Refactored to use 'enabled' flag to hide provider from JSF

Author: stevenwinship

doc/release-notes/11606-hide-spa-oidc-providers-from-jsf-login-screen.md

@@ -0,0 +1,13 @@
+This release will allow for SPA created OIDC Providers to be hidden from JSF login screens. By setting the ``enabled`` attribute either in the config file ``DATAVERSE_AUTH_OIDC_ENABLED: "0"`` or in the Json of the api call:
+POST api/admin/authenticationProviders
+
+{
+"id": "oidc1",
+"factoryAlias": "oidc",
+"title": "Open ID Connect SPA",
+"subtitle": "SPA OIDC Provider",
+"factoryData": "type: oidc | issuer: http://keycloak.mydomain.com:8090/realms/test | clientId: test | clientSecret: 94XHrfNRwXsjqTqApRrwWmhDLDHpIYV8",
+```"enabled": false```
+}
+
+Calling GET api/admin/authenticationProviders will return all providers allowing SPA to display even the ones with enabled = false

src/main/java/edu/harvard/iq/dataverse/LoginPage.java

@@ -135,23 +135,15 @@ public List<AuthenticationProviderDisplayInfo> listCredentialsAuthenticationProv
      * Retrieve information about all enabled identity providers in a sorted order to be displayed to the user.
      * @return list of display information for each provider
      */
-    public List<AuthenticationProviderDisplayInfo> listAuthenticationProvidersJSF() {
-        return listAuthenticationProviders(false);
-    }
     public List<AuthenticationProviderDisplayInfo> listAuthenticationProviders() {
-        return listAuthenticationProviders(true);
-    }
-    public List<AuthenticationProviderDisplayInfo> listAuthenticationProviders(boolean ignoreBlocked) {
         List<AuthenticationProviderDisplayInfo> infos = new LinkedList<>();
         List<AuthenticationProvider> idps = new ArrayList<>(authSvc.getAuthenticationProviders());
 
         // sort by order first. in case of same order values, be deterministic in UI and sort by id, too.
         Collections.sort(idps, Comparator.comparing(AuthenticationProvider::getOrder).thenComparing(AuthenticationProvider::getId));
 
         for (AuthenticationProvider idp : idps) {
-            if (idp != null && (ignoreBlocked || !idp.isJsfBlocked())) {
-                infos.add(idp.getInfo());
-            }
+            infos.add(idp.getInfo());
         }
         return infos;
     }

src/main/java/edu/harvard/iq/dataverse/authorization/AuthenticationProvider.java

@@ -33,9 +33,7 @@ public interface AuthenticationProvider {
     default boolean isUserInfoUpdateAllowed() { return false; };
     default boolean isUserDeletionAllowed() { return false; };
     default boolean isOAuthProvider() { return false; };
-    default boolean isJsfBlocked() { return false; };
-    
-    
+    default boolean isEnabled() { return true; };
 
     /**
      * Some providers (e.g organizational ones) provide verified email addresses.

src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/AbstractOAuth2AuthenticationProvider.java

@@ -93,6 +93,7 @@ public String toString() {
     protected String clientSecret;
     protected String baseUserEndpoint;
     protected String redirectUrl;
+    protected boolean enabled = true;
 
     /**
      * List of scopes to be requested for authorization at identity provider.
@@ -272,6 +273,9 @@ public String getSubTitle() {
 
     public String getSpacedScope() { return String.join(" ", getScope()); }
 
+    public void setEnabled(boolean enabled) { this.enabled = enabled; }
+    public boolean isEnabled() { return enabled; }
+
     @Override
     public int hashCode() {
         int hash = 7;

src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/oidc/OIDCAuthProvider.java

