Make end_session_endpoint configurable

Author: MarcialRosales

deps/oauth2_client/include/oauth2_client.hrl

@@ -41,6 +41,7 @@
 -define(RESPONSE_ISSUER, <<"issuer">>).
 -define(RESPONSE_TOKEN_ENDPOINT, <<"token_endpoint">>).
 -define(RESPONSE_AUTHORIZATION_ENDPOINT, <<"authorization_endpoint">>).
+-define(RESPONSE_END_SESSION_ENDPOINT, <<"end_session_endpoint">>).
 -define(RESPONSE_JWKS_URI, <<"jwks_uri">>).
 -define(RESPONSE_TLS_OPTIONS, <<"ssl_options">>).
 
@@ -51,6 +52,7 @@
   issuer :: option(uri_string:uri_string()),
   token_endpoint :: option(uri_string:uri_string()),
   authorization_endpoint :: option(uri_string:uri_string()),
+  end_session_endpoint :: option(uri_string:uri_string()),
   jwks_uri :: option(uri_string:uri_string()),
   ssl_options :: option(list())
   }).

deps/oauth2_client/src/oauth2_client.erl

@@ -7,7 +7,7 @@
 -module(oauth2_client).
 -export([get_access_token/2, get_expiration_time/1,
         refresh_access_token/2,
-        get_oauth_provider/1, get_oauth_provider/2,
+        get_oauth_provider/1, get_oauth_provider/2, 
         extract_ssl_options_as_list/1
         ]).
 
@@ -104,14 +104,20 @@ do_update_oauth_provider_endpoints_configuration(OAuthProvider) ->
     case OAuthProvider#oauth_provider.token_endpoint of
         undefined ->
             do_nothing;
-        TokenEndPoint ->
-            application:set_env(rabbitmq_auth_backend_oauth2, token_endpoint, TokenEndPoint)
+        TokenEndpoint ->
+            application:set_env(rabbitmq_auth_backend_oauth2, token_endpoint, TokenEndpoint)
     end,
     case OAuthProvider#oauth_provider.authorization_endpoint of
         undefined ->
             do_nothing;
-        AuthzEndPoint ->
-            application:set_env(rabbitmq_auth_backend_oauth2, authorization_endpoint, AuthzEndPoint)
+        AuthzEndpoint ->
+            application:set_env(rabbitmq_auth_backend_oauth2, authorization_endpoint, AuthzEndpoint)
+    end,
+    case OAuthProvider#oauth_provider.end_session_endpoint of
+        undefined ->
+            do_nothing;
+        EndSessionEndpoint ->
+            application:set_env(rabbitmq_auth_backend_oauth2, end_session_endpoint, EndSessionEndpoint)
     end,
     List = application:get_env(rabbitmq_auth_backend_oauth2, key_config, []),
     ModifiedList = case OAuthProvider#oauth_provider.jwks_uri of
@@ -127,17 +133,21 @@ do_update_oauth_provider_endpoints_configuration(OAuthProviderId, OAuthProvider)
     LookupProviderPropList = maps:get(OAuthProviderId, OAuthProviders),
     ModifiedList0 = case OAuthProvider#oauth_provider.token_endpoint of
         undefined ->  LookupProviderPropList;
-        TokenEndPoint -> [{token_endpoint, TokenEndPoint} | LookupProviderPropList]
+        TokenEndpoint -> [{token_endpoint, TokenEndpoint} | LookupProviderPropList]
     end,
     ModifiedList1 = case OAuthProvider#oauth_provider.authorization_endpoint of
         undefined ->  ModifiedList0;
-        AuthzEndPoint -> [{authorization_endpoint, AuthzEndPoint} | ModifiedList0]
+        AuthzEndpoint -> [{authorization_endpoint, AuthzEndpoint} | ModifiedList0]
     end,
-    ModifiedList2 = case OAuthProvider#oauth_provider.jwks_uri of
+    ModifiedList2 = case OAuthProvider#oauth_provider.end_session_endpoint of
         undefined ->  ModifiedList1;
-        JwksEndPoint -> [{jwks_uri, JwksEndPoint} | ModifiedList1]
+        EndSessionEndpoint -> [{end_session_endpoint, EndSessionEndpoint} | ModifiedList1]
     end,
-    ModifiedOAuthProviders = maps:put(OAuthProviderId, ModifiedList2, OAuthProviders),
+    ModifiedList3 = case OAuthProvider#oauth_provider.jwks_uri of
+        undefined ->  ModifiedList2;
+        JwksEndPoint -> [{jwks_uri, JwksEndPoint} | ModifiedList2]
+    end,
+    ModifiedOAuthProviders = maps:put(OAuthProviderId, ModifiedList3, OAuthProviders),
     application:set_env(rabbitmq_auth_backend_oauth2, oauth_providers, ModifiedOAuthProviders),
     rabbit_log:debug("Replacing oauth_providers  ~p", [ ModifiedOAuthProviders]),
     OAuthProvider.
@@ -179,7 +189,7 @@ get_oauth_provider(ListOfRequiredAttributes) ->
         {ok, DefaultOauthProvider} ->
             rabbit_log:debug("Using default_oauth_provider ~p", [DefaultOauthProvider]),
             get_oauth_provider(DefaultOauthProvider, ListOfRequiredAttributes)
-    end.
+    end.    
 
