HP-1361 Feat/keycloak external OIDC

README.md

@@ -76,6 +76,22 @@ Two methods exist for authenticating a request to the `/token` endpoint:
                 ...
             }
         },
+        {
+            "base_url": "https://non-fence-data.org/",
+            "oidc_client_id": "xxx",
+            "oidc_client_secret": "xxx",
+            "login_options": {
+                "externaldata-keycloak": {
+                    "name": "keycloak Login",
+                    "params": {
+                        "idp": "keycloak",
+                        "auth_url": "auth/realms/xyz/protocol/openid-connect/auth",
+                        "token_url": "auth/realms/xyz/protocol/openid-connect/token",
+                        "scope": "openid profile offline_access"
+                   }
+                }
+            }
+        },
         ...
     ]
 }
@@ -88,11 +104,13 @@ Note that IDP IDs (`other-google` and `other-orcid` in the example above) must b
 Also note that the OIDC clients you create must be granted `read-storage` access to all the data in the external
 Data Commons via the data-commons' `user.yaml`.
 
-Finally, the `redirect_uri` property for external OIDC providers is
+The `redirect_uri` property for external OIDC providers is
 an optional field that supports sharing OIDC client
 configuration between multiple workspace deployments
 as part of a multi-account application system.
 
+Finally, non fence IDPs can be provided given their auth url, token url, and necessary scope as a part part of the `params` of the external IDP.
+
 The key `aggregate_endpoint_allowlist` is an optional key which consists of a list of endpoints that are supported by the `/aggregate` api.
 
 ## Dev-Test

wts/api.py

@@ -4,7 +4,7 @@
 import flask
 from flask import Flask
 import json
-from urllib.parse import urlparse
+from urllib.parse import urlparse, urljoin
 from cdislogging import get_logger
 from cdiserrors import APIError
 
@@ -59,9 +59,10 @@ def load_settings(app):
         "client_secret": get_var("OIDC_CLIENT_SECRET"),
         "commons_hostname": urlparse(fence_base_url).netloc,
         "api_base_url": fence_base_url,
-        "authorize_url": fence_base_url + "oauth2/authorize",
-        "access_token_url": fence_base_url + "oauth2/token",
-        "redirect_uri": wts_base_url + "oauth2/authorize",
+        "authorize_url": urljoin(fence_base_url, "oauth2/authorize"),
+        "access_token_url": urljoin(fence_base_url, "oauth2/token"),
+        "redirect_uri": urljoin(wts_base_url, "oauth2/authorize"),
+        "username_field": "context.user.name",
         "scope": "openid data user",
         "state_prefix": "",
     }
@@ -74,23 +75,40 @@ def load_settings(app):
         redirect_uri = get_var("REDIRECT_URI", default="", secret_config=conf)
         state_prefix = wts_hostname or ""
         if not redirect_uri:
-            redirect_uri = wts_base_url + "oauth2/authorize"
+            redirect_uri = urljoin(wts_base_url, "oauth2/authorize")
             state_prefix = ""
 
         for idp, idp_conf in conf.get("login_options", {}).items():
-            authorization_url = fence_base_url + "oauth2/authorize"
-            authorization_url = add_params_to_uri(
-                authorization_url, idp_conf.get("params", {})
-            )
+            scope = "openid data user"
+            idp_params = idp_conf.get("params", {})
+            idp_client = idp_params.get("idp", "")
+
+            if "auth_url" in idp_params and "token_url" in idp_params:  # Generic OIDC
+                auth_endpoint = idp_params.get("auth_url")
+                token_endpoint = idp_params.get("token_url")
+                username_field = idp_params.get("id_token_username_field", "")
+                scope = idp_params.get("scope", scope)
+                authorization_url = urljoin(url, auth_endpoint)
+                access_token_url = urljoin(url, token_endpoint)
+
+            else:  # Default Gen3 Fence Integration
+                authorization_url = urljoin(fence_base_url, "oauth2/authorize")
+                access_token_url = urljoin(fence_base_url, "oauth2/token")
+                username_field = "context.user.name"
+                authorization_url = add_params_to_uri(
+                    authorization_url, idp_conf.get("params", {})
+                )
+
             app.config["OIDC"][idp] = {
                 "client_id": get_var("OIDC_CLIENT_ID", secret_config=conf),
                 "client_secret": get_var("OIDC_CLIENT_SECRET", secret_config=conf),
                 "commons_hostname": urlparse(fence_base_url).netloc,
                 "api_base_url": fence_base_url,
+                "username_field": username_field,
                 "authorize_url": authorization_url,
-                "access_token_url": fence_base_url + "oauth2/token",
+                "access_token_url": access_token_url,
                 "redirect_uri": redirect_uri,
-                "scope": "openid data user",
+                "scope": scope,
                 "state_prefix": state_prefix,
             }
 

wts/blueprints/oauth2.py

@@ -50,7 +50,7 @@ def get_authorization_url():
 
     requested_idp = flask.request.args.get("idp", "default")
     client = get_oauth_client(idp=requested_idp)
-    # This will be the value that was put in the ``metadata`` in config.
+    # This will be the value is in /wts/api.py
     state_prefix = client.metadata.get("state_prefix")
     authorize_url = client.metadata.get("authorize_url")
     state = generate_token()

wts/resources/oauth2.py

@@ -14,16 +14,22 @@ def client_do_authorize():
     requested_idp = flask.session.get("idp", "default")
     client = get_oauth_client(idp=requested_idp)
     token_url = client.metadata["access_token_url"]
+
+    # username_field is defined for external oidc clients but it defaults
+    # to context.user.name for fence clients
+    username_field = client.metadata["username_field"]
+
     mismatched_state = (
         "state" not in flask.request.args
         or "state" not in flask.session
         or flask.request.args["state"] != flask.session.pop("state")
     )
+
     if mismatched_state:
         raise AuthError("could not authorize; state did not match across auth requests")
     try:
         tokens = client.fetch_token(token_url, **flask.request.args.to_dict())
-        refresh_refresh_token(tokens, requested_idp)
+        refresh_refresh_token(tokens, requested_idp, username_field)
     except KeyError as e:
         raise AuthError("error in token response: {}".format(tokens))
     except AuthlibBaseError as e:
@@ -43,7 +49,7 @@ def find_valid_refresh_token(username, idp):
     return has_valid
 
 
-def refresh_refresh_token(tokens, idp):
+def refresh_refresh_token(tokens, idp, username_field):
     """
     store new refresh token in db and purge all old tokens for the user
     """
@@ -59,6 +65,7 @@ def refresh_refresh_token(tokens, idp):
         "verify_at_hash": False,
         "leeway": 0,
     }
+
     refresh_token = tokens["refresh_token"]
     id_token = tokens["id_token"]
     # TODO: verify signature with authutils
@@ -84,9 +91,14 @@ def refresh_refresh_token(tokens, idp):
     user = current_user
     username = user.username
 
+    idp_username = id_token
+    # username field is written like "context.user.name" so we split it and loop through the segments
+    for field in username_field.split("."):
+        idp_username = idp_username.get(field)
+
     flask.current_app.logger.info(
         'Linking username "{}" for IdP "{}" to current user "{}"'.format(
-            id_token["context"]["user"]["name"], idp, username
+            idp_username, idp, username
         )
     )
     new_token = RefreshToken(