feat(backend): introduce OpenID Connect fields to Actor

Dam-99 · Dam-99 · commit 20344f470fc3 · 2026-04-09T17:39:44.000+02:00
Add the OpenID connect fields of interest for Edgehog to the
`Edgehog.Actors.Actor` resource, and update the `gen-edgehog-jwt` script to
support the creation of JWTs with the new fields.

Signed-off-by: Damiano Mason &lt;damiano.mason@secomind.com&gt;
diff --git a/backend/lib/edgehog/actors/actor.ex b/backend/lib/edgehog/actors/actor.ex
@@ -22,6 +22,7 @@ defmodule Edgehog.Actors.Actor do
   @moduledoc """
   Edgheog Actors.
   This module represents an actor performing a call trough the GraphQL APIs.
+  It implements the ID Token from the OpenID Connect spec.
   """
 
   use Ash.Resource,
@@ -36,11 +37,85 @@ defmodule Edgehog.Actors.Actor do
     defaults [:read]
 
     create :from_claims do
-      accept [:claims]
+      accept [
+        :sub,
+        :aud,
+        :exp,
+        :iat,
+        :auth_time,
+        :preferred_username,
+        :email,
+        :given_name,
+        :family_name,
+        :claims
+      ]
     end
   end
 
   attributes do
-    attribute :claims, :map, allow_nil?: false
+    # TODO: consider using issuer claim
+    # Not required in our use-case for now
+
+    attribute :sub, :string do
+      description """
+        Subject Identifier, a unique and never reassigned identifier within the Issuer for the user.
+        Only at most 255 ASCII characters are allowed. For example, the user's Keycloak UUID
+      """
+    end
+
+    attribute :aud, :string do
+      description """
+        The OAuth2 `client_id` of the of the Client requesting auth on behalf of the user
+      """
+    end
+
+    attribute :exp, :datetime do
+      description """
+        Expiration time of the token (JWT) corresponding to the current actor
+      """
+    end
+
+    attribute :iat, :datetime do
+      description """
+        Time at which the token (JWT) corresponding to the current actor was issued at
+      """
+    end
+
+    attribute :auth_time, :datetime do
+      description """
+        Time at which the user authentication occurred
+      """
+    end
+
+    attribute :preferred_username, :string do
+      description """
+        Username of the user represented by the current actor
+      """
+    end
+
+    attribute :email, :string do
+      description """
+        Email connected to the user's ID
+      """
+    end
+
+    attribute :given_name, :string do
+      description """
+        Given name of the user
+      """
+    end
+
+    attribute :family_name, :string do
+      description """
+        Family name of the user
+      """
+    end
+
+    attribute :claims, :map do
+      description """
+        DEPRECATED: claims specified as a map are deprecated, and will be dropped once
+        the new authentication/authorization flow is finalized
+      """
+    end
   end
 end
diff --git a/backend/lib/edgehog_web/auth/token.ex b/backend/lib/edgehog_web/auth/token.ex
@@ -38,14 +38,51 @@ defmodule EdgehogWeb.Auth.Token do
     # TODO: for now we just check that some e_tga claims are encoded in the token,
     # and we don't care about their value
     # e_tga = Edgehog Tenant GraphQL API
+    # The same is true for the OpenID connect claims required by Edgehog
+    # but only e_tga is used for validating auth for now
     case Map.fetch(claims, "e_tga") do
-      {:ok, claims} ->
+      {:ok, e_tga_value} ->
+        claims = oidc_claims(claims)
+
         Edgehog.Actors.Actor
-        |> Ash.Changeset.for_create(:from_claims, %{claims: %{e_tga: claims}})
+        |> Ash.Changeset.for_create(
+          :from_claims,
+          Map.put(claims, :claims, %{e_tga: e_tga_value})
+        )
         |> Ash.create()
 
       :error ->
         {:error, :no_valid_claims}
     end
   end
+
+  defp oidc_claims(submitted_claims) when is_map(submitted_claims) do
+    required_claims = [
+      :sub,
+      :aud,
+      :exp,
+      :iat,
+      :auth_time,
+      :preferred_username,
+      :email,
+      :given_name,
+      :family_name
+    ]
+
+    Enum.reduce(required_claims, %{}, fn claim_name, acc ->
+      case Map.fetch(submitted_claims, Atom.to_string(claim_name)) do
+        {:ok, value} -> Map.put(acc, claim_name, timestamp_to_datetime(value))
+        _ -> acc
+      end
+    end)
+  end
+
+  defp timestamp_to_datetime(timestamp_or_else) when is_integer(timestamp_or_else) do
+    case DateTime.from_unix(timestamp_or_else) do
+      {:ok, dt} -> dt
+      {:error, _} -> nil
+    end
+  end
+
+  defp timestamp_to_datetime(timestamp_or_else), do: timestamp_or_else
 end
diff --git a/backend/test/support/tenant_api/conn_case.ex b/backend/test/support/tenant_api/conn_case.ex
@@ -91,8 +91,23 @@ defmodule EdgehogWeb.ConnCase do
       |> X509.PrivateKey.to_pem()
       |> JOSE.JWK.from_pem()
 