 get_oauth_provider_from_keyconfig(ListOfRequiredAttributes) ->
     OAuthProvider = lookup_oauth_provider_from_keyconfig(),
@@ -206,7 +216,7 @@ get_oauth_provider_from_keyconfig(ListOfRequiredAttributes) ->
                             {ok, OAuthProvider2};
                         _ = Attrs->
                             {error, {missing_oauth_provider_attributes, Attrs}}
-                    end;
+                    end;                        
                 {error, _} = Error3 -> Error3
             end
   end.
@@ -253,7 +263,7 @@ get_oauth_provider(OAuth2ProviderId, ListOfRequiredAttributes) when is_binary(OA
                                     {ok, OAuthProvider2};
                                 _ = Attrs->
                                     {error, {missing_oauth_provider_attributes, Attrs}}
-                            end;
+                            end;                    
                         {error, _} = Error3 -> Error3
                     end
             end
@@ -285,11 +295,15 @@ find_missing_attributes(#oauth_provider{} = OAuthProvider, RequiredAttributes) -
 lookup_oauth_provider_from_keyconfig() ->
     Issuer = application:get_env(rabbitmq_auth_backend_oauth2, issuer, undefined),
     TokenEndpoint = application:get_env(rabbitmq_auth_backend_oauth2, token_endpoint, undefined),
+    AuthorizationEndpoint = application:get_env(rabbitmq_auth_backend_oauth2, authorization_endpoint, undefined),
+    EndSessionEndpoint = application:get_env(rabbitmq_auth_backend_oauth2, end_session_endpoint, undefined),
     Map = maps:from_list(application:get_env(rabbitmq_auth_backend_oauth2, key_config, [])),
     #oauth_provider{
         issuer = Issuer,
         jwks_uri = maps:get(jwks_url, Map, undefined), %% jwks_url not uri . _url is the legacy name
         token_endpoint = TokenEndpoint,
+        authorization_endpoint = AuthorizationEndpoint,
+        end_session_endpoint = EndSessionEndpoint,
         ssl_options = extract_ssl_options_as_list(Map)
     }.
 
@@ -447,6 +461,7 @@ map_to_oauth_provider(Map) when is_map(Map) ->
         issuer = maps:get(?RESPONSE_ISSUER, Map),
         token_endpoint = maps:get(?RESPONSE_TOKEN_ENDPOINT, Map, undefined),
         authorization_endpoint = maps:get(?RESPONSE_AUTHORIZATION_ENDPOINT, Map, undefined),
+        end_session_endpoint = maps:get(?RESPONSE_END_SESSION_ENDPOINT, Map, undefined),
         jwks_uri = maps:get(?RESPONSE_JWKS_URI, Map, undefined)
     };
 
