Merge pull request #674 from openziti/670-jwt-signer-test-update

Added additional error handling cases for External JWT Signer test authentication

Author: rgallettonf

projects/app-ziti-console/src/app/app-routing.module.ts

@@ -56,12 +56,12 @@ import {
   SessionsPageComponent,
   APISessionsPageComponent,
   SessionFormComponent,
-  APISessionFormComponent
+  APISessionFormComponent,
+  CallbackComponent
 } from "ziti-console-lib";
 import {environment} from "./environments/environment";
 import {URLS} from "./app-urls.constants";
 import {AuthenticationGuard} from "./guards/authentication.guard";
-import {CallbackComponent} from "./login/callback.component";
 
 const routes: Routes = [
   {

projects/app-ziti-console/src/app/app.module.ts

@@ -52,7 +52,7 @@ import {
     IDENTITY_EXTENSION_SERVICE,
     SERVICE_POLICY_EXTENSION_SERVICE,
     EDGE_ROUTER_POLICY_EXTENSION_SERVICE,
-    SERVICE_EDGE_ROUTER_POLICY_EXTENSION_SERVICE,
+    SERVICE_EDGE_ROUTER_POLICY_EXTENSION_SERVICE
 } from "ziti-console-lib";
 
 import {AppRoutingModule} from "./app-routing.module";
@@ -70,7 +70,6 @@ import {NodeLoginService} from "./login/node-login.service";
 import {NodeSettingsService} from "./services/node-settings.service";
 import {NoopHttpInterceptor} from "./interceptors/noop-http.interceptor";
 import {NodeApiInterceptor} from "./interceptors/node-api.interceptor";
-import {CallbackComponent} from "./login/callback.component";
 
 let loginService, zitiDataService, settingsService, wrapperService, apiInterceptor;
 if (environment.nodeIntegration) {
@@ -91,8 +90,7 @@ if (environment.nodeIntegration) {
     declarations: [
         AppComponent,
         PageNotFoundComponent,
-        LoginComponent,
-        CallbackComponent
+        LoginComponent
     ],
     imports: [
         BrowserModule,

projects/app-ziti-console/src/app/login/login.component.ts

@@ -106,7 +106,7 @@ export class LoginComponent implements OnInit, OnDestroy {
     handleOAuthLogin(extJwtSigner: any) {
         this.oauthLoading = extJwtSigner.name;
         this.authService.configureOAuth(extJwtSigner).then((result) => {
-            if (result) {
+            if (result?.success) {
                 delay(() => {
                     this.oauthLoading = '';
                 }, 4000);

projects/ziti-console-lib/src/lib/features/json-view/json-view.component.html

@@ -1,2 +1,2 @@
-<div id="jsoneditor" [ngClass]="{'read-only': readOnly}" #editor (keyup.enter)="enterKeyPressed($event)" (keyup)="jsonChanged($event)"></div>
-<div *ngIf="showCopy" class="icon-copy copy" (click)="copyToClipboad()"></div>
+<div id="jsoneditor" [ngClass]="{'read-only': readOnly, 'hide-line-numbers': !showLineNumbers}" #editor (keyup.enter)="enterKeyPressed($event)" (keyup)="jsonChanged($event)"></div>
+<div *ngIf="showCopy" class="icon-copy copy" (click)="copyToClipboad()"></div>

projects/ziti-console-lib/src/lib/features/json-view/json-view.component.ts

@@ -43,9 +43,11 @@ export class JsonViewComponent implements AfterViewInit, OnChanges {
   @Input() readOnly: boolean = false;
   @Input() jsonInvalid: boolean = false;
   @Input() showCopy: boolean = false;
+  @Input() showLineNumbers = true;
   @Output() dataChange: EventEmitter<any> = new EventEmitter();
   @Output() jsonChange: EventEmitter<any> = new EventEmitter();
   @Output() jsonInvalidChange: EventEmitter<any> = new EventEmitter();
+
   onChangeDebounced;
   schemaRefs: any;
   content: any;

projects/ziti-console-lib/src/lib/features/projectable-forms/jwt-signer/jwt-signer-form.component.html

