Revert "Prevent change of username on token refresh"

This reverts commit 3718fe3.

Author: dumbbell

deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl

@@ -103,26 +103,17 @@ check_topic_access(#auth_user{impl = DecodedTokenFun},
 update_state(AuthUser, NewToken) ->
     case resolve_resource_server(NewToken) of
         {error, _} = Err0 -> Err0;
-        {ResourceServer, _} = Tuple ->
+        {_, _} = Tuple ->
             case check_token(NewToken, Tuple) of
                 %% avoid logging the token
                 {refused, {error, {invalid_token, error, _Err, _Stacktrace}}} ->
                     {refused, "Authentication using an OAuth 2/JWT token failed: provided token is invalid"};
                 {refused, Err} ->
                     {refused, rabbit_misc:format("Authentication using an OAuth 2/JWT token failed: ~tp", [Err])};
                 {ok, DecodedToken} ->
-                    CurToken = AuthUser#auth_user.impl,
-                    case ensure_same_username(
-                            ResourceServer#resource_server.preferred_username_claims,
-                            CurToken(), DecodedToken) of 
-                        ok ->
-                            Tags = tags_from(DecodedToken),
-                            {ok, AuthUser#auth_user{tags = Tags,
-                                                    impl = fun() -> DecodedToken end}};
-                        {error, mismatch_username_after_token_refresh} -> 
-                            {refused, 
-                                "Not allowed to change username on refreshed token"}
-                    end
+                    Tags = tags_from(DecodedToken),
+                    {ok, AuthUser#auth_user{tags = Tags,
+                                            impl = fun() -> DecodedToken end}}
             end
     end.
 
@@ -148,7 +139,7 @@ authenticate(_, AuthProps0) ->
                     {refused, "Authentication using an OAuth 2/JWT token failed: provided token is invalid", []};
                 {refused, Err} ->
                     {refused, "Authentication using an OAuth 2/JWT token failed: ~tp", [Err]};
-                {ok, DecodedToken} ->                    
+                {ok, DecodedToken} ->
                     Func = fun(Token0) ->
                                 Username = username_from(
                                     ResourceServer#resource_server.preferred_username_claims,
@@ -173,12 +164,6 @@ with_decoded_token(DecodedToken, Fun) ->
             rabbit_log:error(Msg),
             Err
     end.
-ensure_same_username(PreferredUsernameClaims, CurrentDecodedToken, NewDecodedToken) ->
-    CurUsername = username_from(PreferredUsernameClaims, CurrentDecodedToken),
-    case {CurUsername, username_from(PreferredUsernameClaims, NewDecodedToken)} of 
-        {CurUsername, CurUsername} -> ok;
-        _ -> {error, mismatch_username_after_token_refresh}
-    end. 
 
 validate_token_expiry(#{<<"exp">> := Exp}) when is_integer(Exp) ->
     Now = os:system_time(seconds),

deps/rabbitmq_auth_backend_oauth2/test/jwks_SUITE.erl

@@ -58,8 +58,7 @@ groups() ->
         test_failed_connection_with_a_token_with_insufficient_resource_permission,
         test_failed_connection_with_algorithm_restriction,
         test_failed_token_refresh_case1,
-        test_failed_token_refresh_case2,
-        cannot_change_username_on_refreshed_token
+        test_failed_token_refresh_case2
         ]},
     {no_peer_verification, [], [
         {group, happy_path},
@@ -522,11 +521,6 @@ generate_valid_token(Config, Jwk, Scopes, Audience) ->
     IncludeKid = rabbit_ct_helpers:get_config(Config, include_kid, true),
     ?UTIL_MOD:sign_token_hs(Token, Jwk, IncludeKid).
 
-generate_valid_token_with_sub(Config, Jwk, Scopes, Sub) ->
-    Token = ?UTIL_MOD:token_with_sub(?UTIL_MOD:fixture_token_with_scopes(Scopes), Sub),
-    IncludeKid = rabbit_ct_helpers:get_config(Config, include_kid, true),
-    ?UTIL_MOD:sign_token_hs(Token, Jwk, IncludeKid).
-
 generate_valid_token_with_extra_fields(Config, ExtraFields) ->
     Jwk = 
         case rabbit_ct_helpers:get_config(Config, fixture_jwk) of
@@ -943,29 +937,6 @@ test_failed_token_refresh_case2(Config) ->
 
     close_connection(Conn).
 
