From 241a701eca7fe1516f04861823c889d91bd7523d Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Sun, 30 Dec 2018 18:02:22 +0200
Subject: [PATCH 01/61] feat(oauth): merge pr from
 https://github.com/portainer/portainer/pull/2515

---
 api/cmd/portainer/main.go                     |   9 +
 api/http/handler/auth/authenticate.go         |  63 +++++++
 api/http/handler/auth/handler.go              |   3 +
 api/http/handler/handler.go                   |   2 +
 api/http/handler/settings/handler.go          |   2 +
 api/http/handler/settings/settings_public.go  |   8 +
 api/http/handler/settings/settings_update.go  |   7 +-
 api/http/server.go                            |   3 +
 api/oauth/oauth.go                            | 168 ++++++++++++++++++
 api/portainer.go                              |  22 +++
 app/constants.js                              |   1 +
 .../users-datatable/usersDatatable.html       |   3 +-
 app/portainer/models/settings.js              |  17 ++
 app/portainer/rest/oauth.js                   |   9 +
 app/portainer/services/authentication.js      |  21 ++-
 app/portainer/views/auth/auth.html            |   4 +-
 app/portainer/views/auth/authController.js    |  45 ++++-
 .../settingsAuthentication.html               | 120 ++++++++++++-
 .../settingsAuthenticationController.js       |   1 +
 19 files changed, 501 insertions(+), 7 deletions(-)
 create mode 100644 api/oauth/oauth.go
 create mode 100644 app/portainer/rest/oauth.js

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index e0a9dd2f9..83f85aa8f 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -20,6 +20,7 @@ import (
 	"github.com/portainer/portainer/jwt"
 	"github.com/portainer/portainer/ldap"
 	"github.com/portainer/portainer/libcompose"
+	"github.com/portainer/portainer/oauth"
 
 	"log"
 )
@@ -100,6 +101,10 @@ func initLDAPService() portainer.LDAPService {
 	return &ldap.Service{}
 }
 
+func initOAuthService() portainer.OAuthService {
+	return &oauth.Service{}
+}
+
 func initGitService() portainer.GitService {
 	return &git.Service{}
 }
@@ -260,6 +265,7 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
 					portainer.LDAPGroupSearchSettings{},
 				},
 			},
+			OAuthSettings:                      portainer.OAuthSettings{},
 			AllowBindMountsForRegularUsers:     true,
 			AllowPrivilegedModeForRegularUsers: true,
 			EnableHostManagementFeatures:       false,
@@ -520,6 +526,8 @@ func main() {
 
 	ldapService := initLDAPService()
 
+	oauthService := initOAuthService()
+
 	gitService := initGitService()
 
 	cryptoService := initCryptoService()
@@ -665,6 +673,7 @@ func main() {
 		JWTService:             jwtService,
 		FileService:            fileService,
 		LDAPService:            ldapService,
+		OAuthService:           oauthService,
 		GitService:             gitService,
 		SignatureService:       digitalSignatureService,
 		JobScheduler:           jobScheduler,
diff --git a/api/http/handler/auth/authenticate.go b/api/http/handler/auth/authenticate.go
index d5562edd3..163023d0e 100644
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -17,6 +17,10 @@ type authenticatePayload struct {
 	Password string
 }
 
+type oauthPayload struct {
+	Code string
+}
+
 type authenticateResponse struct {
 	JWT string `json:"jwt"`
 }
@@ -31,6 +35,13 @@ func (payload *authenticatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
+func (payload *oauthPayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Code) {
+		return portainer.Error("Invalid OAuth authorization code")
+	}
+	return nil
+}
+
 func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	if handler.authDisabled {
 		return &httperror.HandlerError{http.StatusServiceUnavailable, "Cannot authenticate user. Portainer was started with the --no-auth flag", ErrAuthDisabled}
@@ -82,6 +93,58 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
 	return handler.writeToken(w, user)
 }
 
