Cor 484 scopes n claims

Makefile

@@ -59,7 +59,7 @@ serve-native:
 serve-pwa:
 	@./scripts/serve-pwa.sh
 
-.PHONY: serve-admin
+.PHONY: serve-authnz-frontend
 serve-authnz-frontend:
 	@./scripts/serve-authnz-frontend.sh
 

cmd/devinit/main.go

@@ -329,6 +329,8 @@ func createIdentityProviders(factory store.Factory, err error, orgId string, env
 		ClientID:       envCfg.idpClientId,
 		ClientSecret:   envCfg.idpClientSecret,
 		EmailDomain:    "nrc.no",
+		Scopes:         "openid profile offline_access",
+		ClaimMappings:  types.ClaimMappings{Mappings: nil, Version: "0"},
 	}
 	if len(idps) == 0 {
 		_, err := idpStore.Create(context.Background(), idp, store.IdentityProviderCreateOptions{})

deployments/envoy.yaml

@@ -23,6 +23,8 @@ static_resources:
                 stat_prefix: ingress_http
                 http_filters:
                   - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                 route_config:
                   name: local_route
                   virtual_hosts:
@@ -71,6 +73,8 @@ static_resources:
                           timeout: 0.250s
                         path_prefix: /apis/authorization.nrc.no/v1
                   - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                 route_config:
                   name: local_route
                   virtual_hosts:

deployments/webapp.docker-compose.yaml

@@ -10,12 +10,11 @@ services:
       - ../creds/envoy/tls.crt:/var/run/tls.crt
       - ../certs/ca.crt:/var/run/ca.crt
     network_mode: host
+    restart: on-failure
     command:
       - /usr/local/bin/envoy
       - -c
       - /etc/envoy.yaml
-      - -l
-      - debug
 
   oidc:
     image: node:16

frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviderEditor.tsx

@@ -1,9 +1,9 @@
-import { FC, useCallback, useEffect, useMemo } from 'react';
+import { FC, useCallback, useEffect, useMemo, useState } from 'react';
 import { useForm } from 'react-hook-form';
 import classNames from 'classnames';
 
 import { useApiClient, useFormValidation } from '../../../hooks/hooks';
-import { Organization } from '../../../types/types';
+import { IdentityProvider, Organization } from '../../../types/types';
 
 type Props = {
   id?: string;
@@ -17,6 +17,8 @@ type FormData = {
   clientSecret: string;
   organizationId: string;
   emailDomain: string;
+  scopes: string;
+  claimMappings: { Version: string; Mappings: any };
 };
 
 export const IdentityProviderEditor: FC<Props> = (props) => {
@@ -28,6 +30,8 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
 
   const form = useForm<FormData>({ mode: 'onChange' });
 
+  const [version, setVersion] = useState<string>('0');
+
   const {
     register,
     handleSubmit,
@@ -37,56 +41,84 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
 
   const { fieldErrors, fieldClasses } = useFormValidation(isNew, form);
 
+  const setData = (data: IdentityProvider) => {
+    setValue('name', data.name);
+    setValue('clientId', data.clientId);
+    setValue('organizationId', data.organizationId);
+    setValue('issuer', data.domain);
+    setValue('emailDomain', data.emailDomain);
+    setValue('clientSecret', '');
+    setValue('scopes', data.scopes);
+    setValue(
+      'claimMappings.Mappings',
+      JSON.stringify(data.claimMappings.Mappings),
+    );
+    setVersion(data.claimMappings.Version);
+  };
+
   useEffect(() => {
     if (id) {
       apiClient.getIdentityProvider({ id }).then((resp) => {
         if (resp.response) {
-          setValue('name', resp.response.name);
-          setValue('clientId', resp.response.clientId);
-          setValue('organizationId', resp.response.organizationId);
-          setValue('issuer', resp.response.domain);
-          setValue('emailDomain', resp.response.emailDomain);
-          setValue('clientSecret', '');
+          console.log('RESP', resp.response);
+          setData(resp.response);
         }
       });
     }
   }, [apiClient, id, setValue]);
 
