Additional OIDC config (#562)

Author: olevitt

README.md

@@ -56,27 +56,23 @@ Each variable can be overridden using environment variables.
 | `authentication.mode` | `none` | Supported modes are : `none`, `openidconnect` (must be configured) |
 
 ### Open id configuration (used when `authentication.mode`=`openidconnect`)  
-You have to specify `oidc.issuer-uri`. `oidc.jwk-uri` is optional.  
-Common used configurations :  
-| Provider | `oidc.issuer-uri` | `oidc.jwk-uri` |
-|---|---|---|
-| Keycloak  | `https://keycloak.example.com/auth/realms/REALMNAME` |   |
-| Google  | https://accounts.google.com  | `https://www.googleapis.com/oauth2/v3/certs` |
-| Microsoft | `https://login.microsoftonline.com/TENANTID/v2.0` |   |
+
+The only two required parameters are `oidc.issuer-uri` and `oidc.clientID`. See below for more details.
 
 Configurable properties :  
 | Key | Default | Description |
 | -------------------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
-| `oidc.issuer-uri` | | Issuer URI, should be the same as the `iss` field of the tokens |
-| `oidc.skip-tls-verify` | `false` | Disable tls cert verification when retrieving keys from the IDP. Not intended for production. Consider mounting the proper `cacerts` instead of disabling the verification. |
-| `oidc.jwk-uri` | | JWK URI, useful when auto discovery is not available or when `iss` is not consistent across tokens (e.g [Google](https://stackoverflow.com/questions/38618826/can-i-get-a-consistent-iss-value-for-a-google-openidconnect-id-token)) |
-| `oidc.public-key` | | Public key used for validating incoming tokens. Don't provide this if you set `issuer-uri` or `jwk-uri` as it will be bootstrapped from that. This is useful if Onyxia-API has trouble connecting to your IDP (e.g self signed certificate). You can usually get this key directly by loading the issuer URI : (e.g `https://auth.example.com/realms/my-realm`) |
+| `oidc.issuer-uri` | | Issuer URI. Onyxia-API will use this URL to retrieve the public key for token validation. e.g for Keycloak : `https://keycloak.example.com/auth/realms/REALMNAME` |
 | `oidc.clientID` | | Client id to be used by Onyxia web application |
-| `oidc.audience` | | Optional : audience to validate. Must be the same as the token's `aud` field |
 | `oidc.username-claim` | `preferred_username` | Claim to be used as user id. Must conform to [RFC 1123](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-label-names) |
 | `oidc.groups-claim` | `groups` | Claim to be used as list of user groups. |
 | `oidc.roles-claim` | `roles` | Claim to be used as list of user roles. |
+| `oidc.audience` | | Optional : audience to validate. Must be the same as the token's `aud` field |
+| `oidc.skip-tls-verify` | `false` | Disable tls cert verification when retrieving keys from the IDP. Not intended for production. Consider mounting the proper `cacerts` instead of disabling the verification. |
+| `oidc.public-key` | | Optional: If for some reason you don't want Onyxia-API to bootstrap configuration by requesting the `issuer-uri` then you can manually provide the public key used for validating incoming tokens. |
 | `oidc.extra-query-params` | | Optional : query params to be added by client. e.g : `prompt=consent&kc_idp_hint=google` |
+| `oidc.scope` | `openid profile` | Optional : Specifies the OIDC scopes to be requested by the Onyxia client. `"openid"` is always requested, regardless of this setting. |
+| `oidc.workaroundForGoogleClientSecret` | | For some reasons, Google OAuth requires providing a client secret even for public clients. ⚠️ Use this configuration only if using Google OAuth ! ⚠️ For all other providers you should not have client secret as the Onyxia client is public. Example client secret format: " `GOCSPX-_xxxxxxxxxxxxxxxxxxxxxxxxxxx` |
 
 ### Security configuration :
 | Key | Default | Description |

onyxia-api/src/main/java/fr/insee/onyxia/api/Application.java

@@ -37,16 +37,11 @@ public void onApplicationEvent(ApplicationEnvironmentPreparedEvent event) {
             ConfigurableEnvironment environment = event.getEnvironment();
             MutablePropertySources propertySources = environment.getPropertySources();
             Map<String, Object> myMap = new HashMap<>();
-            String oidcJwkUri = environment.getProperty("oidc.jwk-uri");
             String oidcIssuerUri = environment.getProperty("oidc.issuer-uri");
-            LOGGER.info("oidc properties, jwk-uri: {}, issuer-uri: {}", oidcJwkUri, oidcIssuerUri);
 
             if (StringUtils.isNotEmpty(oidcIssuerUri)) {
                 myMap.put("spring.security.oauth2.resourceserver.jwt.issuer-uri", oidcIssuerUri);
             }
-            if (StringUtils.isNotEmpty(oidcJwkUri)) {
-                myMap.put("spring.security.oauth2.resourceserver.jwt.jwk-set-uri", oidcJwkUri);
-            }
             propertySources.addFirst(new MapPropertySource("ALIASES", myMap));
         }
     }

onyxia-api/src/main/java/fr/insee/onyxia/api/controller/pub/ConfigurationController.java

