OIDC user/password and access/refresh token authentication support (#100)

Author: parkerduckworth

.github/workflows/tests.yaml

@@ -17,6 +17,9 @@ jobs:
       with:
         node-version: '16.x'
     - name: "Run tests"
+      env:
+        OKTA_DUMMY_CI_PW: ${{ secrets.OKTA_DUMMY_CI_PW }}
+        WCS_DUMMY_CI_PW: ${{ secrets.WCS_DUMMY_CI_PW }}
       run: |
         npm install
         ci/run_dependencies.sh
@@ -37,4 +40,4 @@ jobs:
       - run: npm ci && npm run build
       - run: npm publish
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTOMATION_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTOMATION_TOKEN }}

ci/compose.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+function ls_compose {
+  ls ci | grep 'docker-compose'
+}
+
+function exec_all {
+  for file in $(ls_compose); do
+    docker-compose -f $(echo "ci/${file} ${1}")
+  done
+}
+
+function compose_up_all {
+  exec_all "up -d"
+}
+
+function compose_down_all {
+  exec_all "down --remove-orphans"
+}
+
+function all_weaviate_ports {
+  echo "8080 8082 8083"
+}

ci/docker-compose-okta.yml

@@ -0,0 +1,28 @@
+---
+version: '3.4'
+services:
+  weaviate-auth-okta-users:
+    command:
+      - --host
+      - 0.0.0.0
+      - --port
+      - '8082'
+      - --scheme
+      - http
+      - --write-timeout=600s
+    image: semitechnologies/weaviate:1.15.4-b7811d4
+    ports:
+      - 8082:8082
+    restart: on-failure:0
+    environment:
+      PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
+      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
+      AUTHENTICATION_OIDC_ENABLED: 'true'
+      AUTHENTICATION_OIDC_CLIENT_ID: '0oa7iz2g41rNxv95B5d7'
+      AUTHENTICATION_OIDC_ISSUER: 'https://dev-32300990.okta.com/oauth2/aus7iz3tna3kckRWS5d7'
+      AUTHENTICATION_OIDC_USERNAME_CLAIM: 'sub'
+      AUTHENTICATION_OIDC_GROUPS_CLAIM: 'groups'
+      AUTHORIZATION_ADMINLIST_ENABLED: 'true'
+      AUTHORIZATION_ADMINLIST_USERS: 'test@test.de'
+      AUTHENTICATION_OIDC_SCOPES: 'openid,email'
+...

ci/docker-compose-wcs.yml

@@ -0,0 +1,28 @@
+---
+version: '3.4'
+services:
+  weaviate-auth-wcs:
+    command:
+      - --host
+      - 0.0.0.0
+      - --port
+      - '8083'
+      - --scheme
+      - http
+      - --write-timeout=600s
+    image: semitechnologies/weaviate:1.16.5
+    ports:
+      - 8083:8083
+    restart: on-failure:0
+    environment:
+      PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
+      AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'false'
+      AUTHENTICATION_OIDC_ENABLED: 'true'
+      AUTHENTICATION_OIDC_CLIENT_ID: 'wcs'
+      AUTHENTICATION_OIDC_ISSUER: 'https://auth.wcs.api.semi.technology/auth/realms/SeMI'
+      AUTHENTICATION_OIDC_USERNAME_CLAIM: 'email'
+      AUTHENTICATION_OIDC_GROUPS_CLAIM: 'groups'
+      AUTHORIZATION_ADMINLIST_ENABLED: 'true'
+      AUTHORIZATION_ADMINLIST_USERS: 'ms_2d0e007e7136de11d5f29fce7a53dae219a51458@existiert.net'
+      AUTHENTICATION_OIDC_SCOPES: 'openid,email'
+...

docker-compose.yml renamed to ci/docker-compose.yml

@@ -1,7 +1,8 @@
+---
 version: '3.4'
 services:
   weaviate:
-    image: semitechnologies/weaviate:1.16.0
+    image: semitechnologies/weaviate:1.16.5
     restart: on-failure:0
     ports:
       - "8080:8080"
@@ -25,3 +26,4 @@ services:
       EXTENSIONS_STORAGE_ORIGIN: http://weaviate:8080
       NEIGHBOR_OCCURRENCE_IGNORE_PERCENTILE: 5
       ENABLE_COMPOUND_SPLITTING: 'false'
+...

ci/run_dependencies.sh

@@ -1,27 +1,31 @@
 #!/bin/bash
 
+. ./ci/compose.sh
+
 echo "Stop existing session if running"
-docker-compose down
+compose_down_all
 rm -rf weaviate-data || true
 
 echo "Run Docker compose"
-docker-compose up -d
+compose_up_all
 
 echo "Wait until weaviate is up"
 
