feat(docker-admin-ui): replace jwt token with reference token to access config-api

docker-admin-ui/Dockerfile

@@ -7,7 +7,7 @@ RUN apk update \
 # TODO:
 # - use NODE_ENV=production
 # - download build package (not git clone)
-ENV ADMIN_UI_VERSION=f74643c6aa0aee9d4c218b90fb1f9237171324f8
+ENV ADMIN_UI_VERSION=4485b8757999131d2d5d02fe7e0ef76abe652f0d
 
 RUN mkdir -p /opt/flex
 
@@ -68,7 +68,7 @@ RUN python3 -m ensurepip \
 # jans-linux-setup sync
 # =====================
 
-ENV JANS_SOURCE_VERSION=690fa33d511ce5c5ca31ba838ce30ad26c84652b
+ENV JANS_SOURCE_VERSION=2918c11a25b50a395c71ad5dc252cf49d319a407
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 
 # note that as we're pulling from a monorepo (with multiple project in it)

docker-admin-ui/scripts/bootstrap.py

@@ -183,7 +183,7 @@ def save_config(self):
             bucket = os.environ.get("CN_COUCHBASE_BUCKET_PREFIX", "jans")
             dn = id_from_dn(dn)
 
-            req = self.client.exec_query(f"SELECT META().id, {bucket}.* FROM {bucket} USE KEYS '{dn}'")
+            req = self.client.exec_query(f"SELECT META().id, {bucket}.* FROM {bucket} USE KEYS '{dn}'")  # nosec: B608
             entry = req.json()["results"][0]
 
             conf = entry.get("jansConfApp") or {}
@@ -196,7 +196,7 @@ def save_config(self):
             if should_update:
                 logger.info("Updating admin-ui config app")
                 rev = entry["jansRevision"] + 1
-                self.client.exec_query(f"UPDATE {bucket} USE KEYS '{dn}' SET jansConfApp={json.dumps(merged_conf)}, jansRevision={rev}")
+                self.client.exec_query(f"UPDATE {bucket} USE KEYS '{dn}' SET jansConfApp={json.dumps(merged_conf)}, jansRevision={rev}")  # nosec: B608
 
         else:
             entry = self.client.get(dn)
@@ -290,6 +290,16 @@ def resolve_conf_app(old_conf, new_conf):
                 old_conf["oidcConfig"][srv_client]["opHost"] = new_conf["oidcConfig"][srv_client]["opHost"]
                 should_update = True
 
+        # add missing introspectionEndpoint
+        if "introspectionEndpoint" not in old_conf["oidcConfig"]["auiBackendApiClient"]:
+            old_conf["oidcConfig"]["auiBackendApiClient"]["introspectionEndpoint"] = new_conf["oidcConfig"]["auiBackendApiClient"]["introspectionEndpoint"]
+            should_update = True
+
+        # set scope to openid only
+        if old_conf["oidcConfig"]["auiBackendApiClient"]["scopes"] != new_conf["oidcConfig"]["auiBackendApiClient"]["scopes"]:
+            old_conf["oidcConfig"]["auiBackendApiClient"]["scopes"] = new_conf["oidcConfig"]["auiBackendApiClient"]["scopes"]
+            should_update = True
+
     # finalized status and conf
     return should_update, old_conf
 

docker-admin-ui/scripts/entrypoint.sh

@@ -7,6 +7,7 @@ basedir=$(dirname "$(readlink -f -- "$0")")
 
 python3 "$basedir/wait.py"
 python3 "$basedir/bootstrap.py"
+python3 "$basedir/upgrade.py"
 python3 "$basedir/builder.py"
 
 if [ "$GLUU_ADMIN_UI_ENABLE_NGINX" = "true" ]; then

docker-admin-ui/scripts/ssa.py

@@ -90,4 +90,5 @@ def get_license_config(manager):
         "scan_license_api_hostname": scan_url,
         "op_host": auth_url,
         "ssa": ssa,
+        "org_id": payload.get("org_id", ""),
     }