feat: Added configurable signing algorithm to OIDC configuration (#3522)

We've had requests from customers that use RS512 as the default signing
algorithm in their OIDC server deployment. This PR adds that as a config
variable to the OIDC form.

frontend/src/component/admin/auth/OidcAuth/OidcAuth.tsx

@@ -1,8 +1,12 @@
 import React, { useContext, useEffect, useState } from 'react';
 import {
     Button,
+    FormControl,
     FormControlLabel,
     Grid,
+    InputLabel,
+    MenuItem,
+    Select,
     Switch,
     TextField,
 } from '@mui/material';
@@ -30,6 +34,7 @@ const initialState = {
     discoverUrl: '',
     secret: '',
     acrValues: '',
+    idTokenSigningAlgorithm: 'RS256',
 };
 
 export const OidcAuth = () => {
@@ -244,7 +249,42 @@ export const OidcAuth = () => {
                     setValue={setValue}
                 />
                 <AutoCreateForm data={data} setValue={setValue} />
-
+                <Grid container spacing={3} mb={2}>
+                    <Grid item md={5}>
+                        <strong>ID Signing algorithm</strong>
+                        <p>
+                            Which signing algorithm to use. <br /> Leave this
+                            alone unless you see errors that look like
+                            "unexpected JWT alg received, expected RS256, got:
+                            RS512" in your logs.
+                        </p>
+                    </Grid>
+                    <Grid item md={6}>
+                        <FormControl style={{ minWidth: '200px' }}>
+                            <InputLabel id="defaultRootRole-label">
+                                Signing algorithm
+                            </InputLabel>
+                            <Select
+                                label="Signing algorithm"
+                                labelId="idTokenSigningAlgorithm-label"
+                                id="idTokenSigningAlgorithm"
+                                name="idTokenSigningAlgorithm"
+                                value={data.idTokenSigningAlgorithm || 'RS256'}
+                                onChange={e =>
+                                    setValue(
+                                        'idTokenSigningAlgorithm',
+                                        e.target.value
+                                    )
+                                }
+                            >
+                                {/*consider these from API or constants. */}
+                                <MenuItem value="RS256">RS256</MenuItem>
+                                <MenuItem value="RS384">RS384</MenuItem>
+                                <MenuItem value="RS512">RS512</MenuItem>
+                            </Select>
+                        </FormControl>
+                    </Grid>
+                </Grid>
                 <Grid container spacing={3}>
                     <Grid item md={12}>
                         <Button

frontend/src/openapi/models/_exportParams.ts

@@ -6,11 +6,32 @@
 import type { _ExportFormat } from './_exportFormat';
 
 export type _ExportParams = {
+    /**
+     * Desired export format. Must be either `json` or `yaml`.
+     */
     format?: _ExportFormat;
-    download?: boolean | string | number;
+    /**
+     * Whether exported data should be downloaded as a file.
+     */
+    download?: string;
+    /**
+     * Whether strategies should be included in the exported data.
+     */
     strategies?: boolean | string | number;
+    /**
+     * Whether feature toggles should be included in the exported data.
+     */
     featureToggles?: boolean | string | number;
+    /**
+     * Whether projects should be included in the exported data.
+     */
     projects?: boolean | string | number;
+    /**
+     * Whether tag types, tags, and feature_tags should be included in the exported data.
+     */
     tags?: boolean | string | number;
+    /**
+     * Whether environments should be included in the exported data.
+     */
     environments?: boolean | string | number;
 };

frontend/src/openapi/models/bulkMetricsSchema.ts

@@ -6,7 +6,10 @@
 import type { BulkRegistrationSchema } from './bulkRegistrationSchema';
 import type { ClientMetricsEnvSchema } from './clientMetricsEnvSchema';
 
+/**
+ * A batch of metrics accumulated by Edge (or other compatible applications). Includes both application registrations as well usage metrics from clients
+ */
 export interface BulkMetricsSchema {
-    applications?: BulkRegistrationSchema[];
-    metrics?: ClientMetricsEnvSchema[];
+    applications: BulkRegistrationSchema[];
+    metrics: ClientMetricsEnvSchema[];
 }

frontend/src/openapi/models/bulkRegistrationSchema.ts

@@ -6,13 +6,25 @@
 import type { BulkRegistrationSchemaConnectViaItem } from './bulkRegistrationSchemaConnectViaItem';
 import type { DateSchema } from './dateSchema';
 
