add SSO for management UI

Author: kickster97

extras/lavinmq.ini

@@ -1,6 +1,7 @@
 [main]
 data_dir = /var/lib/lavinmq
-log_level = info
+log_level = debug
+auth_backends = local,oauth
 ;pidfile = /var/run/lavinmq.pid
 ;default_user_only_loopback = true
 ;tls_cert = /etc/lavinmq/cert.pem
@@ -28,3 +29,10 @@ bind = ::
 ;port = 5679
 ;advertised_uri = tcp://hostname.local:5679
 ;etcd_endpoints = localhost:2379
+
+[oauth]
+issuer = https://test-giant-beige-hawk.rmq7.cloudamqp.com/realms/lavinmq-dev/
+resource_server_id = kickster-lavin
+audience = account
+preferred_username_claims = sub,preferred_username,email
+client_id = kickster-lavin

spec/http/oauth_spec.cr

@@ -0,0 +1,134 @@
+require "../spec_helper"
+require "../../src/lavinmq/http/oauth2/pkce"
+
+describe "OAuth2" do
+  describe "OAuthController when OAuth is NOT configured" do
+    it "GET /oauth/authorize returns 503" do
+      with_http_server do |http, _|
+        response = ::HTTP::Client.get(http.test_uri("/oauth/authorize"), headers: ::HTTP::Headers.new)
+        response.status_code.should eq 503
+        response.body.should contain("OAuth not configured")
+      end
+    end
+
+    it "GET /oauth/callback redirects to login" do
+      with_http_server do |http, _|
+        response = ::HTTP::Client.get(http.test_uri("/oauth/callback"), headers: ::HTTP::Headers.new)
+        response.status_code.should eq 302
+        response.headers["Location"].should contain("OAuth%20not%20configured")
+      end
+    end
+  end
+
+  describe "OAuthController /oauth/callback error handling" do
+    it "redirects to login when oauth_state cookie is missing" do
+      with_http_server do |http, _|
+        LavinMQ::Config.instance.oauth_client_id = "test-client"
+        LavinMQ::Config.instance.oauth_issuer_url = URI.parse("https://idp.example.com")
+
+        response = ::HTTP::Client.get(
+          http.test_uri("/oauth/callback?state=abc123&code=authcode"),
+          headers: ::HTTP::Headers.new
+        )
+        response.status_code.should eq 302
+        response.headers["Location"].should contain("Missing%20OAuth%20state")
+      end
+    end
+
+    it "redirects to login on state mismatch" do
+      with_http_server do |http, _|
+        LavinMQ::Config.instance.oauth_client_id = "test-client"
+        LavinMQ::Config.instance.oauth_issuer_url = URI.parse("https://idp.example.com")
+
+        headers = ::HTTP::Headers{
+          "Cookie" => "oauth_state=correct_state:verifier123",
+        }
+        response = ::HTTP::Client.get(
+          http.test_uri("/oauth/callback?state=wrong_state&code=authcode"),
+          headers: headers
+        )
+        response.status_code.should eq 302
+        response.headers["Location"].should contain("State%20mismatch")
+      end
+    end
+
+    it "redirects to login when code query parameter is missing" do
