[SQSERVICES-1913] Move OAuth authentication to nginz

charts/galley/templates/configmap.yaml

@@ -71,10 +71,7 @@ data:
       {{- end -}}
       {{- if .settings.disabledAPIVersions }}
       disabledAPIVersions: {{ .settings.disabledAPIVersions }}
-      {{- end }}
-      {{- if $.Values.secrets.oauthPublicJwk }}
-      oauthPublicJwk: /etc/wire/galley/secrets/oauth_ed25519_pub.jwk
-      {{- end }}      
+      {{- end }}     
       {{- if .settings.featureFlags }}
       featureFlags:
         sso: {{ .settings.featureFlags.sso }}

charts/galley/templates/secret.yaml

@@ -14,6 +14,3 @@ data:
   removal_ed25519.pem: {{ .Values.secrets.mlsPrivateKeys.removal.ed25519 | b64enc | quote }}
   {{- end -}}
   {{- end -}}
-  {{- if .Values.secrets.oauthPublicJwk }}
-  oauth_ed25519_pub.jwk: {{ .Values.secrets.oauthPublicJwk | b64enc | quote }}
-  {{- end -}}  

charts/nginz/templates/conf/_nginx.conf.tpl

@@ -193,6 +193,7 @@ http {
 
     zauth_keystore {{ .Values.nginx_conf.zauth_keystore }};
     zauth_acl      {{ .Values.nginx_conf.zauth_acl }};
+    oauth_key      {{ .Values.nginx_conf.oauth_key }};
 
     location /status {
         zauth off;
@@ -258,8 +259,8 @@ http {
               {{- end }}
             {{- end }}
 
-            {{- if ($location.enable_oauth) }}
-        oauth on;
+            {{- if ($location.oauth_scope) }}
+        oauth_scope {{ $location.oauth_scope }};
             {{- end }}
 
             {{- if hasKey $location "specific_user_rate_limit" }}
@@ -293,6 +294,10 @@ http {
         proxy_set_header   Connection     "";
             {{ end -}}
 
+            {{- if not ($location.disable_zauth) }}
+        proxy_set_header   Authorization  "";
+            {{- end }}            
+
         proxy_set_header   Z-Type         $zauth_type;
         proxy_set_header   Z-User         $zauth_user;
         proxy_set_header   Z-Client       $zauth_client;
@@ -345,6 +350,7 @@ http {
     # we need to specify zauth_keystore etc.
     zauth_keystore {{ .Values.nginx_conf.zauth_keystore }};
     zauth_acl      {{ .Values.nginx_conf.zauth_acl }};
+    oauth_key      {{ .Values.nginx_conf.oauth_key }};
 
     listen {{ .Values.config.http.metricsPort }};
 

charts/nginz/templates/secret.yaml

@@ -15,4 +15,5 @@ data:
   {{- with .Values.secrets }}
   zauth.conf: {{ .zAuth.publicKeys | b64enc | quote }}
   basic_auth.txt: {{ .basicAuth | b64enc | quote }}
+  oauth_ed25519_pub.jwk: {{ .oAuth.publicKeys | b64enc | quote }}
   {{- end }}

charts/nginz/values.yaml

@@ -30,6 +30,7 @@ nginx_conf:
   zauth_keystore: /etc/wire/nginz/secrets/zauth.conf
   zauth_acl: /etc/wire/nginz/conf/zauth.acl
   basic_auth_file: /etc/wire/nginz/secrets/basic_auth.txt
+  oauth_key: /etc/wire/nginz/secrets/oauth_ed25519_pub.jwk
   worker_processes: auto
   worker_rlimit_nofile: 131072
   worker_connections: 65536
@@ -163,7 +164,7 @@ nginx_conf:
       envs:
       - staging
     - path: /self$ # Matches exactly /self
-      enable_oauth: true
+      oauth_scope: self
       envs:
       - all
     - path: /self/name
@@ -424,11 +425,20 @@ nginx_conf:
       - all
       max_body_size: 40m
       body_buffer_size: 256k
+    - path: /conversations$
+      envs:
+      - all
+      doc: true
+      oauth_scope: conversations
+    - path: /conversations/([^/]*)/code
+      envs:
+      - all
+      doc: true
+      oauth_scope: conversations_code
     - path: /conversations
       envs:
       - all
       doc: true
-      enable_oauth: true
     - path: /legalhold/conversations/(.*)
       envs:
       - all
@@ -496,7 +506,7 @@ nginx_conf:
     - path: /feature-configs(.*)
       envs:
       - all
-      enable_oauth: true
+      oauth_scope: feature_configs
     - path: /mls/welcome
       envs:
       - all

docs/src/developer/reference/config-options.md

@@ -54,16 +54,6 @@ certificate, is to run the following command:
 openssl req -nodes -newkey ed25519 -keyout ed25519.pem -out /dev/null -subj /
 ```
 
-### Public JWK for OAuth
-
-Set the path to the public JWK key for OAuth like this:
-
-```yml
-# [galley.yaml]
-settings:
-  oauthPublicJwk: test/resources/oauth/ed25519_public.jwk
-```
-
 ## Feature flags
 
 > Also see [Wire docs](https://docs.wire.com/how-to/install/team-feature-settings.html) where some of the feature flags are documented from an operations point of view.

hack/bin/oauth_test.sh

@@ -79,4 +79,4 @@ echo "access token : $ACCESS_TOKEN"
 
 echo ""
 echo "making a request to /self..."
-curl -s -H 'Z-OAUTH: Bearer '"$ACCESS_TOKEN" -H "Content-Type: application/json" localhost:8082/self | jq .
+curl -s -H 'Authorization: Bearer '"$ACCESS_TOKEN" -H "Content-Type: application/json" localhost:8080/self | jq

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -86,7 +86,7 @@ brig:
       setDpopTokenExpirationTimeSecs: 300
       setEnableMLS: true
       setOAuthAuthCodeExpirationTimeSecs: 3 # 3 secs
-      setOAuthAccessTokenExpirationTimeSecs: 1814400 # 3 weeks
+      setOAuthAccessTokenExpirationTimeSecs: 3 # 3 secs
       setOAuthEnabled: true
       setOAuthRefreshTokenExpirationTimeSecs: 14515200 # 24 weeks
       setOAuthMaxActiveRefreshTokens: 10
@@ -193,12 +193,6 @@ galley:
           -----BEGIN PRIVATE KEY-----
           MC4CAQAwBQYDK2VwBCIEIAocCDXsKIAjb65gOUn5vEF0RIKnVJkKR4ebQzuZ709c
           -----END PRIVATE KEY-----
-    oauthPublicJwk: |
-      {
-        "kty": "OKP",
-        "crv": "Ed25519",
-        "x": "mhP-NgFw3ifIXGZqJVB0kemt9L3BtD5P8q4Gah4Iklc"
-      }          
 
 gundeck:
   replicaCount: 1
@@ -244,6 +238,13 @@ nginz:
     zAuth:
       # this must match the key in brig!
       publicKeys: 0UW38se1yeoc5bVNEvf5LyrHWGZkyvcGTVilK2geGdU=
+    oAuth:
+      publicKeys: |
+        {
+          "kty": "OKP",
+          "crv": "Ed25519",
+          "x": "mhP-NgFw3ifIXGZqJVB0kemt9L3BtD5P8q4Gah4Iklc"
+        }       
 proxy:
   replicaCount: 1
   imagePullPolicy: {{ .Values.imagePullPolicy }}