@@ -455,6 +470,7 @@ map_to_oauth_provider(PropList) when is_list(PropList) ->
         issuer = proplists:get_value(issuer, PropList),
         token_endpoint = proplists:get_value(token_endpoint, PropList),
         authorization_endpoint = proplists:get_value(authorization_endpoint, PropList, undefined),
+        end_session_endpoint = proplists:get_value(end_session_endpoint, PropList, undefined),
         jwks_uri = proplists:get_value(jwks_uri, PropList, undefined),
         ssl_options = extract_ssl_options_as_list(maps:from_list(proplists:get_value(https, PropList, [])))
     }.

deps/oauth2_client/test/system_SUITE.erl

@@ -100,6 +100,7 @@
             {issuer, build_issuer("http") },
             {authorization_endpoint, <<"http://localhost:8000/authorize">>},
             {token_endpoint, build_token_endpoint_uri("http")},
+            {end_session_endpoint, <<"http://localhost:8000/logout">>},
             {jwks_uri, build_jwks_uri("http")}
         ]}
   ]
@@ -117,6 +118,7 @@
             {issuer, build_issuer("https") },
             {authorization_endpoint, <<"https://localhost:8000/authorize">>},
             {token_endpoint, build_token_endpoint_uri("https")},
+            {end_session_endpoint, <<"http://localhost:8000/logout">>},
             {jwks_uri, build_jwks_uri("https")}
         ]}
     ]
@@ -262,6 +264,8 @@ configure_all_oauth_provider_settings(Config) ->
     application:set_env(rabbitmq_auth_backend_oauth2, issuer, OAuthProvider#oauth_provider.issuer),
     application:set_env(rabbitmq_auth_backend_oauth2, oauth_providers, OAuthProviders),
     application:set_env(rabbitmq_auth_backend_oauth2, token_endpoint, OAuthProvider#oauth_provider.token_endpoint),
+    application:set_env(rabbitmq_auth_backend_oauth2, end_sessione_endpoint, OAuthProvider#oauth_provider.end_session_endpoint),
+    application:set_env(rabbitmq_auth_backend_oauth2, authorization_endpoint, OAuthProvider#oauth_provider.authorization_endpoint),
     KeyConfig = [ { jwks_url, OAuthProvider#oauth_provider.jwks_uri } ] ++
         case OAuthProvider#oauth_provider.ssl_options of
             undefined -> 
@@ -313,6 +317,8 @@ end_per_testcase(_, Config) ->
     application:unset_env(rabbitmq_auth_backend_oauth2, oauth_providers),
     application:unset_env(rabbitmq_auth_backend_oauth2, issuer),
     application:unset_env(rabbitmq_auth_backend_oauth2, token_endpoint),
+    application:unset_env(rabbitmq_auth_backend_oauth2, authorization_endpoint),
+    application:unset_env(rabbitmq_auth_backend_oauth2, end_session_endpoint),
     application:unset_env(rabbitmq_auth_backend_oauth2, key_config),
     case ?config(group, Config) of
         http_up ->
@@ -417,11 +423,19 @@ get_oauth_provider_given_oauth_provider_id(Config) ->
         = lookup_expectation(get_openid_configuration, Config),
 
     ct:log("get_oauth_provider ~p", [?config(oauth_provider_id, Config)]),
-    {ok, #oauth_provider{issuer = Issuer, token_endpoint = TokenEndPoint, jwks_uri = Jwks_uri}} =
-        oauth2_client:get_oauth_provider(?config(oauth_provider_id, Config), [issuer, token_endpoint, jwks_uri]),
+    {ok, #oauth_provider{
+            issuer = Issuer, 
+            token_endpoint = TokenEndPoint, 
+            authorization_endpoint = AuthorizationEndpoint,
+            end_session_endpoint = EndSessionEndpoint,
+            jwks_uri = Jwks_uri}} =
+        oauth2_client:get_oauth_provider(?config(oauth_provider_id, Config), 
+            [issuer, token_endpoint, jwks_uri, authorization_endpoint, end_session_endpoint]),
 
     ?assertEqual(proplists:get_value(issuer, JsonPayload), Issuer),
     ?assertEqual(proplists:get_value(token_endpoint, JsonPayload), TokenEndPoint),
+    ?assertEqual(proplists:get_value(authorization_endpoint, JsonPayload), AuthorizationEndpoint),
+    ?assertEqual(proplists:get_value(end_session_endpoint, JsonPayload), EndSessionEndpoint),
     ?assertEqual(proplists:get_value(jwks_uri, JsonPayload), Jwks_uri).
 
