Mega refactoring (#13)

* local login working

* oauth2 token flow working

* cleanup

* token-store connect working

* github, google, xero working

* rest requests working

* get-auth-header working

* rest examples

* oidc login (almost) working

* oidc workflow ok

* oidc login working

* readme

* readme

* cleanup error flow

* readme

---------

Co-authored-by: awb99 <[email protected]>

Author: awb99

README.md

@@ -2,53 +2,48 @@
 
 
 ## core features
-- generate local-identity-token via user/password
-- run oauth2 workflow to get tokens from oauth2 providers (google, github, woo-commerce, xero, ...)
-- renew oauth2 tokens
-- tokens can be used to access rest/graphql apis
-- token store
 
-## gorilla dependencies
-- permission (define users and their permissions)
-- websocket (oauth via websocket and ring-handler)
-- modular (config, persistence)
+- oauth2 access-token engine
+  - allow users to authorize the app via web interface from oauth2 providers (google, github, xero, ..)
+  - get access-tokens for use with rest/graphql apis 
+  - transparently renews access-tokens
+  - token store (rudimentary but necessary)
+  - its primary use is to let your application use oauth2 protected services.
+- identity engine (to allow users to "login")
+  - the idea is that you can expose clj services that are only accessible to certain users.
+  - local-identity tokens via user/password
+  - oidc tokens (using oauth2 flow)
 
-# demo
 
-The demo uses the extension manager from goldly to add oauth2 to goldly.
-
-```
-cd demo
-clj -X:demo:npm-install
-clj -X:demo:compile
-clj -X:demo
-```
 
-*local user/password login*
-Test local user/password login: user: "demo" password: "1234"
+# configuration
 
-*oauth2 login*
-- oauth2 need a configuration before they work
 - [creds-empty.edn](https://github.com/pink-gorilla/oauth2/blob/main/creds-empty.edn) has empty values you can set and a description how to get the credentials
+- before starting the demo you need to set the correct credentials.
+- edit demo/deps.edn in :run alias set the :config to a file that contains your credentials.
 
 
-# demo - inspect received tokens
+# demo
+
+```
+cd demo
+clj -X:webly:npm-install
+clj -X:webly:compile
+clj -X:webly:run
 ```
-clj -X:run:token-info-google
+
+Open a webbrowser on port 8080
 
 ```
 
-# how to use tokens (for example in rest api):
+## gorilla dependencies
 
-Have a look at [pink-gorilla/rest](https://github.com/pink-gorilla/rest) for rest-apis that use oauth2 tokens generated via this library.
+- permission (define users and their permissions)
+- clj-service (expose clj functions via websocket and ring-handler)
+- modular (edn persistence)
 
-```
-(require '[modular.oauth2.token.refresh :as tr])
-(require '[modular.oauth2.token.info :refer [print-token-table]])
 
-(tr/access-token-needs-refresh? :google)
-(tr/refresh-access-token :google)
+# how to use tokens (for example in rest api):
 
-(print-token-table [:xero :shiphero :google :github])
-```
+Have a look at [pink-gorilla/rest](https://github.com/pink-gorilla/rest) for rest-apis that use oauth2 tokens generated via this library.
 

TODO.md

@@ -1,10 +1,11 @@
+# todo 
 
+https://github.com/jarden-digital/jwt-verify-jwks
 
 ## github
 
 - https://docs.github.com/en/rest/reference/users
 
-
 # links
 
 ; AUTHENTICATION for web apps
@@ -46,11 +47,8 @@ https://github.com/ovotech/ring-jwt
 https://github.com/liquidz/clj-jwt/blob/master/src/clj_jwt/core.clj
 
 
-
 [kitchen-async.promise :as p]
 
-
-https://github.com/liquidz/clj-jwt
 https://github.com/liquidz/clj-jwt
 
 Certs from Google.
@@ -78,8 +76,6 @@ https://github.com/cjohansen/auth0-ring/tree/master/src/auth0_ring
 
 
 
-
-
 of multiple endpoints for authenticating users, and for requesting resources including tokens, user information, and public keys.
 
