USACE · MikeNeilson · Oct 15, 2025 · Oct 15, 2025 · Oct 22, 2025 · Oct 23, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -56,6 +56,9 @@ ENV cwms.dataapi.access.providers="KeyAccessManager,OpenID"
 ENV cwms.dataapi.access.openid.wellKnownUrl="https://<prefix>/.well-known/openid-configuration"
 ENV cwms.dataapi.access.openid.issuer="<issuer>"
 ENV cwms.dataapi.access.openid.timeout="604800"
+# Putting default values here to easy configuration
+ENV cwms.dataapi.access.openid.clientId=cwms
+ENV cwms.dataapi.access.openid.idpHint=federation-eams
 #ENV cwms.dataapi.access.openid.altAuthUrl="https://identityc-test.cwbi.us/auth/realms/cwbi"
 
 # used to simplify redeploy in certain contexts. Update to match -<marker> in image label

diff --git a/cda-gui/package-lock.json b/cda-gui/package-lock.json
diff --git a/cda-gui/package.json b/cda-gui/package.json
@@ -19,7 +19,7 @@
     "react-dom": "^18.2.0",
     "react-icons": "^5.0.1",
     "react-router-dom": "^7.1.2",
-    "swagger-ui-dist": "^5.17.7",
+    "swagger-ui-dist": "^5.29.5",
     "use-debounce": "^10.0.5"
   },
   "devDependencies": {

diff --git a/cda-gui/public/oauth2-redirect.html b/cda-gui/public/oauth2-redirect.html
@@ -0,0 +1,6 @@
+<!doctype html>
+<html lang="en-US">
+<body>
+<script src="oauth2-redirect.js"></script>
+</body>
+</html>
diff --git a/cda-gui/public/oauth2-redirect.js b/cda-gui/public/oauth2-redirect.js
@@ -0,0 +1,69 @@
+"use strict"
+function run () {
+    var oauth2 = window.opener.swaggerUIRedirectOauth2
+    var sentState = oauth2.state
+    var redirectUrl = oauth2.redirectUrl
+    var isValid, qp, arr
+
+    if (/code|token|error/.test(window.location.hash)) {
+        qp = window.location.hash.substring(1).replace("?", "&")
+    } else {
+        qp = location.search.substring(1)
+    }
+
+    arr = qp.split("&")
+    arr.forEach(function (v,i,_arr) { _arr[i] = '"' + v.replace("=", '":"') + '"' })
+    qp = qp ? JSON.parse("{" + arr.join() + "}",
+            function (key, value) {
+                return key === "" ? value : decodeURIComponent(value)
+            }
+    ) : {}
+
+    isValid = qp.state === sentState
+
+    if ((
+        oauth2.auth.schema.get("flow") === "accessCode" ||
+        oauth2.auth.schema.get("flow") === "authorizationCode" ||
+        oauth2.auth.schema.get("flow") === "authorization_code"
+    ) && !oauth2.auth.code) {
+        if (!isValid) {
+            oauth2.errCb({
+                authId: oauth2.auth.name,
+                source: "auth",
+                level: "warning",
+                message: "Authorization may be unsafe, passed state was changed in server Passed state wasn't returned from auth server"
+            })
+        }
+
+        if (qp.code) {
+            delete oauth2.state
+            oauth2.auth.code = qp.code
+            oauth2.callback({auth: oauth2.auth, redirectUrl: redirectUrl})
+        } else {
+            let oauthErrorMsg
+            if (qp.error) {
+                oauthErrorMsg = "["+qp.error+"]: " +
+                    (qp.error_description ? qp.error_description+ ". " : "no accessCode received from the server. ") +
+                    (qp.error_uri ? "More info: "+qp.error_uri : "")
+            }
+
+            oauth2.errCb({
+                authId: oauth2.auth.name,
+                source: "auth",
+                level: "error",
+                message: oauthErrorMsg || "[Authorization failed]: no accessCode received from the server"
+            })
+        }
+    } else {
+        oauth2.callback({auth: oauth2.auth, token: qp, isValid: isValid, redirectUrl: redirectUrl})
+    }
+    window.close()
+}
+
+if( document.readyState !== "loading" ) {
+    run()
+} else {
+    document.addEventListener("DOMContentLoaded", function () {
+    run()
+    })
+}
diff --git a/cda-gui/src/pages/swagger-ui/index.jsx b/cda-gui/src/pages/swagger-ui/index.jsx
@@ -12,23 +12,54 @@ export default function SwaggerUI() {
         document.title = "CWMS Data API for Data Retrieval - Swagger UI";
         // Begin Swagger UI call region
         // TODO: add endpoint that dynamic returns swagger generated doc
-        SwaggerUIBundle({
+
+        const ui = SwaggerUIBundle({
             url: getBasePath() + "/swagger-docs",
+
             dom_id: "#swagger-ui",
             deepLinking: false,
             presets: [SwaggerUIBundle.presets.apis],
             plugins: [SwaggerUIBundle.plugins.DownloadUrl],
             requestInterceptor: (req) => {
-                // Add a cache-busting query param
-                const sep = req.url.includes("?") ? "&" : "?";
-                req.url = `${req.url}${sep}_cb=${Date.now()}`;
-
-                // Also ask intermediaries not to serve from cache
-                req.headers["Cache-Control"] = "no-cache, no-store, max-age=0";
-                req.headers["Pragma"] = "no-cache";
+                // Add a cache-busting query param... but only if it's to our api. Some
+                // external systems, like keycloak, don't allow random unknown parameters.
+                const origin = window.location.origin;                
+                const re = new RegExp(`^${origin}.*`)
+                if (re.test(req.url))
+                {
+                    const sep = req.url.includes("?") ? "&" : "?";
+                    req.url = `${req.url}${sep}_cb=${Date.now()}`;
 
