Freeform extra claims, update-user command, and lots of tweaks

Also fixes an issue with the login form, and generally makes sure error/success
pages look ok

Author: plexus

resources/oak/config.edn

@@ -1,6 +1,8 @@
 {:application/name                    "Oak"
  :http/host                           "0.0.0.0"
  :http/port                           4800
+ ;; not set by default, in which case it gets inferred from the request
+ ;; :http/origin "http://localhost:4800"
  :password/hash-type                  "argon2" ;; "bcrypt", "scrypt"
  :http-session/cookie-name            "oak-session"
  :redis/host                          "localhost"

src/co/gaiwan/oak/apis/auth.clj

@@ -8,7 +8,7 @@
    [co.gaiwan.oak.html.email.password-reset :as email-views]
    [co.gaiwan.oak.html.layout :as layout]
    [co.gaiwan.oak.html.login-page :as login-form]
-   [co.gaiwan.oak.html.password-reset :as views]
+   [co.gaiwan.oak.html.auth :as views]
    [co.gaiwan.oak.lib.auth-middleware :as auth-mw]
    [co.gaiwan.oak.lib.db :as db]
    [co.gaiwan.oak.lib.email :as email]
@@ -20,18 +20,21 @@
    (java.time Instant)
    (java.time.temporal ChronoUnit)))
 
-(defn GET-login [req]
+(defn GET-login
+  {:parameters
+   {:query [:map [:id {:optional true} string?]]}}
+  [req]
   (if (:identity req)
     {:status 302
      :headers {"Location" (routing/url-for req :home/dash)}}
     {:status 200
-     :html/body [login-form/login-html req]
+     :html/body [login-form/login-html req {:identifier (-> req :parameters :query :id)}]
      :html/head [:title "Oak Login"]}))
 
 (defn POST-login
   {:parameters
    {:form
-    {:email string?
+    {:identifier string?
      :password string?}}}
   [{:keys [db parameters session] :as req}]
   (if-let [id (identity/validate-login db (:form parameters))]
@@ -41,11 +44,12 @@
        :session {:identity id
                  :auth-time (System/currentTimeMillis)}}
       {:status 200
-       :html/body [:p "Successfully authenticated"]
+       :html/body [views/success-page req {:title "Successfully authenticated"}]
        :session {:identity id
                  :auth-time (System/currentTimeMillis)}})
     {:status 403
-     :html/body [:p "Invalid credentials"]}))
+     :html/body [login-form/login-html req {:identifier (:identifier (:form parameters))
+                                            :error "Invalid username or password"}]}))
 
 (defn GET-logout [req]
   {:status 302

src/co/gaiwan/oak/apis/oauth.clj

@@ -2,62 +2,28 @@
   "OAuth 2.1 authorization and token exchange"
   (:require
    [clojure.string :as str]
+   [co.gaiwan.oak.domain.identity :as identity]
    [co.gaiwan.oak.domain.jwk :as jwk]
    [co.gaiwan.oak.domain.jwt :as jwt]
    [co.gaiwan.oak.domain.oauth-authorization :as oauth-authorization]
    [co.gaiwan.oak.domain.oauth-client :as oauth-client]
    [co.gaiwan.oak.domain.oauth-code :as oauth-code]
    [co.gaiwan.oak.domain.refresh-token :as refresh-token]
    [co.gaiwan.oak.domain.scope :as scope]
+   [co.gaiwan.oak.html.layout :as layout]
+   [co.gaiwan.oak.html.oauth :as views]
    [co.gaiwan.oak.lib.auth-middleware :as auth-mw]
-   [co.gaiwan.oak.lib.debug-middleware :as debug]
-   [co.gaiwan.oak.html.forms :as f]
    [co.gaiwan.oak.util.hash :as hash]
    [co.gaiwan.oak.util.jose :as jose]
    [co.gaiwan.oak.util.log :as log]
    [co.gaiwan.oak.util.routing :as routing]
    [lambdaisland.hiccup.middleware :as hiccup-mw]
    [lambdaisland.uri :as uri]))
 
