Feature/1356 openid configuration (#1357)

MikeNeilson · web-flow · commit 678e63cf6c07 · 2026-03-09T07:16:35.000-07:00
Fixes #1356. Definitely still needs work (should only try the initOAuth if an OAuth based security scheme is actually present, but it gets the idea across. Unfortunately, at least using the default Swagger Authentication system, I don't think I can do what I wanted where one, in the auth button, could have a login that would automatically work and pass the additional required query parameter. The SwaggerUI code simply doesn't do anything with extension values provided in the scheme. However, that really only affects the SwaggerUI not usages of the application itself. So I'm inclined not to worry about it and will strip of some of the extra elements I added to the code. Good news is, does pre-populate the client id, and the login flow behaves correctly; I was redirected to the local docker-compose keycloak and saw the kc_idp_hint field on the request so in environment should behave the same.
diff --git a/Dockerfile b/Dockerfile
@@ -56,6 +56,9 @@ ENV cwms.dataapi.access.providers="KeyAccessManager,OpenID"
 ENV cwms.dataapi.access.openid.wellKnownUrl="https://<prefix>/.well-known/openid-configuration"
 ENV cwms.dataapi.access.openid.issuer="<issuer>"
 ENV cwms.dataapi.access.openid.timeout="604800"
+# Putting default values here to easy configuration
+ENV cwms.dataapi.access.openid.clientId=cwms
+ENV cwms.dataapi.access.openid.idpHint=federation-eams
 #ENV cwms.dataapi.access.openid.altAuthUrl="https://identityc-test.cwbi.us/auth/realms/cwbi"
 
 # used to simplify redeploy in certain contexts. Update to match -<marker> in image label
diff --git a/cda-gui/package-lock.json b/cda-gui/package-lock.json
diff --git a/cda-gui/package.json b/cda-gui/package.json
@@ -29,7 +29,7 @@
     "react-dom": "^18.2.0",
     "react-icons": "^5.0.1",
     "react-router-dom": "^7.1.2",
-    "swagger-ui-dist": "^5.17.7",
+    "swagger-ui-dist": "^5.29.5",
     "use-debounce": "^10.0.5"
   },
   "devDependencies": {
diff --git a/cda-gui/public/oauth2-redirect.html b/cda-gui/public/oauth2-redirect.html
@@ -0,0 +1,6 @@
+<!doctype html>
+<html lang="en-US">
+<body>
+<script src="oauth2-redirect.js"></script>
+</body>
+</html>
diff --git a/cda-gui/public/oauth2-redirect.js b/cda-gui/public/oauth2-redirect.js
@@ -0,0 +1,69 @@
+"use strict"
+function run () {
+    var oauth2 = window.opener.swaggerUIRedirectOauth2
+    var sentState = oauth2.state
+    var redirectUrl = oauth2.redirectUrl
+    var isValid, qp, arr
+
+    if (/code|token|error/.test(window.location.hash)) {
+        qp = window.location.hash.substring(1).replace("?", "&")
+    } else {
+        qp = location.search.substring(1)
+    }
+
+    arr = qp.split("&")
+    arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace("=", '":"') + '"' })
+    qp = qp ? JSON.parse("{" + arr.join() + "}",
+            function (key, value) {
+                return key === "" ? value : decodeURIComponent(value)
+            }
+    ) : {}
+
+    isValid = qp.state === sentState
+
+    if ((
+        oauth2.auth.schema.get("flow") === "accessCode" ||
+        oauth2.auth.schema.get("flow") === "authorizationCode" ||
+        oauth2.auth.schema.get("flow") === "authorization_code"
+    ) && !oauth2.auth.code) {
+        if (!isValid) {
+            oauth2.errCb({
+                authId: oauth2.auth.name,
+                source: "auth",
+                level: "warning",
+                message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
+            })
+        }
+
+        if (qp.code) {
+            delete oauth2.state
+            oauth2.auth.code = qp.code
+            oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl})
+        } else {
+            let oauthErrorMsg
+            if (qp.error) {
+                oauthErrorMsg = "["+qp.error+"]: " +
+                    (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
+                    (qp.error_uri ? "More info: "+qp.error_uri : "")
+            }
+
+            oauth2.errCb({
+                authId: oauth2.auth.name,
+                source: "auth",
+                level: "error",
+                message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
+            })
+        }
+    } else {
+        oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl})
+    }
+    window.close()
+}
+
+if( document.readyState !== "loading" ) {
+    run()
+} else {
+    document.addEventListener("DOMContentLoaded", function () {
+    run()
+    })
+}
diff --git a/cda-gui/src/pages/swagger-ui/index.jsx b/cda-gui/src/pages/swagger-ui/index.jsx
@@ -5,32 +5,63 @@ import { useEffect } from "react";
 import { getBasePath } from "../../utils/base";
 
 export default function SwaggerUI() {
-  useEffect(() => {
-    // document.querySelector("#swagger-ui").prepend(Index)
-    // TODO: Add page index to top of page
-    // Alter the page title to match the swagger page
-    document.title = "CWMS Data API for Data Retrieval - Swagger UI";
-    // Begin Swagger UI call region
-    // TODO: add endpoint that dynamic returns swagger generated doc
-    SwaggerUIBundle({
-      url: getBasePath() + "/swagger-docs",
-      dom_id: "#swagger-ui",
-      deepLinking: false,
-      presets: [SwaggerUIBundle.presets.apis],
-      plugins: [SwaggerUIBundle.plugins.DownloadUrl],
-      requestInterceptor: (req) => {
-        // Add a cache-busting query param
-        const sep = req.url.includes("?") ? "&" : "?";
-        req.url = `${req.url}${sep}_cb=${Date.now()}`;
+    useEffect(() => {
+        // document.querySelector("#swagger-ui").prepend(Index)
+        // TODO: Add page index to top of page
+        // Alter the page title to match the swagger page
+        document.title = "CWMS Data API for Data Retrieval - Swagger UI";
+        // Begin Swagger UI call region
+        // TODO: add endpoint that dynamic returns swagger generated doc
 
