From 19335439bdee97331f2e8627686c1a927e5abd74 Mon Sep 17 00:00:00 2001
From: Matt Scott <matt@azorian.solutions>
Date: Sun, 2 Apr 2023 09:19:05 -0400
Subject: [PATCH] Completed the removal of the OAuth JWKS URL setting as well
 as the update of how the existing metadata URL settings are being used.

For additional information, reference GitHub issue #1499.
---
 powerdnsadmin/models/setting.py               |  4 --
 powerdnsadmin/routes/admin.py                 |  8 ----
 powerdnsadmin/services/azure.py               | 27 +++++++-----
 powerdnsadmin/services/github.py              | 32 +++++++++-----
 powerdnsadmin/services/google.py              | 30 ++++++++-----
 powerdnsadmin/services/oidc.py                | 30 ++++++++-----
 .../admin_setting_authentication.html         | 44 -------------------
 7 files changed, 75 insertions(+), 100 deletions(-)

diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py
index 48f929f..dedaaab 100644
--- a/powerdnsadmin/models/setting.py
+++ b/powerdnsadmin/models/setting.py
@@ -73,7 +73,6 @@ class Setting(db.Model):
             'https://github.com/login/oauth/access_token',
         'github_oauth_authorize_url':
             'https://github.com/login/oauth/authorize',
-        'github_oauth_jwks_url': '',
         'github_oauth_metadata_url': '',
         'google_oauth_enabled': False,
         'google_oauth_client_id': '',
@@ -81,7 +80,6 @@ class Setting(db.Model):
         'google_token_url': 'https://oauth2.googleapis.com/token',
         'google_oauth_scope': 'openid email profile',
         'google_authorize_url': 'https://accounts.google.com/o/oauth2/v2/auth',
-        'google_oauth_jwks_url': '',
         'google_oauth_metadata_url': '',
         'google_base_url': 'https://www.googleapis.com/oauth2/v3/',
         'azure_oauth_enabled': False,
@@ -93,7 +91,6 @@ class Setting(db.Model):
             'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/token',
         'azure_oauth_authorize_url':
             'https://login.microsoftonline.com/[tenancy]/oauth2/v2.0/authorize',
-        'azure_oauth_jwks_url': '',
         'azure_oauth_metadata_url': '',
         'azure_sg_enabled': False,
         'azure_admin_group': '',
@@ -111,7 +108,6 @@ class Setting(db.Model):
         'oidc_oauth_api_url': '',
         'oidc_oauth_token_url': '',
         'oidc_oauth_authorize_url': '',
-        'oidc_oauth_jwks_url': '',
         'oidc_oauth_metadata_url': '',
         'oidc_oauth_logout_url': '',
         'oidc_oauth_username': 'preferred_username',
diff --git a/powerdnsadmin/routes/admin.py b/powerdnsadmin/routes/admin.py
index 3e44fd6..eedabdc 100644
--- a/powerdnsadmin/routes/admin.py
+++ b/powerdnsadmin/routes/admin.py
@@ -1680,8 +1680,6 @@ def setting_authentication():
                               request.form.get('google_oauth_scope'))
                 Setting().set('google_authorize_url',
                               request.form.get('google_authorize_url'))
-                Setting().set('google_oauth_jwks_url',
-                              request.form.get('google_oauth_jwks_url'))
                 Setting().set('google_base_url',
                               request.form.get('google_base_url'))
                 result = {
@@ -1715,8 +1713,6 @@ def setting_authentication():
                               request.form.get('github_oauth_token_url'))
                 Setting().set('github_oauth_authorize_url',
                               request.form.get('github_oauth_authorize_url'))
-                Setting().set('github_oauth_jwks_url',
-                              request.form.get('github_oauth_jwks_url'))
                 result = {
                     'status': True,
                     'msg':
@@ -1748,8 +1744,6 @@ def setting_authentication():
                               request.form.get('azure_oauth_token_url'))
                 Setting().set('azure_oauth_authorize_url',
                               request.form.get('azure_oauth_authorize_url'))
-                Setting().set('azure_oauth_jwks_url',
-                              request.form.get('azure_oauth_jwks_url'))
                 Setting().set(
                     'azure_sg_enabled', True
                     if request.form.get('azure_sg_enabled') == 'ON' else False)
@@ -1803,8 +1797,6 @@ def setting_authentication():
                               request.form.get('oidc_oauth_token_url'))
                 Setting().set('oidc_oauth_authorize_url',
                               request.form.get('oidc_oauth_authorize_url'))
-                Setting().set('oidc_oauth_jwks_url',
-                              request.form.get('oidc_oauth_jwks_url'))
                 Setting().set('oidc_oauth_logout_url',
                               request.form.get('oidc_oauth_logout_url'))
                 Setting().set('oidc_oauth_username',
diff --git a/powerdnsadmin/services/azure.py b/powerdnsadmin/services/azure.py
index c1fb626..65f3bf3 100644
--- a/powerdnsadmin/services/azure.py
+++ b/powerdnsadmin/services/azure.py
@@ -15,18 +15,25 @@ def azure_oauth():
         session['azure_token'] = token
         return token
 
