
OAuth 2.0: support IDP-initiated login in the management UI #6015

Merged
merged 17 commits into from Jan 3, 2023

Conversation

MarcialRosales
Contributor

@MarcialRosales MarcialRosales commented Oct 4, 2022

Proposed Changes

Support "Identity Provider initiated login" workflow whereby a user comes to RabbitMQ with an access_token rather than coming without any and being redirected to the authorization server to get one. The http endpoint to login directly with an access token is POST /login with the token as the value of the form field access_token (here is the sample form used by our automated testing).

This PR must take into account the following flows:

  • login,
  • logout,
  • session expiry and
  • token expiry

It requires the following oauth2 related configuration settings in the management plugin:

  • oauth_enabled
  • oauth_provider_url : This is the URL of the idp where to redirect the user when the user clicks on the button "Click here to login", which is the landing page when OAuth 2.0 is enabled. Although the idp may not necessarily be an OAuth 2.0 provider, in practice it is ultimately the entity responsible for granting tokens to users and redirecting them to RabbitMQ.
  • oauth_initiated_logon_type : This new setting configures the type of logon which can be one of these two:
    - service-provider initiated logon (sp_initiated term) which is the default value and corresponds to Oauth 2.0 authorization code flow.
    - identity-provider initiated logon (idp_initiated term)

It has been considered to use this PR to merge another 2 PRs very much related to the same area of code as this PR.

There is a documentation PR linked to this PR: rabbitmq/rabbitmq-website#1504

This PR introduces the following potential breaking change: with this PR the management UI no longer stores credentials (basic or token) in cookies. Instead it uses window.localStorage. Furthermore, and here is the breaking change: if window.localStorage is disabled, the management UI will not proceed with the login process. It will not fall back to cookies. This is because bearer tokens may be larger than 4Kb in length and browsers will not accept cookies whose value is greater than 4Kbytes.

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)
  • Build system and/or CI
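The PR description above states three behaviours: the IdP-initiated login is a POST to /login carrying the token in the form field access_token, credentials live in window.localStorage rather than cookies because a bearer token can exceed the ~4 KB per-cookie limit, and login refuses to proceed (no cookie fallback) when localStorage is disabled. The following is an added example, not code from the rabbitmq-server PR or the management plugin, that models those rules in a small browser-side credential store. All names in it (CredentialStore, buildLoginBody, fitsInCookie, the storage probe) are this example's own; the storage object is injected so the same code runs in a browser with window.localStorage or in Node with the in-memory stand-in below.

```javascript
// Added example modelled on the behaviour the PR description states; none of
// these identifiers come from the RabbitMQ management plugin.

const COOKIE_VALUE_LIMIT = 4096; // the ~4 KB per-cookie value limit the PR cites

// Probe whether a Web Storage object is really usable. Browsers may expose
// window.localStorage yet throw on access when storage is disabled, so the
// only reliable check is to write and remove a throwaway key.
function storageAvailable(storage) {
  if (!storage) return false;
  const probe = '__storage_probe__';
  try {
    storage.setItem(probe, '1');
    storage.removeItem(probe);
    return true;
  } catch (_) {
    return false;
  }
}

class CredentialStore {
  constructor(storage) {
    if (!storageAvailable(storage)) {
      // Same stance as the PR: no cookie fallback, login does not proceed.
      throw new Error('window.localStorage is disabled; refusing to fall back to cookies');
    }
    this.storage = storage;
  }

  // Persist the bearer token together with a hard session deadline.
  saveToken(token, ttlSeconds, now = Date.now()) {
    const record = { token, expires: now + ttlSeconds * 1000 };
    this.storage.setItem('auth', JSON.stringify(record));
  }

  // Return the token, or null (and purge it) once the hard session timeout passes.
  loadToken(now = Date.now()) {
    const raw = this.storage.getItem('auth');
    if (raw === null) return null;
    const record = JSON.parse(raw);
    if (record.expires <= now) {
      this.storage.removeItem('auth');
      return null;
    }
    return record.token;
  }

  logout() {
    this.storage.removeItem('auth');
  }
}

// Form body for the IdP-initiated login described in the PR:
// POST /login with the token in the form field `access_token`.
function buildLoginBody(accessToken) {
  return new URLSearchParams({ access_token: accessToken }).toString();
}

// Why a cookie is the wrong home for a bearer token: a value above the
// per-cookie limit is dropped by the browser, silently breaking the session.
function fitsInCookie(value) {
  return new TextEncoder().encode(value).length <= COOKIE_VALUE_LIMIT;
}

// Minimal Web Storage stand-ins so the example runs outside a browser (constructed).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}
class DisabledStorage {
  setItem() { throw new Error('SecurityError: storage disabled'); }
  getItem() { throw new Error('SecurityError: storage disabled'); }
  removeItem() { throw new Error('SecurityError: storage disabled'); }
}

// Stand-alone run: a constructed oversized token and a normal login round trip.
if (typeof window === 'undefined') {
  const bigToken = 'x'.repeat(5000); // constructed: larger than a cookie allows
  console.log('fits in cookie:', fitsInCookie(bigToken)); // false
  const store = new CredentialStore(new MemoryStorage());
  store.saveToken(bigToken, 60);
  console.log('token restored:', store.loadToken() === bigToken); // true
  console.log('login body:', buildLoginBody('sample-token').slice(0, 30));
}
```

In a browser the constructor would be called as `new CredentialStore(window.localStorage)`; the thrown error is the point at which the UI stops rather than downgrading to cookies.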

@MarcialRosales MarcialRosales changed the title OIDC idp initiated login OIDC idp initiated login in the management ui Oct 4, 2022
@mergify mergify bot added the make label Oct 4, 2022
@MarcialRosales MarcialRosales changed the title OIDC idp initiated login in the management ui OAuth 2.0 idp initiated login in the management ui Oct 5, 2022
@MarcialRosales MarcialRosales force-pushed the oidc_idp_initiated_login branch 2 times, most recently from 058e928 to 89f9d39 Compare October 20, 2022 07:29
@MarcialRosales MarcialRosales marked this pull request as ready for review October 20, 2022 08:48
@MarcialRosales MarcialRosales marked this pull request as draft October 26, 2022 10:44
@MarcialRosales MarcialRosales force-pushed the oidc_idp_initiated_login branch 2 times, most recently from 64cdb38 to 47f49fa Compare November 2, 2022 12:16
@MarcialRosales MarcialRosales force-pushed the oidc_idp_initiated_login branch 3 times, most recently from 3e90f1d to 35b7845 Compare November 14, 2022 06:18
@michaelklishin michaelklishin marked this pull request as ready for review November 14, 2022 07:39
@michaelklishin michaelklishin changed the title OAuth 2.0 idp initiated login in the management ui OAuth 2.0 IDP-initiated login in the management UI Nov 14, 2022
@michaelklishin michaelklishin changed the title OAuth 2.0 IDP-initiated login in the management UI OAuth 2.0: support IDP-initiated login in the management UI Nov 14, 2022
@MarcialRosales MarcialRosales marked this pull request as draft December 5, 2022 08:48
@MarcialRosales MarcialRosales force-pushed the oidc_idp_initiated_login branch 2 times, most recently from be85e06 to 28e4212 Compare December 13, 2022 13:10
@MarcialRosales MarcialRosales marked this pull request as ready for review December 13, 2022 14:17
@michaelklishin michaelklishin added this to the 3.11.6 milestone Dec 16, 2022
michaelklishin and others added 17 commits January 2, 2023 07:15
(cherry picked from commit 042725d8364bac3fed40df4dcdb534728dd56576)
Configure preferred username from a token
Make client_secret optional
For OAuth2 idp initiated logon
Use window.localStorage. If it is disabled
Management UI should stop working rather than
falling back to cookies
import and export definitions
When running test remotely, the import definition file must be transferred from the test container onto the selenium container where the browser runs
clicking on any area triggered
the download of the definitions
And enable hard session timeout which was
disabled by mistake when moved credentials
from cookies to local storage
This is to force GH Action run selenium tests.
for some reason it is not running it