Update settings in schema

Author: MarcialRosales

deps/rabbitmq_auth_backend_oauth2/include/oauth2.hrl

@@ -50,7 +50,8 @@
   scope_aliases :: map() | undefined,
   oauth_provider_id :: oauth_provider_id(),
   oauth_client_id :: binary() | undefined,
-  oauth_client_secret :: binary() | undefined 
+  oauth_client_secret :: binary() | undefined,
+  access_token_format :: jwt | opaque | undefined
  }).
 
 -type resource_server() :: #resource_server{}.

deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema

@@ -156,16 +156,31 @@
 %% When RabbitMQ sends a request to the authorization server, such as to validate a token,
 %% it must authenticate with the authorization server
 
+{mapping, 
+ "auth_oauth2.access_token_format", 
+ "rabbitmq_auth_backend_oauth2.access_token_format",
+ [{datatype, {enum, [jwt, opaque]}}]}.
+
 {mapping, 
  "auth_oauth2.oauth_client_id", 
  "rabbitmq_auth_backend_oauth2.oauth_client_id",
  [{datatype, string}]}.
 
+{translation,
+ "rabbitmq_auth_backend_oauth2.oauth_client_id",
+ fun(Conf) -> list_to_binary(cuttlefish:conf_get("auth_oauth2.oauth_client_id", Conf))
+ end}.
+
 {mapping, 
  "auth_oauth2.oauth_client_secret", 
  "rabbitmq_auth_backend_oauth2.oauth_client_secret",
 [{datatype, string}]}.
 
+{translation,
+ "rabbitmq_auth_backend_oauth2.oauth_client_secret",
+ fun(Conf) -> list_to_binary(cuttlefish:conf_get("auth_oauth2.oauth_client_secret", Conf))
+ end}.
+
 {mapping,
  "auth_oauth2.issuer",
  "rabbitmq_auth_backend_oauth2.issuer",
@@ -444,6 +459,10 @@
  "rabbitmq_auth_backend_oauth2.resource_servers",
 [{datatype, string}]}.
 
+{mapping, 
+ "auth_oauth2.resource_servers.$name.access_token_format", 
+ "rabbitmq_auth_backend_oauth2.resource_servers",
+ [{datatype, {enum, [jwt, opaque]}}]}.
 
 {translation, "rabbitmq_auth_backend_oauth2.resource_servers",
  fun(Conf) ->

deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_resource_server.erl

@@ -24,7 +24,8 @@ new_resource_server(ResourceServerId) ->
         additional_scopes_key = undefined,
         preferred_username_claims = ?DEFAULT_PREFERRED_USERNAME_CLAIMS,
         scope_aliases = undefined,
-        oauth_provider_id = root
+        oauth_provider_id = root,
+        access_token_format = jwt
     }.
 
 -spec resolve_resource_server_from_audience(binary() | list() | none) ->
@@ -85,6 +86,8 @@ get_root_resource_server() ->
         end,
     ScopePrefix =
         get_env(scope_prefix, DefaultScopePrefix),
+    AccessTokenFormat =
+        get_env(access_token_format, jwt),
     OAuthProviderId =
         case get_env(default_oauth_provider) of
             undefined -> root;
@@ -99,6 +102,7 @@ get_root_resource_server() ->
         additional_scopes_key = AdditionalScopesKey,
         preferred_username_claims = PreferredUsernameClaims,
         scope_aliases = ScopeAliases,
+        access_token_format = AccessTokenFormat,
         oauth_provider_id = OAuthProviderId
     }.
 
@@ -143,6 +147,9 @@ get_resource_server(ResourceServerId, RootResourseServer) when
                 undefined -> erlang:iolist_to_binary([ResourceServerId, <<".">>]);
                 Prefix -> Prefix
             end),
+    AccessTokenFormat =
+        proplists:get_value(access_token_format, ResourceServerProps,
+            RootResourseServer#resource_server.access_token_format),
     OAuthProviderId =
         proplists:get_value(oauth_provider_id, ResourceServerProps,
             RootResourseServer#resource_server.oauth_provider_id),
@@ -155,7 +162,8 @@ get_resource_server(ResourceServerId, RootResourseServer) when
         additional_scopes_key = AdditionalScopesKey,
         preferred_username_claims = PreferredUsernameClaims,
         scope_aliases = ScopeAliases,
-        oauth_provider_id = OAuthProviderId
+        oauth_provider_id = OAuthProviderId,
+        access_token_format = AccessTokenFormat
     }.
 