 To simplify implementations and increase flexibility, OpenID Connect allows the use of a "Discovery document," a JSON document found at a well-known location containing key-value pairs which provide details about the OpenID Connect provider's configuration, including the URIs of the authorization, token, revocation, userinfo, and public-keys endpoints. The Discovery document for Google's OpenID Connect service may be retrieved from:
@@ -219,3 +215,13 @@ const getAccessToken = async refreshToken => {
     console.log(err);
   }
 };
+
+
+
+https://github.com/jarden-digital/jwt-verify-jwks
+
+https://funcool.github.io/buddy-sign/latest/01-jwt.html
+
+https://stackoverflow.com/questions/60497057/how-to-obtain-jwks-and-use-them-in-jwt-signing
+
+https://github.com/liquidz/clj-jwt

build.clj

@@ -1,15 +1,12 @@
 (ns build
   (:require
-   [babashka.fs :as fs]
-   [clojure.java.io :as io]
-   [clojure.string :as str]
    [clojure.tools.build.api :as b]
    [org.corfield.build :as bb] ; https://github.com/seancorfield/build-clj
-   [deps-deploy.deps-deploy :as dd]))
+))
 
 
 (def lib 'org.pinkgorilla/oauth2)
-(def version (format "0.0.%s" (b/git-count-revs nil)))
+(def version (format "0.2.%s" (b/git-count-revs nil)))
 
 (defn jar "build the JAR" [opts]
   (println "Building the JAR")

creds-empty.edn

@@ -1,12 +1,13 @@
 
-{:oauth2 {:local {:client-secret ""}
-          :google {:client-id ""
-                   :client-secret ""}
-          :github {:client-id        ""
-                   :client-secret    ""}
-          :xero   {:client-id        ""
-                   :client-secret    ""}
-          }}
+{:token {:local {:client-secret ""}
+         :oauth2 {:google {:client-id ""
+                           :client-secret ""}
+                  :github {:client-id        ""
+                           :client-secret    ""}
+                  :xero   {:client-id        ""
+                           :client-secret    ""}}
+         
+}}
 
 ; local
 ; set "client-secret" to a random string which is used to encrypt tokens

demo/bb.edn

@@ -3,11 +3,10 @@
          "target/webly"]
 
  :deps {org.clojure/clojure    {:mvn/version "1.11.1"}
-        org.pinkgorilla/webly {:mvn/version "0.5.655"}
-        org.pinkgorilla/ui-tailwind {:mvn/version "0.0.5"}
+        org.pinkgorilla/webly {:mvn/version "0.6.692"}
+        org.pinkgorilla/ui-tailwind {:mvn/version "0.1.8"}
         org.pinkgorilla/oauth2 {:local/root "../" :deps/manifest :deps}
-        }
-
+        nrepl/nrepl {:mvn/version "1.2.0"}}
 
  :aliases {:webly {:exec-fn webly.app.app/webly-build
                    :exec-args {:config [{}]
@@ -22,35 +21,11 @@
 
            :run {:exec-fn modular.system/start!
                  :exec-args {:profile "jetty"
-                              :config ["oauth2/config.edn" ; oauth2 endpoints
-                                       "demo-config.edn"
-                                       "/home/florian/repo/myLinux/myvault/goldly/oauth2-localhost.edn" ; oauth2 secrets
+                              :config ["/home/florian/repo/myLinux/myvault/goldly/oauth2-localhost.edn" ; oauth2 secrets
                                       ]
                              :services "demo-services.edn"}}
-
-           ;; token info
-           :token-info-xero {:exec-args {:run demo.token/token-info
-                                         :provider :xero}}
-
-           :token-info-google {:exec-args {:run demo.token/token-info
-                                           :provider :google}}
-
-           :token-info-github {:exec-args {:run demo.token/token-info
-                                           :provider :github}}
-
-           :tokens-summary {:exec-fn demo.token/tokens-summary
-                            :exec-args {:providers [:xero :github :google
-                                                     ; :wonderland ; to test non existent tokens
-                                                    ]}}
-
-           ; token refresh
-           :token-refresh-xero {:exec-fn demo.token-refresh/refresh-token-xero}
-
-           ; clj
-
-           :password
-           {:exec-fn demo.password/password
-            :exec-args {:password "1234"}}}
+  
+           }
 
 ;
  }

demo/deps.edn

@@ -6,12 +6,70 @@
   :timbre {:start (modular.log/timbre-config!
                    (:timbre/clj (deref (clip/ref :config))))}
 
