This is an automated email from the ASF dual-hosted git repository.

tiagobento pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-kie-tools.git


The following commit(s) were added to refs/heads/main by this push:
     new 144408a8be3 [kie-issues#1938] Remove userinfo call from Management 
Console to support Azure as IDP (#3085)
144408a8be3 is described below

commit 144408a8be3f3204eddf809eda337c444f084b6a
Author: jamedard <[email protected]>
AuthorDate: Fri May 2 23:49:47 2025 +0200

    [kie-issues#1938] Remove userinfo call from Management Console to support 
Azure as IDP (#3085)
    
    Co-authored-by: Jordan MEDARD <[email protected]>
---
 packages/kogito-management-console/README.md        | 10 ++++++----
 .../README.md                                       |  2 +-
 .../build/defaultEnvJson.js                         |  2 ++
 .../env/index.js                                    |  5 +++++
 .../src/aboutModal/AboutButton.tsx                  |  6 ++++++
 .../src/authSessions/AuthSessionApi.ts              |  3 +--
 .../src/authSessions/AuthSessionsService.ts         | 21 ++++++++++++---------
 .../authSessions/components/NewAuthSessionModal.tsx | 12 ++++++++----
 .../src/env/EnvJson.ts                              |  1 +
 9 files changed, 42 insertions(+), 20 deletions(-)

diff --git a/packages/kogito-management-console/README.md 
b/packages/kogito-management-console/README.md
index 5862ab91ff0..26826c6f821 100644
--- a/packages/kogito-management-console/README.md
+++ b/packages/kogito-management-console/README.md
@@ -70,10 +70,11 @@ This package contains the `Containerfile/Dockerfile` and 
scripts to build a cont
 
    [comment]: <> (//TODO: Use EnvJson.schema.json to generate this 
documentation somehow.. See https://github.com/kiegroup/kie-issues/issues/16)
 
-   |                           Name                           |                
          Description                           |                               
             Default                                            |
-   | :------------------------------------------------------: | 
:------------------------------------------------------------: | 
:-------------------------------------------------------------------------------------------:
 |
-   |       `RUNTIME_TOOLS_MANAGEMENT_CONSOLE_APP_NAME`        |                
  Management Console app name.                  | See [ defaultEnvJson.js 
](../runtime-tools-management-console-webapp/build/defaultEnvJson.js) |
-   | `RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID` | OpenID Connect 
client ID for connecting to Identity Providers. | See [ defaultEnvJson.js 
](../runtime-tools-management-console-webapp/build/defaultEnvJson.js) |
+   |                             Name                              |           
                  Description                              |                    
                        Default                                            |
+   | :-----------------------------------------------------------: | 
:------------------------------------------------------------------: | 
:-------------------------------------------------------------------------------------------:
 |
+   |          `RUNTIME_TOOLS_MANAGEMENT_CONSOLE_APP_NAME`          |           
          Management Console app name.                     | See [ 
defaultEnvJson.js 
](../runtime-tools-management-console-webapp/build/defaultEnvJson.js) |
+   |   `RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID`    |    OpenID 
Connect client ID for connecting to Identity Providers.    | See [ 
defaultEnvJson.js 
](../runtime-tools-management-console-webapp/build/defaultEnvJson.js) |
+   | `RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES` | OpenID 
Connect default scopes when connecting to Identity Providers. | See [ 
defaultEnvJson.js 
](../runtime-tools-management-console-webapp/build/defaultEnvJson.js) |
 
    ### Examples
 
@@ -92,6 +93,7 @@ This package contains the `Containerfile/Dockerfile` and 
scripts to build a cont
 
    ENV RUNTIME_TOOLS_MANAGEMENT_CONSOLE_APP_NAME=<my_app_name>
    ENV RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID=<my_client_id>
+   ENV 
RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES=<my_default_scopes>
    ```
 
 3. Create the application from the image in OpenShift and set the deployment 
environment variable right from the OpenShift UI.
diff --git a/packages/runtime-tools-management-console-webapp/README.md 
b/packages/runtime-tools-management-console-webapp/README.md
index 88122a29fef..df7005778c6 100644
--- a/packages/runtime-tools-management-console-webapp/README.md
+++ b/packages/runtime-tools-management-console-webapp/README.md
@@ -91,7 +91,7 @@ modal:
 More settings are available in the **Advanced OpenID Connect settings** 
section:
 
 - **Client ID**: Overrides the Client ID used for this connection. Defaults to 
the value of the `RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID` 
environment variable.
-- **Scope**: Overrides the scopes requested to the Identity Provider. Useful 
from some Identity Providers that will only grant a Refresh Token if the 
`offline_access` scope is included. Defaults to `openid email profile`.
+- **Scope**: Overrides the scopes requested to the Identity Provider. Useful 
from some Identity Providers that will only grant a Refresh Token if the 
`offline_access` scope is included. Defaults to the value of the 
`RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES` environment 
variable
 - **Audience**: This is the `audience` parameter in the Authorization request. 
Used to identify the service that the token is intended for. Empty by default.
 
 If your runtime uses OpenID Connect authentication, you should be redirected 
to the Identity Provider
diff --git 
a/packages/runtime-tools-management-console-webapp/build/defaultEnvJson.js 
b/packages/runtime-tools-management-console-webapp/build/defaultEnvJson.js
index bec7591a21d..c846344fb75 100644
--- a/packages/runtime-tools-management-console-webapp/build/defaultEnvJson.js
+++ b/packages/runtime-tools-management-console-webapp/build/defaultEnvJson.js
@@ -23,5 +23,7 @@ module.exports = {
   defaultEnvJson: {
     RUNTIME_TOOLS_MANAGEMENT_CONSOLE_APP_NAME: 
env.runtimeToolsManagementConsoleWebapp.appName,
     RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID: 
env.runtimeToolsManagementConsoleWebapp.oidcClient.clientId,
+    RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES:
+      env.runtimeToolsManagementConsoleWebapp.oidcClient.defaultScopes,
   },
 };
diff --git a/packages/runtime-tools-management-console-webapp/env/index.js 
b/packages/runtime-tools-management-console-webapp/env/index.js
index c9a0fe6061f..50742d5e794 100644
--- a/packages/runtime-tools-management-console-webapp/env/index.js
+++ b/packages/runtime-tools-management-console-webapp/env/index.js
@@ -41,6 +41,10 @@ module.exports = 
composeEnv([require("@kie-tools/root-env/env")], {
       default: "management-console-dev-webapp",
       description: "Client ID used for OpenID Connect client configuration.",
     },
+    RUNTIME_TOOLS_MANAGEMENT_CONSOLE_WEBAPP__oidcClientDefaultScopes: {
+      default: "openid email profile",
+      description: "Default scopes used for OpenID Connect client 
configuration.",
+    },
   }),
   get env() {
     return {
@@ -60,6 +64,7 @@ module.exports = 
composeEnv([require("@kie-tools/root-env/env")], {
         },
         oidcClient: {
           clientId: 
getOrDefault(this.vars.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_WEBAPP__oidcClientClientId),
+          defaultScopes: 
getOrDefault(this.vars.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_WEBAPP__oidcClientDefaultScopes),
         },
         appName: 
getOrDefault(this.vars.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_WEBAPP__appName),
         buildInfo: 
getOrDefault(this.vars.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_WEBAPP__buildInfo),
diff --git 
a/packages/runtime-tools-management-console-webapp/src/aboutModal/AboutButton.tsx
 
b/packages/runtime-tools-management-console-webapp/src/aboutModal/AboutButton.tsx
index a0b68603da5..92143d5ab25 100644
--- 
a/packages/runtime-tools-management-console-webapp/src/aboutModal/AboutButton.tsx
+++ 
b/packages/runtime-tools-management-console-webapp/src/aboutModal/AboutButton.tsx
@@ -93,6 +93,12 @@ export const AboutButton: React.FunctionComponent = () => {
                 {env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID}
               </DescriptionListDescription>
             </DescriptionListGroup>
+            <DescriptionListGroup>
+              <DescriptionListTerm>OIDC Client (default scopes): 
</DescriptionListTerm>
+              <DescriptionListDescription>
+                
{env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES}
+              </DescriptionListDescription>
+            </DescriptionListGroup>
             <DescriptionListGroup>
               <DescriptionListTerm>Commit SHA: </DescriptionListTerm>
               
<DescriptionListDescription>{commitSha}</DescriptionListDescription>
diff --git 
a/packages/runtime-tools-management-console-webapp/src/authSessions/AuthSessionApi.ts
 
b/packages/runtime-tools-management-console-webapp/src/authSessions/AuthSessionApi.ts
index 2884343301c..21db8cd42a0 100644
--- 
a/packages/runtime-tools-management-console-webapp/src/authSessions/AuthSessionApi.ts
+++ 
b/packages/runtime-tools-management-console-webapp/src/authSessions/AuthSessionApi.ts
@@ -19,7 +19,7 @@
 
 import { LfsFsCache } from 
"@kie-tools-core/workspaces-git-fs/dist/lfs/LfsFsCache";
 import { LfsStorageService } from 
"@kie-tools-core/workspaces-git-fs/dist/lfs/LfsStorageService";
-import { IDToken, ServerMetadata, TokenEndpointResponse, UserInfoResponse } 
from "openid-client";
+import { IDToken, ServerMetadata, TokenEndpointResponse } from "openid-client";
 
 export const authSessionFsCache = new LfsFsCache();
 export const authSessionFsService = new LfsStorageService();
@@ -88,7 +88,6 @@ export type OpenIDConnectAuthSession = {
   impersonator?: boolean;
   claims: IDToken;
   issuer: string;
-  userInfo: UserInfoResponse;
   clientId: string;
   clientSecret?: string;
   audience?: string;
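Review bot: Dropping `userInfo` from `OpenIDConnectAuthSession` changes the shape of a persisted record (the type carries `version: AUTH_SESSIONS_VERSION_NUMBER` and is stored through `authSessionFsService`), but the hunk does not show the version being bumped or old records being migrated, so sessions written by the previous build will keep a stale `userInfo` object — containing e-mail and name — in local storage until they are deleted. If the version constant is not bumped elsewhere in this commit, consider either bumping it or stripping the field when existing sessions are loaded, and document the decision next to the field removal, e.g. `// userInfo was removed in this version; older persisted sessions may still carry it.` The type definition starts outside the hunk.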
diff --git 
a/packages/runtime-tools-management-console-webapp/src/authSessions/AuthSessionsService.ts
 
b/packages/runtime-tools-management-console-webapp/src/authSessions/AuthSessionsService.ts
index 1694de1cf50..1fef790f188 100644
--- 
a/packages/runtime-tools-management-console-webapp/src/authSessions/AuthSessionsService.ts
+++ 
b/packages/runtime-tools-management-console-webapp/src/authSessions/AuthSessionsService.ts
@@ -233,20 +233,16 @@ export class AuthSessionsService {
 
     const tokens = await client.refreshTokenGrant(config, 
args.authSession.tokens.refresh_token);
 
-    const { access_token } = tokens;
     const claims = tokens.claims();
     if (!claims) {
       // expires_in was not returned by the authorization server
       console.error(`Failed to extract claims from token for AuthSession: 
${args.authSession.id}!`);
       throw new Error("Failed to extract claims from token.");
     }
-    const { sub } = claims;
-    const userInfo = await client.fetchUserInfo(config, access_token, sub);
 
     return {
       tokens,
       claims,
-      userInfo,
       tokensRefreshedAtDateISO: new Date(Date.now()).toISOString(),
       status: AuthSessionStatus.VALID,
     };
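Review bot: After `refreshTokenGrant` nothing verifies that the refreshed ID token still describes the user the stored session belongs to; the removed `fetchUserInfo(config, access_token, sub)` was the only call that cross-checked a subject at all, and OIDC requires the `sub` of an ID token issued on refresh to equal the original one. Before the `return`, compare the new claims with the stored ones: `if (claims.sub !== args.authSession.claims.sub) { throw new Error("Subject changed on token refresh."); }` (or pass the expected subject to the refresh grant if the openid-client version in use supports that option). The method begins outside the hunk, so `args.authSession.claims` is assumed from the type in AuthSessionApi.ts.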
@@ -293,22 +289,23 @@ export class AuthSessionsService {
       idTokenExpected: true,
     });
 
-    const { access_token } = tokens;
     const claims = tokens.claims();
     if (!claims) {
       // expires_in was not returned by the authorization server
       console.error("Failed to extract claims from token");
       throw new Error("Failed to extract claims from token.");
     }
-    const { sub } = claims;
-    const userInfo = await client.fetchUserInfo(config, access_token, sub);
 
     const authSession: OpenIDConnectAuthSession = {
       id: uuid(),
       type: AuthSessionType.OPENID_CONNECT,
       version: AUTH_SESSIONS_VERSION_NUMBER,
       name: temporaryAuthSessionData.name,
-      username: userInfo.preferred_username ?? userInfo.email ?? userInfo.sub,
+      username:
+        this.getClaimAsString(claims.preferred_username) ??
+        this.getClaimAsString(claims.name) ??
+        this.getClaimAsString(claims.email) ??
+        claims.sub,
       // TODO: This changes between IdPs. Figure out a generic way to list the 
users roles.
       roles: [],
       // TODO: Somehow get this information from the Kogito application.
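Review bot: `preferred_username`, `name` and `email` are mutable display claims that the OIDC spec says an RP must not treat as unique, so the `username` built here must remain a label and never feed an authorization or lookup decision; the stable identity is `claims.sub` scoped to `issuer`. A short comment above `username:` would keep a later maintainer from reusing it, e.g. `// Display only: these claims are mutable and may collide across users; identity is (issuer, claims.sub).` The ID token these claims come from is validated by openid-client's `authorizationCodeGrant`, so the switch away from the userinfo endpoint does not weaken the source of the values. The enclosing method starts outside the hunk.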
@@ -320,7 +317,6 @@ export class AuthSessionsService {
       claims,
       runtimeUrl: temporaryAuthSessionData.runtimeUrl,
       issuer: issuer.toString(),
-      userInfo: userInfo,
       status: AuthSessionStatus.VALID,
       createdAtDateISO: new Date(Date.now()).toISOString(),
       tokensRefreshedAtDateISO: new Date(Date.now()).toISOString(),
@@ -328,4 +324,11 @@ export class AuthSessionsService {
 
     return authSession;
   }
+
+  private static getClaimAsString(claim: client.JsonValue | undefined): string 
| undefined {
+    if (typeof claim === "string") {
+      return claim;
+    }
+    return undefined;
+  }
 }
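Review bot: `getClaimAsString` returns an empty string as-is, and because the caller chains with `??`, an IdP that sends `preferred_username: ""` would stop the fallback chain and leave a blank username instead of falling through to `name`, `email` or `sub`. Treat blank values as absent: `return typeof claim === "string" && claim.trim() !== "" ? claim : undefined;`. A one-line TSDoc such as `/** Returns the claim when it is a non-empty string, otherwise undefined so callers can fall back. */` would document that contract.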
diff --git 
a/packages/runtime-tools-management-console-webapp/src/authSessions/components/NewAuthSessionModal.tsx
 
b/packages/runtime-tools-management-console-webapp/src/authSessions/components/NewAuthSessionModal.tsx
index 62ac886e54c..b607d254c35 100644
--- 
a/packages/runtime-tools-management-console-webapp/src/authSessions/components/NewAuthSessionModal.tsx
+++ 
b/packages/runtime-tools-management-console-webapp/src/authSessions/components/NewAuthSessionModal.tsx
@@ -24,7 +24,7 @@ import { useAuthSessions, useAuthSessionsDispatch } from 
"../AuthSessionsContext
 import { AuthSessionsService } from "../AuthSessionsService";
 import { useEnv } from "../../env/hooks/EnvContext";
 import { useRoutes } from "../../navigation/Hooks";
-import { AUTH_SESSION_OIDC_DEFAULT_SCOPES, AuthSession } from 
"../AuthSessionApi";
+import { AuthSession } from "../AuthSessionApi";
 import { TextInput } from 
"@patternfly/react-core/dist/js/components/TextInput";
 import { Form, FormGroup, ActionGroup, FormHelperText } from 
"@patternfly/react-core/dist/js/components/Form";
 import { Checkbox } from "@patternfly/react-core/dist/js/components/Checkbox";
@@ -43,7 +43,7 @@ export const NewAuthSessionModal: React.FC<Props> = ({ 
onAddAuthSession }) => {
   const { env } = useEnv();
 
   const [audience, setAudience] = useState<string>();
-  const [scope, setScope] = useState<string>(AUTH_SESSION_OIDC_DEFAULT_SCOPES);
+  const [scope, setScope] = 
useState<string>(env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES);
   const [clientId, setClientId] = 
useState<string>(env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID);
 
   const { isNewAuthSessionModalOpen } = useAuthSessions();
@@ -57,9 +57,13 @@ export const NewAuthSessionModal: React.FC<Props> = ({ 
onAddAuthSession }) => {
     setRuntimeUrl("");
     setAlias("");
     setClientId(env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID);
-    setScope(AUTH_SESSION_OIDC_DEFAULT_SCOPES);
+    setScope(env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES);
     setAudience("");
-  }, [env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID, 
setIsNewAuthSessionModalOpen]);
+  }, [
+    env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID,
+    env.RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES,
+    setIsNewAuthSessionModalOpen,
+  ]);
 
   const onConnect = useCallback<React.FormEventHandler>(
     (e) => {
diff --git 
a/packages/runtime-tools-management-console-webapp/src/env/EnvJson.ts 
b/packages/runtime-tools-management-console-webapp/src/env/EnvJson.ts
index 661d6392e0d..9ba79e6649d 100644
--- a/packages/runtime-tools-management-console-webapp/src/env/EnvJson.ts
+++ b/packages/runtime-tools-management-console-webapp/src/env/EnvJson.ts
@@ -20,4 +20,5 @@
 export interface EnvJson {
   RUNTIME_TOOLS_MANAGEMENT_CONSOLE_APP_NAME: string;
   RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_CLIENT_ID: string;
+  RUNTIME_TOOLS_MANAGEMENT_CONSOLE_OIDC_CLIENT_DEFAULT_SCOPES: string;
 }