@@ -54,6 +54,9 @@ public AppInfo configuration() {
             OIDCConfiguration.setIssuerURI(oidcConfiguration.getIssuerUri());
             OIDCConfiguration.setClientID(oidcConfiguration.getClientID());
             OIDCConfiguration.setExtraQueryParams(oidcConfiguration.getExtraQueryParams());
+            OIDCConfiguration.setWorkaroundForGoogleClientSecret(
+                    oidcConfiguration.getWorkaroundForGoogleClientSecret());
+            OIDCConfiguration.setScope(oidcConfiguration.getScope());
             appInfo.setOidcConfiguration(OIDCConfiguration);
         }
         return appInfo;

onyxia-api/src/main/java/fr/insee/onyxia/api/security/OIDCConfiguration.java

@@ -79,9 +79,6 @@ public class OIDCConfiguration {
     @Value("${oidc.public-key}")
     private String publicKey;
 
-    @Value("${oidc.jwk-uri}")
-    private String jwkUri;
-
     @Value("${oidc.audience}")
     private String audience;
 
@@ -94,6 +91,12 @@ public class OIDCConfiguration {
     @Value("${oidc.extra-query-params}")
     private String extraQueryParams;
 
+    @Value("${oidc.scope}")
+    private String scope;
+
+    @Value("${oidc.workaroundForGoogleClientSecret}")
+    private String workaroundForGoogleClientSecret;
+
     private final HttpRequestUtils httpRequestUtils;
 
     private static final Logger LOGGER = LoggerFactory.getLogger(OIDCConfiguration.class);
@@ -229,14 +232,6 @@ public void setIssuerUri(String issuerUri) {
         this.issuerUri = issuerUri;
     }
 
-    public String getJwkUri() {
-        return jwkUri;
-    }
-
-    public void setJwkUri(String jwkUri) {
-        this.jwkUri = jwkUri;
-    }
-
     public String getAudience() {
         return audience;
     }
@@ -269,15 +264,44 @@ public void setExtraQueryParams(String extraQueryParams) {
         this.extraQueryParams = extraQueryParams;
     }
 
+    public boolean isSkipTlsVerify() {
+        return skipTlsVerify;
+    }
+
+    public void setSkipTlsVerify(boolean skipTlsVerify) {
+        this.skipTlsVerify = skipTlsVerify;
+    }
+
+    public String getRolesClaim() {
+        return rolesClaim;
+    }
+
+    public void setRolesClaim(String rolesClaim) {
+        this.rolesClaim = rolesClaim;
+    }
+
+    public String getScope() {
+        return scope;
+    }
+
+    public void setScope(String scope) {
+        this.scope = scope;
+    }
+
+    public void setWorkaroundForGoogleClientSecret(String workaroundForGoogleClientSecret) {
+        this.workaroundForGoogleClientSecret = workaroundForGoogleClientSecret;
+    }
+
+    public String getWorkaroundForGoogleClientSecret() {
+        return workaroundForGoogleClientSecret;
+    }
+
     @Bean
     @ConditionalOnProperty(prefix = "oidc", name = "issuer-uri")
     NimbusJwtDecoder jwtDecoder() {
         NimbusJwtDecoder decoder = null;
         OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefault();
-        if (StringUtils.isNotEmpty(jwkUri)) {
-            LOGGER.info("OIDC : using JWK URI {} to validate tokens", jwkUri);
-            decoder = NimbusJwtDecoder.withJwkSetUri(jwkUri).build();
-        } else if (StringUtils.isNotEmpty(publicKey)) {
+        if (StringUtils.isNotEmpty(publicKey)) {
             LOGGER.info("OIDC : using public key {} to validate tokens", publicKey);
             try {
                 byte[] decodedKey = Base64.getDecoder().decode(publicKey);

onyxia-api/src/main/resources/application.properties

@@ -3,14 +3,15 @@ authentication.mode=none
 # Open id connect authentication
 oidc.issuer-uri=
 oidc.skip-tls-verify=false
-oidc.jwk-uri=
 oidc.public-key=
 oidc.clientID=onyxia
 oidc.audience=
 oidc.username-claim=preferred_username
 oidc.groups-claim=groups
 oidc.roles-claim=roles
 oidc.extra-query-params=
+oidc.scope=openid profile
+oidc.workaroundForGoogleClientSecret=
 # Catalogs
 catalogs.refresh.ms=300000
 # Security

onyxia-model/src/main/java/fr/insee/onyxia/model/region/Region.java

@@ -785,8 +785,9 @@ public static class OIDCConfiguration {
 
         private String issuerURI;
         private String clientID;
-
         private String extraQueryParams;
+        private String scope;
+        private String workaroundForGoogleClientSecret;
 
         public String getIssuerURI() {
             return issuerURI;
@@ -811,6 +812,22 @@ public String getExtraQueryParams() {
         public void setExtraQueryParams(String extraQueryParams) {
             this.extraQueryParams = extraQueryParams;
         }
+
+        public String getWorkaroundForGoogleClientSecret() {
+            return workaroundForGoogleClientSecret;
+        }
+
+        public void setWorkaroundForGoogleClientSecret(String workaroundForGoogleClientSecret) {
+            this.workaroundForGoogleClientSecret = workaroundForGoogleClientSecret;
+        }
+
+        public String getScope() {
+            return scope;
+        }
+
+        public void setScope(String scope) {
+            this.scope = scope;
+        }
     }
 
     public static class Expose {