   const onSubmit = useCallback(
-    (args: FormData) => {
-      const obj = {
+    async (args: FormData) => {
+      const newVersion = `${parseInt(version, 10) + 1}`;
+
+      const object = {
         id,
         name: args.name,
         clientId: args.clientId,
         clientSecret: args.clientSecret,
         domain: args.issuer,
         organizationId: organization.id,
         emailDomain: args.emailDomain,
+        scopes: args.scopes,
+        claimMappings: {
+          Version: newVersion,
+          Mappings: JSON.parse(args.claimMappings.Mappings),
+        },
       };
+      let resp;
       if (id) {
-        return apiClient.updateIdentityProvider({
-          object: obj,
+        resp = await apiClient.updateIdentityProvider({
+          object,
+        });
+      } else {
+        resp = await apiClient.createIdentityProvider({
+          object,
         });
       }
-      return apiClient.createIdentityProvider({
-        object: obj,
-      });
+      return resp.response && setData(resp.response);
     },
-    [apiClient, id, organization.id],
+    [apiClient, id, organization.id, version],
   );
 
   return (
     <div className={classNames('card bg-dark border-secondary')}>
       <div className="card-body">
-        <form className="needs-validation" noValidate onSubmit={handleSubmit(onSubmit)}>
+        <form
+          className="needs-validation"
+          noValidate
+          onSubmit={handleSubmit(onSubmit)}
+        >
           <div className={classNames('form-group mb-2')}>
             <label className="form-label text-light">Name</label>
             <input
               {...register('name', {
                 required: true,
                 pattern: /^[a-zA-Z0-9\-_ ]+$/,
               })}
-              className={classNames('form-control form-control-darkula', fieldClasses('name'))}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('name'),
+              )}
             />
             {fieldErrors('name')}
           </div>
@@ -97,7 +129,10 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
                 required: true,
                 pattern: /^https?:\/\/[a-zA-Z0-9.\-_]+(:[0-9]+)?$/,
               })}
-              className={classNames('form-control form-control-darkula', fieldClasses('issuer'))}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('issuer'),
+              )}
             />
             {fieldErrors('issuer')}
           </div>
@@ -107,7 +142,10 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
               {...register('emailDomain', {
                 required: true,
               })}
-              className={classNames('form-control form-control-darkula', fieldClasses('emailDomain'))}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('emailDomain'),
+              )}
             />
             {fieldErrors('emailDomain')}
           </div>
@@ -117,7 +155,10 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
               {...register('clientId', {
                 required: true,
               })}
-              className={classNames('form-control form-control-darkula', fieldClasses('clientId'))}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('clientId'),
+              )}
             />
             {fieldErrors('clientId')}
           </div>
@@ -128,11 +169,45 @@ export const IdentityProviderEditor: FC<Props> = (props) => {
               {...register('clientSecret', {
                 required: isNew,
               })}
-              className={classNames('form-control form-control-darkula', fieldClasses('clientSecret'))}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('clientSecret'),
+              )}
               placeholder={isNew ? '' : '********'}
             />
             {fieldErrors('clientSecret')}
           </div>
+
+          <div className="form-group mb-2">
+            <label className="form-label text-light">Scopes</label>
+            <input
+              {...register('scopes', {
+                required: true,
+              })}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('scopes'),
+              )}
+            />
+            {fieldErrors('scopes')}
+          </div>
+
+          <div className="form-group mb-2">
+            <label className="form-label text-light">
+              Claim Mapping (Version: {version})
+            </label>
+            <textarea
+              {...register('claimMappings.Mappings', {
+                required: true,
+              })}
+              className={classNames(
+                'form-control form-control-darkula',
+                fieldClasses('claimMappings.Mappings'),
+              )}
+            />
+          </div>
+          {fieldErrors('claimMappings')}
+
           <button disabled={isSubmitting} className="btn btn-success mt-2">
             {props.id ? 'Update Identity Provider' : 'Create Identity Provider'}
           </button>

frontend/apps/core-authnz-frontend/src/components/organizations/identityproviders/IdentityProviders.tsx