@@ -155,7 +155,7 @@
                     <lib-form-field-container
                         [title]="'Verify OIDC Authentication'"
                         class="form-field-advanced"
-                        [ngClass]="{'formFieldError': !oidcVerified && oidcErrorMessage, 'formFieldSuccess': oidcVerified}"
+                        [ngClass]="{'formFieldError': !oidcVerified && oidcErrorMessageDetail, 'formFieldSuccess': oidcVerified}"
                     >
                         <div class="form-field-row" #oidcVerification>
                             <div class="form-field-label-container">
@@ -181,7 +181,15 @@
                                 <input type="checkbox" [disabled]="true" [checked]="true" class="success-check" *ngIf="oidcVerified">
                             </div>
                         </div>
-                        <span class="oidc-error-message" *ngIf="oidcErrorMessage">{{oidcErrorMessage}}</span>
+                        <div class="oidc-error-message-container" *ngIf="oidcErrorMessageDetail">
+                            <code class="oidc-error-message-source">{{oidcErrorMessageSource}}: </code>
+                            <code class="oidc-error-message-detail">{{oidcErrorMessageDetail}}</code>
+                            <code class="oidc-error-message-detail2" *ngIf="oidcErrorMessageDetail2">{{oidcErrorMessageDetail2}}</code>
+                        </div>
+                        <div class="oidc-token-claims-container" *ngIf="oidcAuthTokenClaims">
+                            <code class="oidc-token-claims-title">OAuth Token Claims: </code>
+                            <lib-json-view [showLineNumbers]="false" [(data)]="oidcAuthTokenClaims"></lib-json-view>
+                        </div>
                     </lib-form-field-container>
                     <lib-form-field-container
                             [title]="'Custom Tags'"
@@ -218,7 +226,7 @@
                                     <span class="form-field-title">JWKS Endpoint</span>
                                 </div>
                             </div>
-                            <input class="form-field-input read-only" placeholder="Enter endpoint URL" [(ngModel)]="formData.jwksEndpoint" [ngClass]="{error: errors['certPem']}"/>
+                            <input class="form-field-input read-only" placeholder="Enter endpoint URL" [(ngModel)]="formData.jwksEndpoint" [ngClass]="{error: errors['jwksEndpoint']}"/>
                         </div>
                     </div>
                     <div *ngIf="signatureMethod === 'CERT_PEM'" class="form-field-input-group">
@@ -274,7 +282,7 @@
                         <input class="form-field-input" [value]="apiCallURL"/>
                         <div class="icon-copy copy" (click)="copyToClipboard(apiCallURL)"></div>
                     </div>
-                    <lib-json-view *ngIf="formData" [(data)]="apiData" [readOnly]="true" [showCopy]="true"></lib-json-view>
+                    <lib-json-view *ngIf="formData" [showLineNumbers]="false" [(data)]="apiData" [readOnly]="true" [showCopy]="true"></lib-json-view>
                 </lib-form-field-container>
             </div>
         </div>

projects/ziti-console-lib/src/lib/features/projectable-forms/jwt-signer/jwt-signer-form.component.scss

@@ -234,16 +234,68 @@
   }
 }
 
-.oidc-error-message {
+.oidc-token-claims-container {
+  background-color: var(--backgroundMuted);
+  height: fit-content;
+  display: flex;
+  flex-direction: column;
+  align-items: flex-start;
+  justify-content: flex-start;
+  padding: var(--paddingMedium);
+  border-radius: var(--inputBorderRadius);
+  color: var(--tableText);
+  font-weight: 600;
+  overflow: auto;
+
+  .oidc-token-claims-title {
+    font-weight: 600;
+    font-size: 1rem;
+    white-space: nowrap;
+    margin-bottom: var(--marginMedium);
+  }
+}
+
+.oidc-error-message-container {
   background-color: var(--lightRed);
-  height: var(--defaultInputHeight);
+  height: fit-content;
   display: flex;
-  flex-direction: row;
-  align-items: center;
+  flex-direction: column;
+  align-items: flex-start;
+  justify-content: flex-start;
   padding: var(--paddingMedium);
   border-radius: var(--inputBorderRadius);
   color: var(--red);
   font-weight: 600;
+  overflow: auto;
+
+  .oidc-error-message-source {
+    font-weight: 600;
+    font-size: 1rem;
+    white-space: nowrap;
+  }
+
+  .oidc-error-message-detail2,
+  .oidc-error-message-detail {
+    margin-top: var(--marginSmall);
+    font-weight: 400;
+    white-space: nowrap;
+  }
+
+  &::-webkit-scrollbar {
+    height: 6px;
+    width: 6px;
+  }
+
+  &::-webkit-scrollbar-thumb {
+    background-color: var(--menu);
+    border-radius: 10px;
+  }
+
+  &:hover {
+    &::-webkit-scrollbar-thumb {
+      background-clip: unset !important;
+    }
+  }
 }
 
 .read-only-2 {

projects/ziti-console-lib/src/lib/features/projectable-forms/jwt-signer/jwt-signer-form.component.ts

