e4870b9c70
(c) bump
2019-12-29 05:50:24 +03:00
e936e82292
Move up aud/scope binary to array conversion
...
This way scope is always an array which makes it easier for downstream
processing.
References #41
2019-12-05 14:26:17 +01:00
d9073fba8d
Make this code less unorthodox, take 2
...
Also improves naming a bit.
2019-12-05 10:28:37 +03:00
7d2b069cbd
Make this code less unorthodox, take 1
2019-12-05 10:12:51 +03:00
9a230b0aeb
Resolve PR comments - rename variables.
2019-12-05 05:29:12 +01:00
3a04670a45
Implement support for gathering scopes from predefined JWT section and combine them with existing ones in post_process_payload () method. Create unit_SUITE and system_SUITE test cases.
2019-12-04 19:14:08 +01:00
f3405e46fa
Support Keycloak token format in post-processing
...
Scopes from the "authorization" field are extracted and replace the
value of the "scope" key in the parsed and processed token.
Fixes #37
2019-08-21 10:34:20 +02:00
16968e8c66
Remove unnecessary console output
2019-07-24 09:04:58 +02:00
49f1b6b043
Support simple strings in aud and scope fields
...
Simple strings are supported, strings with spaces are split into arrays.
The strings are split upfront, the Erlang representation of the token
does not change, to avoid impacts in the code downstream.
Fixes #24
2019-07-12 09:45:02 +02:00
5f44635d05
uaa_jwt:get_jwk/1: return an error if there are no configured signing keys
...
Closes #30 .
2019-07-10 18:52:59 +03:00
833bb4cec9
Deal with unused parameter
2019-07-10 15:47:57 +02:00
cb81b0748f
Remove extra parameters from output call
2019-07-10 15:12:48 +02:00
ae8b61a8aa
Check token expiration on authentication
2019-07-02 15:27:13 +02:00
d44e4bce59
Integration tests for JWT token/secret updates; improved error reporting
2019-07-01 21:20:57 +02:00
8a8bda0369
More OAuth 2 token refresh tests (WIP)
2019-07-01 16:48:53 +02:00
e80c125f0b
Implement secret (token) update
2019-06-27 22:08:18 +02:00
975e2bf177
Extract a constant
2019-06-27 16:04:58 +02:00
7e0ebb0fb1
Extract a constant
2019-06-27 16:04:34 +02:00
1bc504d297
Token/state renewal stub
2019-06-27 11:19:33 +02:00
4f9a4f0ac2
Add protocol-specific context
...
Just an update of check_resource_access/3 to check_resource_access/4,
the OAuth has no use of protocol-specific data for now.
References rabbitmq/rabbitmq-server#1767
2019-06-04 14:50:59 +02:00
8cb7b00642
URL Cleanup
...
This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener).
# HTTP URLs that Could Not Be Fixed
These URLs were unable to be fixed. Please review them to see if they can be manually resolved.
* http://blog.listincomprehension.com/search/label/procket (200) with 1 occurrences could not be migrated:
([https](https://blog.listincomprehension.com/search/label/procket ) result ClosedChannelException).
* http://dozzie.jarowit.net/trac/wiki/TOML (200) with 1 occurrences could not be migrated:
([https](https://dozzie.jarowit.net/trac/wiki/TOML ) result SSLHandshakeException).
* http://dozzie.jarowit.net/trac/wiki/subproc (200) with 1 occurrences could not be migrated:
([https](https://dozzie.jarowit.net/trac/wiki/subproc ) result SSLHandshakeException).
* http://e2project.org (200) with 1 occurrences could not be migrated:
([https](https://e2project.org ) result AnnotatedConnectException).
* http://nitrogenproject.com/ (200) with 2 occurrences could not be migrated:
([https](https://nitrogenproject.com/ ) result ConnectTimeoutException).
* http://proper.softlab.ntua.gr (200) with 1 occurrences could not be migrated:
([https](https://proper.softlab.ntua.gr ) result SSLHandshakeException).
* http://yaws.hyber.org (200) with 1 occurrences could not be migrated:
([https](https://yaws.hyber.org ) result AnnotatedConnectException).
* http://choven.ca (503) with 1 occurrences could not be migrated:
([https](https://choven.ca ) result ConnectTimeoutException).
# Fixed URLs
## Fixed But Review Recommended
These URLs were fixed, but the https status was not OK. However, the https status was the same as the http request or http redirected to an https URL, so they were migrated. Your review is recommended.