+    authlib_params = {
+        'client_id': Setting().get('azure_oauth_key'),
+        'client_secret': Setting().get('azure_oauth_secret'),
+        'api_base_url': Setting().get('azure_oauth_api_url'),
+        'request_token_url': None,
+        'access_token_url': Setting().get('azure_oauth_token_url'),
+        'authorize_url': Setting().get('azure_oauth_authorize_url'),
+        'client_kwargs': {'scope': Setting().get('azure_oauth_scope')},
+        'fetch_token': fetch_azure_token,
+    }
+
+    server_metadata_url = Setting().get('azure_oauth_metadata_url')
+
+    if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0:
+        authlib_params['server_metadata_url'] = server_metadata_url
+
     azure = authlib_oauth_client.register(
         'azure',
-        client_id=Setting().get('azure_oauth_key'),
-        client_secret=Setting().get('azure_oauth_secret'),
-        api_base_url=Setting().get('azure_oauth_api_url'),
-        request_token_url=None,
-        access_token_url=Setting().get('azure_oauth_token_url'),
-        authorize_url=Setting().get('azure_oauth_authorize_url'),
-        jwks_url=Setting().get('azure_oauth_jwks_url'),
-        server_metadata_url=Setting().get('azure_oauth_metadata_url'),
-        client_kwargs={'scope': Setting().get('azure_oauth_scope')},
-        fetch_token=fetch_azure_token,
+        **authlib_params
     )
 
     @current_app.route('/azure/authorized')
diff --git a/powerdnsadmin/services/github.py b/powerdnsadmin/services/github.py
index 13c2f00..ff4a20f 100644
--- a/powerdnsadmin/services/github.py
+++ b/powerdnsadmin/services/github.py
@@ -15,20 +15,28 @@ def github_oauth():
         session['github_token'] = token
         return token
 
+    authlib_params = {
+        'client_id': Setting().get('github_oauth_key'),
+        'client_secret': Setting().get('github_oauth_secret'),
+        'request_token_params': {'scope': Setting().get('github_oauth_scope')},
+        'api_base_url': Setting().get('github_oauth_api_url'),
+        'request_token_url': None,
+        'access_token_url': Setting().get('github_oauth_token_url'),
+        'authorize_url': Setting().get('github_oauth_authorize_url'),
+        'client_kwargs': {'scope': Setting().get('github_oauth_scope')},
+        'fetch_token': fetch_github_token,
+        'update_token': update_token
+    }
+
+    server_metadata_url = Setting().get('github_oauth_metadata_url')
+
+    if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0:
+        authlib_params['server_metadata_url'] = server_metadata_url
+
     github = authlib_oauth_client.register(
         'github',
-        client_id=Setting().get('github_oauth_key'),
-        client_secret=Setting().get('github_oauth_secret'),
-        request_token_params={'scope': Setting().get('github_oauth_scope')},
-        api_base_url=Setting().get('github_oauth_api_url'),
-        request_token_url=None,
-        access_token_url=Setting().get('github_oauth_token_url'),
-        authorize_url=Setting().get('github_oauth_authorize_url'),
-        jwks_url=Setting().get('github_oauth_jwks_url'),
-        server_metadata_url=Setting().get('github_oauth_metadata_url'),
-        client_kwargs={'scope': Setting().get('github_oauth_scope')},
-        fetch_token=fetch_github_token,
-        update_token=update_token)
+        **authlib_params
+    )
 