+/**
+ * An application registration. Defines the format POSTed by our server-side SDKs when they're starting up
+ */
 export interface BulkRegistrationSchema {
+    /** A list of applications this app registration has been registered through. If connected directly to Unleash, this is an empty list. 
+ This can be used in later visualizations to tell how many levels of proxy or Edge instances our SDKs have connected through */
     connectVia?: BulkRegistrationSchemaConnectViaItem[];
+    /** The name of the application that is evaluating toggles */
     appName: string;
-    environment?: string;
+    /** Which environment the application is running in */
+    environment: string;
+    /** A [(somewhat) unique identifier](https://docs.getunleash.io/reference/sdks/node#advanced-usage) for the application */
     instanceId: string;
+    /** How often (in seconds) the application refreshes its features */
     interval?: number;
+    /** The application started at */
     started?: DateSchema;
+    /** Enabled [strategies](https://docs.getunleash.io/reference/activation-strategies) in the application */
     strategies?: string[];
+    /** The version the sdk is running. Typically <client>:<version> */
     sdkVersion?: string;
 }

frontend/src/openapi/models/changeRequestDefaultEventSchema.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by Orval
+ * Do not edit manually.
+ * See `gen:api` script in package.json
+ */
+import type { ChangeRequestDefaultEventSchemaPayload } from './changeRequestDefaultEventSchemaPayload';
+
+export interface ChangeRequestDefaultEventSchema {
+    action: string;
+    payload: ChangeRequestDefaultEventSchemaPayload;
+}

frontend/src/openapi/models/changeRequestDefaultEventSchemaPayload.ts

@@ -0,0 +1,7 @@
+/**
+ * Generated by Orval
+ * Do not edit manually.
+ * See `gen:api` script in package.json
+ */
+
+export type ChangeRequestDefaultEventSchemaPayload = { [key: string]: any };

frontend/src/openapi/models/changeRequestEditTitleSchema.ts

@@ -0,0 +1,9 @@
+/**
+ * Generated by Orval
+ * Do not edit manually.
+ * See `gen:api` script in package.json
+ */
+
+export interface ChangeRequestEditTitleSchema {
+    title: string;
+}

frontend/src/openapi/models/changeRequestFeatureSchema.ts

@@ -4,9 +4,11 @@
  * See `gen:api` script in package.json
  */
 import type { ChangeRequestEventSchema } from './changeRequestEventSchema';
+import type { ChangeRequestDefaultEventSchema } from './changeRequestDefaultEventSchema';
 
 export interface ChangeRequestFeatureSchema {
     name: string;
     conflict?: string;
     changes: ChangeRequestEventSchema[];
+    defaultChange?: ChangeRequestDefaultEventSchema;
 }

frontend/src/openapi/models/changeRequestSchema.ts

@@ -11,6 +11,7 @@ import type { ChangeRequestSchemaCreatedBy } from './changeRequestSchemaCreatedB
 
 export interface ChangeRequestSchema {
     id: number;
+    title?: string;
     environment: string;
     state: ChangeRequestSchemaState;
     minApprovals: number;

frontend/src/openapi/models/changeRequestStateSchema.ts

@@ -7,4 +7,5 @@ import type { ChangeRequestStateSchemaState } from './changeRequestStateSchemaSt
 
 export interface ChangeRequestStateSchema {
     state: ChangeRequestStateSchemaState;
+    comment?: string;
 }

frontend/src/openapi/models/clientMetricsEnvSchema.ts

@@ -6,13 +6,23 @@
 import type { DateSchema } from './dateSchema';
 import type { ClientMetricsEnvSchemaVariants } from './clientMetricsEnvSchemaVariants';
 
+/**
+ * Used for reporting feature evaluation results from SDKs
+ */
 export interface ClientMetricsEnvSchema {
+    /** Name of the feature checked by the SDK */
     featureName: string;
+    /** The name of the application the SDK is being used in */
     appName: string;
-    environment?: string;
+    /** Which environment the SDK is being used in */
+    environment: string;
+    /** The start of the time window these metrics are valid for. The window is 1 hour wide */
     timestamp?: DateSchema;
+    /** How many times the toggle evaluated to true */
     yes?: number;
+    /** How many times the toggle evaluated to false */
     no?: number;
+    /** How many times each variant was returned */
     variants?: ClientMetricsEnvSchemaVariants;
     [key: string]: any;
 }

frontend/src/openapi/models/clientMetricsEnvSchemaVariants.ts

@@ -4,4 +4,7 @@
  * See `gen:api` script in package.json
  */
 
+/**
+ * How many times each variant was returned
+ */
 export type ClientMetricsEnvSchemaVariants = { [key: string]: number };

frontend/src/openapi/models/edgeTokenSchema.ts

@@ -5,8 +5,14 @@
  */
 import type { EdgeTokenSchemaType } from './edgeTokenSchemaType';
 