 -spec find_audience(binary() | list(), list()) ->

deps/rabbitmq_auth_backend_oauth2/src/rabbit_oauth2_schema.erl

@@ -244,16 +244,22 @@ extract_oauth_providers_properties(Settings) ->
 extract_resource_server_properties(Settings) ->
     KeyFun = fun extract_key_as_binary/1,
     ValueFun = fun extract_value/1,
-
-    OAuthProviders = [{Name, {list_to_atom(resource_servers_key_synonym(Key)), list_to_binary(V)}}
+    MapValueFun = fun(V) -> 
+        case V of 
+            jwt -> V;
+            opaque -> V;
+            _ -> list_to_binary(V)
+        end end,
+
+    ResourceServers = [{Name, {list_to_atom(resource_servers_key_synonym(Key)), MapValueFun(V)}}
         || {[?AUTH_OAUTH2, ?RESOURCE_SERVERS, Name, Key], V} <- Settings ],
-    maps:groups_from_list(KeyFun, ValueFun, OAuthProviders).
+    maps:groups_from_list(KeyFun, ValueFun, ResourceServers).
 
 mapOauthProviderProperty({Key, Value}) ->
     {Key, case Key of
         issuer -> validator_https_uri(Key, Value);
         token_endpoint -> validator_https_uri(Key, Value);
-        tokeninfo_endpoint -> validator_https_uri(Key, Value);
+        introspection_endpoint -> validator_https_uri(Key, Value);
         jwks_uri -> validator_https_uri(Key, Value);
         end_session_endpoint -> validator_https_uri(Key, Value);
         authorization_endpoint -> validator_https_uri(Key, Value);

deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets

@@ -31,7 +31,7 @@
             {resource_server_type,<<"new_resource_server_type">>},
             {extra_scopes_source, <<"my_custom_scope_key">>},
             {preferred_username_claims, [<<"user_name">>, <<"username">>, <<"email">>]},
-            {verify_aud, true},
+            {verify_aud, true},            
             {issuer, "https://my-jwt-issuer"},
             {discovery_endpoint_path, "/.well-known/openid-configuration"},
             {discovery_endpoint_params, [
@@ -96,14 +96,14 @@
             {jwks_uri, "https://my-jwt-issuer/jwks.json"},
             {resource_servers,
               #{
+                <<"rabbitmq-customers">> => [
+                  {extra_scopes_source, <<"roles">>},
+                  {id, <<"rabbitmq-customers">>}                  
+                ],
                 <<"rabbitmq-operations">> => [
                   {scope_prefix, <<"api://">>},
                   {id, <<"rabbitmq-operations">>}
-                ],
-                <<"rabbitmq-customers">> => [
-                  {extra_scopes_source, <<"roles">>},
-                  {id, <<"rabbitmq-customers">>}
-                ]
+                ]                
               }
             },
             {key_config, [
@@ -326,5 +326,39 @@
             {extra_scopes_source, <<"roles realm.roles">> }            
         ]}
        ], []
+  },
+  {token_introspection, 
+      "auth_oauth2.resource_server_id = new_resource_server_id
+       auth_oauth2.introspection_endpoint = https://introspect
+       auth_oauth2.access_token_format = jwt
+       auth_oauth2.oauth_client_id = rabbit
+       auth_oauth2.oauth_client_secret = rabbit_secret
+       auth_oauth2.oauth_providers.p.introspection_endpoint = https://introspect_p
+       auth_oauth2.resource_servers.b.access_token_format = opaque
+       auth_oauth2.resource_servers.b.oauth_client_id = rabbit_b
+       auth_oauth2.resource_servers.b.oauth_client_secret = rabbit_secret_b",
+       [
+        {rabbitmq_auth_backend_oauth2, [
+            {introspection_endpoint, "https://introspect"},
+            {oauth_client_secret, <<"rabbit_secret">> },
+            {oauth_client_id, <<"rabbit">> },
+            {access_token_format, jwt},            
+            {resource_server_id,<<"new_resource_server_id">>},            
+            {oauth_providers, #{
+                <<"p">> => [
+                   {introspection_endpoint, "https://introspect_p"}
+                ]
+            }},
+            {resource_servers, #{
+                <<"b">> => [
+                   {oauth_client_secret, <<"rabbit_secret_b">>},
+                   {oauth_client_id, <<"rabbit_b">>},                   
+                   {access_token_format, opaque},
+                   {id, <<"b">>}
+                ]
+            }}
+                       
+        ]}
+       ], []
   }
 ].