     @current_app.route('/github/authorized')
     def github_authorized():
diff --git a/powerdnsadmin/services/google.py b/powerdnsadmin/services/google.py
index fc9af12..5604819 100644
--- a/powerdnsadmin/services/google.py
+++ b/powerdnsadmin/services/google.py
@@ -15,19 +15,27 @@ def google_oauth():
         session['google_token'] = token
         return token
 
+    authlib_params = {
+        'client_id': Setting().get('google_oauth_client_id'),
+        'client_secret': Setting().get('google_oauth_client_secret'),
+        'api_base_url': Setting().get('google_base_url'),
+        'request_token_url': None,
+        'access_token_url': Setting().get('google_token_url'),
+        'authorize_url': Setting().get('google_authorize_url'),
+        'client_kwargs': {'scope': Setting().get('google_oauth_scope')},
+        'fetch_token': fetch_google_token,
+        'update_token': update_token
+    }
+
+    server_metadata_url = Setting().get('google_oauth_metadata_url')
+
+    if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0:
+        authlib_params['server_metadata_url'] = server_metadata_url
+
     google = authlib_oauth_client.register(
         'google',
-        client_id=Setting().get('google_oauth_client_id'),
-        client_secret=Setting().get('google_oauth_client_secret'),
-        api_base_url=Setting().get('google_base_url'),
-        request_token_url=None,
-        access_token_url=Setting().get('google_token_url'),
-        authorize_url=Setting().get('google_authorize_url'),
-        jwks_url=Setting().get('google_oauth_jwks_url'),
-        server_metadata_url=Setting().get('google_oauth_metadata_url'),
-        client_kwargs={'scope': Setting().get('google_oauth_scope')},
-        fetch_token=fetch_google_token,
-        update_token=update_token)
+        **authlib_params
+    )
 
     @current_app.route('/google/authorized')
     def google_authorized():
diff --git a/powerdnsadmin/services/oidc.py b/powerdnsadmin/services/oidc.py
index 432457f..7b0cd46 100644
--- a/powerdnsadmin/services/oidc.py
+++ b/powerdnsadmin/services/oidc.py
@@ -15,19 +15,27 @@ def oidc_oauth():
         session['oidc_token'] = token
         return token
 
+    authlib_params = {
+        'client_id': Setting().get('oidc_oauth_key'),
+        'client_secret': Setting().get('oidc_oauth_secret'),
+        'api_base_url': Setting().get('oidc_oauth_api_url'),
+        'request_token_url': None,
+        'access_token_url': Setting().get('oidc_oauth_token_url'),
+        'authorize_url': Setting().get('oidc_oauth_authorize_url'),
+        'client_kwargs': {'scope': Setting().get('oidc_oauth_scope')},
+        'fetch_token': fetch_oidc_token,
+        'update_token': update_token
+    }
+
+    server_metadata_url = Setting().get('oidc_oauth_metadata_url')
+
+    if isinstance(server_metadata_url, str) and len(server_metadata_url.strip()) > 0:
+        authlib_params['server_metadata_url'] = server_metadata_url
+
     oidc = authlib_oauth_client.register(
         'oidc',
-        client_id=Setting().get('oidc_oauth_key'),
-        client_secret=Setting().get('oidc_oauth_secret'),
-        api_base_url=Setting().get('oidc_oauth_api_url'),
-        request_token_url=None,
-        access_token_url=Setting().get('oidc_oauth_token_url'),
-        authorize_url=Setting().get('oidc_oauth_authorize_url'),
-        jwks_url=Setting().get('oidc_oauth_jwks_url'),
-        server_metadata_url=Setting().get('oidc_oauth_metadata_url'),
-        client_kwargs={'scope': Setting().get('oidc_oauth_scope')},
-        fetch_token=fetch_oidc_token,
-        update_token=update_token)
+        **authlib_params
+    )
 