+/**
+ * A representation of a client token, limiting access to [CLIENT](https://docs.getunleash.io/reference/api-tokens-and-client-keys#client-tokens) (used by serverside SDKs) or [FRONTEND](https://docs.getunleash.io/reference/api-tokens-and-client-keys#front-end-tokens) (used by proxy SDKs)
+ */
 export interface EdgeTokenSchema {
+    /** The list of projects this token has access to. If the token has access to specific projects they will be listed here. If the token has access to all projects it will be represented as [`*`] */
     projects: string[];
+    /** The [API token](https://docs.getunleash.io/reference/api-tokens-and-client-keys#api-tokens)'s **type**. Unleash supports three different types of API tokens ([ADMIN](https://docs.getunleash.io/reference/api-tokens-and-client-keys#admin-tokens), [CLIENT](https://docs.getunleash.io/reference/api-tokens-and-client-keys#client-tokens), [FRONTEND](https://docs.getunleash.io/reference/api-tokens-and-client-keys#front-end-tokens)). They all have varying access, so when validating a token it's important to know what kind you're dealing with */
     type: EdgeTokenSchemaType;
+    /** The actual token value. [Unleash API tokens](https://docs.getunleash.io/reference/api-tokens-and-client-keys) are comprised of three parts. <project(s)>:<environment>.randomcharacters */
     token: string;
 }

frontend/src/openapi/models/edgeTokenSchemaType.ts

@@ -4,6 +4,9 @@
  * See `gen:api` script in package.json
  */
 
+/**
+ * The [API token](https://docs.getunleash.io/reference/api-tokens-and-client-keys#api-tokens)'s **type**. Unleash supports three different types of API tokens ([ADMIN](https://docs.getunleash.io/reference/api-tokens-and-client-keys#admin-tokens), [CLIENT](https://docs.getunleash.io/reference/api-tokens-and-client-keys#client-tokens), [FRONTEND](https://docs.getunleash.io/reference/api-tokens-and-client-keys#front-end-tokens)). They all have varying access, so when validating a token it's important to know what kind you're dealing with
+ */
 export type EdgeTokenSchemaType =
     typeof EdgeTokenSchemaType[keyof typeof EdgeTokenSchemaType];
 

frontend/src/openapi/models/featureSchema.ts

@@ -15,7 +15,7 @@ export interface FeatureSchema {
     type?: string;
     /** Detailed description of the feature */
     description?: string | null;
-    /** `true` if the feature is archived, otherwise `false`. */
+    /** `true` if the feature is archived */
     archived?: boolean;
     /** Name of the project the feature belongs to */
     project?: string;

frontend/src/openapi/models/featureTagSchema.ts

@@ -4,10 +4,24 @@
  * See `gen:api` script in package.json
  */
 
+/**
+ * Describes a tag applied to a feature
+ */
 export interface FeatureTagSchema {
+    /** The name of the feature this tag is applied to */
     featureName: string;
+    /** The type of tag */
     tagType?: string;
+    /** The value of the tag */
     tagValue: string;
+    /**
+     * This field is deprecated and currently unused, use tagType instead
+     * @deprecated
+     */
     type?: string;
+    /**
+     * This field is deprecated and currently unused, use tagValue instead
+     * @deprecated
+     */
     value?: string;
 }

frontend/src/openapi/models/getEventsParams.ts

@@ -4,4 +4,9 @@
  * See `gen:api` script in package.json
  */
 
-export type GetEventsParams = { project?: string };
+export type GetEventsParams = {
+    /**
+     * The name of the project whose events you want to retrieve
+     */
+    project?: string;
+};