@@ -1,4 +1,4 @@
-import { FC, Fragment } from 'react';
+import { FC } from 'react';
 import { Link, useRouteMatch } from 'react-router-dom';
 
 import { Organization } from '../../../types/types';
@@ -23,11 +23,22 @@ export const IdentityProviders: FC<Props> = (props) => {
 
       <div className="list-group list-group-darkula">
         {idps.map((idp) => (
-          <Link className="list-group-item list-group-item-action" to={`${match.url}/${idp.id}`}>
-            {idp.name} <span className="badge bg-dark font-monospace">{idp.emailDomain}</span>
+          <Link
+            key={idp.id}
+            className="list-group-item list-group-item-action"
+            to={`${match.url}/${idp.id}`}
+          >
+            {idp.name}{' '}
+            <span className="badge bg-dark font-monospace">
+              {idp.emailDomain}
+            </span>
           </Link>
         ))}
-        {idps.length === 0 ? <div className="disabled list-group-item">No Identity Provider</div> : <></>}
+        {idps.length === 0 ? (
+          <div className="disabled list-group-item">No Identity Provider</div>
+        ) : (
+          <></>
+        )}
       </div>
     </div>
   );

frontend/apps/core-authnz-frontend/src/types/types.ts

@@ -35,11 +35,19 @@ export interface Client
 
 export type IdentityProviderList = { items: IdentityProvider[] };
 
-export type TokenEndpointAuthMethod = 'client_secret_post' | 'client_secret_basic' | 'private_key_jwt' | 'none';
+export type TokenEndpointAuthMethod =
+  | 'client_secret_post'
+  | 'client_secret_basic'
+  | 'private_key_jwt'
+  | 'none';
 
 export type ResponseType = 'code' | 'token' | 'id_token';
 
-export type GrantType = 'authorization_code' | 'refresh_token' | 'client_credentials' | 'implicit';
+export type GrantType =
+  | 'authorization_code'
+  | 'refresh_token'
+  | 'client_credentials'
+  | 'implicit';
 
 export class OAuth2Client {
   public id = '';
@@ -60,7 +68,8 @@ export class OAuth2Client {
 
   public allowedCorsOrigins: string[] = [];
 
-  public tokenEndpointAuthMethod: TokenEndpointAuthMethod = 'client_secret_basic';
+  public tokenEndpointAuthMethod: TokenEndpointAuthMethod =
+    'client_secret_basic';
 }
 
 export type OAuth2ClientList = {
@@ -91,6 +100,13 @@ export class IdentityProvider {
   public clientSecret = '';
 
   public emailDomain = '';
+
+  public scopes = '';
+
+  public claimMappings = {
+    Version: '0',
+    Mappings: {},
+  };
 }
 
 export type Session = {

pkg/api/types/identity_provider.go

@@ -18,6 +18,15 @@ type IdentityProvider struct {
 	// TODO: add unique constraint for email domains
 	// TODO: add support for multiple email domains for a single IdentityProvider
 	EmailDomain string `json:"emailDomain"`
+
+	Scopes string `json:"scopes"`
+
+	ClaimMappings ClaimMappings `json:"claimMappings"`
+}
+
+type ClaimMappings struct {
+	Version  string            `json:"Version"`
+	Mappings map[string]string `json:"Mappings"`
 }
 
 // IdentityProviderList represents a list of IdentityProvider

pkg/server/login/handlers/login/utils.go

@@ -65,7 +65,7 @@ func getOauthProvider(
 		RedirectURL:  redirectUri,
 	}
 	if loginRequest != nil {
-		oauthConfig.Scopes = loginRequest.RequestedScope
+		oauthConfig.Scopes = strings.Split(client.Scopes, " ")
 	}
 
 	verifier := oidcProvider.Verifier(&oidc.Config{