feat(model-client): more OAuth2 configuration options (client ID, secret, scopes)

Author: slisson

model-client/src/commonMain/kotlin/org/modelix/model/client2/ModelClientV2.kt

@@ -53,7 +53,13 @@ import org.modelix.model.lazy.IDeserializingKeyValueStore
 import org.modelix.model.lazy.ObjectStoreCache
 import org.modelix.model.lazy.RepositoryId
 import org.modelix.model.lazy.computeDelta
+import org.modelix.model.oauth.IAuthConfig
+import org.modelix.model.oauth.IAuthRequestHandler
 import org.modelix.model.oauth.ModelixAuthClient
+import org.modelix.model.oauth.OAuthConfig
+import org.modelix.model.oauth.OAuthConfigBuilder
+import org.modelix.model.oauth.TokenProvider
+import org.modelix.model.oauth.TokenProviderAuthConfig
 import org.modelix.model.operations.OTBranch
 import org.modelix.model.persistent.HashUtil
 import org.modelix.model.persistent.MapBasedStore
@@ -491,9 +497,7 @@ class ModelClientV2(
 abstract class ModelClientV2Builder {
     protected var httpClient: HttpClient? = null
     protected var baseUrl: String = "https://localhost/model/v2"
-    protected var authTokenProvider: (suspend () -> String?)? = null
-    protected var authRequestBrowser: ((url: String) -> Unit)? = null
-    protected var oauthEnabled = false
+    protected var authConfig: IAuthConfig? = null
     protected var userId: String? = null
     protected var connectTimeout: Duration = 1.seconds
     protected var requestTimeout: Duration = 30.seconds
@@ -519,18 +523,70 @@ abstract class ModelClientV2Builder {
         return this
     }
 
-    fun authToken(provider: suspend () -> String?): ModelClientV2Builder {
-        authTokenProvider = provider
-        return this
+    fun authToken(provider: TokenProvider) = also {
+        authConfig = TokenProviderAuthConfig(provider)
+    }
+
+    fun authConfig(config: IAuthConfig) = also {
+        this.authConfig = config
     }
 
-    fun authRequestBrowser(browser: ((url: String) -> Unit)?) = also {
-        authRequestBrowser = browser
-        enableOAuth()
+    fun authRequestBrowser(browser: ((url: String) -> Unit)?) = oauth {
+        authRequestHandler(
+            if (browser == null) {
+                null
+            } else {
+                object : IAuthRequestHandler {
+                    override fun browse(url: String) {
+                        browser(url)
+                    }
+                }
+            },
+        )
+    }
+
+    fun enableOAuth() = oauth { }
+
+    fun oauth(body: OAuthConfigBuilder.() -> Unit) = also {
+        authConfig = OAuthConfigBuilder(authConfig as? OAuthConfig ?: legacyOAuthConfig()).apply(body).build()
     }
 
-    fun enableOAuth() = also {
-        oauthEnabled = true
+    /**
+     * Handles the case when the model-server runs inside a kubernetes cluster with keycloak but doesn't provide the
+     * OAuth endpoints in the 401 response headers.
+     */
+    private fun legacyOAuthConfig(): OAuthConfig? {
+        // When the model server is reachable at https://example.org/model/,
+        // Keycloak is expected to be reachable under https://example.org/realms/
+        // See https://github.com/modelix/modelix.kubernetes/blob/60f7db6533c3fb82209b1a6abb6836923f585672/proxy/nginx.conf#L14
+        // and https://github.com/modelix/modelix.kubernetes/blob/60f7db6533c3fb82209b1a6abb6836923f585672/proxy/nginx.conf#L41
+
+        val normalizedModelUrl = buildUrl {
+            takeFrom(baseUrl)
+            if (pathSegments.lastOrNull() == "") pathSegments = pathSegments.dropLast(1)
+            if (pathSegments.lastOrNull() == "v2") pathSegments = pathSegments.dropLast(1)
+        }
+        if (normalizedModelUrl.segments.lastOrNull() != "model") return null
+
+        val oidcUrl = buildUrl {
+            takeFrom(normalizedModelUrl)
+            if (pathSegments.lastOrNull() == "model") pathSegments = pathSegments.dropLast(1)
+            appendPathSegments("realms", "modelix", "protocol", "openid-connect")
+        }
+        val authUrl = buildUrl {
+            takeFrom(oidcUrl)
+            appendPathSegments("auth")
+        }
+        val tokenUrl = buildUrl {
+            takeFrom(oidcUrl)
+            appendPathSegments("token")
+        }
+        return OAuthConfig(
+            clientId = "external-mps",
+            scopes = setOf("email"),
+            authorizationUrl = authUrl.toString(),
+            tokenUrl = tokenUrl.toString(),
+        )
     }
 