@@ -67,8 +67,7 @@ public class OIDCAuthProvider extends AbstractOAuth2AuthenticationProvider {
     final OIDCProviderMetadata idpMetadata;
     final boolean pkceEnabled;
     final CodeChallengeMethod pkceMethod;
-    final boolean jsfBlocked;
-    
+
     /**
      * Using PKCE, we create and send a special {@link CodeVerifier}. This contains a secret
      * we need again when verifying the response by the provider, thus the cache.
@@ -81,7 +80,7 @@ public class OIDCAuthProvider extends AbstractOAuth2AuthenticationProvider {
         .build();
 
     public OIDCAuthProvider(String aClientId, String aClientSecret, String issuerEndpointURL,
-                            boolean pkceEnabled, String pkceMethod, boolean jsfBlocked) throws AuthorizationSetupException {
+                            boolean pkceEnabled, String pkceMethod) throws AuthorizationSetupException {
         this.clientSecret = aClientSecret; // needed for state creation
         this.clientAuth = new ClientSecretBasic(new ClientID(aClientId), new Secret(aClientSecret));
         this.issuer = new Issuer(issuerEndpointURL);
@@ -90,10 +89,7 @@ public OIDCAuthProvider(String aClientId, String aClientSecret, String issuerEnd
 
         this.pkceEnabled = pkceEnabled;
         this.pkceMethod = CodeChallengeMethod.parse(pkceMethod);
-        this.jsfBlocked = jsfBlocked;
     }
-    
-    public boolean isJsfBlocked() { return jsfBlocked; }
 
     /**
      * Setup metadata from OIDC provider during creation of the provider representation

src/main/java/edu/harvard/iq/dataverse/authorization/providers/oauth2/oidc/OIDCAuthenticationProviderFactory.java

@@ -43,13 +43,13 @@ public AuthenticationProvider buildProvider( AuthenticationProviderRow aRow ) th
             factoryData.get("clientSecret"),
             factoryData.get("issuer"),
             Boolean.parseBoolean(factoryData.getOrDefault("pkceEnabled", "false")),
-            factoryData.getOrDefault("pkceMethod", "S256"),
-            Boolean.parseBoolean(factoryData.getOrDefault("jsfBlocked", "false"))
+            factoryData.getOrDefault("pkceMethod", "S256")
         );
 
         oidc.setId(aRow.getId());
         oidc.setTitle(aRow.getTitle());
         oidc.setSubTitle(aRow.getSubtitle());
+        oidc.setEnabled(aRow.isEnabled());
 
         return oidc;
     }
@@ -65,13 +65,13 @@ public static AuthenticationProvider buildFromSettings() throws AuthorizationSet
             JvmSettings.OIDC_CLIENT_SECRET.lookup(),
             JvmSettings.OIDC_AUTH_SERVER_URL.lookup(),
             JvmSettings.OIDC_PKCE_ENABLED.lookupOptional(Boolean.class).orElse(false),
-            JvmSettings.OIDC_PKCE_METHOD.lookupOptional().orElse("S256"),
-            JvmSettings.OIDC_JSFBLOCKED.lookupOptional(Boolean.class).orElse(false)
+            JvmSettings.OIDC_PKCE_METHOD.lookupOptional().orElse("S256")
         );
 
         oidc.setId("oidc-mpconfig");
         oidc.setTitle(JvmSettings.OIDC_TITLE.lookupOptional().orElse("OpenID Connect"));
         oidc.setSubTitle(JvmSettings.OIDC_SUBTITLE.lookupOptional().orElse("OpenID Connect"));
+        oidc.setEnabled(JvmSettings.OIDC_ENABLED.lookupOptional(Boolean.class).orElse(true));
 
         return oidc;
     }

src/main/java/edu/harvard/iq/dataverse/settings/JvmSettings.java

@@ -252,7 +252,6 @@ public enum JvmSettings {
     OIDC_AUTH_SERVER_URL(SCOPE_OIDC, "auth-server-url"),
     OIDC_CLIENT_ID(SCOPE_OIDC, "client-id"),
     OIDC_CLIENT_SECRET(SCOPE_OIDC, "client-secret"),
-    OIDC_JSFBLOCKED(SCOPE_OIDC, "jsfBlocked"),
     SCOPE_OIDC_PKCE(SCOPE_OIDC, "pkce"),
     OIDC_PKCE_ENABLED(SCOPE_OIDC_PKCE, "enabled"),
     OIDC_PKCE_METHOD(SCOPE_OIDC_PKCE, "method"),