+func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload oauthPayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	if settings.AuthenticationMethod != 3 {
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not being used", err}
+	}
+
+	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid access token", portainer.ErrUnauthorized}
+	}
+
+	username, err := handler.OAuthService.GetUsername(token, &settings.OAuthSettings)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
+	}
+
+	u, err := handler.UserService.UserByUsername(username)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+	}
+
+	if u == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
+		return &httperror.HandlerError{http.StatusForbidden, "Unregistered account", portainer.ErrUnauthorized}
+	}
+
+	if u == nil {
+		user := &portainer.User{
+			Username: username,
+			Role:     portainer.StandardUserRole,
+		}
+
+		err = handler.UserService.CreateUser(user)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
+		}
+
+		return handler.writeToken(w, user)
+	}
+
+	return handler.writeToken(w, u)
+}
+
 func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
 	err := handler.CryptoService.CompareHashAndData(user.Password, password)
 	if err != nil {
diff --git a/api/http/handler/auth/handler.go b/api/http/handler/auth/handler.go
index 1f0769e08..073da3a69 100644
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -25,6 +25,7 @@ type Handler struct {
 	CryptoService         portainer.CryptoService
 	JWTService            portainer.JWTService
 	LDAPService           portainer.LDAPService
+	OAuthService          portainer.OAuthService
 	SettingsService       portainer.SettingsService
 	TeamService           portainer.TeamService
 	TeamMembershipService portainer.TeamMembershipService
@@ -38,6 +39,8 @@ func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimi
 	}
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
+	h.Handle("/oauth",
+		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticateOAuth)))).Methods(http.MethodPost)
 
 	return h
 }
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index 9cb3059df..f818edf4c 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -60,6 +60,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	switch {
 	case strings.HasPrefix(r.URL.Path, "/api/auth"):
 		http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
+	case strings.HasPrefix(r.URL.Path, "/api/oauth"):
+		http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/dockerhub"):
 		http.StripPrefix("/api", h.DockerHubHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):
diff --git a/api/http/handler/settings/handler.go b/api/http/handler/settings/handler.go
index 0acbd2ca6..ee277d676 100644
--- a/api/http/handler/settings/handler.go
+++ b/api/http/handler/settings/handler.go
@@ -11,6 +11,7 @@ import (
 
 func hideFields(settings *portainer.Settings) {
 	settings.LDAPSettings.Password = ""
+	settings.OAuthSettings.ClientSecret = ""
 }
 
 // Handler is the HTTP handler used to handle settings operations.
@@ -18,6 +19,7 @@ type Handler struct {
 	*mux.Router
 	SettingsService portainer.SettingsService
 	LDAPService     portainer.LDAPService
+	OAuthService    portainer.OAuthService
 	FileService     portainer.FileService
 	JobScheduler    portainer.JobScheduler
 	ScheduleService portainer.ScheduleService
diff --git a/api/http/handler/settings/settings_public.go b/api/http/handler/settings/settings_public.go
index 9744b319a..a803c22a5 100644
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@@ -15,6 +15,10 @@ type publicSettingsResponse struct {
 	AllowPrivilegedModeForRegularUsers bool                           `json:"AllowPrivilegedModeForRegularUsers"`
 	EnableHostManagementFeatures       bool                           `json:"EnableHostManagementFeatures"`
 	ExternalTemplates                  bool                           `json:"ExternalTemplates"`
+	AuthorizationURI                   string                         `json:"AuthorizationURI"`
+	ClientID                           string                         `json:"ClientID"`
+	RedirectURI                        string                         `json:"RedirectURI"`
+	Scopes                             string                         `json:"Scopes"`
 }
 
 // GET request on /api/settings/public
@@ -31,6 +35,10 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
 		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
 		ExternalTemplates:                  false,
+		AuthorizationURI:                   settings.OAuthSettings.AuthorizationURI,
+		ClientID:                           settings.OAuthSettings.ClientID,
+		RedirectURI:                        settings.OAuthSettings.RedirectURI,
+		Scopes:                             settings.OAuthSettings.Scopes,
 	}
 
 	if settings.TemplatesURL != "" {
diff --git a/api/http/handler/settings/settings_update.go b/api/http/handler/settings/settings_update.go
index 5b4d33ae3..57c6d1d0a 100644
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -16,6 +16,7 @@ type settingsUpdatePayload struct {
 	BlackListedLabels                  []portainer.Pair
 	AuthenticationMethod               *int
 	LDAPSettings                       *portainer.LDAPSettings
+	OAuthSettings                      *portainer.OAuthSettings
 	AllowBindMountsForRegularUsers     *bool
 	AllowPrivilegedModeForRegularUsers *bool
 	EnableHostManagementFeatures       *bool
@@ -24,7 +25,7 @@ type settingsUpdatePayload struct {
 }
 
