[SQSERVICE-1779] OAuth token endpoint (3/n)

Makefile

@@ -58,7 +58,6 @@ endif
 .PHONY: clean
 clean:
 	cabal clean
-	$(MAKE) -C services/nginz clean
 	-rm -rf dist
 
 .PHONY: clean-hint

changelog.d/2-features/pr-2882

@@ -1 +1 @@
-New OAuth endpoints for registering an OAuth app and for retrieving an authorization code (#2882, #2901)
+New OAuth endpoints for registering an OAuth app, for retrieving an authorization code, and for retrieving an access token (#2882, #2901, #2907)

charts/brig/templates/configmap.yaml

@@ -299,5 +299,14 @@ data:
       {{- if .setEnableMLS }}
       setEnableMLS: {{ .setEnableMLS }}
       {{- end }}
+      {{- if $.Values.secrets.oauthJwkKeyPair }}
+      setOAuthJwkKeyPair: /etc/wire/brig/secrets/jwk_oauth.json
+      {{- end }}
+      {{- if .setOAuthAuthCodeExpirationTimeSecs }}
+      setOAuthAuthCodeExpirationTimeSecs: {{ .setOAuthAuthCodeExpirationTimeSecs }}
+      {{- end }}
+      {{- if .setOAuthAccessTokenExpirationTimeSecs }}
+      setOAuthAccessTokenExpirationTimeSecs: {{ .setOAuthAccessTokenExpirationTimeSecs }}
+      {{- end }}
     {{- end }}
   {{- end }}

charts/brig/templates/secret.yaml

@@ -28,5 +28,8 @@ data:
   {{- if .dpopSigKeyBundle }}
   dpop_sig_key_bundle.pem: {{ .dpopSigKeyBundle | b64enc | quote }}
   {{- end }}
+  {{- if .oauthJwkKeyPair }}
+  jwk_oauth.json: {{ .oauthJwkKeyPair | b64enc | quote }}
+  {{- end }}  
   {{- end }}
 

charts/brig/values.yaml

@@ -87,6 +87,8 @@ config:
     setNonceTtlSecs: 300 # 5 minutes
     setDpopMaxSkewSecs: 1
     setDpopTokenExpirationTimeSecs: 300 # 5 minutes
+    setOAuthAuthCodeExpirationTimeSecs: 300 # 5 minutes
+    setOAuthAccessTokenExpirationTimeSecs: 1814400 # 3 weeks    
   smtp:
     passwordFile: /etc/wire/brig/secrets/smtp-password.txt
   proxy: {}

charts/nginz/values.yaml

@@ -388,6 +388,10 @@ nginx_conf:
     - path: /oauth/authorization/codes
       envs:
       - all
+    - path: /oauth/token
+      envs:
+      - all
+      disable_zauth: true
     galley:
     - path: /conversations/code-check
       disable_zauth: true

docs/src/developer/reference/config-options.md

@@ -604,3 +604,28 @@ If there is no configuration for a domain, it's defaulted to `no_search`.
 #### `setEnableDevelopmentVersions`
 
 This options determines whether development versions should be enabled. If set to `False`, all development versions are removed from the `supported` field of the `/api-version` endpoint. Note that they are still listed in the `development` field, and continue to work normally.
+
+### OAuth
+
+#### JWK
+
+Optionally, configure the JWK to sign and verify OAuth access tokens for local testing as follows:
+
+```yaml
+# [brig.yaml]
+optSettings:
+  # ...
+  setOAuthJwkKeyPair: test/resources/oauth/jwk.json
+```
+
+#### Expiration time
+
+Optionally, configure the OAuth authorization code and access token expiration time in seconds as follows:
+
+```yaml
+# [brig.yaml]
+optSettings:
+  # ...
+  setOAuthAuthCodeExpirationTimeSecs: 300 # 5 minutes
+  setOAuthAccessTokenExpirationTimeSecs: 1814400 # 3 weeks
+```

docs/src/how-to/install/index.rst

@@ -19,6 +19,7 @@ Installing wire-server
    (production) Other configuration options <configuration-options.rst>
    Server and team feature settings <team-feature-settings.md>
    Messaging Layer Security (MLS) <mls.md>
+   OAuth <oauth.md>
    Web app settings <web-app-settings.md>
    sft
    restund