+    now = DateTime.utc_now()
+
+    base_claims = %{
+      iss: "https://example.issuer.com/current",
+      sub: Ash.UUIDv7.generate(),
+      aud: "edgehog-test",
+      exp: now |> DateTime.shift(hour: 2, day: 1) |> DateTime.to_unix(),
+      iat: DateTime.to_unix(now),
+      auth_time: now |> DateTime.shift(hour: 1) |> DateTime.to_unix(),
+      preferred_username: "username",
+      email: "example@email.com",
+      given_name: "John",
+      family_name: "Doe"
+    }
+
     # The value of e_tga claims is ignored for now
-    claims = claims || %{e_tga: true}
+    claims = Map.merge(base_claims, claims || %{e_tga: true})
 
     # Generate the JWT
     {:ok, jwt, _claims} =
diff --git a/tools/gen-edgehog-jwt b/tools/gen-edgehog-jwt
@@ -64,6 +64,7 @@ defmodule GenEdgehogJwt do
       %{}
       |> add_type_claim(opts[:token_type])
       |> add_expiry_claim(opts[:expiry])
+      |> add_auth_claims(opts)
 
     case Joken.generate_and_sign(%{}, claims, signer) do
       {:ok, token, _claims} ->
@@ -78,14 +79,34 @@ defmodule GenEdgehogJwt do
   defp parse_args(args) do
     args
     |> OptionParser.parse!(
-      switches: [private_key: :string, expiry: :integer, token_type: :string],
-      aliases: [k: :private_key, e: :expiry, t: :token_type]
+      switches: [
+        private_key: :string,
+        expiry: :integer,
+        token_type: :string,
+        subject: :string,
+        audience: :string,
+        preferred_username: :string,
+        email: :string,
+        given_name: :string,
+        family_name: :string
+      ],
+      aliases: [
+        k: :private_key,
+        e: :expiry,
+        t: :token_type,
+        s: :subject,
+        a: :audience,
+        u: :preferred_username,
+        m: :email,
+        n: :given_name,
+        N: :family_name
+      ]
     )
     |> validate_args()
   rescue
     e in OptionParser.ParseError ->
       print_usage()
-      IO.puts(:stderr,"#{@red}gen-edgehog-jwt: error: #{e.message}#{@reset}")
+      IO.puts(:stderr, "#{@red}gen-edgehog-jwt: error: #{e.message}#{@reset}")
       System.halt(1)
   end
 
@@ -94,28 +115,39 @@ defmodule GenEdgehogJwt do
       !opts[:private_key] ->
         print_usage()
 
-        IO.puts(:stderr, "#{@red}gen-edgehog-jwt: error: the following arguments are required: -k/--private-key#{@reset}")
+        IO.puts(
+          :stderr,
+          "#{@red}gen-edgehog-jwt: error: the following arguments are required: -k/--private-key#{@reset}"
+        )
 
         System.halt(1)
 
       !opts[:token_type] ->
         print_usage()
 
-        IO.puts(:stderr, "#{@red}gen-edgehog-jwt: error: the following arguments are required: -t/--token-type#{@reset}")
+        IO.puts(
+          :stderr,
+          "#{@red}gen-edgehog-jwt: error: the following arguments are required: -t/--token-type#{@reset}"
+        )
 
         System.halt(1)
 
       opts[:token_type] not in ["tenant", "admin"] ->
         print_usage()
 
-        IO.puts(:stderr,
+        IO.puts(
+          :stderr,
           "#{@red}gen-edgehog-jwt: error: invalid token type '#{opts[:token_type]}'. Choose 'tenant' or 'admin'.#{@reset}"
         )
 
         System.halt(1)
 
       true ->
-        opts = Keyword.put_new(opts, :expiry, 86_400)
+        opts =
+          opts
+          |> Keyword.put_new(:expiry, 86_400)
+          |> Keyword.put(:issued_at, DateTime.to_unix(DateTime.utc_now()))
+
         {opts, rest}
     end
   end
@@ -138,8 +170,35 @@ defmodule GenEdgehogJwt do
     Map.put(claims, "exp", exp)
   end
 