-(defn auth-error-html [extra-info]
-  [:<>
-   [:h1 "Oh no! Something went wrong."]
-   [:hr]
-   [:p "It looks like the link you clicked to sign in isn't quite right. Don't worry, this is usually a simple fix."]
-   [:p "The application you're trying to use did not pass along all information needed to let you log in. This could be because of a broken link or a typo."]
-   [:p "What you can do:"
-    [:ul
-     [:li "Head back to the application and try clicking the sign-in button again."]
-     [:li "If the issue continues, please reach out to the application's support team. They'll know exactly what to do!"]]]
-   [:p "We apologize for the inconvenience!"]
-   [:hr]
-   [:details
-    [:summary "Technical information"]
-    extra-info]])
-
-(defn permission-dialog-html [oauth-client requested-scopes params]
-  (let [{:keys [client_id redirect_uri response_type scope state code_challenge code_challenge_method]} params]
-    [:<>
-     [:p (:oauth-client/client-name oauth-client) " wants to access your account."]
-     [:p "This will allow " (:oauth-client/client-name oauth-client) " to:"]
-     [:ul
-      (for [s requested-scopes]
-        [:li (scope/desc s)])]
-     [f/form {:method "post"}
-      [:input {:type "hidden", :name "client_id", :value client_id}]
-      [:input {:type "hidden", :name "redirect_uri", :value redirect_uri}]
-      [:input {:type "hidden", :name "response_type", :value response_type}]
-      [:input {:type "hidden", :name "scope", :value scope}]
-      [:input {:type "hidden", :name "code_challenge", :value code_challenge}]
-      [:input {:type "hidden", :name "code_challenge_method", :value code_challenge_method}]
-      (when state [:input {:type "hidden", :name "state", :value state}])
-      [:button {:type "submit", :name "allow", :value "true"} "Allow"]
-      [:button {:type "submit", :name "allow", :value "false"} "Cancel"]]]))
-
 (defn error-html-response [message]
   {:status 400
    :html/head [:title "Something went wrong"]
-   :html/body [auth-error-html message]})
+   :html/body [views/auth-error-html message]})
 
 (defn error-redirect-response [redirect-uri kvs]
   {:status 302
@@ -124,7 +90,7 @@
   "Ask the user permission for the requested scopes"
   [oauth-client scope params]
   {:status 200
-   :html/body [permission-dialog-html oauth-client (str/split scope #"\s+") params]})
+   :html/body [views/permission-dialog-html oauth-client (str/split scope #"\s+") params]})
 
 (defn authorize-response
   "Happy path, store a code for later token exchange, and send the user back to
@@ -243,6 +209,7 @@
             ;; Look up the authorization code
             (if-let [code-entity (oauth-code/find-one db {:code code :client-uuid client-uuid})]
               (let [{:oauth-code/keys [identity-id scope code-challenge code-challenge-method]} code-entity
+                    identity (identity/find-one db {:id identity-id})
                     code-verifier-valid? (when (= code-challenge-method "S256")
                                            (and code_verifier
                                                 (= code-challenge (hash/sha256-base64url code_verifier))))]
@@ -260,11 +227,15 @@
                         at-claims (jwt/access-token-claims claim-opts)
                         access-token (jose/build-jwt jwk at-claims)
                         openid? (scope/subset? #{"openid"} scope)
-                        id-claims (when openid? (jwt/id-token-claims db (assoc claim-opts :access-token access-token)))
+                        offline-access? (scope/subset? #{"offline_access"} scope)
+                        id-claims (when openid? (merge (jwt/id-token-claims db (assoc claim-opts :access-token access-token))
+                                                       (:identity/claims identity)
+                                                       {"email" "foo@bar.com"}))
                         id-token (when openid? (jose/build-jwt jwk id-claims))
-                        refresh-token (refresh-token/create! db {:client-id client-uuid
-                                                                 :access-token-claims at-claims
-                                                                 :id-token-claims id-claims})]
+                        refresh-token (when offline-access?
+                                        (refresh-token/create! db {:client-id client-uuid
+                                                                   :access-token-claims at-claims
+                                                                   :id-token-claims id-claims}))]
                     (log/info :token/exchange {:scope scope :id-claims id-claims :at-claims at-claims})
                     ;; Delete the used code
                     (oauth-code/delete! db {:code code :client-uuid client-uuid})
@@ -275,8 +246,9 @@
                      (cond-> {:access_token access-token
                               :token_type "Bearer"
                               :expires_in (- (get at-claims "exp") (get at-claims "iat"))
-                              :refresh_token refresh-token
                               :scope scope}
+                       offline-access?
+                       (assoc :refresh_token refresh-token)
                        id-token
                        (assoc :id_token id-token))})
                   (error-response "server_error" "No default JWK configured")))
@@ -476,6 +448,7 @@
       :get #'GET-authorization-server-metadata}]
     ["/oauth" {:openapi {:tags ["oauth"]}}
      ["/authorize" {:name :oauth/authorize
+                    :html/layout layout/layout
                     :middleware [hiccup-mw/wrap-render]
                     :get #'GET-authorize
                     :post #'POST-authorize}]