 func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
-	if *payload.AuthenticationMethod != 1 && *payload.AuthenticationMethod != 2 {
+	if *payload.AuthenticationMethod != 1 && *payload.AuthenticationMethod != 2 && *payload.AuthenticationMethod != 3 {
 		return portainer.Error("Invalid authentication method value. Value must be one of: 1 (internal) or 2 (LDAP/AD)")
 	}
 	if payload.LogoURL != nil && *payload.LogoURL != "" && !govalidator.IsURL(*payload.LogoURL) {
@@ -69,6 +70,10 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.LDAPSettings = *payload.LDAPSettings
 	}
 
+	if payload.OAuthSettings != nil {
+		settings.OAuthSettings = *payload.OAuthSettings
+	}
+
 	if payload.AllowBindMountsForRegularUsers != nil {
 		settings.AllowBindMountsForRegularUsers = *payload.AllowBindMountsForRegularUsers
 	}
diff --git a/api/http/server.go b/api/http/server.go
index 1220d94d1..cf3c9ef2b 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -55,6 +55,7 @@ type Server struct {
 	GitService             portainer.GitService
 	JWTService             portainer.JWTService
 	LDAPService            portainer.LDAPService
+	OAuthService           portainer.OAuthService
 	ExtensionService       portainer.ExtensionService
 	RegistryService        portainer.RegistryService
 	ResourceControlService portainer.ResourceControlService
@@ -104,6 +105,7 @@ func (server *Server) Start() error {
 	authHandler.CryptoService = server.CryptoService
 	authHandler.JWTService = server.JWTService
 	authHandler.LDAPService = server.LDAPService
+	authHandler.OAuthService = server.OAuthService
 	authHandler.SettingsService = server.SettingsService
 	authHandler.TeamService = server.TeamService
 	authHandler.TeamMembershipService = server.TeamMembershipService
@@ -155,6 +157,7 @@ func (server *Server) Start() error {
 	var settingsHandler = settings.NewHandler(requestBouncer)
 	settingsHandler.SettingsService = server.SettingsService
 	settingsHandler.LDAPService = server.LDAPService
+	settingsHandler.OAuthService = server.OAuthService
 	settingsHandler.FileService = server.FileService
 	settingsHandler.JobScheduler = server.JobScheduler
 	settingsHandler.ScheduleService = server.ScheduleService
diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
new file mode 100644
index 000000000..bc175d46c
--- /dev/null
+++ b/api/oauth/oauth.go
@@ -0,0 +1,168 @@
+package oauth
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"mime"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/portainer/portainer"
+	"golang.org/x/oauth2"
+)
+
+const (
+	// ErrInvalidCode defines an error raised when the user authorization code is invalid
+	ErrInvalidCode = portainer.Error("Authorization code is invalid")
+)
+
+// Service represents a service used to authenticate users against an authorization server
+type Service struct{}
+
+// GetAccessToken takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint
+func (*Service) GetAccessToken(code string, settings *portainer.OAuthSettings) (string, error) {
+	v := url.Values{}
+	v.Set("client_id", settings.ClientID)
+	v.Set("client_secret", settings.ClientSecret)
+	v.Set("redirect_uri", settings.RedirectURI)
+	v.Set("code", code)
+	v.Set("grant_type", "authorization_code")
+
+	req, err := http.NewRequest("POST", settings.AccessTokenURI, strings.NewReader(v.Encode()))
+	if err != nil {
+		return "", err
+	}
+
+	client := &http.Client{}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	r, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	body, err := ioutil.ReadAll(io.LimitReader(r.Body, 1<<20))
+	if err != nil {
+		return "", fmt.Errorf("oauth2: cannot fetch token: %v", err)
+	}
+
+	if r.StatusCode != http.StatusOK {
+		log.Printf("[Error] - request returned with bad status code %v, body is %v", r.StatusCode, string(body))
+		type ErrorMessage struct {
+			Message string
+			Type    string
+			Code    int
+		}
+		type ErrorResponse struct {
+			Error ErrorMessage
+		}
+
+		var response ErrorResponse
+		if err = json.Unmarshal(body, &response); err != nil {
+			// report also error
+			log.Printf("[Error] - Failed parsing error body: %v", err)
+			return "", errors.New("oauth2: cannot fetch token")
+		}
+
+		return "", errors.New(response.Error.Message)
+	}
+
+	content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
+	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
+		values, err := url.ParseQuery(string(body))
+		if err != nil {
+			return "", err
+		}
+
+		token := values.Get("access_token")
+		log.Printf("[DEBUG] - returned body %v", values)
+
+		if token == "" {
+			log.Printf("[DEBUG] - access token returned empty - %v", values)
+			return "", errors.New("oauth2: cannot fetch token")
+		}
+
+		return token, nil
+	}
+
+	type tokenJSON struct {
+		AccessToken string `json:"access_token"`
+	}
+
+	var tj tokenJSON
+	if err = json.Unmarshal(body, &tj); err != nil {
+		return "", err
+	}
+
+	token := tj.AccessToken
+
+	if token == "" {
+		log.Printf("[DEBUG] - access token returned empty - %v with status code", string(body), r.StatusCode)
+		return "", errors.New("oauth2: cannot fetch token")
+	}
+	return token, nil
+}
+
+// GetUsername takes a token and retrieves the portainer OAuthSettings user identifier from resource server.
+func (*Service) GetUsername(token string, settings *portainer.OAuthSettings) (string, error) {
+	req, err := http.NewRequest("GET", settings.ResourceURI, nil)
+	if err != nil {
+		return "", err
+	}
+
+	client := &http.Client{}
+	req.Header.Set("Authorization", "Bearer "+token)
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", &oauth2.RetrieveError{
+			Response: resp,
+			Body:     body,
+		}
+	}
+
+	content, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
+		values, err := url.ParseQuery(string(body))
+		if err != nil {
+			return "", err
+		}
+
+		username := values.Get(settings.UserIdentifier)
+		return username, nil
+	}
+
+	var datamap map[string]interface{}
+	if err = json.Unmarshal(body, &datamap); err != nil {
+		return "", err
+	}
+
+	username, ok := datamap[settings.UserIdentifier].(string)
+	if ok && username != "" {
+		return username, nil
+	}
+
+	if !ok {
+		username, ok := datamap[settings.UserIdentifier].(float64)
+		if ok {
+			return fmt.Sprint(int(username)), nil
+		}
+	}
+	return "", &oauth2.RetrieveError{
+		Response: resp,
+		Body:     body,
+	}
+}
diff --git a/api/portainer.go b/api/portainer.go
index c8062ed7a..fe099769e 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -56,6 +56,19 @@ type (
 		AutoCreateUsers     bool                      `json:"AutoCreateUsers"`
 	}
 