+      with_http_server do |http, _|
+        LavinMQ::Config.instance.oauth_client_id = "test-client"
+        LavinMQ::Config.instance.oauth_issuer_url = URI.parse("https://idp.example.com")
+
+        headers = ::HTTP::Headers{
+          "Cookie" => "oauth_state=mystate:verifier123",
+        }
+        response = ::HTTP::Client.get(
+          http.test_uri("/oauth/callback?state=mystate"),
+          headers: headers
+        )
+        response.status_code.should eq 302
+        response.headers["Location"].should contain("Missing%20authorization%20code")
+      end
+    end
+  end
+
+  describe "AuthHandler JWT cookie" do
+    it "rejects a fake JWT in the m cookie with 401" do
+      with_http_server do |http, _|
+        headers = ::HTTP::Headers{
+          "Cookie" => "m=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.fakepayload.fakesignature",
+        }
+        response = ::HTTP::Client.get(http.test_uri("/api/whoami"), headers: headers)
+        response.status_code.should eq 401
+      end
+    end
+
+    it "still allows basic auth" do
+      with_http_server do |http, _|
+        response = http.get("/api/whoami")
+        response.status_code.should eq 200
+      end
+    end
+  end
+
+  describe "PKCE" do
+    it "generates a verifier of at least 43 characters" do
+      verifier, _ = LavinMQ::HTTP::OAuth2::PKCE.generate
+      verifier.size.should be >= 43
+    end
+
+    it "generates a correct challenge (SHA256 of verifier, base64url-encoded)" do
+      verifier, challenge = LavinMQ::HTTP::OAuth2::PKCE.generate
+      expected = Base64.urlsafe_encode(
+        OpenSSL::Digest.new("SHA256").update(verifier).final,
+        padding: false
+      )
+      challenge.should eq expected
+    end
+
+    it "produces different verifiers on each call" do
+      verifier1, _ = LavinMQ::HTTP::OAuth2::PKCE.generate
+      verifier2, _ = LavinMQ::HTTP::OAuth2::PKCE.generate
+      verifier1.should_not eq verifier2
+    end
+  end
+
+  describe "OAuthController /oauth/enabled" do
+    it "returns enabled=false when OAuth is not configured" do
+      with_http_server do |http, _|
+        response = ::HTTP::Client.get(http.test_uri("/oauth/enabled"), headers: ::HTTP::Headers.new)
+        response.status_code.should eq 200
+        JSON.parse(response.body)["enabled"].as_bool.should be_false
+      end
+    end
+
+    it "returns enabled=true when OAuth is configured" do
+      with_http_server do |http, _|
+        LavinMQ::Config.instance.oauth_client_id = "test-client"
+        LavinMQ::Config.instance.oauth_issuer_url = URI.parse("https://idp.example.com")
+
+        response = ::HTTP::Client.get(http.test_uri("/oauth/enabled"), headers: ::HTTP::Headers.new)
+        response.status_code.should eq 200
+        JSON.parse(response.body)["enabled"].as_bool.should be_true
+      end
+    end
+  end
+end

