Improve configuration of introspection

Author: MarcialRosales

deps/oauth2_client/include/types.hrl

@@ -26,11 +26,13 @@
     issuer :: option(uri_string:uri_string()),
     discovery_endpoint :: option(uri_string:uri_string()),
     token_endpoint :: option(uri_string:uri_string()),
-    tokeninfo_endpoint :: option(uri_string:uri_string()),
     authorization_endpoint :: option(uri_string:uri_string()),
     end_session_endpoint :: option(uri_string:uri_string()),
     jwks_uri :: option(uri_string:uri_string()),
     introspection_endpoint :: option(uri_string:uri_string()),
+    introspection_client_id :: binary() | undefined,
+    introspection_client_secret :: binary() | undefined,
+    introspection_client_auth_method :: basic | request_param | undefined,
     ssl_options :: option(list())
 }).
 

deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema

@@ -153,32 +153,36 @@
     rabbit_oauth2_schema:translate_signing_keys(Conf)
  end}.
 
-%% When RabbitMQ sends a request to the authorization server, such as to validate a token,
-%% it must authenticate with the authorization server
-
 {mapping, 
  "auth_oauth2.access_token_format", 
  "rabbitmq_auth_backend_oauth2.access_token_format",
  [{datatype, {enum, [jwt, opaque]}}]}.
 
+%% basic_authorization -> Authorization: Basic base64(client_id, client_secret)
+%% post_request_param -> &client_id=<client_id>&client_secret=<client_secret>
+{mapping, 
+ "auth_oauth2.introspection_client_auth_method", 
+ "rabbitmq_auth_backend_oauth2.introspection_client_auth_method",
+ [{datatype, {enum, [basic, request_param]}}]}.
+
 {mapping, 
- "auth_oauth2.oauth_client_id", 
- "rabbitmq_auth_backend_oauth2.oauth_client_id",
+ "auth_oauth2.introspection_client_id", 
+ "rabbitmq_auth_backend_oauth2.introspection_client_id",
  [{datatype, string}]}.
 
 {translation,
- "rabbitmq_auth_backend_oauth2.oauth_client_id",
- fun(Conf) -> list_to_binary(cuttlefish:conf_get("auth_oauth2.oauth_client_id", Conf))
+ "rabbitmq_auth_backend_oauth2.introspection_client_id",
+ fun(Conf) -> list_to_binary(cuttlefish:conf_get("auth_oauth2.introspection_client_id", Conf))
  end}.
 
 {mapping, 
- "auth_oauth2.oauth_client_secret", 
- "rabbitmq_auth_backend_oauth2.oauth_client_secret",
+ "auth_oauth2.introspection_client_secret", 
+ "rabbitmq_auth_backend_oauth2.introspection_client_secret",
 [{datatype, string}]}.
 
 {translation,
- "rabbitmq_auth_backend_oauth2.oauth_client_secret",
- fun(Conf) -> list_to_binary(cuttlefish:conf_get("auth_oauth2.oauth_client_secret", Conf))
+ "rabbitmq_auth_backend_oauth2.introspection_client_secret",
+ fun(Conf) -> list_to_binary(cuttlefish:conf_get("auth_oauth2.introspection_client_secret", Conf))
  end}.
 
 {mapping,
@@ -346,6 +350,23 @@
  "rabbitmq_auth_backend_oauth2.oauth_providers",
  [{datatype, string}, {validators, ["uri", "https_uri"]}]}.
 
+%% basic_authorization -> Authorization: Basic base64(client_id, client_secret)
+%% post_request_param -> &client_id=<client_id>&client_secret=<client_secret>
+{mapping, 
+ "auth_oauth2.oauth_providers.$name.introspection_client_auth_method", 
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+ [{datatype, {enum, [basic, request_param]}}]}.
+
+{mapping, 
+ "auth_oauth2.oauth_providers.$name.introspection_client_id", 
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+ [{datatype, string}]}.
+
+{mapping, 
+ "auth_oauth2.oauth_providers.$name.introspection_client_secret", 
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+[{datatype, string}]}.
+
 {mapping,
  "auth_oauth2.oauth_providers.$name.https.verify",
  "rabbitmq_auth_backend_oauth2.oauth_providers",
@@ -447,18 +468,6 @@
  "rabbitmq_auth_backend_oauth2.resource_servers",
  [{datatype, string}]}.
 
-%% When RabbitMQ sends a request to the authorization server, such as to validate a token,
-%% it must authenticate with the authorization server
-{mapping, 
- "auth_oauth2.resource_servers.$name.oauth_client_id", 
- "rabbitmq_auth_backend_oauth2.resource_servers",
- [{datatype, string}]}.
-
-{mapping, 
- "auth_oauth2.resource_servers.$name.oauth_client_secret", 
- "rabbitmq_auth_backend_oauth2.resource_servers",
-[{datatype, string}]}.
-
 {mapping, 
  "auth_oauth2.resource_servers.$name.access_token_format", 
  "rabbitmq_auth_backend_oauth2.resource_servers",

deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets

@@ -331,33 +331,40 @@
       "auth_oauth2.resource_server_id = new_resource_server_id
        auth_oauth2.introspection_endpoint = https://introspect
        auth_oauth2.access_token_format = jwt
-       auth_oauth2.oauth_client_id = rabbit
-       auth_oauth2.oauth_client_secret = rabbit_secret
-       auth_oauth2.oauth_providers.p.introspection_endpoint = https://introspect_p
-       auth_oauth2.resource_servers.b.access_token_format = opaque
-       auth_oauth2.resource_servers.b.oauth_client_id = rabbit_b
-       auth_oauth2.resource_servers.b.oauth_client_secret = rabbit_secret_b",
+       auth_oauth2.introspection_client_auth_method = basic
+       auth_oauth2.introspection_client_id = rabbit
+       auth_oauth2.introspection_client_secret = rabbit_secret",
        [
         {rabbitmq_auth_backend_oauth2, [
+            {access_token_format, jwt},
+            {introspection_client_auth_method, basic },
+            {introspection_client_id, <<"rabbit">> },
+            {introspection_client_secret, <<"rabbit_secret">> },
             {introspection_endpoint, "https://introspect"},
-            {oauth_client_secret, <<"rabbit_secret">> },
-            {oauth_client_id, <<"rabbit">> },
-            {access_token_format, jwt},            
-            {resource_server_id,<<"new_resource_server_id">>},            
+            {resource_server_id, <<"new_resource_server_id">>}
+          ]
+        }
+       ], []
+   },
+   {token_introspection_via_oauth_providers, 
+      "auth_oauth2.resource_server_id = new_resource_server_id
+       auth_oauth2.access_token_format = jwt
+       auth_oauth2.oauth_providers.p.introspection_endpoint = https://introspect
+       auth_oauth2.oauth_providers.p.introspection_client_auth_method = basic
+       auth_oauth2.oauth_providers.p.introspection_client_id = rabbit
+       auth_oauth2.oauth_providers.p.introspection_client_secret = rabbit_secret",
+       [
+        {rabbitmq_auth_backend_oauth2, [
+            {access_token_format, jwt},
+            {resource_server_id, <<"new_resource_server_id">>},
             {oauth_providers, #{
-                <<"p">> => [
-                   {introspection_endpoint, "https://introspect_p"}
-                ]
-            }},
-            {resource_servers, #{
-                <<"b">> => [
-                   {oauth_client_secret, <<"rabbit_secret_b">>},
-                   {oauth_client_id, <<"rabbit_b">>},                   
-                   {access_token_format, opaque},
-                   {id, <<"b">>}
-                ]
-            }}
-                       
+              <<"p">> => [
+                {introspection_client_auth_method, basic},
+                {introspection_client_id, <<"rabbit">>},
+                {introspection_client_secret, <<"rabbit_secret">>},
+                {introspection_endpoint, <<"https://introspect">>}
+              ]
+            }}                       
         ]}
        ], []
   }

deps/rabbitmq_auth_backend_oauth2/test/rabbit_oauth2_resource_server_SUITE.erl

@@ -48,7 +48,8 @@ groups() -> [
             verify_get_rabbitmq_server_configuration()}
     ]},
     {without_resource_server_id, [], [
-        resolve_resource_server_id_for_any_audience_returns_no_matching_aud_found
+        resolve_resource_server_id_for_any_audience_returns_no_matching_aud_found,
+        cannot_resolve_resource_server_for_opaque_access_token
     ]},
 
     {with_two_resource_servers, [], [
@@ -57,13 +58,17 @@ groups() -> [
         resolve_resource_server_id_for_both_resources_returns_error,
         resolve_resource_server_for_none_audience_returns_no_aud_found,
         resolve_resource_server_for_unknown_audience_returns_no_matching_aud_found,
+        cannot_resolve_resource_server_for_opaque_access_token,
         {with_verify_aud_false, [], [
             resolve_resource_server_for_none_audience_returns_rabbitmq2,
             resolve_resource_server_for_unknown_audience_returns_rabbitmq2,
             {with_rabbitmq1_verify_aud_false, [], [
                 resolve_resource_server_for_none_audience_returns_error
             ]}
         ]},
+        {with_opaque_access_token_format_for_rabbitmq1_and_rabbitmq2, [], [
+            resolve_resource_server_for_opaque_access_token
+        ]},
         verify_rabbitmq1_server_configuration,
         {verify_configuration_inheritance_with_rabbitmq2, [],
             verify_configuration_inheritance_with_rabbitmq2()},
@@ -215,6 +220,15 @@ init_per_group(with_opaque_access_token_format, Config) ->
     set_env(access_token_format, opaque),
     Config;
 
+init_per_group(with_opaque_access_token_format_for_rabbitmq1_and_rabbitmq2, Config) ->
+    RabbitMQServers = get_env(resource_servers, #{}),
+    Resource0 = maps:get(?RABBITMQ_RESOURCE_ONE, RabbitMQServers, []),
+    Resource = [{access_token_format, opaque} | Resource0],
+    Maps0 = maps:put(?RABBITMQ_RESOURCE_ONE, Resource, RabbitMQServers),
+    Maps1 = maps:put(?RABBITMQ_RESOURCE_TWO, Resource, Maps0),
+    set_env(resource_servers, Maps1),
+    Config;
+
 init_per_group(_any, Config) ->
     Config.