     fun userId(userId: String?): ModelClientV2Builder {
@@ -585,9 +641,7 @@ abstract class ModelClientV2Builder {
                     }
                 }
             }
-            if (authTokenProvider != null || oauthEnabled) {
-                ModelixAuthClient.installAuth(this, baseUrl, authTokenProvider, authRequestBrowser)
-            }
+            authConfig?.let { ModelixAuthClient.installAuth(this, it) }
         }
     }
 

model-client/src/commonMain/kotlin/org/modelix/model/oauth/ModelixAuthClient.kt

@@ -13,30 +13,14 @@ expect object ModelixAuthClient {
     /**
      * Function to configure the authentication for an HTTP client.
      *
-     * If an [authTokenProvider] is given, both implementations use the provided token for Bearer authentication.
-     * This is stateless.
-     *
-     * If no [authTokenProvider] is given, the JS implementation does not configure authentication.
-     * If no [authTokenProvider] is given,
-     * the JVM implementation setups a server to perform an OAuth authorization code flow with PKCE.
-     * This makes many assumptions about the model server deployment,
-     * Keycloak deployment, Keycloak configuration, and the client.
-     * The PKCE is hard coded to work for MPS instances inside Modelix workspaces.
-     * This is stateful.
-     *
      * @param config Config for the HTTP client to be created.
      *               This config will be modified to enable authentication.
      * @param baseUrl Base url of model server.
      *                Required for PKCE flow in JVM.
-     * @param authTokenProvider This function will be used to initially get an auth token
-     *                          and to refresh it when the old one expired.
-     *                          Returning `null` cause the client to attempt the request without a token.
      */
     fun installAuth(
         config: HttpClientConfig<*>,
-        baseUrl: String,
-        authTokenProvider: (suspend () -> String?)? = null,
-        authRequestBrowser: ((url: String) -> Unit)? = null,
+        authConfig: IAuthConfig,
     )
 }
 

model-client/src/commonMain/kotlin/org/modelix/model/oauth/OAuthConfig.kt

@@ -0,0 +1,51 @@
+package org.modelix.model.oauth
+
+sealed interface IAuthConfig {
+    companion object {
+        fun fromTokenProvider(provider: TokenProvider): IAuthConfig {
+            return TokenProviderAuthConfig(provider)
+        }
+
+        fun oauth(body: OAuthConfigBuilder.() -> Unit): IAuthConfig {
+            return OAuthConfigBuilder(null).apply(body).build()
+        }
+    }
+}
+
+class TokenProviderAuthConfig(val provider: TokenProvider) : IAuthConfig
+
+data class OAuthConfig(
+    val clientId: String? = "external-mps",
+    val clientSecret: String? = null,
+    val authorizationUrl: String? = null,
+    val tokenUrl: String? = null,
+    val scopes: Set<String> = emptySet(),
+    val authRequestHandler: IAuthRequestHandler? = null,
+) : IAuthConfig
+
+typealias TokenProvider = suspend () -> String?
+
+class OAuthConfigBuilder(initial: OAuthConfig?) {
+    private var config = initial ?: OAuthConfig()
+
+    fun clientId(id: String) = also { config = config.copy(clientId = id) }
+    fun clientSecret(secret: String) = also { config = config.copy(clientSecret = secret) }
+    fun scopes(scopes: Iterable<String>) = also { config = config.copy(scopes = scopes.toSet()) }
+    fun scope(scope: String) = scopes(setOf(scope))
+    fun additionalScopes(scopes: Iterable<String>) = also { config = config.copy(scopes = config.scopes + scopes) }
+    fun additionalScope(scope: String) = additionalScopes(setOf(scope))
+    fun authorizationUrl(url: String) = also { config = config.copy(authorizationUrl = url) }
+    fun tokenUrl(url: String) = also { config = config.copy(tokenUrl = url) }
+    fun oidcUrl(url: String) = authorizationUrl(url.trimEnd('/') + "/auth").tokenUrl(url.trimEnd('/') + "/token")
+    fun authRequestHandler(handler: IAuthRequestHandler?) = also { config = config.copy(authRequestHandler = handler) }
+
+    fun build() = config.copy()
+}
+
+interface IAuthRequestHandler {
+    /**
+     * Open the URL where the user can log in. The OAuth server will redirect the user to a callback URL to transmit
+     * the authorization code.
+     */
+    fun browse(url: String)
+}

