Obtained jwt token from spring auth server

MarcialRosales · MarcialRosales · commit c489bfe57527 · 2025-06-17T13:06:57.000+02:00
Pendind to obtain an opaque
diff --git a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/SecurityConfig.java b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/SecurityConfig.java
@@ -4,7 +4,6 @@
 import java.security.KeyPairGenerator;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
-import java.util.List;
 import java.util.UUID;
 
 import org.springframework.context.annotation.Bean;
@@ -15,8 +14,6 @@
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
@@ -120,6 +117,10 @@ public OAuth2TokenCustomizer<JwtEncodingContext> jwtTokenCustomizer() {
 		return (context) -> {
 			if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
 				AbstractAuthenticationToken principal = context.getPrincipal();
+				System.out.println("registered client: " + context.getRegisteredClient());
+				System.out.println("authorities : " + principal.getAuthorities());
+				System.out.println("authorized scopes : " + context.getAuthorizedScopes());
+				
 				context.getClaims()
 					.audience(AudienceAuthority.getAll(principal))
 					.claim("extra_scope", ScopeAuthority.getAllUnauthorized(principal, 
diff --git a/selenium/authorization-server/src/main/resources/application.yml b/selenium/authorization-server/src/main/resources/application.yml
@@ -12,7 +12,7 @@ spring:
             alias: server-spring-tls
             password: foobar
           keystore:
-            location: ../test/oauth/spring/server_spring.jks
+            location: ../test/authnz-msg-protocols/spring/server_spring.jks
             password: foobar
             type: PKCS12
   security:
@@ -28,22 +28,25 @@ spring:
             - rabbitmq
       authorizationserver:
         client:
-          mgt_api_client:
+          producer:
             registration:
               provider: spring
-              client-id: mgt_api_client
+              client-id: producer
+              client-secret: "{noop}producer"
               authorization-grant-types: 
                 - client_credentials
               client-authentication-methods:
-                - client_secret_basic
-              require-proof-key: true
+                - client_secret_post
               token-settings:
-                access-token-format: reference
+                access-token-format: reference              
               scopes: 
                 - openid
                 - profile
                 - rabbitmq.tag:management
-              client-name: mgt_api_client
+                - rabbitmq.configure:*/*
+                - rabbitmq.read:*/*
+                - rabbitmq.write:*/*
+              client-name: producer
           rabbitmq_client_code:
             registration:
               provider: spring
diff --git a/selenium/suites/authnz-messaging/auth-cache-http-backends.sh b/selenium/suites/authnz-messaging/auth-cache-http-backends.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="http-user auth-http auth_backends-cache-http "
+PROFILES="amqp-http-user auth-http auth_backends-cache-http "
 
 source $SCRIPT/../../bin/suite_template
 runWith mock-auth-backend-http
diff --git a/selenium/suites/authnz-messaging/auth-cache-ldap-backends.sh b/selenium/suites/authnz-messaging/auth-cache-ldap-backends.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="ldap-user auth-ldap auth_backends-cache-ldap"
+PROFILES="amqp-ldap-user auth-ldap auth_backends-cache-ldap"
 
 source $SCRIPT/../../bin/suite_template
 runWith mock-auth-backend-ldap
diff --git a/selenium/suites/authnz-messaging/auth-http-backend-with-mtls.sh b/selenium/suites/authnz-messaging/auth-http-backend-with-mtls.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="internal-user auth-http auth_backends-http auth-mtls"
+PROFILES="amqp-internal-user auth-http auth_backends-http auth-mtls"
 # internal-user profile is used because the client certificates to 
 # access rabbitmq are issued with the alt_name = internal-user 
 
diff --git a/selenium/suites/authnz-messaging/auth-http-internal-backends-with-internal.sh b/selenium/suites/authnz-messaging/auth-http-internal-backends-with-internal.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="internal-user auth-http auth_backends-http-internal "
+PROFILES="amqp-internal-user auth-http auth_backends-http-internal "
 
