diff --git a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
index db8abe8928..6f8c048516 100644
--- a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
+++ b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@@ -5,7 +5,7 @@
 %%
 %% ----------------------------------------------------------------------------
-%% A prefix used for scopes in UAA to avoid scope collisions (or unintended overlap). It is an empty string by default.
+%% A prefix used for scopes to avoid scope collisions (or unintended overlap). It is an empty string by default.
 %%
 %% {resource_server_id, <<"my_rabbit_server">>},
diff --git a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
index e2bcf5c5c7..289bd73443 100644
--- a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+++ b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
@@ -432,20 +432,6 @@ end}.
 %% ===========================================================================
 %% Authorization
 
-%% Configure OAuth2 in the management ui to work with old versions of UAA (which versions?)
-{mapping, "management.enable_uaa", "rabbitmq_management.enable_uaa",
-    [{datatype, {enum, [true, false]}}]}.
-
-%% Your client application's identifier as registered with the OIDC/OAuth2. Deprecated, switch to oauth_client_id
-{mapping, "management.uaa_client_id", "rabbitmq_management.uaa_client_id",
-    [{datatype, string}]}.
-{mapping, "management.uaa_client_secret", "rabbitmq_management.uaa_client_secret",
-    [{datatype, string}]}.
-
-%% The URL of the OIDC/OAuth2 provider
-{mapping, "management.uaa_location", "rabbitmq_management.uaa_location",
-    [{datatype, string}]}.
-
 %% Enable OAuth2 in the management ui
 {mapping, "management.oauth_enabled", "rabbitmq_management.oauth_enabled",
     [{datatype, {enum, [true, false]}}]}.
diff --git a/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js b/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
index 6d376aca56..456373101e 100644
--- a/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
+++ b/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js
@@ -21,21 +21,7 @@ function oauth_initialize_if_required() {
 function auth_settings_apply_defaults(authSettings) {
-    if (authSettings.enable_uaa == "true") {
-        if (!authSettings.oauth_provider_url) {
-            authSettings.oauth_provider_url = authSettings.uaa_location
-        }
-        if (!authSettings.oauth_client_id) {
-            authSettings.oauth_client_id = authSettings.uaa_client_id
-        }
-        if (!authSettings.oauth_client_secret) {
-            authSettings.oauth_client_secret = authSettings.uaa_client_secret
-        }
-        if (!authSettings.oauth_scopes) {
-            authSettings.oauth_scopes = "openid profile " + authSettings.oauth_resource_id + ".*";
-        }
-    }
     if (!authSettings.oauth_response_type) {
         authSettings.oauth_response_type = "code"; // although the default value in oidc client
     }
@@ -71,7 +57,7 @@ function oauth_initialize(authSettings) {
         authority: authSettings.oauth_provider_url,
         client_id: authSettings.oauth_client_id,
         response_type: authSettings.oauth_response_type,
-        scope: authSettings.oauth_scopes, // for uaa we may need to include .*
+        scope: authSettings.oauth_scopes,
         resource: authSettings.oauth_resource_id,
         redirect_uri: rabbit_base_uri + "/js/oidc-oauth/login-callback.html",
         post_logout_redirect_uri: rabbit_base_uri + "/",
@@ -89,13 +75,6 @@ function oauth_initialize(authSettings) {
         oidcSettings.metadataUrl = authSettings.oauth_metadata_url;
     }
 
-    if (authSettings.enable_uaa == true) {
-        // This is required for old versions of UAA because the newer ones do expose
-        // the end_session_endpoint on the oidc discovery endpoint, .a.k.a. metadataUrl
-        oidcSettings.metadataSeed = {
-            end_session_endpoint: authSettings.oauth_provider_url + "/logout.do"
-        }
-    }
 
     oidc.Log.setLevel(oidc.Log.DEBUG);
     oidc.Log.setLogger(console);
diff --git a/deps/rabbitmq_management/selenium/test/oauth/rabbitmq.conf b/deps/rabbitmq_management/selenium/test/oauth/rabbitmq.conf
index 12065e8f58..d5c3f18e33 100644
--- a/deps/rabbitmq_management/selenium/test/oauth/rabbitmq.conf
+++ b/deps/rabbitmq_management/selenium/test/oauth/rabbitmq.conf
@@ -1,7 +1,6 @@
 auth_backends.1 = rabbit_auth_backend_oauth2
 management.login_session_timeout = 1
-management.enable_uaa = true
 management.oauth_enabled = true
 management.oauth_client_id = rabbit_client_code
 management.oauth_scopes = ${OAUTH_SCOPES}
diff --git a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
index 8c00e5caff..6d77671b6d 100644
--- a/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
+++ b/deps/rabbitmq_management/src/rabbit_mgmt_wm_auth.erl
@@ -24,52 +24,49 @@ variances(Req, Context) ->
 content_types_provided(ReqData, Context) ->
     {rabbit_mgmt_util:responder_map(to_json), ReqData, Context}.
 
-to_json(ReqData, Context) ->
-    EnableUAA = application:get_env(rabbitmq_management, enable_uaa, false),
-    EnableOAUTH = application:get_env(rabbitmq_management, oauth_enabled, false),
-    Data = case EnableOAUTH of
-        true ->
-            OAuthInitiatedLogonType = application:get_env(rabbitmq_management, oauth_initiated_logon_type, sp_initiated),
-            OAuthProviderUrl = application:get_env(rabbitmq_management, oauth_provider_url, ""),
+authSettings() ->
+  EnableOAUTH = application:get_env(rabbitmq_management, oauth_enabled, false),
+  case EnableOAUTH of
+    true ->
+      OAuthInitiatedLogonType = application:get_env(rabbitmq_management, oauth_initiated_logon_type, sp_initiated),
+      OAuthProviderUrl = application:get_env(rabbitmq_management, oauth_provider_url, ""),
+      case OAuthInitiatedLogonType of
+        sp_initiated ->
+          OAuthClientId = application:get_env(rabbitmq_management, oauth_client_id, ""),
+          OAuthClientSecret = application:get_env(rabbitmq_management, oauth_client_secret, ""),
+          OAuthMetadataUrl = application:get_env(rabbitmq_management, oauth_metadata_url, ""),
+          OAuthScopes = application:get_env(rabbitmq_management, oauth_scopes, ""),
+          OAuthResourceId = application:get_env(rabbitmq_auth_backend_oauth2, resource_server_id, ""),
+          case is_invalid([OAuthResourceId]) of
+            true ->
+              [{oauth_enabled, false}];
+            false ->
+              case is_invalid([OAuthClientId, OAuthProviderUrl]) of
+                true ->
+                  [{oauth_enabled, false}, {oauth_client_id, <<>>}, {oauth_provider_url, <<>>}];
+                false ->
+                  append_oauth_optional_secret([
+                    {oauth_enabled, true},
+                    {oauth_client_id, rabbit_data_coercion:to_binary(OAuthClientId)},
+                    {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)},
+                    {oauth_scopes, rabbit_data_coercion:to_binary(OAuthScopes)},
+                    {oauth_metadata_url, rabbit_data_coercion:to_binary(OAuthMetadataUrl)},
+                    {oauth_resource_id, rabbit_data_coercion:to_binary(OAuthResourceId)}
+                  ], OAuthClientSecret)
+              end
+          end;
+        idp_initiated ->
+          [{oauth_enabled, true},
+           {oauth_initiated_logon_type, rabbit_data_coercion:to_binary(OAuthInitiatedLogonType)},
+           {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)}
+          ]
+      end;
+    false ->
+      [{oauth_enabled, false}]
+  end.
 
-            case OAuthInitiatedLogonType of
-                sp_initiated ->
-                    OAuthClientId = application:get_env(rabbitmq_management, oauth_client_id, ""),
-                    OAuthClientSecret = application:get_env(rabbitmq_management, oauth_client_secret, ""),
-                    OAuthMetadataUrl = application:get_env(rabbitmq_management, oauth_metadata_url, ""),
-                    OAuthScopes = application:get_env(rabbitmq_management, oauth_scopes, ""),
-                    OAuthResourceId = application:get_env(rabbitmq_auth_backend_oauth2, resource_server_id, ""),
-                    case is_invalid([OAuthResourceId]) of
-                        true ->
-                            rabbit_log:warning("Disabling OAuth 2 authorization, missing resource_server_id in oauth2 plugin", []),
-                            [{oauth_enabled, false}];
-                        false ->
-                            case is_invalid([OAuthClientId, OAuthProviderUrl]) of
-                                true ->
-                                    rabbit_log:warning("Disabling OAuth 2 authorization, missing relevant configuration in management plugin", []),
-                                    [{oauth_enabled, false}, {oauth_client_id, <<>>}, {oauth_provider_url, <<>>}];
-                                false ->
-                                    append_oauth_optional_secret([
-                                        {oauth_enabled, true},
-                                        {enable_uaa, rabbit_data_coercion:to_binary(EnableUAA)},
-                                        {oauth_client_id, rabbit_data_coercion:to_binary(OAuthClientId)},
-                                        {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)},
-                                        {oauth_scopes, rabbit_data_coercion:to_binary(OAuthScopes)},
-                                        {oauth_metadata_url, rabbit_data_coercion:to_binary(OAuthMetadataUrl)},
-                                        {oauth_resource_id, rabbit_data_coercion:to_binary(OAuthResourceId)}
-                                    ], OAuthClientSecret)
-                            end
-                    end;
-                idp_initiated ->
-                    [{oauth_enabled, true},
-                     {oauth_initiated_logon_type, rabbit_data_coercion:to_binary(OAuthInitiatedLogonType)},
-                     {oauth_provider_url, rabbit_data_coercion:to_binary(OAuthProviderUrl)}
-                    ]
-                end;
-        false ->
-            [{oauth_enabled, false}]
-        end,
-    rabbit_mgmt_util:reply(Data, ReqData, Context).
+ to_json(ReqData, Context) ->
+    rabbit_mgmt_util:reply(authSettings(), ReqData, Context).
 
 is_authorized(ReqData, Context) ->
     {true, ReqData, Context}.
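Review bot: The two `rabbit_log:warning(...)` calls the old `to_json/2` emitted when it disabled OAuth 2 for a missing `resource_server_id`, or a missing `oauth_client_id`/`oauth_provider_url`, are not carried into `authSettings/0`, so a misconfigured node now reports OAuth 2 as disabled to the UI with nothing in the log for the operator to act on. Restoring them in the two `true ->` branches of the `is_invalid` cases keeps the diagnostics, e.g. `rabbit_log:warning("Disabling OAuth 2 authorization, missing resource_server_id in oauth2 plugin", []),` before `[{oauth_enabled, false}];`. With the client-side defaulting of `oauth_scopes` removed in helper.js, `OAuthScopes` is now read with a `""` default and is not covered by either `is_invalid/1` check, so an unset value is sent to the browser as `<<>>`; if the UI cannot work with an empty scope, add it to the `is_invalid([OAuthClientId, OAuthProviderUrl])` list or document why it is optional. The new function name `authSettings` is camelCase where the module's other functions are `snake_case`; `auth_settings/0` with a `-spec auth_settings() -> [{atom(), term()}].` would match the file and document the proplist the JSON reply is built from. Separately, `append_oauth_optional_secret/2` still receives `OAuthClientSecret` while `is_authorized/2` in the trailing context answers `true` for every caller, so if that helper (defined outside the hunk) places the secret in the reply it is served unauthenticated — worth confirming that is intended.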