 

deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema

@@ -163,6 +163,16 @@
  "rabbitmq_auth_backend_oauth2.key_config.jwks_url",
  [{datatype, string}, {validators, ["uri", "https_uri"]}]}.
 
+{mapping,
+ "auth_oauth2.end_session_endpoint",
+ "rabbitmq_auth_backend_oauth2.end_session_endpoint",
+ [{datatype, string}, {validators, ["uri", "https_uri"]}]}.
+
+{mapping,
+ "auth_oauth2.authorization_endpoint",
+ "rabbitmq_auth_backend_oauth2.authorization_endpoint",
+ [{datatype, string}, {validators, ["uri", "https_uri"]}]}.
+
 {mapping,
  "auth_oauth2.https.peer_verification",
  "rabbitmq_auth_backend_oauth2.key_config.peer_verification",
@@ -240,6 +250,16 @@
  [{datatype, string}, {validators, ["uri", "https_uri"]}]
 }.
 
+{mapping,
+ "auth_oauth2.oauth_providers.$name.end_session_endpoint",
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+ [{datatype, string}, {validators, ["uri", "https_uri"]}]}.
+
+{mapping,
+ "auth_oauth2.oauth_providers.$name.authorization_endpoint",
+ "rabbitmq_auth_backend_oauth2.oauth_providers",
+ [{datatype, string}, {validators, ["uri", "https_uri"]}]}.
+
 {mapping,
  "auth_oauth2.oauth_providers.$name.https.verify",
  "rabbitmq_auth_backend_oauth2.oauth_providers",

deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets

@@ -129,6 +129,8 @@
         auth_oauth2.oauth_providers.uaa.issuer = https://uaa
         auth_oauth2.oauth_providers.keycloak.token_endpoint = https://keycloak/token
         auth_oauth2.oauth_providers.keycloak.jwks_uri = https://keycloak/keys
+        auth_oauth2.oauth_providers.keycloak.authorization_endpoint = https://keycloak/authorize
+        auth_oauth2.oauth_providers.keycloak.end_session_endpoint = https://keycloak/logout
         auth_oauth2.oauth_providers.keycloak.https.cacertfile = /mnt/certs/ca_certificate.pem
         auth_oauth2.oauth_providers.keycloak.https.verify = verify_none",
         [
@@ -149,8 +151,10 @@
                     {verify, verify_none},
                     {cacertfile, "/mnt/certs/ca_certificate.pem"}
                   ]},
+                  {end_session_endpoint, <<"https://keycloak/logout">>},
+                  {authorization_endpoint, <<"https://keycloak/authorize">>},
                   {token_endpoint, <<"https://keycloak/token">>},
-                  {jwks_uri, <<"https://keycloak/keys">>}
+                  {jwks_uri, <<"https://keycloak/keys">>}                  
                 ]
 
               }

deps/rabbitmq_management/Makefile

@@ -22,7 +22,7 @@ define PROJECT_APP_EXTRA_KEYS
 endef
 
 DEPS = rabbit_common rabbit amqp_client cowboy cowlib rabbitmq_web_dispatch rabbitmq_management_agent oauth2_client
-TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers proper
+TEST_DEPS = rabbitmq_ct_helpers rabbitmq_ct_client_helpers proper amqp10_client
 LOCAL_DEPS += ranch ssl crypto public_key
 
 # FIXME: Add Ranch as a BUILD_DEPS to be sure the correct version is picked.

deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js

@@ -103,6 +103,11 @@ function oauth_initialize_user_manager(resource_server) {
           audience: resource_server.id, // required by oauth0
         },
     };
+    if (resource_server.end_session_endpoint != "") {
+      oidcSettings.metadataSeed = {
+        end_session_endpoint: resource_server.end_session_endpoint
+      }
+    }
     if (resource_server.oauth_client_secret != "") {
       oidcSettings.client_secret = resource_server.oauth_client_secret;
     }