     @current_app.route('/oidc/authorized')
     def oidc_authorized():
diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html
index c545958..cbe6800 100644
--- a/powerdnsadmin/templates/admin_setting_authentication.html
+++ b/powerdnsadmin/templates/admin_setting_authentication.html
@@ -806,17 +806,6 @@
                                                                            value="{{ SETTING.get('google_authorize_url') }}">
                                                                     <span class="help-block with-errors"></span>
                                                                 </div>
-                                                                <div class="form-group">
-                                                                    <label for="google_oauth_jwks_url">JWKS
-                                                                        URL</label>
-                                                                    <input type="text" class="form-control"
-                                                                           name="google_oauth_jwks_url"
-                                                                           id="google_oauth_jwks_url"
-                                                                           placeholder="e.g. https://{yourDomain}/.well-known/jwks.json"
-                                                                           data-error="Please input JWKS URL"
-                                                                           value="{{ SETTING.get('google_oauth_jwks_url') }}">
-                                                                    <span class="help-block with-errors"></span>
-                                                                </div>
                                                                 <div class="form-group">
                                                                     <label for="google_base_url">Base URL</label>
                                                                     <input type="text" class="form-control"
@@ -957,17 +946,6 @@
                                                                            value="{{ SETTING.get('github_oauth_authorize_url') }}">
                                                                     <span class="help-block with-errors"></span>
                                                                 </div>
-                                                                <div class="form-group">
-                                                                    <label for="github_oauth_jwks_url">JWKS
-                                                                        URL</label>
-                                                                    <input type="text" class="form-control"
-                                                                           name="github_oauth_jwks_url"
-                                                                           id="github_oauth_jwks_url"
-                                                                           placeholder="e.g. https://{yourDomain}/.well-known/jwks.json"
-                                                                           data-error="Please input JWKS URL"
-                                                                           value="{{ SETTING.get('github_oauth_jwks_url') }}">
-                                                                    <span class="help-block with-errors"></span>
-                                                                </div>
                                                             </fieldset>
                                                         </div>
                                                         <!-- /.card-body -->
@@ -1096,17 +1074,6 @@
                                                                            value="{{ SETTING.get('azure_oauth_authorize_url') }}">
                                                                     <span class="help-block with-errors"></span>
                                                                 </div>
-                                                                <div class="form-group">
-                                                                    <label for="azure_oauth_jwks_url">JWKS
-                                                                        URL</label>
-                                                                    <input type="text" class="form-control"
-                                                                           name="azure_oauth_jwks_url"
-                                                                           id="azure_oauth_jwks_url"
-                                                                           placeholder="e.g. https://{yourDomain}/.well-known/jwks.json"
-                                                                           data-error="Please input JWKS URL"
-                                                                           value="{{ SETTING.get('azure_oauth_jwks_url') }}">
-                                                                    <span class="help-block with-errors"></span>
-                                                                </div>
                                                             </fieldset>
                                                             <fieldset>
                                                                 <legend>Group Security</legend>
@@ -1413,17 +1380,6 @@
                                                                            value="{{ SETTING.get('oidc_oauth_authorize_url') }}">
                                                                     <span class="help-block with-errors"></span>
                                                                 </div>
-                                                                <div class="form-group">
-                                                                    <label for="oidc_oauth_jwks_url">JWKS
-                                                                        URL</label>
-                                                                    <input type="text" class="form-control"
-                                                                           name="oidc_oauth_jwks_url"
-                                                                           id="oidc_oauth_jwks_url"
-                                                                           placeholder="e.g. https://{yourDomain}/.well-known/jwks.json"
-                                                                           data-error="Please input JWKS URL"
-                                                                           value="{{ SETTING.get('oidc_oauth_jwks_url') }}">
-                                                                    <span class="help-block with-errors"></span>
-                                                                </div>
                                                                 <div class="form-group">
                                                                     <label for="oidc_oauth_logout_url">Logout
                                                                         URL</label>