Configure Swagger OAuth systems from OpenAPI extension values.

Author: MikeNeilson

cda-gui/src/pages/swagger-ui/index.jsx

@@ -38,13 +38,27 @@ export default function SwaggerUI() {
             },
             onComplete: () => {
                 const spec = JSON.parse(ui.spec().get("spec"));
-                console.log(JSON.stringify(spec.components.securitySchemes));
-                
-                ui.initOAuth({
-                    clientId:"cwms",
-                    additionalQueryStringParams: {kc_idp_hint: "federation-eams"},
-                    usePkceWithAuthorizationCodeGrant: true
-                });
+                for (const schemeName in spec.components.securitySchemes) {
+                    const scheme = spec.components.securitySchemes[schemeName];
+                    if (scheme.type === "openIdConnect") {
+                        let additionalParams = null;
+                        let hints = scheme["x-kc_idp_hint"];
+                        if (hints) {
+                            additionalParams = {
+                                // Since getting the interface to allow users to choose
+                                // is likely impossible, we will assume the first in the list
+                                // is the "primary" auth system
+                                "kc_idp_hint": hints.values[0]
+                            };
+                        }
+                        ui.initOAuth({
+                            clientId: scheme["x-oidc-client-id"],
+                            usePkceWithAuthorizationCodeGrant: true,
+                            additionalQueryStringParams: additionalParams,
+                        });
+                        break;
+                    }
+                }
             },
         });
     }, []);

cda-gui/vite.config.js

@@ -23,6 +23,11 @@ export default defineConfig(({ mode }) => {
           changeOrigin: true,
           secure: false,
         },
+        "^/cwms-data/auth/.*": {
+          target: env.CDA_API_ROOT,
+          changeOrigin: true,
+          secure: false,
+        },
         "^/cwms-data/swagger-docs$": {
           target: env.CDA_API_ROOT,
           changeOrigin: true,

cwms-data-api/src/main/java/cwms/cda/security/OpenIDConfig.java

@@ -12,7 +12,6 @@
 import com.google.common.flogger.FluentLogger;
 
 import io.swagger.v3.oas.models.security.SecurityScheme;
-import io.swagger.v3.oas.models.security.SecurityScheme.In;
 import io.swagger.v3.oas.models.security.SecurityScheme.Type;
 
 public class OpenIDConfig {
@@ -42,6 +41,7 @@ public OpenIDConfig(URL wellKnown, String client_id, String idp_hint) throws IOE
                 ObjectMapper mapper = new ObjectMapper();
                 JsonNode node = mapper.readTree(http.getInputStream());
                 jwksUrl = new URL(node.get("jwks_uri").asText());
+                issuer = node.get("issuer").asText();
             } else {
                 log.atSevere().log("Unable to retrieve data from realm. Response code %d",status);
             }

docker-compose.yml

@@ -77,6 +77,9 @@ services:
       - cwms.dataapi.access.openid.altAuthUrl=http://localhost:${APP_PORT:-8081}
       - cwms.dataapi.access.openid.useAltWellKnown=true
       - cwms.dataapi.access.openid.issuer=http://localhost:${APP_PORT:-8081}/auth/realms/cwms
+      - cwms.dataapi.access.openid.clientId=cwms
+      # values are not actually used in the local keycloak, however it does fail and leaves them in place for various testing.
+      - cwms.dataapi.access.openid.idpHint=federation-eams,login.gov
     expose:
       - 7000
       - 5005