+	// OAuthSettings represents the settings used to authorize with an authorization server
+	OAuthSettings struct {
+		ClientID             string `json:"ClientID"`
+		ClientSecret         string `json:"ClientSecret,omitempty"`
+		AccessTokenURI       string `json:"AccessTokenURI"`
+		AuthorizationURI     string `json:"AuthorizationURI"`
+		ResourceURI          string `json:"ResourceURI"`
+		RedirectURI          string `json:"RedirectURI"`
+		UserIdentifier       string `json:"UserIdentifier"`
+		Scopes               string `json:"Scopes"`
+		OAuthAutoCreateUsers bool   `json:"OAuthAutoCreateUsers"`
+	}
+
 	// TLSConfiguration represents a TLS configuration
 	TLSConfiguration struct {
 		TLS           bool   `json:"TLS"`
@@ -85,6 +98,7 @@ type (
 		BlackListedLabels                  []Pair               `json:"BlackListedLabels"`
 		AuthenticationMethod               AuthenticationMethod `json:"AuthenticationMethod"`
 		LDAPSettings                       LDAPSettings         `json:"LDAPSettings"`
+		OAuthSettings                      OAuthSettings        `json:"OAuthSettings"`
 		AllowBindMountsForRegularUsers     bool                 `json:"AllowBindMountsForRegularUsers"`
 		AllowPrivilegedModeForRegularUsers bool                 `json:"AllowPrivilegedModeForRegularUsers"`
 		SnapshotInterval                   string               `json:"SnapshotInterval"`
@@ -748,6 +762,12 @@ type (
 		GetUserGroups(username string, settings *LDAPSettings) ([]string, error)
 	}
 
