Support EntraID as alt OAuth provider (#758)

Author: amcclain

.env.template

@@ -16,17 +16,20 @@ APP_TOOLBOX_DB_PASSWORD=toolbox
 #APP_TOOLBOX_USE_H2=true
 #APP_TOOLBOX_DB_CREATE=update
 
+# OAuth provider - set to AUTH_ZERO (default), ENTRA_ID, or NONE (local username/password login)
+#APP_TOOLBOX_OAUTH_PROVIDER=AUTH_ZERO
+
 # Bootstrap admin
-# The _USER var can be set on its own to grant an OAuth (Auth0) sourced user admin rights in local
-# development. This is supported by Toolbox's use of Hoist Core DefaultRoleService.
+# The _USER var can be set on its own to grant an OAuth-sourced user admin rights in local
+# development. This is supported by Toolbox's use of Hoist Core `DefaultRoleService`.
 #APP_TOOLBOX_BOOTSTRAP_ADMIN_USER=
 
 # If the _PASSWORD var is also set, Toolbox will create a password-enabled user in its user
-# database that can be used when Auth0 is not available. Pair this with the env below to disable
-# the OAuth flow entirely and present a form-based login. This is especially useful when testing
-# the client on a private IP address via `yarn startWithHoistAndIp` for on-device mobile testing.
+# database that can be used when Auth0 is not available.
+# Pair with `APP_TOOLBOX_OAUTH_PROVIDER=NONE` to disable the OAuth flow entirely and present a
+# form-based login, useful when testing the client when offline or on a private IP address via
+# `yarn startWithHoistAndIp` for on-device mobile testing.
 #APP_TOOLBOX_BOOTSTRAP_ADMIN_PASSWORD=
-#APP_TOOLBOX_USE_OAUTH=false
 
 # Email support
 #APP_TOOLBOX_SMTP_HOST=

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## v7.0-SNAPSHOT - unreleased
 
+### New Features
+* Enabled support for testing OAuth flows against Azure / Entra ID, in addition to Auth0. To support switching, the prior `useOauth` instance config has been replaced with a new `oauthProvider` config - aka `APP_TOOLBOX_OAUTH_PROVIDER` in your `.env` file for local development.
+
 ## v6.1.0 - 2025-02-14
 
 ### Libraries

client-app/src/core/AuthModel.ts

@@ -1,14 +1,17 @@
 import {HoistAuthModel, managed, PlainObject, XH} from '@xh/hoist/core';
-import {AuthZeroClient, AuthZeroClientConfig} from '@xh/hoist/security/authzero/AuthZeroClient';
+import {AuthZeroClient, AuthZeroClientConfig} from '@xh/hoist/security/authzero';
+import {MsalClient, MsalClientConfig} from '@xh/hoist/security/msal';
 
 /**
- * Toolbox uses Auth0 for OAuth authentication. Here we are overriding the base {@link HoistAuthModel} to load
- * OAuth-related soft-config from the Toolbox server, initialize an {@link AuthZeroClient} instance, kick-off the
- * Oauth flow, and setup default fetch headers to include an id token.
+ * Toolbox's implementation of {@link HoistAuthModel} contract for handling authentication.
+ *
+ * This example is atypical of most application implementations in that it supports a fallback
+ * option for local username/password login, for offline or other local testing scenarios where
+ * OAuth is undesired, as well as flows against either Auth0 (default) or Azure Entra ID.
  */
 export class AuthModel extends HoistAuthModel {
     @managed
-    client: AuthZeroClient;
+    client: AuthZeroClient | MsalClient;
 
     override async completeAuthAsync(): Promise<boolean> {
         this.setMaskMsg('Authenticating...');
@@ -28,34 +31,19 @@ export class AuthModel extends HoistAuthModel {
             return ret;
         }
 
-        // Otherwise we proceed with the primary OAuth flow by constructing and initializing an AuthZeroClient, one of
-        // the OAuth implementations supported out-of-the-box by Hoist.
-        const audience = 'toolbox.xh.io';
-        this.client = new AuthZeroClient({
-            idScopes: ['profile'],
-            // Toolbox does not actually need any access tokens -- just a test
-            accessTokens: {
-                test: {
-                    scopes: ['profile'],
-                    fetchMode: 'eager',
-                    audience
-                }
-            },
-            // This config works along with the accessToken requested above - by passing the same
-            // audience to our interactive login requests, they return access/refresh tokens that
-            // are immediately usable.
-            audience,
-            ...(config as AuthZeroClientConfig)
-        });
+        // Otherwise proceed with the primary OAuth flow by constructing and initializing one of the two
+        // supported client implementations - either Auth0 (default) or MSAL (also supported, for testing OAuth
+        // against Microsoft Entra ID).
+        this.client = this.createClient(config);
         await this.client.initAsync();
 
