Support client_credentials OIDC auth flow (#116)

Author: parkerduckworth

.github/workflows/tests.yaml

@@ -25,6 +25,8 @@ jobs:
       env:
         OKTA_DUMMY_CI_PW: ${{ secrets.OKTA_DUMMY_CI_PW }}
         WCS_DUMMY_CI_PW: ${{ secrets.WCS_DUMMY_CI_PW }}
+        AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+        OKTA_CLIENT_SECRET: ${{ secrets.OKTA_CLIENT_SECRET }}
       run: |
         npm test
         npm run build

.gitignore

@@ -3,3 +3,5 @@ node_modules/
 config.yaml
 lib.js
 weaviate-data/
+.vscode/
+.idea/

ci/compose.sh

@@ -19,5 +19,5 @@ function compose_down_all {
 }
 
 function all_weaviate_ports {
-  echo "8080 8082 8083"
+  echo "8080 8081 8082 8083 8085"
 }

ci/docker-compose-azure-cc.yml

@@ -0,0 +1,29 @@
+
+---
+version: '3.4'
+services:
+  weaviate-auth-azure:
+    command:
+      - --host
+      - 0.0.0.0
+      - --port
+      - '8081'
+      - --scheme
+      - http
+      - --write-timeout=600s
+    image: semitechnologies/weaviate:preview-replace-shardingconfig-replicas-with-replication-factor-29e987d
+    ports:
+      - 8081:8081
+    restart: on-failure:0
+    environment:
+      PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
+      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
+      AUTHENTICATION_OIDC_ENABLED: 'true'
+      AUTHENTICATION_OIDC_CLIENT_ID: '4706508f-30c2-469b-8b12-ad272b3de864'
+      AUTHENTICATION_OIDC_ISSUER: 'https://login.microsoftonline.com/36c47fb4-f57c-4e1c-8760-d42293932cc2/v2.0'
+      AUTHENTICATION_OIDC_USERNAME_CLAIM: 'oid'
+      AUTHENTICATION_OIDC_GROUPS_CLAIM: 'groups'
+      AUTHORIZATION_ADMINLIST_ENABLED: 'true'
+      AUTHORIZATION_ADMINLIST_USERS: 'b6bf8e1d-d398-4e5d-8f1b-50fda9146a64'
+      AUTHENTICATION_OIDC_SCOPES: 'openid,email'
+...

ci/docker-compose-okta-cc.yml

@@ -0,0 +1,28 @@
+---
+version: '3.4'
+services:
+  weaviate-auth-okta-cc:
+    command:
+      - --host
+      - 0.0.0.0
+      - --port
+      - '8082'
+      - --scheme
+      - http
+      - --write-timeout=600s
+    image: semitechnologies/weaviate:1.15.4-b7811d4
+    ports:
+      - 8082:8082
+    restart: on-failure:0
+    environment:
+      PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
+      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
+      AUTHENTICATION_OIDC_ENABLED: 'true'
+      AUTHENTICATION_OIDC_CLIENT_ID: '0oa7e9ipdkVZRUcxo5d7'
+      AUTHENTICATION_OIDC_ISSUER: 'https://dev-32300990.okta.com/oauth2/aus7e9kxbwYQB0eht5d7'
+      AUTHENTICATION_OIDC_USERNAME_CLAIM: 'cid'
+      AUTHENTICATION_OIDC_GROUPS_CLAIM: 'groups'
+      AUTHORIZATION_ADMINLIST_ENABLED: 'true'
+      AUTHORIZATION_ADMINLIST_USERS: '0oa7e9ipdkVZRUcxo5d7'
+      AUTHENTICATION_OIDC_SCOPES: 'openid,email'
+...

ci/docker-compose-okta.yml renamed to ci/docker-compose-okta-users.yml

@@ -6,13 +6,13 @@ services:
       - --host
       - 0.0.0.0
       - --port
-      - '8082'
+      - '8083'
       - --scheme
       - http
       - --write-timeout=600s
     image: semitechnologies/weaviate:1.17.0
     ports:
-      - 8082:8082
+      - 8083:8083
     restart: on-failure:0
     environment:
       PERSISTENCE_DATA_PATH: '/var/lib/weaviate'

ci/docker-compose-wcs.yml

@@ -6,13 +6,13 @@ services:
       - --host
       - 0.0.0.0
       - --port
-      - '8083'
+      - '8085'
       - --scheme
       - http
       - --write-timeout=600s
     image: semitechnologies/weaviate:1.17.0
     ports:
-      - 8083:8083
+      - 8085:8085
     restart: on-failure:0
     environment:
       PERSISTENCE_DATA_PATH: '/var/lib/weaviate'

connection/auth.js

@@ -2,16 +2,16 @@ export class Authenticator {
   constructor(http, creds) {
     this.http = http;
     this.creds = creds;
-    this.bearerToken = "";
+    this.accessToken = "";
     this.refreshToken = "";
-    this.expirationEpoch = 0
+    this.expiresAt = 0
     this.refreshRunning = false;
 