* http://fixprotocol.org/ (301) with 1 occurrences migrated to:
https://fixtrading.org ([https](https://fixprotocol.org/ ) result SSLHandshakeException).
* http://erldb.org (UnknownHostException) with 1 occurrences migrated to:
https://erldb.org ([https](https://erldb.org ) result UnknownHostException).
## Fixed Success
These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended.
* http://cloudi.org/ with 27 occurrences migrated to:
https://cloudi.org/ ([https](https://cloudi.org/ ) result 200).
* http://erlware.org/ with 1 occurrences migrated to:
https://erlware.org/ ([https](https://erlware.org/ ) result 200).
* http://inaka.github.io/cowboy-trails/ with 1 occurrences migrated to:
https://inaka.github.io/cowboy-trails/ ([https](https://inaka.github.io/cowboy-trails/ ) result 200).
* http://ninenines.eu with 6 occurrences migrated to:
https://ninenines.eu ([https](https://ninenines.eu ) result 200).
* http://www.actordb.com/ with 2 occurrences migrated to:
https://www.actordb.com/ ([https](https://www.actordb.com/ ) result 200).
* http://www.cs.kent.ac.uk/projects/wrangler/Home.html with 1 occurrences migrated to:
https://www.cs.kent.ac.uk/projects/wrangler/Home.html ([https](https://www.cs.kent.ac.uk/projects/wrangler/Home.html ) result 200).
* http://www.rabbitmq.com/access-control.html with 2 occurrences migrated to:
https://www.rabbitmq.com/access-control.html ([https](https://www.rabbitmq.com/access-control.html ) result 200).
* http://www.rabbitmq.com/configure.html with 1 occurrences migrated to:
https://www.rabbitmq.com/configure.html ([https](https://www.rabbitmq.com/configure.html ) result 200).
* http://www.rebar3.org with 1 occurrences migrated to:
https://www.rebar3.org ([https](https://www.rebar3.org ) result 200).
* http://inaka.github.com/apns4erl with 1 occurrences migrated to:
https://inaka.github.com/apns4erl ([https](https://inaka.github.com/apns4erl ) result 301).
* http://inaka.github.com/edis/ with 1 occurrences migrated to:
https://inaka.github.com/edis/ ([https](https://inaka.github.com/edis/ ) result 301).
* http://lasp-lang.org/ with 1 occurrences migrated to:
https://lasp-lang.org/ ([https](https://lasp-lang.org/ ) result 301).
* http://saleyn.github.com/erlexec with 1 occurrences migrated to:
https://saleyn.github.com/erlexec ([https](https://saleyn.github.com/erlexec ) result 301).
* http://www.mozilla.org/MPL/ with 6 occurrences migrated to:
https://www.mozilla.org/MPL/ ([https](https://www.mozilla.org/MPL/ ) result 301).
* http://zhongwencool.github.io/observer_cli with 1 occurrences migrated to:
https://zhongwencool.github.io/observer_cli ([https](https://zhongwencool.github.io/observer_cli ) result 301).
# Ignored
These URLs were intentionally ignored.
* http://localhost:8080/uaa/oauth/token with 1 occurrences
2019-03-20 03:11:57 -05:00
0e19df0ce4
Rename uaa_jwt app env setting to key_config
...
See this comment for context:
https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/pull/18#issuecomment-409016622
2018-07-31 15:51:20 -07:00
4bd726b5d4
uaa_jwt is no longer a separate application
...
In order for uaa_jwt settings to be populated by config files, they have to be part of a defined and running application. This PR adds support for a uaa_jwt sub-key of the main rabbitmq_auth_backend_oauth2 env key.
2018-07-20 15:25:09 -07:00
613e35be64
Miscellaneous build and doc fixes
...
* Update erlang.mk to resolve S3 bucket issue
* Update README to indicate that tokens need to be in the password field when clients log in
2018-07-19 15:44:37 -07:00
f0178d7729
rabbitmq_auth_backend_uaa => rabbitmq_auth_backend_oauth2
...
"OAuth 2" is many things but it's still more descriptive, open-ended and easier
to find than "uaa" (too tool-specific) or "jwt" (too narrow, not known widely enough).
Per discussion with @hairyhum @kjnilsson.
2018-07-19 22:20:57 +03:00
5b002c5eab
Fold uaa_jwt into this plugin
...
Per discussion with @hairyhum.
2018-07-19 19:22:47 +03:00
6618c21b1f
More integration tests
...