-        // With the client initialized, we tell FetchService to pass the Auth0 supplied id token (a JWT) via a custom
+        // With the client initialized, we tell FetchService to pass the ID token (a JWT) via a custom
         // header on any local/relative requests going back to Toolbox Grails server.
         XH.fetchService.addDefaultHeaders(async opts => {
             if (opts.url.startsWith('http')) return null;
 
             const idToken = await this.client.getIdTokenAsync();
-            return idToken ? {'x-xh-idt': idToken.value} : null;
+            return idToken ? {Authorization: `Bearer ${idToken.value}`} : null;
         });
 
         // Finally, make a request to check the auth-status on the server - that call will include the id token header
@@ -74,6 +62,30 @@ export class AuthModel extends HoistAuthModel {
         await this.client?.logoutAsync();
     }
 
+    private createClient(config: PlainObject): AuthZeroClient | MsalClient {
+        if (config.provider === 'AUTH_ZERO') {
+            const audience = 'toolbox.xh.io';
+            return new AuthZeroClient({
+                idScopes: ['profile'],
+                // Toolbox does not actually need any access tokens -- just a test
+                accessTokens: {
+                    test: {
+                        scopes: ['profile'],
+                        fetchMode: 'eager',
+                        audience
+                    }
+                },
+                // This config works along with the accessToken requested above - by passing the same
+                // audience to our interactive login requests, they return access/refresh tokens that
+                // are immediately usable.
+                audience,
+                ...(config as AuthZeroClientConfig)
+            });
+        } else {
+            return new MsalClient(config as MsalClientConfig);
+        }
+    }
+
     // Update overall load mask message to provide an indication that this auth flow is processing.
     private setMaskMsg(msg: string) {
         XH.appContainerModel.initializingLoadMaskMessage = msg;

grails-app/init/io/xh/toolbox/BootStrap.groovy

@@ -66,12 +66,12 @@ class BootStrap implements LogSupport {
 
         logInfo("""
 \n
- ______   ______     ______     __         ______     ______     __  __    
-/\\__  _\\ /\\  __ \\   /\\  __ \\   /\\ \\       /\\  == \\   /\\  __ \\   /\\_\\_\\_\\   
-\\/_/\\ \\/ \\ \\ \\/\\ \\  \\ \\ \\/\\ \\  \\ \\ \\____  \\ \\  __<   \\ \\ \\/\\ \\  \\/_/\\_\\/_  
-   \\ \\_\\  \\ \\_____\\  \\ \\_____\\  \\ \\_____\\  \\ \\_____\\  \\ \\_____\\   /\\_\\/\\_\\ 
-    \\/_/   \\/_____/   \\/_____/   \\/_____/   \\/_____/   \\/_____/   \\/_/\\/_/ 
-\n                                                                           
+ ______   ______     ______     __         ______     ______     __  __
+/\\__  _\\ /\\  __ \\   /\\  __ \\   /\\ \\       /\\  == \\   /\\  __ \\   /\\_\\_\\_\\
+\\/_/\\ \\/ \\ \\ \\/\\ \\  \\ \\ \\/\\ \\  \\ \\ \\____  \\ \\  __<   \\ \\ \\/\\ \\  \\/_/\\_\\/_
+   \\ \\_\\  \\ \\_____\\  \\ \\_____\\  \\ \\_____\\  \\ \\_____\\  \\ \\_____\\   /\\_\\/\\_\\
+    \\/_/   \\/_____/   \\/_____/   \\/_____/   \\/_____/   \\/_____/   \\/_/\\/_/
+\n
          ${appName} v${appVersion}${buildLabel}${appEnvironment}
 \n
         """)
@@ -126,6 +126,16 @@ class BootStrap implements LogSupport {
                     clientVisible: false,
                     groupName: 'Toolbox - Example Apps'
             ],
+            entraIdConfig: [
+                    valueType: 'json',
+                    defaultValue: [
+                            clientId: '5d933976-8fe4-40fc-bc13-b9d239a2efe5',
+                            tenantId: '51759969-dc12-46ec-a1e9-2532084dc881'
+                    ],
+                    clientVisible: false,
+                    groupName: 'Auth',
+                    note: 'OAuth config for the Toolbox app registered at our Azure Entra ID tenant. For testing Entra ID as an alternate OAuth provider.'
+            ],
             fileManagerStoragePath: [
                     valueType: 'string',
                     defaultValue: '/var/tmp/xh-toolbox',