+	// OAuthService represents a service used to authenticate users against an authorization server
+	OAuthService interface {
+		GetAccessToken(code string, settings *OAuthSettings) (string, error)
+		GetUsername(token string, settings *OAuthSettings) (string, error)
+	}
+
 	// SwarmStackManager represents a service to manage Swarm stacks
 	SwarmStackManager interface {
 		Login(dockerhub *DockerHub, registries []Registry, endpoint *Endpoint)
@@ -833,6 +853,8 @@ const (
 	AuthenticationInternal
 	// AuthenticationLDAP represents the LDAP authentication method (authentication against a LDAP server)
 	AuthenticationLDAP
+	//AuthenticationOAuth represents the OAuth authentication method (authentication against a authorization server)
+	AuthenticationOAuth
 )
 
 const (
diff --git a/app/constants.js b/app/constants.js
index 464089158..f1b941de6 100644
--- a/app/constants.js
+++ b/app/constants.js
@@ -4,6 +4,7 @@ angular.module('portainer')
 .constant('API_ENDPOINT_ENDPOINTS', 'api/endpoints')
 .constant('API_ENDPOINT_ENDPOINT_GROUPS', 'api/endpoint_groups')
 .constant('API_ENDPOINT_MOTD', 'api/motd')
+.constant('API_ENDPOINT_OAUTH', 'api/oauth')
 .constant('API_ENDPOINT_EXTENSIONS', 'api/extensions')
 .constant('API_ENDPOINT_REGISTRIES', 'api/registries')
 .constant('API_ENDPOINT_RESOURCE_CONTROLS', 'api/resource_controls')
diff --git a/app/portainer/components/datatables/users-datatable/usersDatatable.html b/app/portainer/components/datatables/users-datatable/usersDatatable.html
index 11692974d..e99fd16f5 100644
--- a/app/portainer/components/datatables/users-datatable/usersDatatable.html
+++ b/app/portainer/components/datatables/users-datatable/usersDatatable.html
@@ -65,8 +65,9 @@
                 </span>
               </td>
               <td>
-                <span ng-if="item.Id === 1 || $ctrl.authenticationMethod !== 2">Internal</span>
+                <span ng-if="item.Id === 1 || $ctrl.authenticationMethod !== 2 && $ctrl.authenticationMethod !== 3">Internal</span>
                 <span ng-if="item.Id !== 1 && $ctrl.authenticationMethod === 2">LDAP</span>
+                <span ng-if="item.Id !== 1 && $ctrl.authenticationMethod === 3">OAuth</span>
               </td>
             </tr>
             <tr ng-if="!$ctrl.dataset">
diff --git a/app/portainer/models/settings.js b/app/portainer/models/settings.js
index a4f2e8bf6..cbf0c958a 100644
--- a/app/portainer/models/settings.js
+++ b/app/portainer/models/settings.js
@@ -3,6 +3,11 @@ function SettingsViewModel(data) {
   this.BlackListedLabels = data.BlackListedLabels;
   this.AuthenticationMethod = data.AuthenticationMethod;
   this.LDAPSettings = data.LDAPSettings;
+  this.OAuthSettings = data.OAuthSettings;
+  this.ClientID = data.ClientID;
+  this.RedirectURI = data.RedirectURI;
+  this.Scopes = data.Scopes;
+  this.AuthorizationURI = data.AuthorizationURI;
   this.AllowBindMountsForRegularUsers = data.AllowBindMountsForRegularUsers;
   this.AllowPrivilegedModeForRegularUsers = data.AllowPrivilegedModeForRegularUsers;
   this.SnapshotInterval = data.SnapshotInterval;
@@ -31,3 +36,15 @@ function LDAPGroupSearchSettings(GroupBaseDN, GroupAttribute, GroupFilter) {
   this.GroupAttribute = GroupAttribute;
   this.GroupFilter = GroupFilter;
 }
+
+function OAuthSettingsViewModel(data) {
+  this.ClientID = data.ClientID;
+  this.ClientSecret = data.ClientSecret;
+  this.AccessTokenURI = data.AccessTokenURI;
+  this.AuthorizationURI = data.AuthorizationURI;
+  this.ResourceURI = data.ResourceURI;
+  this.RedirectURI = data.RedirectURI;
+  this.UserIdentifier = data.UserIdentifier;
+  this.Scopes = data.Scopes;
+  this.OAuthAutoCreateUsers = data.OAuthAutoCreateUsers;
+}
\ No newline at end of file
diff --git a/app/portainer/rest/oauth.js b/app/portainer/rest/oauth.js
new file mode 100644
index 000000000..c1d2a68ad
--- /dev/null
+++ b/app/portainer/rest/oauth.js
@@ -0,0 +1,9 @@
+angular.module('portainer.app')
+.factory('OAuth', ['$resource', 'API_ENDPOINT_OAUTH', function OAuthFactory($resource, API_ENDPOINT_OAUTH) {
+  'use strict';
+  return $resource(API_ENDPOINT_OAUTH, {}, {
+    login: {
+      method: 'POST', ignoreLoadingBar: true
+    }
+  });
+}]);
\ No newline at end of file
diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index 0e9f19a93..e3ac610e9 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -1,11 +1,12 @@
 angular.module('portainer.app')
-.factory('Authentication', ['$q', 'Auth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', function AuthenticationFactory($q, Auth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
+.factory('Authentication', ['$q', 'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', function AuthenticationFactory($q, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
   'use strict';
 
