third-party application.

spring_security_oauth2_client_registration_oms_client_secret (required)
  The client secret of the third-party application.

spring_security_oauth2_client_registration_oms_redirect_uri (required)
  The callback URL in the format http://{serverDomain}/omsp/login/oauth2/code/{registrationId}, which is specified by redirectUrl. {serverDomain} is the domain name, and {registrationId} does not need to be specified.

spring_security_oauth2_client_registration_oms_authorization_grant_type (required)
  The grant type used by OMS Community Edition to obtain access tokens from the OAuth2 authorization server. At present, only the authorization-code grant type is supported.

spring_security_oauth2_client_registration_oms_scope (required)
  The authorization scope. The value is a list of permission IDs separated with commas (,). openid must be included in the value.

spring_security_oauth2_client_registration_oms_provider (required)
  The name of the authorization service provider. You can define the value. Example: oidc.

spring_security_oauth2_client_provider_jwk_set_uri (required)
  The JWK Set endpoint from which the public keys used to verify the ID token signature are retrieved.

spring_security_oauth2_client_provider_authorization_uri (required)
  The authorization endpoint.

spring_security_oauth2_client_provider_token_uri (required)
  The endpoint used to obtain a token.

Sample configuration file

Replace the placeholder values with the actual values of the target deployment environment.

oms_meta_host: xxx.xxx.xxx.xxx
oms_meta_port: 2883
oms_meta_user: oms_meta_user
oms_meta_password: ***********
drc_rm_db: oms_rm
drc_cm_db: oms_cm
drc_cm_heartbeat_db: oms_cm_heartbeat
cm_url: http://xxx.xxx.xxx.xxx:8088
cm_location: 100
cm_region: cn-anhui
cm_region_cn: cn-anhui
cm_is_default: true
cm_nodes:
  - xxx.xxx.xxx.xxx
tsdb_service: 'INFLUXDB'
tsdb_enabled: true
tsdb_url: 'xxx.xxx.xxx.xxx:8086'
tsdb_username: username
tsdb_password: *************
oms_iam_auth: OAUTH2
oms_oauth2_user_account_name_field: nickname
oms_oauth2_sso_login_url: http://oms.example.org:8090/omsp/oauth2/authorization/oms?oms_back_url=http://oms.example.org:8090
spring_security_oauth2_client_registration_oms_client_id: xxx
spring_security_oauth2_client_registration_oms_client_secret: xxx
spring_security_oauth2_client_registration_oms_redirect_uri: http://oms.example.org:8090/omsp/login/oauth2/code/{registrationId}
spring_security_oauth2_client_registration_oms_authorization_grant_type: authorization_code
spring_security_oauth2_client_registration_oms_scope: openid,profile
spring_security_oauth2_client_registration_oms_clientAuthenticationMethod: client_secret_basic
spring_security_oauth2_client_registration_oms_provider: oms
spring_security_oauth2_client_provider_jwk_set_uri: https://xxx.com
spring_security_oauth2_client_provider_authorization_uri: https://xxxx/api/auth
spring_security_oauth2_client_provider_token_uri: https://xxx/api/token
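As an added example that is not part of the OMS documentation or the OMS project, the following Python script reads the SSO block of a config.yaml file in the key: value form described above and checks it against the rules on this page before deployment: OAUTH2 login method, openid in the scope, the authorization_code grant, a valid client authentication method, https provider endpoints, the redirect URI shape, and the oms_back_url parameter of the SSO login URL. The embedded sample block, the client credentials and the idp.example.org hostname are constructed placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample SSO block modelled on the page's template; hostnames and secrets are placeholders.
SAMPLE_CONFIG = """\
oms_iam_auth: OAUTH2
oms_oauth2_user_account_name_field: nickname
oms_oauth2_sso_login_url: http://oms.example.org:8090/omsp/oauth2/authorization/oms?oms_back_url=http://oms.example.org:8090
spring_security_oauth2_client_registration_oms_client_id: oms-console
spring_security_oauth2_client_registration_oms_client_secret: CONSTRUCTED-SECRET
spring_security_oauth2_client_registration_oms_redirect_uri: http://oms.example.org:8090/omsp/login/oauth2/code/{registrationId}
spring_security_oauth2_client_registration_oms_authorization_grant_type: authorization_code
spring_security_oauth2_client_registration_oms_scope: openid,profile
spring_security_oauth2_client_registration_oms_clientAuthenticationMethod: client_secret_basic
spring_security_oauth2_client_registration_oms_provider: oms
spring_security_oauth2_client_provider_jwk_set_uri: https://idp.example.org/oauth2/jwks
spring_security_oauth2_client_provider_authorization_uri: https://idp.example.org/api/auth
spring_security_oauth2_client_provider_token_uri: https://idp.example.org/api/token
"""
P = "spring_security_oauth2_client_"   # common prefix of the Spring Security keys

def parse_config(text):
    """Parse the page's 'key: value' lines (space after the colon); comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and not key.startswith("#"):
            cfg[key] = value.strip().strip("'\"")
    return cfg

def check_sso_config(cfg):
    """Return findings for the OIDC block; an empty list means it follows the page's rules."""
    f = []
    if cfg.get("oms_iam_auth") != "OAUTH2":
        f.append("oms_iam_auth must be OAUTH2 for SSO")
    if "openid" not in [s.strip() for s in cfg.get(P + "registration_oms_scope", "").split(",")]:
        f.append("scope must include openid")
    if cfg.get(P + "registration_oms_authorization_grant_type") != "authorization_code":
        f.append("only the authorization_code grant type is supported")
    if cfg.get(P + "registration_oms_clientAuthenticationMethod") not in ("client_secret_basic", "basic"):
        f.append("clientAuthenticationMethod must be client_secret_basic or basic")
    for ep in ("jwk_set_uri", "authorization_uri", "token_uri"):
        if urlparse(cfg.get(P + "provider_" + ep, "")).scheme != "https":
            f.append(ep + " should be an https URL")   # keys and tokens must not cross plaintext hops
    if not cfg.get(P + "registration_oms_redirect_uri", "").endswith("/omsp/login/oauth2/code/{registrationId}"):
        f.append("redirect_uri must end with /omsp/login/oauth2/code/{registrationId}")
    if not parse_qs(urlparse(cfg.get("oms_oauth2_sso_login_url", "")).query).get("oms_back_url"):
        f.append("oms_oauth2_sso_login_url lacks the oms_back_url parameter")
    return f
```

Run it against /home/admin/conf/config.yaml inside the container (read the file and pass its text to parse_config) before the oms_init_manager step, so a misconfigured block is caught before the console is restarted.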