…/xh/toolbox/security/Auth0Service.groovy …box/security/AuthZeroTokenService.groovygrails-app/services/io/xh/toolbox/security/Auth0Service.groovy renamed to grails-app/services/io/xh/toolbox/security/AuthZeroTokenService.groovy grails-app/services/io/xh/toolbox/security/Auth0Service.groovy renamed to grails-app/services/io/xh/toolbox/security/AuthZeroTokenService.groovy

@@ -12,24 +12,31 @@ import static io.xh.hoist.json.JSONParser.parseObject
 import static java.lang.System.currentTimeMillis
 
 /**
- * Decodes and validates ID tokens issues by Auth0, the OAuth provider for Toolbox.
+ * Decodes and validates ID tokens issued by Auth0, the primary/default OAuth provider for Toolbox.
  */
-class Auth0Service extends BaseService {
+class AuthZeroTokenService extends BaseService {
 
     static clearCachesConfigs = ['auth0Config']
 
+    AuthenticationService authenticationService
     ConfigService configService
 
     private JsonWebKeySet _jwks
 
     Map getClientConfig() {
-        configService.getMap('auth0Config', [:])
+        return [
+            provider: 'AUTH_ZERO',
+            *: config
+        ]
     }
 
     void init() {
         super.init()
+
         // Fetch JWKS eagerly so it's ready for potential burst of initial requests after startup.
-        getJsonWebKeySet()
+        if (authenticationService.oauthProvider == 'AUTH_ZERO') {
+            getJsonWebKeySet()
+        }
     }
 
     TokenValidationResult validateToken(String token) {
@@ -39,44 +46,38 @@ class Auth0Service extends BaseService {
         }
 
         try {
-            logTrace('Validating token', token)
-
-            def jws = new JsonWebSignature()
-            jws.setCompactSerialization(token)
-
-            def selector = new VerificationJwkSelector(),
-                jwk = selector.select(jws, jsonWebKeySet.jsonWebKeys)
-            if (!jwk?.key) throw new RuntimeException('Unable to select valid key for token from loaded JWKS')
-
-            jws.setKey(jwk.key)
-            if (!jws.verifySignature()) throw new RuntimeException('Token failed signature validation')
-            def payload = parseObject(jws.payload)
-
-            logDebug('Token parsed successfully', [
-                email: payload.email,
-                name: payload.name,
-                sub: payload.sub,
-                aud: payload.aud,
-                exp: payload.exp
-            ])
-
-            if (payload.aud != clientId) {
-                throw new RuntimeException('Token aud value does not match expected value from clientId')
-            }
-            if (payload.exp * 1000L < currentTimeMillis()) {
-                throw new RuntimeException('Token has expired')
+            withTrace(['Validating token', token]) {
+                def jws = new JsonWebSignature()
+                jws.setCompactSerialization(token)
+
+                def selector = new VerificationJwkSelector(),
+                    jwk = selector.select(jws, jsonWebKeySet.jsonWebKeys)
+                if (!jwk?.key) throw new RuntimeException('Unable to select valid key for token from loaded JWKS')
+
+                jws.setKey(jwk.key)
+                if (!jws.verifySignature()) throw new RuntimeException('Token failed signature validation')
+                def payload = parseObject(jws.payload)
+
+                logDebug('Token parsed successfully', payload)
+
+                if (payload.aud != clientId) {
+                    throw new RuntimeException('Token aud value does not match expected value from clientId')
+                }
+                if (payload.exp * 1000L < currentTimeMillis()) {
+                    throw new RuntimeException('Token has expired')
+                }
+                if (!payload.sub || !payload.email) {
+                    throw new RuntimeException('Token is missing sub or email')
+                }
+
+                return new TokenValidationResult(
+                    email: payload.email,
+                    name: payload.name,
+                    picture: payload.picture
+                )
             }
-            if (!payload.sub || !payload.email) {
-                throw new RuntimeException('Token is missing sub or email')
-            }
-
-            return new TokenValidationResult(
-                email: payload.email,
-                name: payload.name,
-                picture: payload.picture
-            )
         } catch (Exception e) {
-            logError('Exception parsing JWT', e)
+            logDebug('Exception parsing JWT', e)
             return null
         }
     }