+  :exts {:start (extension/discover)}
+
+  :permission {:start (modular.permission.core/start-permissions
+                       {:demo {:roles #{:logistic}
+                               :password "a231498f6c1f441aa98482ea0b224ffa" ; "1234"
+                               :email ["[email protected]"]}
+                        :boss {:roles #{:logistic :supervisor :accounting}
+                               :password "a231498f6c1f441aa98482ea0b224ffa" ; "1234"
+                               :email ["[email protected]"]}
+                        :florian {:roles #{:logistic}
+                                  :password "a231498f6c1f441aa98482ea0b224ffa" ; 1234
+                                  :email ["[email protected]"]}
+                        :john {:roles #{:logistic}
+                               :password "a231498f6c1f441aa98482ea0b224ffa" ; "1234"
+                               :email ["[email protected]"]}})}
+
+  :clj-service {:start (clj-service.core/start-clj-services
+                        (clip/ref :permission)
+                        (clip/ref :exts))}
+
+  #_:identity/local #_{:start (token.identity.local/start-local-identity
+                               {:permission (clip/ref :permission)
+                                :clj (clip/ref :clj-service)
+                                :secret "AbHzj834ri9"})}
+
+  #_:identity/oidc #_{:start (token.identity.oidc/start-oidc-identity
+                              {:permission (clip/ref :permission)
+                               :clj (clip/ref :clj-service)})}
+
+  :identity {:start (token.identity.service/start-identity-service
+                     {:permission (clip/ref :permission)
+                      :clj (clip/ref :clj-service)
+                      :secret "AbHzj834ri9"})}
+
+  #_:oauth2/token-store #_{:start (token.oauth2.store/create-store {:clj (clip/ref :clj-service)
+                                                                    :store-path ".webly/tokenstore"
+                                                                    :store-role nil ; #{}
+                                                                    })}
+
+  #_:oauth2 #_{:start (token.oauth2.core/start-oauth2-providers
+                       {:clj (clip/ref :clj-service)
+                        :store (clip/ref :oauth2/token-store)
+                        :providers (:oauth2 (:token (deref (clip/ref :config))))
+                    ;:providers {:google {:client-id "" :client-secret ""}}
+                        })}
+
+  :oauth2 {:start (token.oauth2.service/start-oauth2-service
+                   {:clj (clip/ref :clj-service)
+                    :providers (:oauth2 (:token (deref (clip/ref :config))))
+                    ;:providers {:google {:client-id "" :client-secret ""}}
+                    :store-path ".webly/tokenstore"
+                    :store-role nil ; #{}
+                    })}
+
 
   :webly {:start (webly.app.app/start-webly
-                (deref (clip/ref :config))
-                (:profile #ref [:modular]))
-        :stop (webly.app.app/stop-webly this)}
+                  (clip/ref :exts)
+                  (deref (clip/ref :config))
+                  (:profile #ref [:modular]))
+          :stop (webly.app.app/stop-webly this)}
+
 
+  :nrepl {:start (nrepl.server/start-server :bind "0.0.0.0" :port 9100)
+          :stop (.close this)}
 
 
 ;

demo/resources/demo-config.edn

@@ -0,0 +1,5 @@
+{:clj-services {:name "time-public"
+                :permission  nil
+                :symbols [demo.time/time-public
+                          demo.time/time-debug]}}
+

demo/resources/demo-services.edn

@@ -0,0 +1,4 @@
+{:clj-services {:name "time-supervisor"
+                :permission  #{:supervisor}
+                :symbols [demo.time/time-supervisor]}}
+

demo/resources/ext/time-public.edn

@@ -0,0 +1,3 @@
+{:clj-services {:name "time-user"
+                :permission  #{}
+                :symbols [demo.time/time-user]}}

demo/resources/ext/time-supervisor.edn

@@ -0,0 +1,43 @@
+{:modular (modular.system/modular-env)  ; {:profile "jetty"  :config ["demo.edn" "secrets.edn"]}
+ ;:secrets #include "secrets.edn" ;; externalised and usually "mounted" as a docker/kubernetes secret
+ :components
+ {:config {:start (modular.config/load-config! (:config #ref [:modular]))}
+
+  :timbre {:start (modular.log/timbre-config!
+                   (:timbre/clj (deref (clip/ref :config))))}
+  
+  :exts {:start (extension/discover)}
+
+  :permission {:start (modular.permission.core/start-permissions
+                       {:demo {:roles #{:logistic}
+                               :password "a231498f6c1f441aa98482ea0b224ffa" ; "1234"
+                               :email ["[email protected]"]}
+                        :boss {:roles #{:logistic :supervisor :accounting}
+                               :password "a231498f6c1f441aa98482ea0b224ffa" ; "1234"
+                               :email ["[email protected]"]}
+
+                        :florian {:roles #{:logistic}
+                                  :password "a231498f6c1f441aa98482ea0b224ffa" ; 1234
+                                  :email ["[email protected]"]}
+                        :john {:roles #{:logistic}
+                               :password "a231498f6c1f441aa98482ea0b224ffa" ; "1234"
+                               :email ["[email protected]"]}})}
+  :token {:start (token.oauth2.store/create-store {:path ".webly/tokenstore"})}
+  
+
+  :demo {:start (demo.token-info/run (clip/ref :token))}
+
+  ;:clj-service {:start (clj-service.core/start-clj-services
+  ;                      (clip/ref :permission)
+  ;                      (clip/ref :exts))}
+
+  ;:webly {:start (webly.app.app/start-webly
+  ;                (clip/ref :exts)
+  ;                (deref (clip/ref :config))
+  ;                (:profile #ref [:modular]))
+  ;        :stop (webly.app.app/stop-webly this)}
+
+
+
+;
+  }}