docs/src/how-to/install/oauth.md

@@ -0,0 +1,45 @@
+# OAuth
+
+To use the OAuth functionality, you will need to set up a public and private JSON web key pair (JWK) in the wire-server helm chart. This key pair will be used to sign and verify OAuth access tokens.
+
+To configure the JWK, go to `brig.secrets.oauthJwkKeyPair` in the wire-server helm chart and provide the JWK information, as shown in the example below:
+
+```yaml
+# values.yaml or secrets.yaml
+brig:
+  secrets:
+    oauthJwkKeyPair: |
+      {
+        "p":"8U9gI_...",
+        "kty":"RSA",
+        "q":"43dqC...",
+        "d":"ixZk7x...",
+        "e":"AQAB",
+        "use":"sig",
+        "kid":"QVapB_J...",
+        "qi":"sYHbPsy...",
+        "dp":"LFmnVNPW...",
+        "alg":"RS256",
+        "dq":"UXTY7...",
+        "n":"1mnyGVT..."
+      }
+```
+
+Note that the JWK is a sensitive configuration value, so it is recommended to use Helm's support for managing secrets instead of including it in a plaintext values.yaml file.
+
+Please keep in mind that OAuth is currently under development and may not be available for use yet. Once it is ready, you will be able to use the OAuth functionality by setting up the JWK as described above.
+
+### OAuth authorization code and access token expiration
+
+The the OAuth authorization code expiration (default 5 minutes) and access token expiration (default 3 weeks) can be overridden in the Helm file as follows:
+
+```yaml
+brig:
+  # ...
+  config:
+    # ...
+    optSettings:
+      # ...
+      setOAuthAuthCodeExpirationTimeSecs: 300 # 5 minutes
+      setOAuthAccessTokenExpirationTimeSecs: 1814400 # 3 weeks
+```

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -86,6 +86,8 @@ brig:
       setDpopMaxSkewSecs: 1
       setDpopTokenExpirationTimeSecs: 300
       setEnableMLS: true
+      setOAuthAuthCodeExpirationTimeSecs: 3 # 3 secs
+      setOAuthAccessTokenExpirationTimeSecs: 1814400 # 3 weeks      
     aws:
       sesEndpoint: http://fake-aws-ses:4569
       sqsEndpoint: http://fake-aws-sqs:4568
@@ -121,6 +123,21 @@ brig:
       -----BEGIN PUBLIC KEY-----
       MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8=
       -----END PUBLIC KEY-----
+    oauthJwkKeyPair: |
+      {
+        "p":"8U9gI_GHo8ca1g-6Miv9f7E7zTvY90mPZO9Hhygf3ZxhFk_TNH7y3dMyUZebnYLbXf1wUltLve-nND9AO2omtz6WgPEjPomo6nLeIO1swzkBkTqrQhvPioo7rXIAlv4O5vEPPnLFJceSVRmDSGovkjcyklAhZiVRfzAv-_GdnG8",
+        "kty":"RSA",
+        "q":"43dqCXHtiIYJ2bvVvVW8Ch4yhJmPA9VUQSTN2aVlLZoqMOLh8rn6fl0UiBLCQJdoPI3Hc2QuS6_GohVrKI-WgpHEGMssZnH9cbfGuNUX7QK6glhsGSPoxSRpFJMgVDxG5jCgUSOt0BJdY_hgo7wwO_bx2VTdSJPgIt761TUNjiU",
+        "d":"ixZk7xvHUYzY8Eu0NwAF5LoGG7xJSqSuvy7lg4Ag8Pb8imlvwvyo1G2aYpNXGWi9lTv8h_tnVaSBfb7KddS9KLpoC-EuBk6tn8EUyeevKdRD6c-WLZX6QehET_B_LWL_EQQRB2cqfiThkDghN5HWZn18-QskyYgS0vWS_EYquM8LS3s0emQhXkz77ZX4fQrhZGRCAmDeI-iZDt90uRTF6OceKKoC5eTimx9YimQ0Z-qOlKiCpIjplSgHL8QgIZrp6mLdCTVy3vxaegwSNKwGqCCwcewtdBky9nb9pX6sEc6CA3WfyYZMbthMYIYTi0KJ2kaaF2QdR3l7VLTdPBwK-Q",
+        "e":"AQAB",
+        "use":"sig",
+        "kid":"QVapB_JRK66AMCYKN7LHsl4DlkICTNYB6ExJrtmva88",
+        "qi":"sYHbPsyiiRIBKbN-chbXYTLsd03jL_kiT2VdyMsP_tNjOz87WcC8Td-lBUIViw_aMq1VOjJEyhB6yE9-Po4YmlAFbPSf1rmypAdjTKRQznkuTGDue6yd4z1t4SgZJOSlpJSGBtkEiYaIlI9-fviPxtIpDh0JfAbE7XgPItu5vT8",
+        "dp":"LFmnVNPWVx6H6yHW2dPF8osTb6P5O3HUnftwTQHt4WAVY_Fl4vcWEfj3_ZD8s9VSFhM3apuG7zC1rV-WoZTf6rvhE2--R4creXOFKc4ZOEQo6pU61pqf6VmAoF8chqPI_178q0CSxV_JoERhIZUKizgD3mpFyS1ArjygBREiI5c",
+        "alg":"RS256",
+        "dq":"UXTY7yryQhql-mfugc_q98CanKuU8G17r5xrbw5wriTwCPOmsFJzZr8UdCorkA_oTw8CpsrwXUBEJJUA-9R3tKhYjfxsGP-nIAsMyfHdkI2SlsztYQ9f8wE39Bs_z4qKZTJyprvdKY76DKvMh7YDm-Wx8_8VA0GZWUN6ldFa2lU",
+        "n":"1mnyGVTdwCi4umlGMvT6y7aTmibMQuBvySoT5eZcwKti4_sfnEJhyWXfsE6tasUC8ce7YGzFiq886S9-iZc6hYW0ReIPQYCLZ5hn-fUCxefEZdX03e-uJww7OwX_kNQifgdYwzM__QJsy1_nbgEn7olTzplJfJmUSk9dkfFJ-3o5L3AJ1YMbFPgXae0OLmkxjVKfT_6093a0RLSpUCzcti4OhtNa-OEUMX4rYl0jQyzZyO281IH-MatecA1O_o6JbCI1wH46jWNY8of43cemzFwQaS2SnSyppOmJzGf9fpm5j5dozYrAdTdPYdZEA62CimvdLvJqEt4OjyQuRTAuCw"
+      }    
   tests:
     enableFederationTests: true
 cannon:

