Opaque token working on management ui

Refactoring needed so that the resolved
jwt token is kept in the management ui
so that the backend does not need to
reoolve it permanentely

Author: MarcialRosales

deps/rabbitmq_auth_backend_oauth2/include/oauth2.hrl

@@ -16,6 +16,7 @@
 %% Key JWT fields
 %%
 
+-define(ACTIVE_FIELD, <<"active">>). %% FOR INTROSPECTED TOKENS
 -define(AUD_JWT_FIELD, <<"aud">>).
 -define(SCOPE_JWT_FIELD, <<"scope">>).
 -define(TAG_SCOPE_PREFIX, <<"tag:">>).

deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl

@@ -187,7 +187,6 @@ authenticate(_, AuthProps0) ->
         {error, Error} -> {refused, "Unable to introspect token: ~p", [Error]}
     end.
 
-
 -spec with_decoded_token(Token, Fun) -> Result
     when Token :: decoded_jwt_token(),
          Fun :: auth_user_extraction_fun(),
@@ -235,8 +234,11 @@ validate_token_expiry(#{}) -> ok.
           {'error', term() } |
           {'refused', 'signature_invalid' | {'error', term()} | {'invalid_aud', term()}}.
 
-check_token(DecodedToken, _) when is_map(DecodedToken) ->
-    {ok, DecodedToken};
+check_token(DecodedToken, {ResourceServer, _}) when is_map(DecodedToken) ->
+    case maps:is_key(?ACTIVE_FIELD, DecodedToken) of 
+        false -> {ok, DecodedToken};
+        true -> {ok, normalize_token_scope(ResourceServer, DecodedToken)}
+    end;
 
 check_token(Token, {ResourceServer, InternalOAuthProvider}) ->
     case decode_and_verify(Token, ResourceServer, InternalOAuthProvider) of
@@ -257,15 +259,14 @@ extract_scopes_from_scope_claim(Payload) ->
 -spec normalize_token_scope(
     ResourceServer :: resource_server(), DecodedToken :: decoded_jwt_token()) -> map().
 normalize_token_scope(ResourceServer, Payload) ->
-
     filter_duplicates(   
         filter_matching_scope_prefix(ResourceServer,
             extract_scopes_from_rich_auth_request(ResourceServer,
                 extract_scopes_using_scope_aliases(ResourceServer, 
                     extract_scopes_from_additional_scopes_key(ResourceServer, 
                         extract_scopes_from_requesting_party_token(ResourceServer,
                             extract_scopes_from_scope_claim(Payload))))))).
-
+    
 filter_duplicates(#{?SCOPE_JWT_FIELD := Scopes} = Payload) -> 
     set_scope(lists:usort(Scopes), Payload);
 filter_duplicates(Payload) -> Payload.
@@ -492,5 +493,6 @@ resolve_scope_var(Elem, Token, Vhost) ->
 -spec tags_from(decoded_jwt_token()) -> list(atom()).
 tags_from(DecodedToken) ->
     Scopes    = maps:get(?SCOPE_JWT_FIELD, DecodedToken, []),
+    rabbit_log:debug("tags_from Scopes : ~p", [Scopes]),
     TagScopes = filter_matching_scope_prefix_and_drop_it(Scopes, ?TAG_SCOPE_PREFIX),
     lists:usort(lists:map(fun rabbit_data_coercion:to_atom/1, TagScopes)).

selenium/test/oauth/env.spring

@@ -1,3 +1,3 @@
 export OAUTH_SERVER_CONFIG_DIR=${OAUTH_SERVER_CONFIG_BASEDIR}/oauth/spring
-export OAUTH_SCOPES="openid profile rabbitmq.tag:management"
+export OAUTH_SCOPES="openid profile rabbitmq.tag:management rabbitmq.tag:administrator"
 export OAUTH_CLIENT_ID=rabbitmq_client_code

selenium/test/oauth/rabbitmq.opaque-token.conf

@@ -2,3 +2,4 @@ auth_oauth2.access_token_format = opaque
 auth_oauth2.introspection_client_auth_method = basic
 auth_oauth2.introspection_client_id = introspection_client
 auth_oauth2.introspection_client_secret = introspection_client
+auth_oauth2.verify_aud = false

selenium/test/oauth/spring/application.yml

@@ -74,9 +74,7 @@ spring:
               provider: spring
               client-id: rabbitmq_client_code_opaque
               client-secret: "{noop}rabbitmq_client_code_opaque"
-              require-proof-key: true
-              token-settings:
-                access-token-format: reference
+              require-proof-key: true              
               authorization-grant-types: 
                 - authorization_code
               client-authentication-methods:
@@ -91,6 +89,8 @@ spring:
                 - rabbitmq.tag:administrator
                 - rabbitmq.tag:management
               client-name: rabbitmq_client_code_opaque
+            token:
+              access-token-format: reference
           rabbitmq_client_code:
             registration:
               provider: spring