rabbitmq-server/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js


var mgr;
var _management_logger;

function oauth_initialize_if_required() {
    rabbit_port = window.location.port ? ":" +  window.location.port : ""
    rabbit_base_uri = window.location.protocol + "//" + window.location.hostname + rabbit_port

    var request = new XMLHttpRequest();
    request.open('GET', rabbit_base_uri + '/api/auth', false);
    request.send(null);
    if (request.status === 200) {
        return oauth_initialize(JSON.parse(request.responseText));
    }else {
        return { "enable" : false };
    }

}
function auth_settings_apply_defaults(authSettings) {
  if (authSettings.enable_uaa == "true") {

    if (!authSettings.oauth_provider_url) {
      authSettings.oauth_provider_url = authSettings.uaa_location
    }
    if (!authSettings.oauth_client_id) {
      authSettings.oauth_client_id = authSettings.uaa_client_id
    }
    if (!authSettings.oauth_client_secret) {
      authSettings.oauth_client_secret = authSettings.uaa_client_secret
    }
    if (!authSettings.oauth_scopes) {
      authSettings.oauth_scopes = "openid profile " + authSettings.oauth_resource_id + ".*";
    }
  }
  if (!authSettings.oauth_response_type) {
    authSettings.oauth_response_type = "code"; // although the default value in oidc client
  }

  if (!authSettings.oauth_scopes) {
    authSettings.oauth_scopes = "openid profile";
  }

  return authSettings;

}

function oauth_initialize(authSettings) {
    oauth = {
      "logged_in": false,
      "enable" : authSettings.oauth_enabled,
      "authority" : authSettings.oauth_provider_url
    }

    if (!oauth.enable) return oauth;

    authSettings = auth_settings_apply_defaults(authSettings);

    oidcSettings = {
        //userStore: new WebStorageStateStore({ store: window.localStorage }),
        authority: authSettings.oauth_provider_url,
        client_id: authSettings.oauth_client_id,
        client_secret: authSettings.oauth_client_secret,
        response_type: authSettings.oauth_response_type,
        scope: authSettings.oauth_scopes, // for uaa we may need to include <resource-server-id>.*
        resource: authSettings.oauth_resource_id,
        redirect_uri: rabbit_base_uri + "/js/oidc-oauth/login-callback.html",
        post_logout_redirect_uri: rabbit_base_uri ,

        automaticSilentRenew: true,
        revokeAccessTokenOnSignout: true,
        extraQueryParams: {
          audience: authSettings.oauth_resource_id, // required by oauth0
        },
    };
    if (authSettings.oauth_metadata_url != "") oidcSettings.metadataUrl = authSettings.oauth_metadata_url

    if (authSettings.enable_uaa == true) {
      // This is required for old versions of UAA because the newer ones do expose
      // the end_session_endpoint on the oidc discovery endpoint, .a.k.a. metadataUrl
      oidcSettings.metadataSeed = {
        end_session_endpoint: authSettings.oauth_provider_url + '/logout.do'
      }
    }
    oidc.Log.setLevel(oidc.Log.DEBUG);
    oidc.Log.setLogger(console);

    mgr = new oidc.UserManager(oidcSettings);
    oauth.readiness_url = mgr.settings.metadataUrl

    _management_logger = new oidc.Logger("Management");

    mgr.events.addAccessTokenExpiring(function() {
        _management_logger.info("token expiring...");
    });
    mgr.events.addAccessTokenExpired(function() {
        _management_logger.info("token expired!!");
    });
    mgr.events.addSilentRenewError(function(err) {
        _management_logger.error("token expiring failed due to ", err);
    });
    mgr.events.addUserLoaded(function(user) {
        oauth.access_token = user.access_token;
     });

    return oauth;
}

function log() {
    message = ""
    Array.prototype.forEach.call(arguments, function(msg) {
        if (msg instanceof Error) {
            msg = "Error: " + msg.message;
        }
        else if (typeof msg !== "string") {
            msg = JSON.stringify(msg, null, 2);
        }
        message += msg
    });
    _management_logger.info(message)
}

function oauth_is_logged_in() {
    return mgr.getUser().then(user => {
        if (!user) {
            return { "loggedIn": false };
        }
        return { "user": user, "loggedIn": !user.expired };
    });
}
function oauth_initiateLogin() {
    mgr.signinRedirect({ state: { } }).then(function() {
        _management_logger.debug("signinRedirect done");
    }).catch(function(err) {
        _management_logger.error(err);
    });
}
function oauth_redirectToHome(oauth) {
  set_auth_pref(oauth.user_name + ':' + oauth.access_token);
  location.href = "/"
}
function oauth_redirectToLogin(error) {
  if (!error) location.href = "/"
  else {
    location.href = "/?error=" + error
  }
}
function oauth_completeLogin() {
    mgr.signinRedirectCallback().then(user => oauth_redirectToHome(user)).catch(function(err) {
        _management_logger.error(err);
        oauth_redirectToLogin(err)
    });
}

function oauth_initiateLogout() {
    mgr.signoutRedirect();
}
function oauth_completeLogout() {
    mgr.signoutRedirectCallback().then(_ => oauth_redirectToLogin());
}
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00
			`var mgr;`
Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`var _management_logger;`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`function oauth_initialize_if_required() {`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`rabbit_port = window.location.port ? ":" + window.location.port : ""`
			`rabbit_base_uri = window.location.protocol + "//" + window.location.hostname + rabbit_port`