+                    // Also ask intermediaries not to serve from cache
+                    req.headers["Cache-Control"] = "no-cache, no-store, max-age=0";
+                    req.headers["Pragma"] = "no-cache";
+                }
                 return req;
             },
+            onComplete: () => {
+                const spec = JSON.parse(ui.spec().get("spec"));
+                for (const schemeName in spec.components.securitySchemes) {
+                    const scheme = spec.components.securitySchemes[schemeName];
+                    if (scheme.type === "openIdConnect") {
+                        let additionalParams = null;
+                        let hints = scheme["x-kc_idp_hint"];
+                        if (hints) {
+                            additionalParams = {
+                                // Since getting the interface to allow users to choose
+                                // is likely impossible, we will assume the first in the list
+                                // is the "primary" auth system
+                                "kc_idp_hint": hints.values[0]
+                            };
+                        }
+                        ui.initOAuth({
+                            clientId: scheme["x-oidc-client-id"],
+                            usePkceWithAuthorizationCodeGrant: true,
+                            additionalQueryStringParams: additionalParams,
+                        });
+                        break;
+                    }
+                }
+            },
         });
     }, []);
 

diff --git a/cda-gui/vite.config.js b/cda-gui/vite.config.js
@@ -3,7 +3,7 @@ import react from "@vitejs/plugin-react";
 
 // https://vitejs.dev/config/
 export default defineConfig(({ mode }) => {
-  // const env = loadEnv(mode, process.cwd(), "");
+  const env = loadEnv(mode, process.cwd(), "");
   // const BASE_PATH = env?.BASE_PATH ?? "/cwms-data";
   return {
     base: "/cwms-data",
@@ -14,12 +14,22 @@ export default defineConfig(({ mode }) => {
     server: {
       proxy: {
         "^/cwms-data/timeseries/.*": {
-          target: "https://cwms-data.usace.army.mil",
+          target: env.CDA_API_ROOT,
           changeOrigin: true,
           secure: false,
         },
         "^/cwms-data/catalog/.*": {
-          target: "https://cwms-data.usace.army.mil",
+          target: env.CDA_API_ROOT,
+          changeOrigin: true,
+          secure: false,
+        },
+        "^/cwms-data/auth/.*": {
+          target: env.CDA_API_ROOT,
+          changeOrigin: true,
+          secure: false,
+        },
+        "^/cwms-data/swagger-docs$": {
+          target: env.CDA_API_ROOT,
           changeOrigin: true,
           secure: false,
         },

diff --git a/compose_files/keycloak/realm.json b/compose_files/keycloak/realm.json
@@ -663,7 +663,8 @@
       "clientAuthenticatorType": "client-secret",
       "redirectUris": [
         "https://cwms-data.test:8444/*",
-        "https://localhost:5010/*"
+        "https://localhost:5010/*",
+        "http://localhost:*"
       ],
       "webOrigins": [
         "*"

diff --git a/cwms-data-api/build.gradle b/cwms-data-api/build.gradle
@@ -227,6 +227,7 @@ task run(type: JavaExec) {
     mainClass = "fixtures.TomcatServer"
     systemProperties += project.properties.findAll { k, v -> k.startsWith("RADAR") }
     systemProperties += project.properties.findAll { k, v -> k.startsWith("CDA") }
+    systemProperties += project.properties.findAll { k, v -> k.startsWith("cwms") }
 
     def context = project.findProperty("cda.war.context") ?: "spk-data"