frontend/src/openapi/models/index.ts

@@ -1,3 +1,9 @@
+/**
+ * Generated by Orval
+ * Do not edit manually.
+ * See `gen:api` script in package.json
+ */
+
 export * from './_exportFormat';
 export * from './_exportParams';
 export * from './addonParameterSchema';
@@ -43,6 +49,9 @@ export * from './changeRequestCreateSchemaOneOfOneonePayload';
 export * from './changeRequestCreateSchemaOneOfPayload';
 export * from './changeRequestCreateSchemaOneOfSix';
 export * from './changeRequestCreateSchemaOneOfSixAction';
+export * from './changeRequestDefaultEventSchema';
+export * from './changeRequestDefaultEventSchemaPayload';
+export * from './changeRequestEditTitleSchema';
 export * from './changeRequestEnvironmentConfigSchema';
 export * from './changeRequestEventSchema';
 export * from './changeRequestEventSchemaCreatedBy';
@@ -146,6 +155,7 @@ export * from './notificationsSchemaItemCreatedBy';
 export * from './notificationsSchemaItemNotificationType';
 export * from './oidcSettingsSchema';
 export * from './oidcSettingsSchemaDefaultRootRole';
+export * from './oidcSettingsSchemaIdTokenSigningAlgorithm';
 export * from './overrideSchema';
 export * from './parametersSchema';
 export * from './passwordAuthSchema';
@@ -239,6 +249,8 @@ export * from './tagTypesSchema';
 export * from './tagWithVersionSchema';
 export * from './tagsBulkAddSchema';
 export * from './tagsSchema';
+export * from './toggleMaintenanceSchema';
+export * from './tokenStringListSchema';
 export * from './tokenUserSchema';
 export * from './uiConfigSchema';
 export * from './uiConfigSchemaAuthenticationType';
@@ -264,11 +276,10 @@ export * from './userWithProjectRoleSchema';
 export * from './usersGroupsBaseSchema';
 export * from './usersSchema';
 export * from './usersSearchSchema';
-export * from './validateEdgeTokensSchema';
-export * from './validateEdgeTokensSchemaTokensItem';
 export * from './validatePasswordSchema';
 export * from './validateProjectSchema';
 export * from './validateTagTypeSchema';
+export * from './validatedEdgeTokensSchema';
 export * from './variantSchema';
 export * from './variantSchemaPayload';
 export * from './variantsSchema';

frontend/src/openapi/models/oidcSettingsSchema.ts

@@ -4,15 +4,32 @@
  * See `gen:api` script in package.json
  */
 import type { OidcSettingsSchemaDefaultRootRole } from './oidcSettingsSchemaDefaultRootRole';
+import type { OidcSettingsSchemaIdTokenSigningAlgorithm } from './oidcSettingsSchemaIdTokenSigningAlgorithm';
 
+/**
+ * Settings for configuring OpenID Connect as a login provider for Unleash
+ */
 export interface OidcSettingsSchema {
+    /** `true` if OpenID connect is turned on for this instance, otherwise `false` */
     enabled?: boolean;
+    /** The [.well-known OpenID discover URL](https://swagger.io/docs/specification/authentication/openid-connect-discovery/) */
     discoverUrl?: string;
+    /** The OIDC client ID of this application. */
     clientId: string;
+    /** Shared secret from OpenID server. Used to authenticate login requests */
     secret: string;
+    /** Auto create users based on email addresses from login tokens */
     autoCreate?: boolean;
+    /** Support Single sign out when user clicks logout in Unleash. If `true` user is signed out of all OpenID Connect sessions against the clientId they may have active */
     enableSingleSignOut?: boolean;
+    /** [Default role](https://docs.getunleash.io/reference/rbac#standard-roles) granted to users auto-created from email. Only relevant if autoCreate is `true` */
     defaultRootRole?: OidcSettingsSchemaDefaultRootRole;
+    /** Comma separated list of email domains that are automatically approved for an account in the server. Only relevant if autoCreate is `true` */
     emailDomains?: string;
+    /** Authentication Context Class Reference, used to request extra values in the acr claim returned from the server. If multiple values are required, they should be space separated. 
+ Consult [the OIDC reference](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint) for more information 
+ */
     acrValues?: string;
+    /** The signing algorithm used to sign our token. Refer to the [JWT signatures](https://jwt.io/introduction) documentation for more information. */
+    idTokenSigningAlgorithm?: OidcSettingsSchemaIdTokenSigningAlgorithm;
 }

frontend/src/openapi/models/oidcSettingsSchemaDefaultRootRole.ts

@@ -4,6 +4,9 @@
  * See `gen:api` script in package.json
  */
 
+/**
+ * [Default role](https://docs.getunleash.io/reference/rbac#standard-roles) granted to users auto-created from email. Only relevant if autoCreate is `true`
+ */
 export type OidcSettingsSchemaDefaultRootRole =
     typeof OidcSettingsSchemaDefaultRootRole[keyof typeof OidcSettingsSchemaDefaultRootRole];