Add OpenID-Connect Support

[nscuro]

This PR addresses #10 by implementing support for OAuth2 / OpenID Connect.

I'm opening this PR in a WIP state mainly for transparency reasons, but also to potentially get early feedback. I'll update this description when something changes and let you know when I feel like the PR is ready for a serious review.

TODO

• Test with multiple authorization servers
  • Keycloak
  • GitLab
• Unit test coverage

How to test

Besides the unit tests, here's a quick guide on how to test this implementation in action. It can be done locally using Docker, Keycloak and Dependency-Track:

• Checkout this branch and install the Maven project:

$ git clone -b 10-openidconnect-support https://github.com/nscuro/Alpine.git
$ cd Alpine
$ mvn clean clean install -Dcyclonedx.skip -DskipTests

Setup Dependency-Track

• Checkout the openidconnect-support branch of Dependency-Track and build an executable WAR:

$ git clone -b openidconnect-support https://github.com/nscuro/dependency-track.git
$ cd dependency-track
$ mvn clean package -Dcyclonedx.skip -DskipTests -P embedded-jetty -Dlogback.configuration.file=src/main/docker/logback.xml

• Start Dependency-Track with OpenID Connect enabled, including its user provisioning and team synchronization capabilities:

$ java -Dalpine.oidc.enabled=true -Dalpine.oidc.issuer=http://localhost:8081/auth/realms/dtrack-oidc -Dalpine.oidc.username.claim=preferred_username -Dalpine.oidc.user.provisioning=true -Dalpine.oidc.team.synchronization=true -Dalpine.oidc.teams.claim=groups -jar target/dependency-track-embedded.war

• Checkout the openidconnect-support branch of the new Dependency-Track frontend:

$ git clone -b openidconnect-support https://github.com/nscuro/frontend.git

• Modify public/static/config.json as follows:

"OIDC_ISSUER": "http://localhost:8081/auth/realms/dtrack-oidc",
"OIDC_CLIENT_ID": "dependency-track",
"OIDC_FLOW": "code"

• Run the development server: npm run serve
• Navigate to the server's base url and login with the default Dependency-Track admin account (admin:admin)
• Navigate to Administration -> Access Management -> OpenID Connect Groups and add create the groups DTRACK_ADMINS and DTRACK_USERS
• Map DTRACK_ADMINS to the team Administrators and DTRACK_USERS to Portfolio Managers

Setup Keycloak

• Download realm-export.json:
  • Includes the default configuration of the master realm with pre-configured client dependency-track

$ curl -o realm-export.json https://gist.githubusercontent.com/nscuro/70949d507207cd27d2dce5d8e72fff45/raw/ebfbc12c2e9ce46845ada708554e124b0cf76e4d/realm-export.json

• Start Keycloak, importing realm-export.json

$ docker run -d -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e KEYCLOAK_IMPORT=/tmp/realm-export.json -v "$(pwd)/realm-export.json:/tmp/realm-export.json" -p 8081:8080 --name keycloak jboss/keycloak:8.0.2

• Login to Keycloak at http://localhost:8081/auth with admin:admin
• Select the realm dtrack-oidc
• Add a new user under Manage-> Users -> Add user with the following credentials:
  • Username: dtrack
  • E-Mail: dtrack@mail.local
  • Password: test (Make sure the option Temporary is OFF)
• After creation, navigate to the Groups tab for the user and join either DTRACK_ADMINS, DTRACK_USERS or both

Test

• Download the *.postman_collection.json and *.postman_environment.json files from this gist and import them into Postman
• Send the Keycloak: Get Access Token request to acquire an access token for the user dtrack:
  
• Send the DTrack: OIDC Login request to exchange the Keycloak access token for a JWT issued by Dependency-Track:
  
• Finally, verify that the user has been privisioned and the teams have been synced by sending the DTrack: Get Self request:
  

[nscuro]

@stevespringett I'd consider this PR to be ready for review. I'll possibly add minor changes while integrating this into Dependency-Track and its new frontend, but all in all this is pretty much the final version.

[nscuro]

I noticed that the current way of authenticating users is somewhat flawed. LDAP or OIDC users with the name admin are able to login as the managed user admin. JWTs issued by Alpine / Dependency-Track only contain the username, which is not guaranteed to be unique across all identity providers. Alpine attempts to load users by their name in the order Managed -> LDAP -> OIDC. We probably need another claim in the JWT that denotes the identity provider that was used for authentication.

I was thinking about a new claim idp. When issuing JWTs, Dependency-Track can then specify which identity provider performed the authentication. So options could be LOCAL, LDAP, OIDC for example. JwtAuthenticationService would then evaluate the idp claim and only attempt to load the user from the correlating database tables.