			`var request = new XMLHttpRequest();`
			`request.open('GET', rabbit_base_uri + '/api/auth', false);`
			`request.send(null);`
			`if (request.status === 200) {`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`return oauth_initialize(JSON.parse(request.responseText));`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`}else {`
			`return { "enable" : false };`
			`}`

			`}`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`function auth_settings_apply_defaults(authSettings) {`
Handle scopes It is important that RabbitMQ specifies which scopes it has to request. We control that via the management.oauth_scopes field. If we have enable_uaa = true, the scopes are automatically configured for us as follows: "openid profile " + authSettings.oauth_resource_id + ".*" Else we have to configure oauth_scopes field. 2022-05-24 23:07:39 +08:00			`if (authSettings.enable_uaa == "true") {`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00
			`if (!authSettings.oauth_provider_url) {`
			`authSettings.oauth_provider_url = authSettings.uaa_location`
			`}`
			`if (!authSettings.oauth_client_id) {`
			`authSettings.oauth_client_id = authSettings.uaa_client_id`
			`}`
			`if (!authSettings.oauth_client_secret) {`
			`authSettings.oauth_client_secret = authSettings.uaa_client_secret`
			`}`
Handle scopes It is important that RabbitMQ specifies which scopes it has to request. We control that via the management.oauth_scopes field. If we have enable_uaa = true, the scopes are automatically configured for us as follows: "openid profile " + authSettings.oauth_resource_id + ".*" Else we have to configure oauth_scopes field. 2022-05-24 23:07:39 +08:00			`if (!authSettings.oauth_scopes) {`
			`authSettings.oauth_scopes = "openid profile " + authSettings.oauth_resource_id + ".*";`
			`}`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`}`
			`if (!authSettings.oauth_response_type) {`
			`authSettings.oauth_response_type = "code"; // although the default value in oidc client`
			`}`

Handle scopes It is important that RabbitMQ specifies which scopes it has to request. We control that via the management.oauth_scopes field. If we have enable_uaa = true, the scopes are automatically configured for us as follows: "openid profile " + authSettings.oauth_resource_id + ".*" Else we have to configure oauth_scopes field. 2022-05-24 23:07:39 +08:00			`if (!authSettings.oauth_scopes) {`
			`authSettings.oauth_scopes = "openid profile";`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`}`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`return authSettings;`

			`}`

			`function oauth_initialize(authSettings) {`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`oauth = {`
			`"logged_in": false,`
management.oauth_enable => management.oauth_enabled 2022-09-02 04:16:13 +08:00			`"enable" : authSettings.oauth_enabled,`
Handle rabbitmq session timeout 2022-05-26 22:49:07 +08:00			`"authority" : authSettings.oauth_provider_url`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`}`

			`if (!oauth.enable) return oauth;`

WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`authSettings = auth_settings_apply_defaults(authSettings);`

Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`oidcSettings = {`
			`//userStore: new WebStorageStateStore({ store: window.localStorage }),`
			`authority: authSettings.oauth_provider_url,`
			`client_id: authSettings.oauth_client_id,`
			`client_secret: authSettings.oauth_client_secret,`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`response_type: authSettings.oauth_response_type,`
Handle scopes It is important that RabbitMQ specifies which scopes it has to request. We control that via the management.oauth_scopes field. If we have enable_uaa = true, the scopes are automatically configured for us as follows: "openid profile " + authSettings.oauth_resource_id + ".*" Else we have to configure oauth_scopes field. 2022-05-24 23:07:39 +08:00			`scope: authSettings.oauth_scopes, // for uaa we may need to include <resource-server-id>.*`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`resource: authSettings.oauth_resource_id,`
			`redirect_uri: rabbit_base_uri + "/js/oidc-oauth/login-callback.html",`
Fix logout workflow The issue was primarily that UAA was not properly configured. We had to whitelist the uri used for logout otherwise UAA redirects to its login page WIP verify that logout.js works when running in headless mode. For that we need a docker image and at the moment, make docker-image is not working because it is still using old otp 24.0.2 2022-08-30 01:21:58 +08:00			`post_logout_redirect_uri: rabbit_base_uri ,`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00
Set cookies expiry from token expiry claim 2022-05-05 22:22:47 +08:00			`automaticSilentRenew: true,`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`revokeAccessTokenOnSignout: true,`
Add audience request parameter to /authorize Oauth0 requires this parameter in order to return a proper JWT token and not an opaque JWT token. 2022-05-31 21:08:32 +08:00			`extraQueryParams: {`
			`audience: authSettings.oauth_resource_id, // required by oauth0`
			`},`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`};`
			`if (authSettings.oauth_metadata_url != "") oidcSettings.metadataUrl = authSettings.oauth_metadata_url`

WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`if (authSettings.enable_uaa == true) {`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`// This is required for old versions of UAA because the newer ones do expose`
			`// the end_session_endpoint on the oidc discovery endpoint, .a.k.a. metadataUrl`
			`oidcSettings.metadataSeed = {`
			`end_session_endpoint: authSettings.oauth_provider_url + '/logout.do'`
			`}`
			`}`
Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`oidc.Log.setLevel(oidc.Log.DEBUG);`
			`oidc.Log.setLogger(console);`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00
			`mgr = new oidc.UserManager(oidcSettings);`
			`oauth.readiness_url = mgr.settings.metadataUrl`

Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`_management_logger = new oidc.Logger("Management");`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00
Set cookies expiry from token expiry claim 2022-05-05 22:22:47 +08:00			`mgr.events.addAccessTokenExpiring(function() {`
Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`_management_logger.info("token expiring...");`
Set cookies expiry from token expiry claim 2022-05-05 22:22:47 +08:00			`});`
Fix issue related to refreshing access tokens 2022-07-07 17:10:03 +08:00			`mgr.events.addAccessTokenExpired(function() {`
Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`_management_logger.info("token expired!!");`
Fix issue related to refreshing access tokens 2022-07-07 17:10:03 +08:00			`});`
Set cookies expiry from token expiry claim 2022-05-05 22:22:47 +08:00			`mgr.events.addSilentRenewError(function(err) {`
Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`_management_logger.error("token expiring failed due to ", err);`
Set cookies expiry from token expiry claim 2022-05-05 22:22:47 +08:00			`});`
Fix issue related to refreshing access tokens 2022-07-07 17:10:03 +08:00			`mgr.events.addUserLoaded(function(user) {`
			`oauth.access_token = user.access_token;`
			`});`
Set cookies expiry from token expiry claim 2022-05-05 22:22:47 +08:00
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`return oauth;`
			`}`

			`function log() {`
			`message = ""`
			`Array.prototype.forEach.call(arguments, function(msg) {`
			`if (msg instanceof Error) {`
			`msg = "Error: " + msg.message;`
			`}`
			`else if (typeof msg !== "string") {`
			`msg = JSON.stringify(msg, null, 2);`
			`}`
			`message += msg`
			`});`
Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`_management_logger.info(message)`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`}`

WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`function oauth_is_logged_in() {`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`return mgr.getUser().then(user => {`
			`if (!user) {`
			`return { "loggedIn": false };`
			`}`
			`return { "user": user, "loggedIn": !user.expired };`
			`});`
			`}`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`function oauth_initiateLogin() {`
Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`mgr.signinRedirect({ state: { } }).then(function() {`
			`_management_logger.debug("signinRedirect done");`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`}).catch(function(err) {`
Logging improvements Rather than logging directly via console.log we do it via the Logger library provided by oidc-client which allows to use logging levels 2022-09-01 20:53:42 +08:00			`_management_logger.error(err);`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`});`
			`}`
Handle rabbitmq session timeout 2022-05-26 22:49:07 +08:00			`function oauth_redirectToHome(oauth) {`
			`set_auth_pref(oauth.user_name + ':' + oauth.access_token);`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`location.href = "/"`
			`}`
Handle rabbitmq session timeout 2022-05-26 22:49:07 +08:00			`function oauth_redirectToLogin(error) {`
			`if (!error) location.href = "/"`
			`else {`
			`location.href = "/?error=" + error`
			`}`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`}`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`function oauth_completeLogin() {`
Handle rabbitmq session timeout 2022-05-26 22:49:07 +08:00			`mgr.signinRedirectCallback().then(user => oauth_redirectToHome(user)).catch(function(err) {`
management.oauth_enable => management.oauth_enabled 2022-09-02 04:16:13 +08:00			`_management_logger.error(err);`
Handle rabbitmq session timeout 2022-05-26 22:49:07 +08:00			`oauth_redirectToLogin(err)`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`});`
			`}`

WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`function oauth_initiateLogout() {`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`mgr.signoutRedirect();`
			`}`
WIP login/logout/token-refresh against keycloak 2022-05-10 22:22:04 +08:00			`function oauth_completeLogout() {`
			`mgr.signoutRedirectCallback().then(_ => oauth_redirectToLogin());`
Replace singular with oidc-client-ts library Right now only login and logout flows are supported To be added refresh token And test all possible failure scenarios 2022-05-05 21:08:48 +08:00			`}`