-cannot_change_username_on_refreshed_token(Config) ->
-    Jwk = 
-        case get_config(Config, fixture_jwk) of
-            undefined -> ?UTIL_MOD:fixture_jwk();
-            Value     -> Value
-        end,
-    {_, CurToken} = generate_valid_token(Config, Jwk, <<"oldUsername">>, [
-        <<"rabbitmq.configure:vhost4/*">>,
-        <<"rabbitmq.write:vhost4/*">>,
-        <<"rabbitmq.read:vhost4/*">>]),
-    Conn     = open_unmanaged_connection(Config, 0, <<"vhost4">>, 
-                <<"oldUsername">>, CurToken),
-   
-    {_, RefreshToken} = generate_valid_token_with_sub(Config, Jwk, <<"newUsername">>,
-        [<<"rabbitmq.configure:vhost4/*">>,
-         <<"rabbitmq.write:vhost4/*">>,
-         <<"rabbitmq.read:vhost4/*">>]),
-
-    %% the error is communicated asynchronously via a connection-level error
-    ?assertException(exit, _, amqp_connection:update_secret(Conn, RefreshToken,
-        <<"token refresh">>)).
-
-
 test_failed_connection_with_algorithm_restriction(Config) ->
     {_Algo, Token} = get_config(Config, fixture_jwt),
     ?assertMatch({error, {auth_failure, _}},

deps/rabbitmq_auth_backend_oauth2/test/system_SUITE.erl

@@ -52,8 +52,7 @@ groups() ->
 
      {token_refresh, [], [
                        test_failed_token_refresh_case1,
-                       test_failed_token_refresh_case2,
-                       refreshed_token_cannot_change_username
+                       test_failed_token_refresh_case2
      ]},
 
      {extra_scopes_source, [], [
@@ -324,33 +323,21 @@ preconfigure_node(Config) ->
 
     rabbit_ct_helpers:set_config(Config, {fixture_jwk, Jwk}).
 
-generate_valid_token_with_sub(Config, Sub) ->
-    generate_valid_token(Config, 
-        ?UTIL_MOD:full_permission_scopes(), undefined, Sub).
-
 generate_valid_token(Config) ->
     generate_valid_token(Config, ?UTIL_MOD:full_permission_scopes()).
 
 generate_valid_token(Config, Scopes) ->
-    generate_valid_token(Config, Scopes, undefined, undefined).
+    generate_valid_token(Config, Scopes, undefined).
 
 generate_valid_token(Config, Scopes, Audience) ->
-    generate_valid_token(Config, Scopes, Audience, undefined).
-
-generate_valid_token(Config, Scopes, Audience, Sub) ->
     Jwk = case rabbit_ct_helpers:get_config(Config, fixture_jwk) of
               undefined -> ?UTIL_MOD:fixture_jwk();
               Value     -> Value
           end,
-    Token0 = case Audience of
+    Token = case Audience of
         undefined -> ?UTIL_MOD:fixture_token_with_scopes(Scopes);
-        DefinedAudience -> maps:put(<<"aud">>, DefinedAudience, 
-            ?UTIL_MOD:fixture_token_with_scopes(Scopes))
+        DefinedAudience -> maps:put(<<"aud">>, DefinedAudience, ?UTIL_MOD:fixture_token_with_scopes(Scopes))
     end,
-    Token = case Sub of 
-        undefined -> Token0;
-        _ -> maps:put(<<"sub">>, Sub, Token0)
-    end,    
     ?UTIL_MOD:sign_token_hs(Token, Jwk).
 
 generate_valid_token_with_extra_fields(Config, ExtraFields) ->
@@ -926,15 +913,6 @@ test_failed_token_refresh_case1(Config) ->
 
     close_connection(Conn).
 
-refreshed_token_cannot_change_username(Config) ->
-    {_, Token} = generate_valid_token_with_sub(Config, <<"username">>),
-    Conn     = open_unmanaged_connection(Config, 0, <<"vhost4">>, <<"username">>, Token),
-    {_, RefreshedToken} = generate_valid_token_with_sub(Config, <<"username2">>),
-
-    %% the error is communicated asynchronously via a connection-level error
-    ?assertException(exit, {{nodedown,not_allowed},_}, amqp_connection:update_secret(Conn, RefreshedToken, <<"token refresh">>)).
-    
-
 test_failed_token_refresh_case2(Config) ->
     {_Algo, Token} = generate_valid_token(Config, [<<"rabbitmq.configure:vhost4/*">>,
                                                    <<"rabbitmq.write:vhost4/*">>,