[#158782152 ]
[#158782156 ]
2018-07-19 14:40:18 +03:00
821f54c92a
More integration tests
...
[#158782152 ]
[#158782156 ]
2018-07-18 18:15:50 +03:00
37366191f2
Extract tags from the provided JWT token
...
Pair: @acogoluegnes.
[#158782152 ]
[#158782156 ]
2018-07-09 18:26:53 +03:00
ff5fdc0829
Logging, naming
...
[#158782152 ]
[#158782156 ]
2018-07-09 08:51:08 +03:00
915c45390c
Adopt uaa_jwt:client/2 and uaa_jwt:sub/2
...
[#158782152 ]
[#158782156 ]
2018-07-09 07:20:57 +03:00
e5c84c31fa
Pass decoded token so that effective username is computed from it
...
[#158782152 ]
[#158782156 ]
2018-07-06 17:35:34 +03:00
cb4dfba58a
Expect access token in the password field
...
We cannot pass access tokens in the username since
those are logged and displayed by operator tools.
Per discussion with @acogoluegnes.
[#158782152 ]
[#158782156 ]
2018-07-05 19:50:12 +03:00
54bf34d9c7
Wording
...
[#158782152 ]
[#158782156 ]
2018-07-03 20:02:48 +03:00
7a758a2ece
More test massaging, remove debug logging
...
[#158782152 ]
[#158782156 ]
2018-07-03 16:27:58 +03:00
4cc2cfef89
Split and simplify unit tests; naming
2018-07-03 02:15:51 +03:00
7cf71b01a6
Better errors when validating the decoded token
2018-06-25 15:51:29 +01:00
032be9763b
Use erlang version of uaa_jwt and jose
2018-06-21 17:07:35 +01:00
973ef5ccef
Add support for pem public key
2017-09-20 16:40:56 +01:00
540f3452c9
Handle json parsing error
2017-02-16 15:58:39 +00:00
7b421e6ae1
Return error instead of error_message to comply with authz_backend API
2017-02-08 16:32:59 +00:00
c71c3eb292
Test token expiration
2017-02-03 13:01:24 +00:00
612c9eeacf
Do not decode token every time permission is checked.
...
Decoded token is saved to `impl`.
When permission is checked, the `exp` field of the token
is compared to system_time and if the token is expired
`{error_message, "Token expired"}` is returned.
2017-02-02 18:31:01 +00:00
a07b4485e6
Test key validation when adding via cli command
2017-02-02 12:25:38 +00:00
78bb2044fb
Test command validation
2017-02-02 11:29:25 +00:00
df197ad5b9
Command to add UAA signing keys
2017-02-01 17:15:10 +00:00
759d66263b
Decode and verify UAA JWT tokens without connecting to UAA server
...
Fixes #3
Uses rabbitmq/uaa_jwt library to decode a token and verify signature.
Signing keys should be predefined in the uaa_jwt application environment
2017-01-27 11:32:14 +00:00
42e401e900
invalid_resource_authorization => resource_server_authentication_failed
...
HTTP 401 response can indicate an authorization failure as well
but let's assume authentication failures will be more common in this
specific case.
2017-01-27 01:51:48 +03:00
ff88614186
Wording
2017-01-27 01:34:47 +03:00
a53e4d3cb9
Support topic authorization
2017-01-24 17:26:59 +00:00
dfc61ec18f
Change scope to permission mapping
2016-12-20 13:13:18 +00:00
ff84dfae52
Support for custom resource kinds
2016-02-16 12:36:38 +00:00
b5c47a75f6
Resource ID filtering
2016-02-16 12:22:49 +00:00
4835e0b3af
Indent
2016-01-20 14:24:06 +00:00
99279bd10f
Tests
2016-01-20 14:04:14 +00:00
db72e7d9e3
Tesing on working UAA
2016-01-18 18:05:45 +00:00
0109fab275
Resource id. Scopes README
2016-01-15 17:03:31 +00:00
d6888dafb0
wrong arity
2016-01-15 16:51:16 +00:00
f0a5693939
rabbitmq_oauth2_scope from oauth backend
2016-01-15 16:50:25 +00:00
47da90b652
Init. Make request to /check_token
2016-01-15 14:50:21 +00:00
Michael Klishin
Arnaud Cogoluègnes
Michal Papuga
Michael Klishin
Spring Operator
Luke Bakken
Daniil Fedotov
Daniil Fedotov