src/lavinmq/auth/jwt/jwks_fetcher.cr

@@ -19,8 +19,11 @@ module LavinMQ
 
           property issuer : String
           property jwks_uri : String
+          property authorization_endpoint : String?
+          property token_endpoint : String?
 
-          def initialize(*, @issuer : String, @jwks_uri : String)
+          def initialize(*, @issuer : String, @jwks_uri : String,
+                         @authorization_endpoint : String? = nil, @token_endpoint : String? = nil)
           end
         end
 
@@ -92,8 +95,7 @@ module LavinMQ
           1.hour
         end
 
-        def fetch_jwks : JWKSResult
-          # Discover jwks_uri from OIDC configuration
+        def fetch_oidc_config : OIDCConfiguration
           body, _ = fetch_url("#{@issuer_url}/.well-known/openid-configuration")
           oidc_config = OIDCConfiguration.from_json(body)
 
@@ -103,9 +105,13 @@ module LavinMQ
             raise "OIDC issuer mismatch: expected #{@issuer_url}, got #{oidc_issuer}"
           end
 
-          jwks_uri = oidc_config.jwks_uri
+          oidc_config
+        end
+
+        def fetch_jwks : JWKSResult
+          oidc_config = fetch_oidc_config
 
-          body, headers = fetch_url(jwks_uri)
+          body, headers = fetch_url(oidc_config.jwks_uri)
           jwks = JWKSResponse.from_json(body)
           public_keys = extract_public_keys_from_jwks(jwks)
           ttl = extract_jwks_ttl(headers)

src/lavinmq/auth/jwt/token_verifier.cr

@@ -107,6 +107,8 @@ module LavinMQ
           end
 
           unless audiences.includes?(expected)
+            pp audiences
+            pp expected
             raise JWT::VerificationError.new("Token audience does not match expected value")
           end
         end

src/lavinmq/config/options.cr

@@ -367,6 +367,10 @@ module LavinMQ
       property oauth_audience : String? = nil
       @[IniOpt(section: "oauth", ini_name: jwks_cache_ttl)]
       property oauth_jwks_cache_ttl : Time::Span = 1.hours
+      @[IniOpt(section: "oauth", ini_name: client_id)]
+      property oauth_client_id : String? = nil
+      @[IniOpt(section: "oauth", ini_name: mgmt_base_url)]
+      property oauth_mgmt_base_url : String? = nil
     end
   end
 end

src/lavinmq/http/controller/oauth.cr

@@ -0,0 +1,152 @@
+require "../controller"
+require "../router"
+require "../oauth2/pkce"
+require "../oauth2/token_exchange"
+require "../../auth/jwt/jwks_fetcher"
+
+module LavinMQ
+  module HTTP
+    class OAuthController
+      include Router
+
+      Log = LavinMQ::Log.for "http.oauth"
+
+      def initialize(@authenticator : Auth::Authenticator)
+        register_routes
+      end
+
+      private def register_routes
+        get "/oauth/enabled" { |context, _params| handle_enabled(context) }
+        get "/oauth/authorize" { |context, _params| handle_authorize(context) }
+        get "/oauth/callback" { |context, _params| handle_callback(context) }
+      end
+
+      private def handle_enabled(context) : ::HTTP::Server::Context
+        config = Config.instance
+        enabled = !!(config.oauth_client_id && config.oauth_issuer_url)
+        context.response.content_type = "application/json"
+        {enabled: enabled}.to_json(context.response)
+        context
+      end
+
+      private def handle_authorize(context) : ::HTTP::Server::Context
+        config = Config.instance
+        issuer_url = config.oauth_issuer_url || oauth_error(context, 503, "OAuth not configured")
+        client_id = config.oauth_client_id || oauth_error(context, 503, "OAuth not configured")
+
+        oidc = Auth::JWT::JWKSFetcher.new(issuer_url, config.oauth_jwks_cache_ttl).fetch_oidc_config
+        auth_ep = oidc.authorization_endpoint || raise "OIDC missing authorization_endpoint"
+
+        verifier, challenge = OAuth2::PKCE.generate
+        state = Random::Secure.urlsafe_base64(32)
+
+        context.response.cookies << ::HTTP::Cookie.new(
+          name: "oauth_state",
+          value: "#{state}:#{verifier}",
+          path: "/oauth",
+          http_only: true,
+          secure: true,
+          samesite: ::HTTP::Cookie::SameSite::Lax,
+          max_age: 5.minutes
+        )
+
+        redirect_uri = build_redirect_uri(context.request)
+        params = ::URI::Params.build do |p|
+          p.add "client_id", client_id
+          p.add "redirect_uri", redirect_uri
+          p.add "response_type", "code"
+          p.add "scope", "openid profile"
+          p.add "code_challenge", challenge
+          p.add "code_challenge_method", "S256"
+          p.add "state", state
+        end
+
+        context.response.content_type = "application/json"
+        {authorize_url: "#{auth_ep}?#{params}"}.to_json(context.response)
+        context
+      rescue OAuthError
+        context
+      rescue ex