@@ -29,17 +29,18 @@ import {GrowlerService} from "../../messaging/growler.service";
 import {ExtensionService, SHAREDZ_EXTENSION} from "../../extendable/extensions-noop.service";
 
 import semver from 'semver';
-import {cloneDeep, defer, delay, forOwn, keys, invert, isEmpty, isNil, unset, trim} from 'lodash';
+import {cloneDeep, defer, delay, forOwn, get, keys, invert, invoke, isEmpty, isNil, unset, trim} from 'lodash';
 import {GrowlerModel} from "../../messaging/growler.model";
 import {SETTINGS_SERVICE, SettingsService} from "../../../services/settings.service";
 import {ZITI_DATA_SERVICE, ZitiDataService} from "../../../services/ziti-data.service";
 import {ActivatedRoute, Router} from "@angular/router";
 import {JwtSigner} from "../../../models/jwt-signer";
 import {Location} from "@angular/common";
 import {ValidationService} from "../../../services/validation.service";
-import {OAuthService} from "angular-oauth2-oidc";
+import {OAuthErrorEvent, OAuthService} from "angular-oauth2-oidc";
 import {LoginServiceClass, ZAC_LOGIN_SERVICE} from "../../../services/login-service.class";
 import {AuthService} from "../../../services/auth.service";
+import {HttpClient} from "@angular/common/http";
 
 @Component({
     selector: 'lib-configuration',
@@ -65,8 +66,14 @@ export class JwtSignerFormComponent extends ProjectableForm implements OnInit, O
     configKey = 'oauth_test_callback_config';
     tokenTypeKey = 'oauth_test_callback_token_type';
     oidcVerified = false;
-    oidcErrorMessage;
+    oidcErrorMessageSource;
+    oidcErrorMessageDetail;
+    oidcErrorMessageDetail2;
+    jwksValidationError;
+    oidcAuthTokenClaims;
+    oidcClaims;
     overrideFormData;
+    override usePreviousLocation = false
     override entityType = 'external-jwt-signers';
     override entityClass = JwtSigner;
 
@@ -86,6 +93,7 @@ export class JwtSignerFormComponent extends ProjectableForm implements OnInit, O
         private validationService: ValidationService,
         private authService: AuthService,
         private oauthService: OAuthService,
+        private http: HttpClient,
         @Inject(ZAC_LOGIN_SERVICE) private loginService: LoginServiceClass,
 
     ) {
@@ -456,7 +464,7 @@ export class JwtSignerFormComponent extends ProjectableForm implements OnInit, O
     }
 
     get callbackURL() {
-        return window.location.origin + this.baseHref + `callback`
+        return window.location.origin + (this.baseHref + this.loginService.callbackRoute).replace('//', '/');
     }
 
     copyCallbackURL() {
@@ -466,35 +474,125 @@ export class JwtSignerFormComponent extends ProjectableForm implements OnInit, O
         );
     }
 
-    testOIDCAuthentication() {
+    async testOIDCAuthentication() {
         this.oauthLoading = true;
-        const callbackParams = `redirectRoute=jwt-signers/${this.formData.id}/test-auth`;
+        this.oidcAuthTokenClaims = undefined;
+        this.oidcErrorMessageSource = undefined;
+        this.oidcErrorMessageDetail = undefined;
+        this.oidcErrorMessageDetail2 = undefined;
+        this.jwksValidationError = undefined;
+        const jwksValid = await this.testJWKS();
+        if (!jwksValid) {
+            this.oidcVerified = false;
+            this.oauthLoading = false
+            return;
+        }
+        const callbackParams = `${this.loginService.callbackRoute}?redirectRoute=jwt-signers/${this.formData.id}/test-auth`;
         localStorage.setItem('oidc_callback_test_config', JSON.stringify(this.formData));
         this.authService.configureOAuth(this.formData, callbackParams).then((result) => {
-            if (result) {
+            if (result.success) {
                 delay(() => {
                     this.oauthLoading = false;
                 }, 4000);
             } else {
                 delay(() => {
+                    this.oidcErrorMessageDetail = result.message;
+                    this.oidcErrorMessageSource = 'OAuth Configuration Error';
+                    if (this.jwksValidationError) {
+                        this.oidcErrorMessageDetail2 = this.jwksValidationError;
+                    }
                     this.oauthLoading = false;
+                    this.oidcVerified = false;
                 }, 700);
+
             }
         });
     }
 