-# pulling all images usually takes < 3 min
-# starting weaviate usuall takes < 2 min
-i="0"
-curl localhost:8080/v1/meta >/dev/null 2>&1
-while [ $? -ne 0 ]; do
-  i=$[$i+5]
-  echo "Sleep $i"
-  sleep 5
-  if [ $i -gt 300 ]; then
-    echo "Weaviate did not start in time"
-    docker-compose logs
-    exit 1
-  fi
-  curl localhost:8080/v1/meta >/dev/null 2>&1
+for port in $(all_weaviate_ports); do
+   # pulling all images usually takes < 3 min
+  # starting weaviate usually takes < 2 min
+  i="0"
+  STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}" localhost:"$port"/v1/.well-known/ready)
+
+  while [ "$STATUS_CODE" -ne 200 ]; do
+    i=$(($i+5))
+    echo "Sleep $i"
+    sleep 5
+    if [ $i -gt 300 ]; then
+      echo "Weaviate did not start in time"
+      exit 1
+    fi
+    STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}" localhost:"$port"/v1/.well-known/ready)
+  done
+  echo "Weaviate on port $port is up and running"
 done
-echo "Weaviate is up and running"

ci/stop_dependencies.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
 
-docker-compose down
+. ./ci/compose.sh
+
+compose_down_all
 rm -rf weaviate-data || true

cluster/journey.test.js

@@ -1,8 +1,8 @@
 const weaviate = require("../index");
 const { createTestFoodSchemaAndData, cleanupTestFood, PIZZA_CLASS_NAME, SOUP_CLASS_NAME } = require("../utils/testData");
 
-const EXPECTED_WEAVIATE_VERSION = "1.16.0"
-const EXPECTED_WEAVIATE_GIT_HASH = "9e74add"
+const EXPECTED_WEAVIATE_VERSION = "1.16.5"
+const EXPECTED_WEAVIATE_GIT_HASH = "438e826"
 
