Add auth and token endpoint params to authSettings

Author: MarcialRosales

deps/rabbitmq_management/priv/schema/rabbitmq_management.schema

@@ -568,11 +568,11 @@ end}.
     "rabbitmq_management.oauth_resource_servers",
   [{datatype, {enum, [sp_initiated, idp_initiated]}}]}.
 
-{mapping, "management.oauth_resource_servers.$name.authorization_endpoint_params.$name", 
+{mapping, "management.oauth_resource_servers.$name.oauth_authorization_endpoint_params.$name", 
     ""rabbitmq_management.oauth_resource_servers",
     [{datatype, string}]}.
 
-{mapping, "management.oauth_resource_servers.$name.token_endpoint_params.$name", 
+{mapping, "management.oauth_resource_servers.$name.oauth_token_endpoint_params.$name", 
     ""rabbitmq_management.oauth_resource_servers",
     [{datatype, string}]}.
 

deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl

@@ -25,6 +25,18 @@ variances(Req, Context) ->
 content_types_provided(ReqData, Context) ->
    {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
 
+merge_property(Key, List, MapIn) -> 
+  case proplists:get_value(Key, List) of 
+    undefined -> MapIn;
+    V0 -> MapIn#{Key => V0}
+  end.
+
+extract_oauth_provider_info_props_as_map(ManagementProps) ->
+  lists:foldl(fun(K, Acc) -> 
+    merge_property(K, ManagementProps, Acc) end, #{}, [oauth_provider_url, 
+      oauth_metadata_url, oauth_authorization_endpoint_params, 
+      oauth_token_endpoint_params]).
+
 merge_oauth_provider_info(OAuthResourceServer, MgtResourceServer, ManagementProps) ->
   OAuthProviderResult = case proplists:get_value(oauth_provider_id, OAuthResourceServer) of
     undefined -> oauth2_client:get_oauth_provider([issuer]);
@@ -35,15 +47,17 @@ merge_oauth_provider_info(OAuthResourceServer, MgtResourceServer, ManagementProp
     {error, _} -> #{}
   end,
   OAuthProviderInfo1 = maps:merge(OAuthProviderInfo0, 
-    case proplists:get_value(oauth_provider_url, ManagementProps) of
-      undefined -> #{};
-      V1 -> #{oauth_provider_url => V1}
-    end),
+    extract_oauth_provider_info_props_as_map(ManagementProps)),
   maps:merge(OAuthProviderInfo1, proplists:to_map(MgtResourceServer)).
 
 oauth_provider_to_map(OAuthProvider) ->
   % only include issuer and end_session_endpoint for now. The other endpoints are resolved by oidc-client library
-  Map0 = #{ oauth_provider_url => OAuthProvider#oauth_provider.issuer },
+  Map0 = case OAuthProvider#oauth_provider.issuer of 
+    undefined -> #{};
+    Issuer -> #{ oauth_provider_url => Issuer,
+                oauth_metadata_url => OAuthProvider#oauth_provider.discovery_endpoint 
+              }
+  end,
   case OAuthProvider#oauth_provider.end_session_endpoint of 
     undefined -> Map0;
     V -> maps:put(end_session_endpoint, V, Map0)
@@ -75,12 +89,22 @@ getAllDeclaredOauth2Resources(OAuth2BackendProps) ->
   OAuth2Resources = proplists:get_value(resource_servers, OAuth2BackendProps, #{}),
   case proplists:get_value(resource_server_id, OAuth2BackendProps) of
     undefined -> OAuth2Resources;
-    Id -> maps:put(Id, [{id, Id}], OAuth2Resources)
+    Id -> maps:put(Id, buildRootResourceServerIfAny(Id, OAuth2BackendProps), 
+    OAuth2Resources)
   end.
-buildRootResourceServerIfAny(Props) ->
-  [ {id, proplists:get_value(resource_server_id, Props) }, 
-    {oauth_client_id, proplists:get_value(oauth_client_id, Props)}, 
-    {oauth_client_id, proplists:get_value(oauth_client_id, Props)} ].
+buildRootResourceServerIfAny(Id, Props) ->
+  [ {id, Id}, 
+    {oauth_client_id, 
+        proplists:get_value(oauth_client_id, Props)}, 
+    {oauth_client_secret,
+        proplists:get_value(oauth_client_secret, Props)},
+    {oauth_response_type, 
+        proplists:get_value(oauth_response_type, Props)},
+    {authorization_endpoint_params, 
+        proplists:get_value(authorization_endpoint_params, Props)},
+    {token_endpoint_params, 
+        proplists:get_value(token_endpoint_params, Props)} 
+  ].
 
