From 892420e2c6211b8c2d2c8d86f3a14959aabf9fed Mon Sep 17 00:00:00 2001
From: firest
Date: Fri, 21 Jun 2024 22:38:20 +0800
Subject: [PATCH] feat(oidc): be more compatible with okta
---
 apps/emqx_dashboard_sso/rebar.config | 2 +-
 .../src/emqx_dashboard_sso_oidc.erl | 42 ++++++++++++++++++-
 .../src/emqx_dashboard_sso_oidc_api.erl | 10 ++++-
 rel/i18n/emqx_dashboard_sso_oidc.hocon | 9 ++++
 4 files changed, 58 insertions(+), 5 deletions(-)
diff --git a/apps/emqx_dashboard_sso/rebar.config b/apps/emqx_dashboard_sso/rebar.config
index 070e1edb1..e9a52c56d 100644
--- a/apps/emqx_dashboard_sso/rebar.config
+++ b/apps/emqx_dashboard_sso/rebar.config
@@ -5,5 +5,5 @@
 {emqx_ldap, {path, "../../apps/emqx_ldap"}},
 {emqx_dashboard, {path, "../../apps/emqx_dashboard"}},
 {esaml, {git, "https://github.com/emqx/esaml", {tag, "v1.1.3"}}},
- {oidcc, {git, "https://github.com/erlef/oidcc.git", {tag, "v3.2.0"}}}
+ {oidcc, {git, "https://github.com/emqx/oidcc.git", {branch, "ev3.2.0"}}}
 ]}.
diff --git a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc.erl b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc.erl
index d36d08cb7..f904230c7 100644
--- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc.erl
+++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc.erl
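Review bot: The oidcc dependency now resolves to a mutable branch on a fork, `{branch, "ev3.2.0"}`, where it previously pinned an immutable upstream tag, so the code compiled into a release can change without any edit to this file. For the library that drives dashboard SSO login that is a supply-chain exposure worth closing: pin the fork to a tag or an explicit commit, e.g. `{oidcc, {git, "https://github.com/emqx/oidcc.git", {tag, "ev3.2.0"}}}` once the fork carries one, or a `{ref, "<commit sha>"}` entry in the meantime. If a committed rebar.lock already records the resolved commit the drift is mitigated, but a branch name that looks like a version is still misleading to the next reader.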
@@ -91,6 +91,38 @@ fields(oidc) -> desc => ?DESC(require_pkce), default => false })}, + {preferred_auth_methods, + ?HOCON( + ?ARRAY( + ?ENUM([ + private_key_jwt, + client_secret_jwt, + client_secret_post, + client_secret_basic, + none + ]) + ), + #{ + desc => ?DESC(preferred_auth_methods), + default => [ + client_secret_post, + client_secret_basic, + none + ] + } + )}, + {provider, + ?HOCON(?ENUM([okta, generic]), #{ + mapping => "oidcc.provider", + desc => ?DESC(provider), + default => generic + })}, + {fallback_methods, + ?HOCON(?ARRAY(binary()), #{ + mapping => "oidcc.fallback_methods", + desc => ?DESC(fallback_methods), + default => [<<"RS256">>] + })}, {client_jwks, %% TODO: add url JWKS ?HOCON(?UNION([none, ?R_REF(client_file_jwks)]), #{ @@ -155,6 +187,7 @@ destroy(State) -> emqx_dashboard_sso_oidc_session:stop(), try_delete_jwks_file(State). +-dialyzer({nowarn_function, login/2}). login( _Req, #{ @@ -163,7 +196,8 @@ login( clientid := ClientId, secret := Secret, scopes := Scopes, - require_pkce := RequirePKCE + require_pkce := RequirePKCE, + preferred_auth_methods := AuthMethods } } = Cfg ) -> @@ -182,7 +216,11 @@ login( ?PROVIDER_SVR_NAME, ClientId, Secret, - Opts#{state => State, client_jwks => ClientJwks} + Opts#{ + state => State, + client_jwks => ClientJwks, + preferred_auth_methods => AuthMethods + } ) of {ok, [Base, Delimiter, Params]} -> diff --git a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc_api.erl b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc_api.erl index a1008f29d..3b5c9f5d8 100644 --- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc_api.erl +++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_oidc_api.erl @@ -117,7 +117,11 @@ retrieve_token( #{ name := Name, client_jwks := ClientJwks, - config := #{clientid := ClientId, secret := Secret} + config := #{ + clientid := ClientId, + secret := Secret, + preferred_auth_methods := AuthMethods + } } = Cfg, Data ) -> 
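Review bot: `fallback_methods` is declared as `?ARRAY(binary())` with no validator, and its default `[<<"RS256">>]` together with the description text suggests the entries are JWS algorithm names substituted when the provider metadata omits them; if that is what the oidcc fork does with the value (not visible here), a validator restricting entries to a known algorithm list — and rejecting `"none"` — would keep a typo or careless configuration from weakening ID-token verification. Both `provider` and `fallback_methods` use `mapping => "oidcc...."` into the oidcc application environment, which is node-global rather than per-backend and is presumably applied when the config file is loaded, so it is worth confirming that an update through the SSO management API re-applies it as well. The `none` entry in the default of `preferred_auth_methods` also deserves a why-comment, e.g. `%% 'none' stays last so it is only reached for providers that advertise no secret-based method -- confirm against oidcc`. The `fields(oidc)` clause starts and ends outside this hunk.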
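Review bot: The new `-dialyzer({nowarn_function, login/2})` attribute silences every warning for `login/2` without saying which one it hides, so the next reader cannot tell whether it is still needed or whether a genuine spec mismatch is being masked. Presumably the fork's spec for the oidcc call whose options map is extended in the later hunk does not yet include `preferred_auth_methods`; if so, say that and scope the suppression with a comment such as `%% dialyzer: the oidcc fork's spec does not yet cover preferred_auth_methods; drop once the fork's spec is updated` — or better, fix the spec in the fork and remove the attribute. `login/2` continues past the end of this hunk.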
@@ -129,7 +133,8 @@ retrieve_token( Secret, Data#{ redirect_uri => make_callback_url(Cfg), - client_jwks => ClientJwks + client_jwks => ClientJwks, + preferred_auth_methods => AuthMethods } ) of @@ -165,6 +170,7 @@ retrieve_userinfo(Token, #{ Error end. +-dialyzer({nowarn_function, ensure_user_exists/1}). ensure_user_exists(<<>>) -> {error, <<"Username can not be empty">>}; ensure_user_exists(<<"undefined">>) -> diff --git a/rel/i18n/emqx_dashboard_sso_oidc.hocon b/rel/i18n/emqx_dashboard_sso_oidc.hocon index a9a2f61c4..a13abeab2 100644 --- a/rel/i18n/emqx_dashboard_sso_oidc.hocon +++ b/rel/i18n/emqx_dashboard_sso_oidc.hocon @@ -33,4 +33,13 @@ client_file_jwks_type.desc: client_file_jwks_file.desc: """The content of the JWKS.""" +preferred_auth_methods.desc: +"""Set the valid authentication methods and their priority.""" + +provider.desc: +"""The OIDC provider.""" + +fallback_methods.desc: +"""Some providers do not provide all the method items in the provider configuration, set this value as a fallback for those items.""" + }
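Review bot: `-dialyzer({nowarn_function, ensure_user_exists/1})` is added to a function this commit does not otherwise touch, so it is not clear which warning it silences or why the Okta compatibility work needs it, and a blanket nowarn will also hide future spec regressions in the user-provisioning path. Please either name the warning and its cause in a comment above the attribute, e.g. `%% dialyzer: <warning> caused by <reason>; remove when <condition>`, or narrow the fix to the offending spec. `ensure_user_exists/1` continues past the end of this hunk.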