nix/haskell-pins.nix

@@ -3,12 +3,12 @@
 # 1. If your target git repository has only package with the cabal file at the
 # root, add it like this under 'gitPins':
 #     <name-of-the-package> = {
-#       src = fetchgit = {
-#          url = "<https-url-to-git>"
+#       src = fetchgit {
+#          url = "<https-url-to-git>";
 #          rev = "<commit-id/sha>";
 #          sha256 = "";
-#       }
-#     }
+#       };
+#     };
 #
 # 2. If your target git repsitory has many packages, add it like this under 'gitPins':
 #
@@ -227,6 +227,20 @@ let
         sha256 = "sha256-8XeCeJWbkdqrUf6tERFMoGM8xRI5l/nKNqI810kzMs0=";
       };
     };
+    tasty-hedgehog = {
+      src = fetchgit {
+          url = "https://github.com/qfpl/tasty-hedgehog";
+          rev = "729617f82699be189954825920d6f30985e1cfa7";
+          sha256 = "sha256-O81wlQbzwCOWLueDLiqf/K2g9XWvSNWgHv7IbYmLsgI=";
+      };
+    };    
+    jose = {
+      src = fetchgit {
+          url = "https://github.com/frasertweedale/hs-jose";
+          rev = "a7f919b19f667dfbb4d5c989ce620d3e75af8247";
+          sha256 = "sha256-SKEE9ZqhjBxHYUKQaoB4IpN4/Ui3tS4S98FgZqj7WlY=";
+      };
+    };
     kind-generics = {
       src = fetchgit {
         url = "https://gitlab.com/trupill/kind-generics.git";

services/brig/brig.cabal

@@ -67,6 +67,7 @@ library
     Brig.Effects.Delay
     Brig.Effects.GalleyProvider
     Brig.Effects.GalleyProvider.RPC
+    Brig.Effects.Jwk
     Brig.Effects.JwtTools
     Brig.Effects.PasswordResetStore
     Brig.Effects.PasswordResetStore.CodeStore
@@ -230,6 +231,7 @@ library
     , HsOpenSSL                  >=0.10
     , HsOpenSSL-x509-system      >=0.1
     , html-entities              >=1.1
+    , http-api-data
     , http-client                >=0.5
     , http-client-openssl        >=0.2
     , http-media
@@ -238,6 +240,7 @@ library
     , insert-ordered-containers
     , iproute                    >=1.5
     , iso639                     >=0.1
+    , jose
     , jwt-tools
     , lens                       >=3.8
     , lens-aeson                 >=1.0
@@ -555,6 +558,7 @@ executable brig-integration
     , http-reverse-proxy
     , http-types
     , imports
+    , jose
     , lens                   >=3.9
     , lens-aeson
     , metrics-wai

services/brig/brig.integration.yaml

@@ -193,6 +193,9 @@ optSettings:
   setDpopTokenExpirationTimeSecs: 300 # 5 minutes
   setPublicKeyBundle: test/resources/jwt/ed25519_bundle.pem
   setEnableMLS: true
+  setOAuthJwkKeyPair: test/resources/oauth/jwk.json
+  setOAuthAuthCodeExpirationTimeSecs: 3 # 3 secs
+  setOAuthAccessTokenExpirationTimeSecs: 1814400 # 3 weeks
 
 logLevel: Warn
 # ^ NOTE: We log too much in brig, if we set this to Info like other services, running tests

services/brig/default.nix

@@ -68,6 +68,7 @@
 , insert-ordered-containers
 , iproute
 , iso639
+, jose
 , jwt-tools
 , lens
 , lens-aeson
@@ -213,6 +214,7 @@ mkDerivation {
     HsOpenSSL
     HsOpenSSL-x509-system
     html-entities
+    http-api-data
     http-client
     http-client-openssl
     http-media
@@ -221,6 +223,7 @@ mkDerivation {
     insert-ordered-containers
     iproute
     iso639
+    jose
     jwt-tools
     lens
     lens-aeson
@@ -332,6 +335,7 @@ mkDerivation {
     http-reverse-proxy
     http-types
     imports
+    jose
     lens
     lens-aeson
     metrics-wai