OAuth2: support opaque tokens #13978

Draft
wants to merge 34 commits into
base: main
Contributor

@MarcialRosales MarcialRosales commented May 29, 2025

Proposed Changes

Implements #8662

RabbitMQ will never cache the resolved JWT access token. It will only be cached for the duration of the session/connection. Once RabbitMQ resolves the JWT access token (i.e. exchanged the opaque one for a JWT one), it will work as usual, i.e. it will use the expiry date in the resolved JWT access token.

Tasks:

  • Add introspection endpoint settings to schema
  • Support opaque tokens via messaging protocols like amqp
  • Add Selenium messaging test to assert opaque tokens are supported over amqp
  • Support opaque tokens in management ui. It requires introspecting the token before passing it to the oauth backend. Otherwise, every single authorization request requires a token introspection
  • Support opaque tokens when using idp-initiated login. Here opaque tokens arrive on the Authorization header and they need to be introspected too.
  • Add Selenium tests for management ui with opaque tokens for sp-initiated login
  • Add Selenium tests for management ui with opaque tokens for idp-initiated login
  • Update documentation

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)
  • Build system and/or CI

@MarcialRosales MarcialRosales self-assigned this May 29, 2025
@MarcialRosales MarcialRosales force-pushed the feature-8662 branch 3 times, most recently from fe04c36 to 7c59322 Compare June 20, 2025 09:37
@MarcialRosales MarcialRosales force-pushed the feature-8662 branch 5 times, most recently from 1e50258 to 9605c96 Compare July 15, 2025 05:07
And add client used to introspect tokens
so that it is possible to test with
clients configured with opaque tokens
and others with jwt tokens
Refactoring needed so that the resolved
jwt token is kept in the management ui
so that the backend does not need to
resolve it permanently
Rather than configuring the type of token, the
server is able to detect if the token is jwt or not
so that management can cache the jwt token
resulting from introspecting an opaque one
related to accepted content type
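
The description above says an opaque token is exchanged for a JWT once and kept for the life of the connection, and a later commit note says the server detects whether a token is a JWT. The Python illustration below shows that flow as an added example, not RabbitMQ's code; `looks_like_jwt`, `Session`, the detection heuristic, the introspection stand-in and the sample tokens are all assumptions constructed here.

```python
import base64
import json
import time

def segment(seg: str):
    """Decode one base64url JWT segment (padding restored) as JSON."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def looks_like_jwt(token: str) -> bool:
    """Assumed heuristic: header.payload.signature with a JSON header naming an alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = segment(parts[0])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and "alg" in header

class Session:
    """Hypothetical per-connection state; the resolved JWT dies with the connection."""
    def __init__(self, presented: str, introspect, now=time.time):
        self._now = now
        # An opaque token costs exactly one introspection call, made here.
        self.jwt = presented if looks_like_jwt(presented) else introspect(presented)
        if not looks_like_jwt(self.jwt):
            raise ValueError("introspection did not yield a JWT")
        # Signature/audience validation is out of scope here; only expiry is modelled.
        self.exp = segment(self.jwt.split(".")[1])["exp"]

    def authorized(self) -> bool:
        # Expiry comes from the resolved JWT, not from the opaque token.
        return self._now() < self.exp

def make_jwt(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

def demo():
    """Constructed run: one opaque token, three authorization checks, then expiry."""
    calls, clock = [], [1000]
    def introspect(opaque):  # constructed stand-in for the IdP introspection endpoint
        calls.append(opaque)
        return make_jwt({"sub": "app", "exp": 1060})
    s = Session("opaque-8f3a", introspect, now=lambda: clock[0])
    before = [s.authorized() for _ in range(3)]
    clock[0] = 1061
    return len(calls), before, s.authorized()
```

`demo()` shows the property the task list cares about: repeated authorization checks on one connection trigger a single introspection call.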