+        Log.error(exception: ex) { "OAuth authorize failed: #{ex.message}" }
+        context.response.status_code = 502
+        context.response.content_type = "application/json"
+        {reason: "OAuth authorization failed"}.to_json(context.response)
+        context
+      end
+
+      private def handle_callback(context) : ::HTTP::Server::Context
+        config = Config.instance
+        issuer_url = config.oauth_issuer_url || oauth_redirect_error(context, "OAuth not configured")
+        client_id = config.oauth_client_id || oauth_redirect_error(context, "OAuth not configured")
+
+        cookie_value = context.request.cookies["oauth_state"]?.try(&.value) || oauth_redirect_error(context, "Missing OAuth state")
+        sep = cookie_value.index(':') || oauth_redirect_error(context, "Invalid OAuth state cookie")
+        cookie_state = cookie_value[0...sep]
+        code_verifier = cookie_value[sep + 1..]
+
+        oauth_redirect_error(context, "State mismatch") unless context.request.query_params["state"]? == cookie_state
+        code = context.request.query_params["code"]? || oauth_redirect_error(context, "Missing authorization code")
+
+        oidc = Auth::JWT::JWKSFetcher.new(issuer_url, config.oauth_jwks_cache_ttl).fetch_oidc_config
+        token_ep = oidc.token_endpoint || raise "OIDC missing token_endpoint"
+
+        redirect_uri = build_redirect_uri(context.request)
+        token_response = OAuth2::TokenExchange.new(token_ep, client_id).exchange(code, redirect_uri, code_verifier)
+
+        auth_context = Auth::Context.new("", token_response.access_token.to_slice, context.request.remote_address)
+        oauth_redirect_error(context, "Token validation failed") unless @authenticator.authenticate(auth_context)
+
+        context.response.cookies << ::HTTP::Cookie.new(
+          name: "m",
+          value: token_response.access_token,
+          path: "/",
+          secure: true,
+          samesite: ::HTTP::Cookie::SameSite::Strict,
+          max_age: 8.hours
+        )
+        context.response.cookies << ::HTTP::Cookie.new(
+          name: "oauth_state",
+          value: "",
+          path: "/oauth",
+          max_age: 0.seconds
+        )
+
+        context.response.status = ::HTTP::Status::FOUND
+        context.response.headers["Location"] = "/"
+        context
+      rescue OAuthError
+        context
+      rescue ex
+        Log.error(exception: ex) { "OAuth callback failed: #{ex.message}" }
+        context.response.status = ::HTTP::Status::FOUND
+        context.response.headers["Location"] = "/login?error=#{URI.encode_path_segment("OAuth authentication failed")}"
+        context
+      end
+
+      private def oauth_error(context, status_code, message) : NoReturn
+        context.response.status_code = status_code
+        context.response.content_type = "application/json"
+        {reason: message}.to_json(context.response)
+        raise OAuthError.new
+      end
+
+      private def oauth_redirect_error(context, message) : NoReturn
+        context.response.status = ::HTTP::Status::FOUND
+        context.response.headers["Location"] = "/login?error=#{URI.encode_path_segment(message)}"
+        raise OAuthError.new
+      end
+
+      private def build_redirect_uri(request : ::HTTP::Request) : String
+        if base_url = Config.instance.oauth_mgmt_base_url
+          "#{base_url.chomp("/")}/oauth/callback"
+        else
+          host = request.headers["Host"]? || "localhost"
+          scheme = request.headers["X-Forwarded-Proto"]? || "http"
+          "#{scheme}://#{host}/oauth/callback"
+        end
+      end
+
+      class OAuthError < Exception; end
+    end
+  end
+end

src/lavinmq/http/handler/auth_handler.cr

@@ -14,7 +14,9 @@ module LavinMQ
           context.user = @direct_user
         end
 
-        if auth = cookie_auth(context) || basic_auth(context)
+        if user = jwt_cookie_auth(context)
+          context.user = user
+        elsif auth = cookie_auth(context) || basic_auth(context)
           username, password = auth
           if user = authenticate(username, password, context.request.remote_address)
             context.user = user
@@ -42,6 +44,17 @@ module LavinMQ
         end
       end
 
+      private def jwt_cookie_auth(context) : Auth::BaseUser?
+        if m = context.request.cookies["m"]?
+          value = m.value
+          if value.starts_with?("eyJ")
+            auth_context = Auth::Context.new("", value.to_slice, context.request.remote_address)
+            user = @authenticator.authenticate(auth_context)
+            return user if user && !user.tags.empty?
+          end
+        end
+      end
+
       private def decode(base64) : Tuple(String, String)?
         string = Base64.decode_string(base64)
         if idx = string.index(':')