src/co/gaiwan/oak/app/admin_cli.clj

@@ -7,11 +7,14 @@
   (:require
    [clojure.string :as str]
    [co.gaiwan.oak.app.config :as config]
+   [co.gaiwan.oak.domain.credential :as credential]
+   [co.gaiwan.oak.domain.identifier :as identifier]
    [co.gaiwan.oak.domain.identity :as identity]
    [co.gaiwan.oak.domain.jwk :as jwk]
    [co.gaiwan.oak.domain.jwt :as jwt]
    [co.gaiwan.oak.domain.oauth-client :as oauth-client]
    [co.gaiwan.oak.lib.cli-error-mw :as cli-error-mw]
+   [co.gaiwan.oak.lib.db :as db]
    [lambdaisland.cli :as cli])
   (:import
    (java.io StringWriter)))
@@ -84,12 +87,43 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
 (defn create-user
-  "Create a new user user"
-  {:flags ["--email <email>" "Email address"
-           "--password <password>" "User password"]}
+  "Create a new user"
+  {:flags ["--email <email>" {:doc "Email address"
+                              :required true}
+           "--password <password>" "User password"
+           "--claim <k=v>" {:doc "Additional claim"
+                            :handler (fn [opts claim]
+                                       (let [[k v] (str/split claim #"=")]
+                                         (update opts :claims assoc k v)))}]}
   [opts]
   {:data [(identity/create-user! (db) opts)]})
 
+(defn update-user
+  "Update a user/identity"
+  {:flags ["--email <email>" {:doc "Email address"
+                              :required true}
+           "--password <password>" "User password"
+           "--claim <k=v>" {:doc "Set a JWK claim, e.g. `--claim 'groups=admin owner'`
+
+Leave the part after `=` blank to unset a claim."
+                            :handler (fn [opts claim]
+                                       (let [[k v] (str/split claim #"=")]
+                                         (update opts :claims assoc k v)))}]}
+  [{:keys [email password claims] :as opts}]
+  (db/with-transaction [conn (db)]
+    (if-let [{user-id :identifier/identity-id} (identifier/find-one conn {:type "email" :value email})]
+      (do
+        (when claims
+          (let [{orig-claims :identity/claims} (identity/find-one conn {:id user-id})]
+            (identity/update! conn {:id user-id :claims (reduce (fn [c [k v]]
+                                                                  (if (str/blank? v)
+                                                                    (dissoc c k)
+                                                                    (assoc c k v)))
+                                                                orig-claims
+                                                                claims)})))
+        (when password
+          (credential/set-password! conn {:identity-id user-id :password password}))))))
+
 (defn list-users
   "List users"
   [opts]
@@ -107,6 +141,7 @@
    :commands
    ["create" #'create-user
     "list" #'list-users
+    "update" #'update-user
     "delete <id>" #'delete-user]})
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

src/co/gaiwan/oak/domain/credential.clj

@@ -118,7 +118,4 @@
             :type "totp_secret"
             :value secret})
 
-  (get-hash (user/db) tmp-uuid "totp")
-  (get-hash (user/db) tmp-uuid "password")
-  (get-password-hash (user/db) tmp-uuid)
 )

src/co/gaiwan/oak/domain/identity.clj

@@ -11,15 +11,18 @@
 
 (def attributes
   [[:id :uuid :primary-key]
-   [:type :text [:not nil]]])
+   [:type :text [:not nil]]
+   ;; freeform extra jwt claims, escape hatch
+   [:claims :jsonb]])
 
-(defn create! [db {:keys [id type]}]
+(defn create! [db {:keys [id type claims]}]
   (db/insert! db :identity {:id (or id (uuid/v7))
-                            :type (or type "user")}))
+                            :type (or type "user")
+                            :claims claims}))
 