src/main/webapp/loginpage.xhtml

@@ -23,7 +23,7 @@
             <ui:param name="showMessagePanel" value="#{true}"/>
             <ui:param name="loginRedirectPage" value="dataverse.xhtml"/>
             <ui:define name="body">
-                <ui:fragment rendered="#{LoginPage.listAuthenticationProvidersJSF().size() lt 1}">
+                <ui:fragment rendered="#{LoginPage.listAuthenticationProviders().size() lt 1}">
                     <div class="row">
                         <div class="col-sm-12">
                             <div class="alert alert-danger">
@@ -214,10 +214,10 @@
                                 </div>
                             </div>
 
-                            <div id="otherProviders" jsf:rendered="#{LoginPage.listAuthenticationProvidersJSF().size() > 1}">
+                            <div id="otherProviders" jsf:rendered="#{LoginPage.listAuthenticationProviders().size() > 1}">
                                 <h3>#{bundle['auth.providers.title']}</h3>
                                 <h:form>
-                                    <ui:repeat value="#{LoginPage.listAuthenticationProvidersJSF()}" var="provider">
+                                    <ui:repeat value="#{LoginPage.listAuthenticationProviders()}" var="provider">
                                         <p:commandLink rendered="#{provider.id != LoginPage.authProvider.id}" styleClass="btn btn-default" actionListener="#{LoginPage.setAuthProviderById(provider.id)}" update="login-container">
                                             <h:outputText value="#{provider.title}" />
                                         </p:commandLink>

src/test/java/edu/harvard/iq/dataverse/api/AdminIT.java

@@ -978,14 +978,14 @@ public void testAddAuthProviders() {
         Response getAuthProviders = UtilIT.getAuthProviders(superuserApiToken);
         getAuthProviders.prettyPrint();
 
-        String factoryData = String.format("type: oidc | issuer: http://keycloak.mydomain.com:8090/realms/test | clientId: %s | clientSecret: %s | jsfBlocked: true", clientId, clientSecret);
+        String factoryData = String.format("type: oidc | issuer: http://keycloak.mydomain.com:8090/realms/test | clientId: %s | clientSecret: %s", clientId, clientSecret);
         JsonObject jsonObject = Json.createObjectBuilder()
                 .add("id", "oidc1")
                 .add("factoryAlias", "oidc")
                 .add("title", "Open ID Connect SPA")
                 .add("subtitle", "SPA OIDC Provider")
                 .add("factoryData", factoryData)
-                .add("enabled", true)
+                .add("enabled", false)
                 .build();
         Response addAuthProviders = UtilIT.addAuthProviders(superuserApiToken, jsonObject);
         addAuthProviders.prettyPrint();
@@ -995,9 +995,17 @@ public void testAddAuthProviders() {
         getAuthProviders = UtilIT.getAuthProviders(superuserApiToken);
         getAuthProviders.prettyPrint();
         getAuthProviders.then().assertThat()
-                .statusCode(OK.getStatusCode())
-                .body("data[1].id", equalTo("oidc1"))
-                .body("data[1].factoryData", containsString("jsfBlocked: true"));
+                .statusCode(OK.getStatusCode());
 
+        boolean found = false;
+        List<Map<String, Object>> providers = getAuthProviders.body().jsonPath().getList("data");
+        for (Map<String, Object> provider : providers) {
+            if ("oidc1".equalsIgnoreCase((String) provider.get("id"))) {
+                found = true;
+                assertTrue(provider.get("title") != null && provider.get("title").equals("Open ID Connect SPA"));
+                assertTrue(provider.get("enabled") != null && !(Boolean) provider.get("enabled"));
+            }
+        }
+        assertTrue(found);
     }
 }