     // If the authentication method is access token,
     // our bearer token is already available for use
     if (this.creds instanceof AuthAccessTokenCredentials) {
-      this.bearerToken = this.creds.accessToken;
-      this.expirationEpoch = calcExpirationEpoch(this.creds.expiresIn);
+      this.accessToken = this.creds.accessToken;
+      this.expiresAt = calcExpirationEpoch(this.creds.expiresIn);
       this.refreshToken = this.creds.refreshToken;
     }
   }
@@ -27,14 +27,17 @@ export class Authenticator {
       case AuthAccessTokenCredentials:
         authenticator = new AccessTokenAuthenticator(this.http, this.creds, config);
         break;
+      case AuthClientCredentials:
+        authenticator = new ClientCredentialsAuthenticator(this.http, this.creds, config);
+        break;
       default:
         throw new Error("unsupported credential type");
     }
 
     return authenticator.refresh()
       .then(resp => {
-        this.bearerToken = resp.bearerToken;
-        this.expirationEpoch = resp.expirationEpoch;
+        this.accessToken = resp.accessToken;
+        this.expiresAt = resp.expiresAt;
         this.refreshToken = resp.refreshToken;
         if (!this.refreshRunning) {
           this.runBackgroundTokenRefresh(authenticator);
@@ -47,20 +50,21 @@ export class Authenticator {
     return this.http.externalGet(localConfig.href)
       .then(openidProviderConfig => {
         return {
-          clientId: localConfig.clientId, 
-          provider: openidProviderConfig
+          clientId: localConfig.clientId,
+          provider: openidProviderConfig,
+          scopes: localConfig.scopes
         };
       });
   };
 
   runBackgroundTokenRefresh = (authenticator) => {
-    setInterval(async () => { 
+    setInterval(async () => {
       // check every 30s if the token will expire in <= 1m,
       // if so, refresh
-      if (this.expirationEpoch - Date.now() <= 60_000) {
+      if (this.expiresAt - Date.now() <= 60_000) {
         var resp = await authenticator.refresh();
-        this.bearerToken = resp.bearerToken;
-        this.expirationEpoch = resp.expirationEpoch;
+        this.accessToken = resp.accessToken;
+        this.expiresAt = resp.expiresAt;
         this.refreshToken = resp.refreshToken;
       }
     }, 30_000)
@@ -71,6 +75,7 @@ export class AuthUserPasswordCredentials {
   constructor(creds) {
     this.username = creds.username;
     this.password = creds.password;
+    this.scopes = creds.scopes;
   }
 }
 
@@ -79,15 +84,18 @@ class UserPasswordAuthenticator {
     this.http = http;
     this.creds = creds;
     this.openidConfig = config;
+    if (creds.scopes) {
+      this.openidConfig.scopes.push(creds.scopes);
+    }
   }
 
   refresh = () => {
     this.validateOpenidConfig();
     return this.requestAccessToken()
       .then(tokenResp => {
         return {
-          bearerToken: tokenResp.access_token,
-          expirationEpoch: calcExpirationEpoch(tokenResp.expires_in),
+          accessToken: tokenResp.access_token,
+          expiresAt: calcExpirationEpoch(tokenResp.expires_in),
           refreshToken: tokenResp.refresh_token
         };
       })
@@ -98,37 +106,38 @@ class UserPasswordAuthenticator {
       });
   };
 
+  validateOpenidConfig = () => {
+    if (this.openidConfig.provider.grant_types_supported !== undefined &&
+      !this.openidConfig.provider.grant_types_supported.includes("password")) {
+      throw new Error("grant_type password not supported");
+    }
+    if (this.openidConfig.provider.token_endpoint.includes(
+      "https://login.microsoftonline.com")) {
+      throw new Error("microsoft/azure recommends to avoid authentication using " +
+        "username and password, so this method is not supported by this client");
+    }
+    this.openidConfig.scopes.push("offline_access");
+  };
+
   requestAccessToken = () => {
     var url = this.openidConfig.provider.token_endpoint;
     var params = new URLSearchParams({
       grant_type: "password",
       client_id: this.openidConfig.clientId,
       username: this.creds.username,
       password: this.creds.password,
-      scope: "openid offline_access"
+      scope: this.openidConfig.scopes.join(" ")
     });
     let contentType = "application/x-www-form-urlencoded;charset=UTF-8";
     return this.http.externalPost(url, params, contentType);
   };
-
-  validateOpenidConfig = () => {
-    if (this.openidConfig.provider.grant_types_supported !== undefined &&
-      !this.openidConfig.provider.grant_types_supported.includes("password")) {
-        throw new Error("grant_type password not supported");
-      }
-    if (this.openidConfig.provider.token_endpoint.includes(
-      "https://login.microsoftonline.com")) {
-        throw new Error("microsoft/azure recommends to avoid authentication using "+
-          "username and password, so this method is not supported by this client");
-      }
-  };
 }
 