 authSettings() ->
   ManagementProps = application:get_all_env(rabbitmq_management),

deps/rabbitmq_management/test/rabbit_mgmt_wm_auth_SUITE.erl

@@ -74,8 +74,13 @@ groups() ->
               should_return_disabled_auth_settings,
               {with_mgt_oauth_client_id_z, [], [
                 should_return_mgt_oauth_provider_url_url1,
+                should_return_mgt_oauth_metadata_url_url1,
                 {with_mgt_oauth_provider_url_url0, [], [
-                  should_return_mgt_oauth_provider_url_url0
+                  should_return_mgt_oauth_provider_url_url0,
+                  should_return_mgt_oauth_metadata_url_url1,
+                  {with_mgt_oauth_metadata_url_url0, [], [
+                    should_return_mgt_oauth_metadata_url_url0
+                  ]}
                 ]}
               ]}
             ]}
@@ -299,10 +304,15 @@ init_per_suite(Config) ->
     {idp2, <<"idp2">>},
     {idp3, <<"idp3">>},
     {idp1_url, <<"https://idp1">>},
+    {idp1_meta_url, <<"https://idp1/.well-known/openid-configuration">>},
     {idp2_url, <<"https://idp2">>},
+    {idp2_meta_url, <<"https://idp2/.well-known/openid-configuration">>},
     {idp3_url, <<"https://idp3">>},
+    {idp3_meta_url, <<"https://idp3/.well-known/openid-configuration">>},
     {url0, <<"https://url0">>},
+    {meta_url0, <<"https://url0/.well-known/openid-configuration">>},
     {url1, <<"https://url1">>},
+    {meta_url1, <<"https://url1/.well-known/openid-configuration">>},
     {logout_url_0, <<"https://logout_0">>},
     {logout_url_1, <<"https://logout_1">>},
     {logout_url_2, <<"https://logout_2">>},
@@ -340,6 +350,9 @@ init_per_group(with_mgt_oauth_client_secret_q, Config) ->
 init_per_group(with_mgt_oauth_provider_url_url0, Config) ->
   application:set_env(rabbitmq_management, oauth_provider_url, ?config(url0, Config)),
   Config;
+init_per_group(with_mgt_oauth_metadata_url_url0, Config) ->
+  application:set_env(rabbitmq_management, oauth_metadata_url, ?config(meta_url0, Config)),
+  Config;
 init_per_group(with_root_issuer_url1, Config) ->
   application:set_env(rabbitmq_auth_backend_oauth2, issuer, ?config(url1, Config)),
   Config;
@@ -542,6 +555,14 @@ should_return_mgt_oauth_provider_url_url1(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
     Config, rabbit, oauth_provider_url, url1).
 
+should_return_mgt_oauth_metadata_url_url1(Config) ->
+  assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
+    Config, rabbit, oauth_metadata_url, meta_url1).
+
+should_return_mgt_oauth_metadata_url_url0(Config) ->
+  assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
+    Config, rabbit, oauth_metadata_url, meta_url0).
+
 should_return_mgt_oauth_provider_url_url0(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
     Config, rabbit, oauth_provider_url, url0).
@@ -585,6 +606,10 @@ should_return_oauth_resource_server_rabbit_with_oauth_provider_url_url1(Config)
   assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
     Config, rabbit, oauth_provider_url, url1).
 
+should_return_oauth_resource_server_rabbit_with_oauth_metadata_url_url1(Config) ->
+  assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
+    Config, rabbit, oauth_provider_url, url1 ).
+
 should_return_oauth_resource_server_rabbit_with_oauth_provider_url_url0(Config) ->
   assertEqual_on_attribute_for_oauth_resource_server(rabbit_mgmt_wm_auth:authSettings(),
     Config, rabbit, oauth_provider_url, url0).
@@ -617,9 +642,9 @@ should_not_return_oauth_scopes(_Config) ->
 
 should_return_oauth_enabled(_Config) ->
   Actual = rabbit_mgmt_wm_auth:authSettings(),
-  log(Actual),
   ?assertEqual(true, proplists:get_value(oauth_enabled, Actual)).
 
+  
 should_return_oauth_idp_initiated_logon(_Config) ->
   Actual = rabbit_mgmt_wm_auth:authSettings(),
   ?assertEqual(<<"idp_initiated">>, proplists:get_value(oauth_initiated_logon_type, Actual)).
@@ -699,6 +724,12 @@ assertEqual_on_attribute_for_oauth_resource_server(Actual, Config, ConfigKey, At
   end,
   ?assertEqual(Value, proplists:get_value(Attribute, OauthResource)).
 
+assert_attribute_is_defined_for_oauth_resource_server(Actual, Config, ConfigKey, Attribute) ->
+  log(Actual),
+  OAuthResourceServers =  proplists:get_value(oauth_resource_servers, Actual),
+  OauthResource = maps:get(?config(ConfigKey, Config), OAuthResourceServers),
+  ?assertEqual(true, proplists:is_defined(Attribute, OauthResource)).
+
 assert_attribute_not_defined_for_oauth_resource_server(Actual, Config, ConfigKey, Attribute) ->
   log(Actual),
   OAuthResourceServers =  proplists:get_value(oauth_resource_servers, Actual),