model-client/src/jsMain/kotlin/org/modelix/model/oauth/ModelixAuthClient.kt

@@ -7,12 +7,11 @@ actual object ModelixAuthClient {
     @Suppress("UndocumentedPublicFunction") // already documented in the expected declaration
     actual fun installAuth(
         config: HttpClientConfig<*>,
-        baseUrl: String,
-        authTokenProvider: (suspend () -> String?)?,
-        authRequestBrowser: ((url: String) -> Unit)?,
+        authConfig: IAuthConfig,
     ) {
-        if (authTokenProvider != null) {
-            installAuthWithAuthTokenProvider(config, authTokenProvider)
+        when (authConfig) {
+            is OAuthConfig -> UnsupportedOperationException("JS client doesn't support OAuth2")
+            is TokenProviderAuthConfig -> installAuthWithAuthTokenProvider(config, authConfig.provider)
         }
     }
 }

model-client/src/jvmMain/kotlin/org/modelix/model/client/RestWebModelClient.kt

@@ -166,13 +166,7 @@ class RestWebModelClient @JvmOverloads constructor(
                 refreshTokens {
                     val tp = authTokenProvider
                     if (tp == null) {
-                        var url = baseUrl
-                        if (!url.endsWith("/")) url += "/"
-                        // TODO MODELIX-975 See ModelixOAuthClient.installAuthWithPKCEFlow
-                        if (url.endsWith("/model/")) url = url.substringBeforeLast("/model/")
-                        connectionStatus = ConnectionStatus.WAITING_FOR_TOKEN
-                        val tokens = ModelixAuthClient.authorize(url)
-                        BearerTokens(tokens.accessToken, tokens.refreshToken)
+                        null
                     } else {
                         val providedToken = tp()
                         if (providedToken != null && providedToken != this.oldTokens?.accessToken) {

model-client/src/jvmMain/kotlin/org/modelix/model/oauth/ModelixAuthClient.kt

@@ -16,11 +16,18 @@ import com.google.api.client.util.store.MemoryDataStoreFactory
 import io.ktor.client.HttpClientConfig
 import io.ktor.client.plugins.auth.Auth
 import io.ktor.client.plugins.auth.providers.BearerTokens
+import io.ktor.client.plugins.auth.providers.RefreshTokensParams
 import io.ktor.client.plugins.auth.providers.bearer
+import io.ktor.client.statement.request
 import io.ktor.http.HttpHeaders
 import io.ktor.http.HttpMessage
+import io.ktor.http.URLProtocol
+import io.ktor.http.Url
 import io.ktor.http.auth.HttpAuthHeader
 import io.ktor.http.auth.parseAuthorizationHeader
+import io.ktor.http.buildUrl
+import io.ktor.http.isSecure
+import io.ktor.http.takeFrom
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
 
@@ -45,35 +52,18 @@ actual object ModelixAuthClient {
         return this
     }
 
-    suspend fun authorize(modelixServerUrl: String): Credential {
-        val oidcUrl = modelixServerUrl.trimEnd('/') + "/realms/modelix/protocol/openid-connect"
-        return authorize(
-            clientId = "external-mps",
-            scopes = listOf("email"),
-            authUrl = "$oidcUrl/auth",
-            tokenUrl = "$oidcUrl/token",
-            authRequestBrowser = null,
-        )
-    }
-
-    suspend fun authorize(
-        clientId: String,
-        scopes: List<String>,
-        authUrl: String,
-        tokenUrl: String,
-        authRequestBrowser: ((url: String) -> Unit)?,
-    ): Credential {
+    suspend fun authorize(config: OAuthConfig): Credential {
         return withContext(Dispatchers.IO) {
             val flow = AuthorizationCodeFlow.Builder(
                 BearerToken.authorizationHeaderAccessMethod(),
                 HTTP_TRANSPORT,
                 JSON_FACTORY,
-                GenericUrl(tokenUrl),
-                ClientParametersAuthentication(clientId, null),
-                clientId,
-                authUrl,
+                GenericUrl(config.tokenUrl),
+                ClientParametersAuthentication(config.clientId, config.clientSecret),
+                config.clientId,
+                config.authorizationUrl,
             )
-                .setScopes(scopes)
+                .setScopes(config.scopes)
                 .enablePKCE()
                 .setDataStoreFactory(DATA_STORE_FACTORY)
                 .build()
@@ -82,10 +72,10 @@ actual object ModelixAuthClient {
             if (existingTokens?.isExpired() == false) return@withContext existingTokens
 
