Forgerock OAuth provider#13499
Conversation
|
Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md)
|
Abstracted the shared OIDC token exchange into a new AbstractOIDCAuth2PRovider base class.
6cc6acd to
3284edd
Compare
|
@bddvlpr |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #13499 +/- ##
=========================================
Coverage 18.94% 18.94%
- Complexity 18363 18365 +2
=========================================
Files 6192 6194 +2
Lines 556361 556380 +19
Branches 67908 67909 +1
=========================================
+ Hits 105397 105413 +16
- Misses 439393 439394 +1
- Partials 11571 11573 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
@blueorangutan package |
|
@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress. |
|
Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 18391 |
DaanHoogland
left a comment
There was a problem hiding this comment.
clgtm. I don’t think the current smoke test suite makes sense for this PR. manual testing needed.
|
Tested and verified successfully with an actual ForgeRock AM setup. |
There was a problem hiding this comment.
Pull request overview
This PR adds ForgeRock as a supported OAuth2/OIDC identity provider and refactors the existing Keycloak implementation by introducing a shared AbstractOIDCOAuth2Provider base class to avoid duplicated OIDC token-exchange logic.
Changes:
- Add ForgeRock as an OAuth provider across UI, config, and Spring plugin registration.
- Introduce
AbstractOIDCOAuth2Providerand refactorKeycloakOAuth2Providerinto a thin subclass. - Consolidate/replace Keycloak-specific tests with base-class OIDC tests.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| ui/src/views/auth/Login.vue | Adds ForgeRock login button and builds ForgeRock authorize URL from configured provider settings. |
| ui/src/config/section/config.js | Extends provider selection options to include forgerock. |
| ui/public/assets/forgerock.svg | Adds ForgeRock logo asset used by the login button. |
| plugins/user-authenticators/oauth2/src/test/java/org/apache/cloudstack/oauth2/oidc/AbstractOIDCOAuth2ProviderTest.java | Adds unit tests for the shared OIDC provider behavior. |
| plugins/user-authenticators/oauth2/src/test/java/org/apache/cloudstack/oauth2/keycloak/KeycloakOAuth2ProviderTest.java | Removes redundant Keycloak-specific tests in favor of shared OIDC tests. |
| plugins/user-authenticators/oauth2/src/main/resources/META-INF/cloudstack/oauth2/spring-oauth2-context.xml | Registers the ForgeRock provider bean and updates default provider ordering. |
| plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/oidc/AbstractOIDCOAuth2Provider.java | Introduces shared OIDC token exchange / ID token parsing logic. |
| plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/keycloak/KeycloakOAuth2Provider.java | Refactors Keycloak provider to extend the shared OIDC base. |
| plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/forgerock/ForgeRockOAuth2Provider.java | Adds ForgeRock provider implementation (thin OIDC subclass). |
| plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/RegisterOAuthProviderCmd.java | Updates registration validation/messages for OIDC providers (Keycloak + ForgeRock). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| public abstract class AbstractOIDCOAuth2Provider extends AdapterBase implements UserOAuth2Authenticator { | ||
|
|
||
| protected String idToken = null; |
| throw new CloudAuthenticationException(String.format("%s provider is not registered, so user cannot be verified", getName())); | ||
| } | ||
|
|
||
| if (StringUtils.isBlank(idToken)) { |
| String idTokenAsString = fetchedIdToken.getAsString(); | ||
| validateIdToken(idTokenAsString, provider); | ||
|
|
||
| this.idToken = idTokenAsString; |
| protected void clearIdToken() { | ||
| idToken = null; | ||
| } |
| const options = { | ||
| redirect_uri: this.forgerockredirecturi, | ||
| client_id: this.forgerockclientid, | ||
| response_type: 'code', | ||
| scope: 'openid email', | ||
| state: 'cloudstack' | ||
| } |
Description
This PR adds ForgeRock as a supported OAuth2 identity provider. While writing it up I noticed that the new Keycloak provider (committed 4 days ago) would have been a line-for-line copy of this OIDC pipeline. Rather than duplicating it I've abstracted the process into a shared OIDC provider and reduced both the new Keycloak and ForgeRock providers to thin subclasses. \
Perhaps in the future this should be handled as an unbound provider (just a generic OIDC provider, pluggable with any OIDC-compliant server), but for now, this'll do.
Types of changes
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
Bug Severity
Screenshots (if appropriate):
How Has This Been Tested?
Currently only tested against a mock setup, hence why this is a draft. Moved (and merged) the keycloak test into the abstraction layer test.
How did you try to break this feature and the system with this change?