   var service = {};
   var user = {};
 
   service.init = init;
+  service.oAuthLogin = oAuthLogin;
   service.login = login;
   service.logout = logout;
   service.isAuthenticated = isAuthenticated;
@@ -22,6 +23,24 @@ angular.module('portainer.app')
     }
   }
 
+  function oAuthLogin(code) {
+    var deferred = $q.defer();
+
+    OAuth.login({code: code}).$promise
+    .then(function success(data) {
+      LocalStorage.storeJWT(data.jwt);
+      var tokenPayload = jwtHelper.decodeToken(data.jwt);
+      user.username = tokenPayload.username;
+      user.ID = tokenPayload.id;
+      user.role = tokenPayload.role;
+      deferred.resolve();
+    })
+    .catch(function error() {
+      deferred.reject();
+    });
+    return deferred.promise;
+  }
+
   function login(username, password) {
     var deferred = $q.defer();
 
diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 6cde5c633..835303ff2 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -28,13 +28,15 @@
             <!-- login button -->
             <div class="form-group">
               <div class="col-sm-12">
+                <a ng-href="{{ AuthorizationURI }}?response_type=code&client_id={{ ClientID }}&redirect_uri={{ RedirectURI }}&scope={{ Scopes }}&state=portainer"><div class="btn btn-primary btn-sm pull-right" ng-if="AuthenticationMethod === 3" style="margin-left:2px"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> OAuth Login</div></a>
                 <button type="submit" class="btn btn-primary btn-sm pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login</button>
-                <span class="pull-left" style="margin: 5px;" ng-if="state.AuthenticationError">
+                  <span class="pull-left" style="margin: 5px;" ng-if="state.AuthenticationError">
                   <i class="fa fa-exclamation-triangle red-icon" aria-hidden="true" style="margin-right: 2px;"></i>
                   <span class="small text-danger">{{ state.AuthenticationError }}</span>
                 </span>
               </div>
             </div>
+
             <!-- !login button -->
           </form>
           <!-- !login form -->
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 055d359be..6a04ecf36 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -1,6 +1,6 @@
 angular.module('portainer.app')
-.controller('AuthenticationController', ['$q', '$scope', '$state', '$transition$', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
-function ($q, $scope, $state, $transition$, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
+.controller('AuthenticationController', ['$q', '$scope', '$state', '$transition$', '$sanitize', '$location', '$window', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
+function ($q, $scope, $state, $transition$, $sanitize, $location, $window, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
 
   $scope.logo = StateManager.getState().application.logo;
 