             val receiver: LocalServerReceiver = LocalServerReceiver.Builder().setHost("127.0.0.1").build()
-            val browser = authRequestBrowser?.let {
+            val browser = config.authRequestHandler?.let {
                 object : AuthorizationCodeInstalledApp.Browser {
                     override fun browse(url: String) {
-                        it(url)
+                        it.browse(url)
                     }
                 }
             } ?: AuthorizationCodeInstalledApp.DefaultBrowser()
@@ -100,21 +90,17 @@ actual object ModelixAuthClient {
     @Suppress("UndocumentedPublicFunction") // already documented in the expected declaration
     actual fun installAuth(
         config: HttpClientConfig<*>,
-        baseUrl: String,
-        authTokenProvider: (suspend () -> String?)?,
-        authRequestBrowser: ((url: String) -> Unit)?,
+        authConfig: IAuthConfig,
     ) {
-        if (authTokenProvider != null) {
-            installAuthWithAuthTokenProvider(config, authTokenProvider)
-        } else {
-            installAuthWithPKCEFlow(config, baseUrl, authRequestBrowser)
+        when (authConfig) {
+            is TokenProviderAuthConfig -> installAuthWithAuthTokenProvider(config, authConfig.provider)
+            is OAuthConfig -> installAuthWithPKCEFlow(config, authConfig)
         }
     }
 
     private fun installAuthWithPKCEFlow(
         config: HttpClientConfig<*>,
-        baseUrl: String,
-        authRequestBrowser: ((url: String) -> Unit)?,
+        authConfig: OAuthConfig,
     ) {
         config.apply {
             install(Auth) {
@@ -127,32 +113,16 @@ actual object ModelixAuthClient {
                             // The model server tells the client where to get a token
 
                             if (wwwAuthenticate.parameter("error") != "invalid_token") return@let null
-                            val authUrl = wwwAuthenticate.parameter("authorization_uri") ?: return@let null
-                            val tokenUrl = wwwAuthenticate.parameter("token_uri") ?: return@let null
+                            val updatedConfig = authConfig.copy(
+                                authorizationUrl = authConfig.authorizationUrl ?: useSameProtocol(wwwAuthenticate.parameter("authorization_uri") ?: return@let null),
+                                tokenUrl = authConfig.tokenUrl ?: useSameProtocol(wwwAuthenticate.parameter("token_uri") ?: return@let null),
+                            )
                             val realm = wwwAuthenticate.parameter("realm")
                             val description = wwwAuthenticate.parameter("error_description")
-                            authorize(
-                                clientId = "modelix-sync-plugin",
-                                scopes = listOf("sync"),
-                                authUrl = authUrl,
-                                tokenUrl = tokenUrl,
-                                authRequestBrowser = authRequestBrowser,
-                            )
-                        } ?: let {
-                            // legacy keycloak specific URLs
+                            authorize(updatedConfig)
+                        } ?: authorize(authConfig)
 
-                            var url = baseUrl
-                            if (!url.endsWith("/")) url += "/"
-                            // XXX Detecting and removing "/model/" is workaround for when the model server
-                            // is used in Modelix workspaces and reachable behind the sub path /model/".
-                            // When the model server is reachable at https://example.org/model/,
-                            // Keycloak is expected to be reachable under https://example.org/realms/
-                            // See https://github.com/modelix/modelix.kubernetes/blob/60f7db6533c3fb82209b1a6abb6836923f585672/proxy/nginx.conf#L14
-                            // and https://github.com/modelix/modelix.kubernetes/blob/60f7db6533c3fb82209b1a6abb6836923f585672/proxy/nginx.conf#L41
-                            // TODO MODELIX-975 remove this check and replace with configuration.
-                            if (url.endsWith("/model/")) url = url.substringBeforeLast("/model/")
-                            authorize(url)
-                        }
+                        println("Access Token: " + tokens.accessToken)
 
                         BearerTokens(tokens.accessToken, tokens.refreshToken)
                     }
@@ -165,4 +135,21 @@ actual object ModelixAuthClient {
         return headers[HttpHeaders.WWWAuthenticate]
             ?.let { parseAuthorizationHeader(it) as? HttpAuthHeader.Parameterized }
     }
+
+    /**
+     * In test environments https often doesn't have a valid certificate.
+     * Use http for authorization, if the original request itself uses http.
+     */
+    private fun RefreshTokensParams.useSameProtocol(url: String): String {
+        val needSecureProtocol = response.request.url.protocol.isSecure()
+        if (Url(url).protocol.isSecure() == needSecureProtocol) return url
+        return buildUrl {
+            takeFrom(url)
+            protocol = when (protocol) {
+                URLProtocol.HTTPS, URLProtocol.HTTP -> if (needSecureProtocol) URLProtocol.HTTPS else URLProtocol.HTTP
+                URLProtocol.WSS, URLProtocol.WS -> if (needSecureProtocol) URLProtocol.WSS else URLProtocol.WS
+                else -> protocol
+            }
+        }.toString()
+    }
 }