grails-app/services/io/xh/toolbox/security/AuthenticationService.groovy

@@ -1,5 +1,6 @@
 package io.xh.toolbox.security
 
+import grails.compiler.GrailsCompileStatic
 import grails.gorm.transactions.ReadOnly
 import io.xh.hoist.security.BaseAuthenticationService
 import io.xh.toolbox.user.User
@@ -10,22 +11,47 @@ import javax.servlet.http.HttpServletRequest
 
 import static io.xh.hoist.util.InstanceConfigUtils.getInstanceConfig
 
-class AuthenticationService extends BaseAuthenticationService  {
-
-    Auth0Service auth0Service
+/**
+ * Toolbox's implementation of Hoist's {@link BaseAuthenticationService} contract for handling
+ * authentication. This example is atypical of most application implementations of this service
+ * in that it supports a fallback option for local username/password login as well as OAuth.
+ *
+ * Use the `oauthProvider` instance config to set the OAuth provider to use, or `NONE` to disable.
+ *
+ * It can also delegate to either {@link AuthZeroTokenService} or {@link EntraIdTokenService} to
+ * validate JWTs when in OAuth mode, to support testing flows against either provider.
+ */
+@GrailsCompileStatic
+class AuthenticationService extends BaseAuthenticationService {
+
+    AuthZeroTokenService authZeroTokenService
+    EntraIdTokenService entraIdTokenService
     UserService userService
 
-    private String AUTH_HEADER = 'x-xh-idt'
+    private String AUTH_HEADER = 'Authorization'
 
     AuthenticationService() {
         super()
         whitelistURIs.push('/gitHub/webhookTrigger')
     }
 
     Map getClientConfig() {
-        useOAuth ?
-            [useOAuth: true, *: auth0Service.getClientConfig()] :
-            [useOAuth: false]
+        switch (oauthProvider) {
+            case 'AUTH_ZERO':
+                return [useOAuth: true, *: authZeroTokenService.getClientConfig()];
+            case 'ENTRA_ID':
+                return [useOAuth: true, *: entraIdTokenService.getClientConfig()];
+            default:
+                return [useOAuth: false]
+        }
+    }
+
+    String getOauthProvider() {
+        getInstanceConfig('oauthProvider') ?: 'AUTH_ZERO'
+    }
+
+    boolean getUseOAuth() {
+        getInstanceConfig('oauthProvider') != 'NONE'
     }
 
     /**
@@ -37,11 +63,14 @@ class AuthenticationService extends BaseAuthenticationService  {
     protected boolean completeAuthentication(HttpServletRequest request, HttpServletResponse response) {
         if (!useOAuth) return true
 
-        String token = request.getHeader(AUTH_HEADER)
+        String token = request.getHeader(AUTH_HEADER)?.replace('Bearer ', '')
         TokenValidationResult tokenResult = null
 
         if (token) {
-            tokenResult = auth0Service.validateToken(token)
+            tokenResult = oauthProvider == 'AUTH_ZERO' ?
+                authZeroTokenService.validateToken(token) :
+                entraIdTokenService.validateToken(token)
+
         } else {
             logTrace("Unable to validate inbound request - no token presented in header")
         }
@@ -76,6 +105,16 @@ class AuthenticationService extends BaseAuthenticationService  {
     }
 
 
+    @Override
+    Map getAdminStats() {
+        return [
+            *: super.getAdminStats(),
+            oauthProvider: oauthProvider,
+            clientConfig: clientConfig
+        ]
+    }
+
+
     //------------------------
     // Implementation
     //------------------------
@@ -85,8 +124,4 @@ class AuthenticationService extends BaseAuthenticationService  {
         return user?.checkPassword(password) ? user : null
     }
 
-    private static boolean getUseOAuth() {
-        getInstanceConfig('useOAuth') != 'false'
-    }
-
 }