+  defp add_auth_claims(claims, opts) do
+    subject_claim = opts[:subject]
+    audience_claim = opts[:audience]
+    username_claim = opts[:preferred_username]
+    email_claim = opts[:email]
+    given_name_claim = opts[:given_name]
+    family_name_claim = opts[:family_name]
+
+    auth_time_claim =
+      opts[:issued_at]
+      |> DateTime.from_unix()
+      |> elem(1)
+      |> DateTime.add(1, :second)
+      |> DateTime.to_unix()
+
+    claims
+    |> Map.put("sub", subject_claim)
+    |> Map.put("aud", audience_claim)
+    |> Map.put("preferred_username", username_claim)
+    |> Map.put("email", email_claim)
+    |> Map.put("given_name", given_name_claim)
+    |> Map.put("family_name", family_name_claim)
+    |> Map.put("auth_time", auth_time_claim)
+  end
+
   defp print_usage do
-    IO.puts("usage: gen-edgehog-jwt [-h] -k PRIVATE_KEY [-e EXPIRY] -t {tenant,admin}")
+    IO.puts(
+      "usage: gen-edgehog-jwt [-h] -k PRIVATE_KEY [-e EXPIRY] -t {tenant,admin} -s SUBJECT -a AUDIENCE -u PREFERRED_USERNAME -m EMAIL_ADDRESS -n GIVEN_NAME -N FAMILY_NAME"
+    )
   end
 
   defp print_help do
@@ -152,22 +211,32 @@ defmodule GenEdgehogJwt do
       Supports both #{@green}tenant#{@reset} and #{@green}admin#{@reset} tokens.
 
     #{@yellow}Required Options:#{@reset}
-      #{@green}-k, --private-key PATH#{@reset}   Path to your private key file (RSA or EC)
-      #{@green}-t, --token-type TYPE#{@reset}   Token type: #{@green}tenant#{@reset} or #{@green}admin#{@reset}
+      #{@green}-k, --private-key PATH#{@reset}              Path to your private key file (RSA or EC)
+      #{@green}-t, --token-type TYPE#{@reset}               Token type: #{@green}tenant#{@reset} or #{@green}admin#{@reset}
 
     #{@yellow}Optional Options:#{@reset}
       #{@green}-e, --expiry SECONDS#{@reset}    Token expiration time in seconds (default: 86400); set to #{@green}0#{@reset} for no expiration
       #{@green}-h, --help#{@reset}              Display this help message
+      #{@green}-s, --subject SUBJECT#{@reset}               Subject Identifier, a unique and never reassigned identifier. Max 255 ASCII characters
+      #{@green}-a, --audience AUDIENCE#{@reset}             The OAuth2 client_id of the of the Client requesting auth on behalf of the user
+      #{@green}-u, --preferred-username USERNAME#{@reset}   Username of the user
+      #{@green}-m, --email EMAIL#{@reset}                   Email address of the user
+      #{@green}-n, --given-name GIVEN_NAME#{@reset}         Given name of the user
+      #{@green}-N, --family-name FAMILY_NAME#{@reset}       Family name of the user
+
+      #{@blue}AUTH_OPTIONS#{@reset}
+        Options used for authentication and authorization of the user's client:
+        #{@green}--subject#{@reset}, #{@green}--audience#{@reset}, #{@green}--preferred-username#{@reset}, #{@green}--email#{@reset}, #{@green}--given-name#{@reset}, #{@green}--family-name#{@reset}
 
     #{@yellow}Examples:#{@reset}
       #{@blue}# Generate a tenant token with default expiry (24 hours)#{@reset}
-      ./gen-edgehog-jwt -k private_key.pem -t tenant
+      ./gen-edgehog-jwt -k private_key.pem -t tenant [AUTH_OPTIONS]
 
       #{@blue}# Generate an admin token with 1 hour expiry#{@reset}
-      ./gen-edgehog-jwt -k private_key.pem -t admin -e 3600
+      ./gen-edgehog-jwt -k private_key.pem -t admin -e 3600 [AUTH_OPTIONS]
 
       #{@blue}# Generate a token with no expiration#{@reset}
-      ./gen-edgehog-jwt -k private_key.pem -t tenant -e 0
+      ./gen-edgehog-jwt -k private_key.pem -t tenant -e 0 [AUTH_OPTIONS]
     """)
   end
 end