-        // Also ask intermediaries not to serve from cache
-        req.headers["Cache-Control"] = "no-cache, no-store, max-age=0";
-        req.headers["Pragma"] = "no-cache";
+        const ui = SwaggerUIBundle({
+            url: getBasePath() + "/swagger-docs",
+            
+            dom_id: "#swagger-ui",
+            deepLinking: false,
+            presets: [SwaggerUIBundle.presets.apis],
+            plugins: [SwaggerUIBundle.plugins.DownloadUrl],
+            requestInterceptor: (req) => {
+                // Add a cache-busting query param... but only if it's to our api. Some
+                // external systems, like keycloak, don't allow random unknown parameters.
+                const origin = window.location.origin;                
+                const re = new RegExp(`^${origin}.*`)
+                if (re.test(req.url))
+                {
+                    const sep = req.url.includes("?") ? "&" : "?";
+                    req.url = `${req.url}${sep}_cb=${Date.now()}`;
 
-        return req;
-      },
-    });
-  }, []);
+                    // Also ask intermediaries not to serve from cache
+                    req.headers["Cache-Control"] = "no-cache, no-store, max-age=0";
+                    req.headers["Pragma"] = "no-cache";
+                }
+                return req;
+            },
+            onComplete: () => {
+                const spec = JSON.parse(ui.spec().get("spec"));
+                for (const schemeName in spec.components.securitySchemes) {
+                    const scheme = spec.components.securitySchemes[schemeName];
+                    if (scheme.type === "openIdConnect") {
+                        let additionalParams = null;
+                        let hints = scheme["x-kc_idp_hint"];
+                        if (hints) {
+                            additionalParams = {
+                                // Since getting the interface to allow users to choose
+                                // is likely impossible, we will assume the first in the list
+                                // is the "primary" auth system
+                                "kc_idp_hint": hints.values[0]
+                            };
+                        }
+                        ui.initOAuth({
+                            clientId: scheme["x-oidc-client-id"],
+                            usePkceWithAuthorizationCodeGrant: true,
+                            additionalQueryStringParams: additionalParams,
+                        });
+                        break;
+                    }
+                }
+            },
+        });
+    }, []);
 
   return <div id="swagger-ui"></div>;
 }
diff --git a/cda-gui/vite.config.js b/cda-gui/vite.config.js
@@ -3,7 +3,7 @@ import react from "@vitejs/plugin-react";
 
 // https://vitejs.dev/config/
 export default defineConfig(({ mode }) => {
-  // const env = loadEnv(mode, process.cwd(), "");
+  const env = loadEnv(mode, process.cwd(), "");
   // const BASE_PATH = env?.BASE_PATH ?? "/cwms-data";
   return {
     base: "/cwms-data",
@@ -14,12 +14,22 @@ export default defineConfig(({ mode }) => {
     server: {
       proxy: {
         "^/cwms-data/timeseries/.*": {
-          target: "https://cwms-data.usace.army.mil",
+          target: env.CDA_API_ROOT,
           changeOrigin: true,
           secure: false,
         },
         "^/cwms-data/catalog/.*": {
-          target: "https://cwms-data.usace.army.mil",
+          target: env.CDA_API_ROOT,
+          changeOrigin: true,
+          secure: false,
+        },
+        "^/cwms-data/auth/.*": {
+          target: env.CDA_API_ROOT,
+          changeOrigin: true,
+          secure: false,
+        },
+        "^/cwms-data/swagger-docs$": {
+          target: env.CDA_API_ROOT,
           changeOrigin: true,
           secure: false,
         },
diff --git a/compose_files/keycloak/realm.json b/compose_files/keycloak/realm.json
@@ -663,7 +663,8 @@
       "clientAuthenticatorType": "client-secret",
       "redirectUris": [
         "https://cwms-data.test:8444/*",
-        "https://localhost:5010/*"
+        "https://localhost:5010/*",
+        "http://localhost:*"
       ],
       "webOrigins": [
         "*"
diff --git a/cwms-data-api/build.gradle b/cwms-data-api/build.gradle
@@ -229,6 +229,7 @@ task run(type: JavaExec) {
     mainClass = "fixtures.TomcatServer"
     systemProperties += project.properties.findAll { k, v -> k.startsWith("RADAR") }
     systemProperties += project.properties.findAll { k, v -> k.startsWith("CDA") }
+    systemProperties += project.properties.findAll { k, v -> k.startsWith("cwms") }
 
     def context = project.findProperty("cda.war.context") ?: "spk-data"
 
diff --git a/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java b/cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java
diff --git a/cwms-data-api/src/main/java/cwms/cda/security/OpenIdConnectIdentitityProvider.java b/cwms-data-api/src/main/java/cwms/cda/security/OpenIdConnectIdentitityProvider.java
diff --git a/docker-compose.yml b/docker-compose.yml