 export class AuthAccessTokenCredentials {
   constructor(creds) {
     this.validate(creds);
     this.accessToken = creds.accessToken;
-    this.expirationEpoch = calcExpirationEpoch(creds.expiresIn);
+    this.expiresAt = calcExpirationEpoch(creds.expiresIn);
     this.refreshToken = creds.refreshToken;
   }
 
@@ -153,16 +162,16 @@ class AccessTokenAuthenticator {
     if (this.creds.refreshToken === undefined || this.creds.refreshToken == "") {
       console.warn("AuthAccessTokenCredentials not provided with refreshToken, cannot refresh");
       return Promise.resolve({
-          bearerToken: this.creds.accessToken,
-          expirationEpoch: this.creds.expirationEpoch
+        accessToken: this.creds.accessToken,
+        expiresAt: this.creds.expiresAt
       });
     }
     this.validateOpenidConfig();
     return this.requestAccessToken()
       .then(tokenResp => {
         return {
-          bearerToken: tokenResp.access_token,
-          expirationEpoch: calcExpirationEpoch(tokenResp.expires_in),
+          accessToken: tokenResp.access_token,
+          expiresAt: calcExpirationEpoch(tokenResp.expires_in),
           refreshToken: tokenResp.refresh_token
         };
       })
@@ -176,8 +185,8 @@ class AccessTokenAuthenticator {
   validateOpenidConfig = () => {
     if (this.openidConfig.provider.grant_types_supported === undefined ||
       !this.openidConfig.provider.grant_types_supported.includes("refresh_token")) {
-        throw new Error("grant_type refresh_token not supported");
-      }
+      throw new Error("grant_type refresh_token not supported");
+    }
   };
 
   requestAccessToken = () => {
@@ -192,6 +201,66 @@ class AccessTokenAuthenticator {
   };
 }
 
+export class AuthClientCredentials {
+  constructor(creds) {
+    this.clientSecret = creds.clientSecret;
+    this.scopes = creds.scopes;
+  }
+}
+
+class ClientCredentialsAuthenticator {
+  constructor(http, creds, config) {
+    this.http = http;
+    this.creds = creds;
+    this.openidConfig = config;
+    if (creds.scopes) {
+      this.openidConfig.scopes.push(creds.scopes);
+    }
+  }
+
+  refresh = () => {
+    this.validateOpenidConfig();
+    return this.requestAccessToken()
+      .then(tokenResp => {
+        return {
+          accessToken: tokenResp.access_token,
+          expiresAt: calcExpirationEpoch(tokenResp.expires_in),
+          refreshToken: tokenResp.refresh_token
+        };
+      })
+      .catch(err => {
+        return Promise.reject(
+          new Error(`failed to refresh access token: ${err}`)
+        );
+      });
+  };
+
+  validateOpenidConfig = () => {
+    this.openidConfig.scopes = this.openidConfig.scopes
+      .filter(scope => scope != "openid" && scope != "email");
+    if (this.openidConfig.scopes.length > 0) {
+      return;
+    }
+    if (this.openidConfig.provider.token_endpoint
+      .includes("https://login.microsoftonline.com")) {
+      this.openidConfig.scopes.push(this.openidConfig.clientId + "/.default");
+    }
+  };
+
+  requestAccessToken = () => {
+    var url = this.openidConfig.provider.token_endpoint;
+    var params = new URLSearchParams({
+      grant_type: "client_credentials",
+      client_id: this.openidConfig.clientId,
+      client_secret: this.creds.clientSecret,
+      scope: this.openidConfig.scopes.join(" ")
+    });
+
+    let contentType = "application/x-www-form-urlencoded;charset=UTF-8";
+    return this.http.externalPost(url, params, contentType);
+  };
+}
+
 function calcExpirationEpoch(expiresIn) {
   return Date.now() + ((expiresIn - 2) * 1000) // -2 for some lag
 }

connection/index.js

@@ -91,9 +91,9 @@ export default class Connection {
       return "";
     }
 
-    if (Date.now() >= this.auth.expirationEpoch) {
+    if (Date.now() >= this.auth.expiresAt) {
       await this.auth.refresh(localConfig);
     }
-    return this.auth.bearerToken;
+    return this.auth.accessToken;
   };
 }