 describe("cluster nodes endpoint", () => {
   const client = weaviate.client({

connection/auth.js

@@ -0,0 +1,197 @@
+export class Authenticator {
+  constructor(http, creds) {
+    this.http = http;
+    this.creds = creds;
+    this.bearerToken = "";
+    this.refreshToken = "";
+    this.expirationEpoch = 0
+    this.refreshRunning = false;
+
+    // If the authentication method is access token,
+    // our bearer token is already available for use
+    if (this.creds instanceof AuthAccessTokenCredentials) {
+      this.bearerToken = this.creds.accessToken;
+      this.expirationEpoch = calcExpirationEpoch(this.creds.expiresIn);
+      this.refreshToken = this.creds.refreshToken;
+    }
+  }
+
+  refresh = async (localConfig) => {
+    var config = await this.getOpenidConfig(localConfig);
+
+    var authenticator;
+    switch (this.creds.constructor) {
+      case AuthUserPasswordCredentials:
+        authenticator = new UserPasswordAuthenticator(this.http, this.creds, config);
+        break;
+      case AuthAccessTokenCredentials:
+        authenticator = new AccessTokenAuthenticator(this.http, this.creds, config);
+        break;
+      default:
+        throw new Error("unsupported credential type");
+    }
+
+    return authenticator.refresh()
+      .then(resp => {
+        this.bearerToken = resp.bearerToken;
+        this.expirationEpoch = resp.expirationEpoch;
+        this.refreshToken = resp.refreshToken;
+        if (!this.refreshRunning) {
+          this.runBackgroundTokenRefresh(authenticator);
+          this.refreshRunning = true;
+        }
+      });
+  };
+
+  getOpenidConfig = async (localConfig) => {
+    return this.http.externalGet(localConfig.href)
+      .then(openidProviderConfig => {
+        return {
+          clientId: localConfig.clientId, 
+          provider: openidProviderConfig
+        };
+      });
+  };
+
+  runBackgroundTokenRefresh = (authenticator) => {
+    setInterval(async () => { 
+      // check every 30s if the token will expire in <= 1m,
+      // if so, refresh
+      if (this.expirationEpoch - Date.now() <= 60_000) {
+        var resp = await authenticator.refresh();
+        this.bearerToken = resp.bearerToken;
+        this.expirationEpoch = resp.expirationEpoch;
+        this.refreshToken = resp.refreshToken;
+      }
+    }, 30_000)
+  };
+}
+
+export class AuthUserPasswordCredentials {
+  constructor(creds) {
+    this.username = creds.username;
+    this.password = creds.password;
+  }
+}
+
+class UserPasswordAuthenticator {
+  constructor(http, creds, config) {
+    this.http = http;
+    this.creds = creds;
+    this.openidConfig = config;
+  }
+
+  refresh = () => {
+    this.validateOpenidConfig();
+    return this.requestAccessToken()
+      .then(tokenResp => {
+        return {
+          bearerToken: tokenResp.access_token,
+          expirationEpoch: calcExpirationEpoch(tokenResp.expires_in),
+          refreshToken: tokenResp.refresh_token
+        };
+      })
+      .catch(err => {
+        return Promise.reject(
+          new Error(`failed to refresh access token: ${err}`)
+        );
+      });
+  };
+
+  requestAccessToken = () => {
+    var url = this.openidConfig.provider.token_endpoint;
+    var params = new URLSearchParams({
+      grant_type: "password",
+      client_id: this.openidConfig.clientId,
+      username: this.creds.username,
+      password: this.creds.password,
+      scope: "openid offline_access"
+    });
+    let contentType = "application/x-www-form-urlencoded;charset=UTF-8";
+    return this.http.externalPost(url, params, contentType);
+  };
+
+  validateOpenidConfig = () => {
+    if (this.openidConfig.provider.grant_types_supported !== undefined &&
+      !this.openidConfig.provider.grant_types_supported.includes("password")) {
+        throw new Error("grant_type password not supported");
+      }
+    if (this.openidConfig.provider.token_endpoint.includes(
+      "https://login.microsoftonline.com")) {
+        throw new Error("microsoft/azure recommends to avoid authentication using "+
+          "username and password, so this method is not supported by this client");
+      }
+  };
+}
+
+export class AuthAccessTokenCredentials {
+  constructor(creds) {
+    this.validate(creds);
+    this.accessToken = creds.accessToken;
+    this.expirationEpoch = calcExpirationEpoch(creds.expiresIn);
+    this.refreshToken = creds.refreshToken;
+  }
+
+  validate = (creds) => {
+    if (creds.expiresIn === undefined) {
+      throw new Error("AuthAccessTokenCredentials: expiresIn is required");
+    }
+    if (!Number.isInteger(creds.expiresIn) || creds.expiresIn <= 0) {
+      throw new Error("AuthAccessTokenCredentials: expiresIn must be int > 0");
+    }
+  };
+}
+
+class AccessTokenAuthenticator {
+  constructor(http, creds, config) {
+    this.http = http;
+    this.creds = creds;
+    this.openidConfig = config;
+  }
+
+  refresh = () => {
+    if (this.creds.refreshToken === undefined || this.creds.refreshToken == "") {
+      console.warn("AuthAccessTokenCredentials not provided with refreshToken, cannot refresh");
+      return Promise.resolve({
+          bearerToken: this.creds.accessToken,
+          expirationEpoch: this.creds.expirationEpoch
+      });
+    }
+    this.validateOpenidConfig();
+    return this.requestAccessToken()
+      .then(tokenResp => {
+        return {
+          bearerToken: tokenResp.access_token,
+          expirationEpoch: calcExpirationEpoch(tokenResp.expires_in),
+          refreshToken: tokenResp.refresh_token
+        };
+      })
+      .catch(err => {
+        return Promise.reject(
+          new Error(`failed to refresh access token: ${err}`)
+        );
+      });
+  };
+
+  validateOpenidConfig = () => {
+    if (this.openidConfig.provider.grant_types_supported === undefined ||
+      !this.openidConfig.provider.grant_types_supported.includes("refresh_token")) {
+        throw new Error("grant_type refresh_token not supported");
+      }
+  };
+
+  requestAccessToken = () => {
+    var url = this.openidConfig.provider.token_endpoint;
+    var params = new URLSearchParams({
+      grant_type: "refresh_token",
+      client_id: this.openidConfig.clientId,
+      refresh_token: this.creds.refreshToken,
+    });
+    let contentType = "application/x-www-form-urlencoded;charset=UTF-8";
+    return this.http.externalPost(url, params, contentType);
+  };
+}
+
+function calcExpirationEpoch(expiresIn) {
+  return Date.now() + ((expiresIn - 2) * 1000) // -2 for some lag
+}

connection/gqlClient.js

@@ -0,0 +1,19 @@
+const client = (config) => {
+    const scheme = config.scheme
+    const host = config.host
+    const defaultHeaders = config.headers
+    return {
+      query: (query, headers = {}) => {
+      var gql = require("graphql-client")({
+        url: `${scheme}://${host}/v1/graphql`,
+        headers: {
+          ...defaultHeaders,
+          ...headers,
+        }
+      });
+      return gql.query(query);
+    }
+  }
+}
+
+module.exports = client;