     handleOAuthCallback() {
         this.showMore = true;
-        const errorMessage = this.route.snapshot.queryParamMap.get('oidcAuthErrorMessage');
+        const errorMessageDetail = this.route.snapshot.queryParamMap.get('oidcAuthErrorMessageDetail');
+        const errorMessageSource = this.route.snapshot.queryParamMap.get('oidcAuthErrorMessageSource');
+        const oidcAuthTokenClaims = this.route.snapshot.queryParamMap.get('oidcAuthTokenClaims');
         const result = this.route.snapshot.queryParamMap.get('oidcAuthResult');
+        const formData = localStorage.getItem('oidc_callback_test_config');
+        if (!isEmpty(formData)) {
+            this.overrideFormData = JSON.parse(formData);
+        }
         if (result === 'success') {
             this.oidcVerified = true;
+            if (oidcAuthTokenClaims) {
+                this.oidcAuthTokenClaims = JSON.parse(oidcAuthTokenClaims);
+            }
         } else {
-            this.oidcErrorMessage = errorMessage;
+            this.oidcErrorMessageDetail = errorMessageDetail;
+            this.oidcErrorMessageSource = errorMessageSource;
+            if (oidcAuthTokenClaims) {
+                this.oidcAuthTokenClaims = JSON.parse(oidcAuthTokenClaims);
+                this.validateTokenClaims(this.oidcAuthTokenClaims, this.overrideFormData);
+            }
         }
-        const formData = localStorage.getItem('oidc_callback_test_config');
-        if (!isEmpty(formData)) {
-            this.overrideFormData = JSON.parse(formData);
+    }
+
+    validateTokenClaims(token, formData) {
+        if (!token.aud) {
+            this.errors.audience = true;
+            this.oidcErrorMessageDetail2 = 'Audience is missing from token claims'
+        } else {
+            let audError = true;
+            token.aud.forEach((audItem) => {
+                if (audItem === formData.audience) {
+                    audError = false;
+                }
+            });
+            if (audError) {
+                this.errors.audience = true;
+                this.oidcErrorMessageDetail2 = 'Audience in token does not match External JWT Signer configuration.'
+            }
+        }
+    }
+
+    async testJWKS() {
+        this.errors.jwksEndpoint = false;
+        try {
+            const response: any = await this.http.get(this.formData.jwksEndpoint).toPromise().catch((error) => {
+                this.oidcErrorMessageSource = 'JWKS Endpoint Error';
+                this.oidcErrorMessageDetail = `HTTP error returned. Status: ${error.status}. Message: ${error.message}`;
+                this.errors.jwksEndpoint = true;
+                return false;
+            });
+            if (response) {
+                // Basic structural validation
+                if (!response?.keys || !Array.isArray(response?.keys)) {
+                    this.oidcErrorMessageSource = 'JWKS Endpoint Error';
+                    this.oidcErrorMessageDetail = `Invalid JWKS: "keys" property missing or not an array`;
+                    this.errors.jwksEndpoint = true;
+                } else {
+                    const logError: any = get(this.oauthService, 'logger.error');
+                    this.oauthService['logger'].error = (...args) => {
+                        this.jwksValidationError = '';
+                        args.forEach((arg) => {
+                            this.jwksValidationError += arg + ' ';
+                        });
+                        logError.apply(this, args);
+                    }
+                    const result = invoke(this.oauthService, 'validateDiscoveryDocument', response);
+                }
+            }
+        } catch (error: any) {
+            this.oidcErrorMessageSource = 'JWKS Endpoint Error';
+            this.oidcErrorMessageDetail = `${error.message}`;
+            this.errors.jwksEndpoint = true;
+        }
+        const growlerData = new GrowlerModel(
+            'error',
+            'Invalid',
+            this.oidcErrorMessageSource,
+            this.oidcErrorMessageDetail,
+        );
+        if (this.errors.jwksEndpoint) {
+            this.growlerService.show(growlerData);
         }
+        return !this.errors.jwksEndpoint;
     }
 }

projects/ziti-console-lib/src/lib/features/projectable-forms/projectable-form.class.ts

@@ -73,6 +73,7 @@ export abstract class ProjectableForm extends ExtendableComponent implements DoC
     protected entityType = 'identities';
     protected entityClass: any = Entity;
     protected isLoading = false;
+    protected usePreviousLocation = true;
     moreActions: any[] = [];
     tagElements: any = [];
     tagData: any = [];
@@ -282,7 +283,7 @@ export abstract class ProjectableForm extends ExtendableComponent implements DoC
     }
 
     returnToListPage() {
-        if (this.location && this.previousRoute) {
+        if (this.location && this.previousRoute && this.usePreviousLocation) {
             this.location.back();
         } else {
             this.router?.navigateByUrl(`${this.basePath}`);