 source $SCRIPT/../../bin/suite_template
 runWith mock-auth-backend-http
diff --git a/selenium/suites/authnz-messaging/auth-http-internal-backends.sh b/selenium/suites/authnz-messaging/auth-http-internal-backends.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="http-user auth-http auth_backends-http-internal "
+PROFILES="amqp-http-user auth-http auth_backends-http-internal "
 
 source $SCRIPT/../../bin/suite_template
 runWith mock-auth-backend-http
diff --git a/selenium/suites/authnz-messaging/auth-internal-backend.sh b/selenium/suites/authnz-messaging/auth-internal-backend.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="internal-user auth_backends-internal"
+PROFILES="amqp-internal-user auth_backends-internal"
 
 source $SCRIPT/../../bin/suite_template
 run
diff --git a/selenium/suites/authnz-messaging/auth-internal-http-backends.sh b/selenium/suites/authnz-messaging/auth-internal-http-backends.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="internal-user auth_http auth_backends-internal-http "
+PROFILES="amqp-internal-user auth_http auth_backends-internal-http "
 
 source $SCRIPT/../../bin/suite_template
 runWith mock-auth-backend-http
diff --git a/selenium/suites/authnz-messaging/auth-internal-mtls-backend.sh b/selenium/suites/authnz-messaging/auth-internal-mtls-backend.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="internal-user auth_backends-internal tls auth-mtls"
+PROFILES="amqp-internal-user auth_backends-internal tls auth-mtls"
 
 source $SCRIPT/../../bin/suite_template
 run
diff --git a/selenium/suites/authnz-messaging/auth-ldap-backend.sh b/selenium/suites/authnz-messaging/auth-ldap-backend.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="ldap-user auth-ldap auth_backends-ldap "
+PROFILES="amqp-ldap-user auth-ldap auth_backends-ldap "
 
 source $SCRIPT/../../bin/suite_template
 runWith mock-auth-backend-ldap
diff --git a/selenium/suites/authnz-messaging/auth-oauth-backend-with-opaque-tokens.sh b/selenium/suites/authnz-messaging/auth-oauth-backend-with-opaque-tokens.sh
@@ -3,7 +3,7 @@
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 TEST_CASES_PATH=/authnz-msg-protocols
-PROFILES="spring oauth-producer auth-oauth-spring auth_backends-opaque-oauth auth-mtls"
+PROFILES="spring oauth-producer auth-oauth-spring auth_backends-opaque-oauth "
 
 source $SCRIPT/../../bin/suite_template
 runWith spring
diff --git a/selenium/test/authnz-msg-protocols/env.amqp-http-user b/selenium/test/authnz-msg-protocols/env.amqp-http-user
diff --git a/selenium/test/authnz-msg-protocols/env.amqp-internal-user b/selenium/test/authnz-msg-protocols/env.amqp-internal-user
@@ -1,2 +1,3 @@
 export RABBITMQ_AMQP_USERNAME=internaluser
 export RABBITMQ_AMQP_PASSWORD=management
+export RABBITMQ_MQTT_CLIENT_ID=internaluser
diff --git a/selenium/test/authnz-msg-protocols/env.amqp-ldap-user b/selenium/test/authnz-msg-protocols/env.amqp-ldap-user
diff --git a/selenium/test/authnz-msg-protocols/env.auth-oauth-spring.local b/selenium/test/authnz-msg-protocols/env.auth-oauth-spring.local
@@ -1,4 +1,4 @@
 export SPRING_URL=https://localhost:8443
 export OAUTH_PROVIDER_URL=https://localhost:8443
-export SPRING_CA_CERT=authnz-msg-protocols/spring/ca_spring_certificate.pem
+export SPRING_CA_CERT=${TEST_CONFIG_PATH}/spring/ca_spring_certificate.pem
 export OAUTH_NODE_EXTRA_CA_CERTS=authnz-msg-protocols/spring/ca_spring_certificate.pem
diff --git a/selenium/test/authnz-msg-protocols/mqtt.js b/selenium/test/authnz-msg-protocols/mqtt.js
@@ -21,7 +21,7 @@ describe('Having MQTT protocol enbled and the following auth_backends: ' + backe
   let mqttUrl = process.env.RABBITMQ_MQTT_URL || "mqtt://" + rabbit + ":1883"
   let username = process.env.RABBITMQ_AMQP_USERNAME
   let password = process.env.RABBITMQ_AMQP_PASSWORD
-  let client_id = process.env.RABBITMQ_AMQP_USERNAME || 'selenium-client'
+  let client_id = process.env.RABBITMQ_MQTT_CLIENT_ID || 'selenium-client'
   