-(defn create-user! [db {:keys [email password]}]
+(defn create-user! [db {:keys [email password claims]}]
   (db/with-transaction [conn db]
-    (let [ident (create! conn {:type "user"})
+    (let [ident (create! conn {:type "user" :claims claims})
           id    (:identity/id ident)]
       (identifier/create!
        conn
@@ -33,6 +36,15 @@
         :password password})
       ident)))
 
+(defn update! [db {:keys [id type claims]}]
+  (db/execute-honey!
+   db
+   {:update :identity
+    :set (cond-> {}
+           type (assoc :type type)
+           claims (assoc :claims [:lift claims]))
+    :where [:= :id id]}))
+
 (defn list-all [db]
   (doall
    (for [i (db/execute-honey! db {:select [:*] :from :identity})]
@@ -46,7 +58,7 @@
 
 (defn validate-login
   "Return identity id if password matches, nil otherwise"
-  [db {:keys [identifier password]}]
+  [db {:keys [identifier password] :as opts}]
   (when-let [identity
              (some->
               (db/execute-honey!

src/co/gaiwan/oak/domain/oauth_authorization.clj

@@ -45,3 +45,12 @@
    db
    {:delete-from :oauth-authorization
     :where [:= identity-id :identity_id]}))
+
+(comment
+  (db/execute-honey!
+   (user/db)
+   {:select [:*]
+    :from :oauth-authorization
+    })
+
+  )

src/co/gaiwan/oak/domain/oauth_client.clj

@@ -112,8 +112,7 @@
     id
     (conj [:= :oauth_client.id id])
     client-id
-    (conj [:= :oauth_client.client-id client-id])
-    ))
+    (conj [:= :oauth_client.client-id client-id])))
 
 (defn find-by-client-id [db client-id]
   (first
@@ -131,4 +130,12 @@
 
 (comment
   (create! (user/db) {:client-name "My client"
-                      :redirect-uris []}))
+                      :redirect-uris []})
+
+  (db/execute-honey! (user/db)
+                     {:update :oauth_client
+                      :set {:redirect-uris [:lift ["http://localhost:3111/user/oauth2/oak/callback"]]
+                            :scope "openid profile email"}
+                      :where [:= :client_id "2ZyVA5TnoXw.oak.client"]})
+
+  )

src/co/gaiwan/oak/html/password_reset.clj src/co/gaiwan/oak/html/auth.cljsrc/co/gaiwan/oak/html/password_reset.clj renamed to src/co/gaiwan/oak/html/auth.clj

@@ -1,4 +1,4 @@
-(ns co.gaiwan.oak.html.password-reset
+(ns co.gaiwan.oak.html.auth
   (:require
    [co.gaiwan.oak.html.forms :as f]
    [co.gaiwan.oak.html.graphics :as g]
@@ -19,7 +19,7 @@
 
 (defn password-reset-html [req]
   [layout
-   [:h1 "Reset Password"]
+   [:h1 "Reset password"]
    [:p "Enter your email and we'll send you a link to reset your password."]
    [f/form {:method "POST"}
     [f/input-group
@@ -56,7 +56,7 @@
   ([req {:keys [email password confirm-password minlength
                 password-error confirm-error]}]
    [layout
-    [:h1 "Reset Password"]
+    [:h1 "Set your new password"]
     [:p "Choose a new password for " [:strong email]]
     [f/form {:method "POST"}
      [f/input-group
@@ -85,18 +85,23 @@
        :minlength    minlength}]
      [f/submit {:type "submit" :value "Reset password"}]]]))
 
-(o/defstyled password-reset-success :div
+(o/defstyled success-page :div
   {:text-align :center}
   [g/checkmark {:height "3rem"
                 :margin "1rem"
                 :align-self :center}]
-  ([req]
+  ([req {:keys [title]} & children]
    [layout
-    [:h1 "Password Successfully Reset"]
-    [:p "Your password has been updated. You can now log in with your new password."]
+    [:h1 title]
+    (into [:<>] children)
+
     [g/checkmark]
     [:a.subtle {:href (routing/url-for req :auth/login)} "Back to Login"]]))
 
+(defn password-reset-success [req]
+  [success-page req
+   {:title "Password Successfully Reset"}
+   [:p "Your password has been updated. You can now log in with your new password."]])
 
 (o/defstyled error-page :div
   {:text-align :center}