   before(function () {    
     if (backends.includes("http") && (username.includes("http") || usemtls)) {
@@ -47,7 +47,7 @@ describe('Having MQTT protocol enbled and the following auth_backends: ' + backe
       log("Obtening OpenId configuration from " + oauthProviderUrl)
       let openIdConfig = openIdConfiguration(oauthProviderUrl)
       log("Obtaining token from  " + openIdConfig.token_endpoint + " using " + oauthClientId + ":" + oauthClientSecret)
-      password = tokenFor(oauthClientId, oauthClientSecret, openIdConfig.token_endpoint)
+      password = tokenFor(oauthClientId, oauthClientSecret, openIdConfig.token_endpoint, "rabbitmq.configure:*/*")
       log("Obtained access token : " + password)
     }
     mqttOptions = {
diff --git a/selenium/test/authnz-msg-protocols/rabbitmq.auth_backends-opaque-oauth.conf b/selenium/test/authnz-msg-protocols/rabbitmq.auth_backends-opaque-oauth.conf
@@ -4,16 +4,13 @@ log.console.level = debug
 auth_backends.1 = rabbit_auth_backend_oauth2
 
 # Common auth_oauth2 settings for all resources
-auth_oauth2.preferred_username_claims.1 = preferred_username
-auth_oauth2.preferred_username_claims.2 = user_name
-auth_oauth2.preferred_username_claims.3 = email
+auth_oauth2.preferred_username_claims.1 = sub
 
-## Resource servers hosted by this rabbitmq instance
-auth_oauth2.resource_servers.1.id = rabbitmq
-auth_oauth2.resource_servers.1.oauth_provider_id = spring
+## Resource server hosted by this rabbitmq instance
+auth_oauth2.resource_server_id = rabbitmq
+auth_oauth2.verify_aud = false 
+auth_oauth2.issuer = ${SPRING_URL}
+auth_oauth2.https.cacertfile = ${SPRING_CA_CERT}
+auth_oauth2.https.verify = verify_peer
+auth_oauth2.https.hostname_verification = wildcard
 
-## Oauth providers
-auth_oauth2.oauth_providers.spring.issuer = ${SPRING_URL}
-auth_oauth2.oauth_providers.spring.https.cacertfile = ${SPRING_CA_CERT}
-auth_oauth2.oauth_providers.spring.https.verify = verify_peer
-auth_oauth2.oauth_providers.spring.https.hostname_verification = wildcard
diff --git a/selenium/test/authnz-msg-protocols/spring/application.yml b/selenium/test/authnz-msg-protocols/spring/application.yml
@@ -43,6 +43,9 @@ spring:
                 - openid
                 - profile
                 - rabbitmq.tag:management
+                - rabbitmq.configure:*/*
+                - rabbitmq.read:*/*
+                - rabbitmq.write:*/*
               client-name: producer
           rabbitmq_client_code:
             registration:
diff --git a/selenium/test/utils.js b/selenium/test/utils.js
@@ -236,14 +236,16 @@ module.exports = {
     }
   },
 
-  tokenFor: (client_id, client_secret, url = uaaUrl) => {
+  tokenFor: (client_id, client_secret, url = uaaUrl, scopes = "") => {
     const req = new XMLHttpRequest()
-    const params = 'client_id=' + client_id +
+    let params = 'client_id=' + client_id +
       '&client_secret=' + client_secret +
       '&grant_type=client_credentials' +
       '&token_format=jwt' +
       '&response_type=token'
-
+    if (scopes != "") {
+      params = params + "&scope=" + scopes
+    }
     req.open('POST', url, false)
     req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
     req.setRequestHeader('Accept', 'application/json')