@@ -12,6 +12,16 @@ function ($q, $scope, $state, $transition$, $sanitize, Authentication, UserServi
   $scope.state = {
     AuthenticationError: ''
   };
+  
+  SettingsService.publicSettings()
+  .then(function success(settings) {
+    $scope.AuthenticationMethod = settings.AuthenticationMethod;
+    $scope.ClientID = settings.ClientID;
+    $scope.RedirectURI = settings.RedirectURI;
+    $scope.Scopes = settings.Scopes;
+    $scope.AuthorizationURI = settings.AuthorizationURI;
+  });
+
 
   $scope.authenticateUser = function() {
     var username = $scope.formValues.Username;
@@ -74,6 +84,7 @@ function ($q, $scope, $state, $transition$, $sanitize, Authentication, UserServi
         $state.go('portainer.init.endpoint');
       } else {
         $state.go('portainer.home');
+        $window.location.search = '';
       }
     })
     .catch(function error(err) {
@@ -100,5 +111,35 @@ function ($q, $scope, $state, $transition$, $sanitize, Authentication, UserServi
     }
   }
 
+  function oAuthLogin(code) {
+    Authentication.oAuthLogin(code)
+    .then(function success() {
+      $state.go('portainer.home');
+      $window.location.search = '';
+    })
+    .catch(function error() {
+      $scope.state.AuthenticationError = 'Failed to authenticate with OAuth2 Provider';
+    });
+  }
+
+  function getParameter(param) {
+    var URL = $location.absUrl();
+    var params = URL.split('?')[1];
+    if (params === undefined) {
+      return null;
+    }
+    params = params.split('&');
+    for (var i = 0; i < params.length; i++) {
+      var parameter = params[i].split('=');
+        if (parameter[0] === param) {
+          return parameter[1].split('#')[0];
+        }
+    }
+    return null;
+  }
+
   initView();
+  if (getParameter('code') !== null) {
+    oAuthLogin(getParameter('code'));
+  }
 }]);
diff --git a/app/portainer/views/settings/authentication/settingsAuthentication.html b/app/portainer/views/settings/authentication/settingsAuthentication.html
index 72db0edef..1cef110f7 100644
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@@ -37,6 +37,16 @@
                   <p>LDAP authentication</p>
                 </label>
               </div>
+              <div>
+                <input type="radio" id="registry_auth" ng-model="settings.AuthenticationMethod" ng-value="3">
+                <label for="registry_auth">
+                  <div class="boxselector_header">
+                    <i class="fa fa-users" aria-hidden="true" style="margin-right: 2px;"></i>
+                    OAuth
+                  </div>
+                  <p>OAuth authentication</p>
+                </label>
+              </div>
             </div>
           </div>
           <div class="col-sm-12 form-section-title">
@@ -52,6 +62,11 @@
               When using LDAP authentication, Portainer will delegate user authentication to a LDAP server and fallback to internal authentication if LDAP authentication fails.
             </span>
           </div>
+          <div class="form-group" ng-if="settings.AuthenticationMethod === 3">
+            <span class="col-sm-12 text-muted small">
+                When using OAuth authentication, Portainer will allow users to optionally authenticate with an OAuth authorization server.
+            </span>
+          </div>
 
           <div ng-if="settings.AuthenticationMethod === 2">
             <div class="col-sm-12 form-section-title">
@@ -306,7 +321,110 @@
             <!-- !group-search-settings -->
           </div>
 
-          <!-- actions -->
+          <div ng-if="settings.AuthenticationMethod === 3">
+
+            <div class="col-sm-12 form-section-title">
+              OAuth Configuration
+            </div>
+
+            <div class="form-group">
+              <label for="oauth_client_id" class="col-sm-3 col-lg-2 control-label text-left">
+                 Client ID
+                <portainer-tooltip position="bottom" message="Client ID that authorization server supports"></portainer-tooltip>
+              </label>
+              <div class="col-sm-9 col-lg-10">
+                <input type="text" class="form-control" id="oauth_client_id" ng-model="OAuthSettings.ClientID" placeholder="xxxxxxxxxxxxxxxxxxxx">
+              </div>
+            </div>
+
+            <div class="form-group">
+              <label for="oauth_client_secret" class="col-sm-3 col-lg-2 control-label text-left">
+                Client Secret
+                <portainer-tooltip position="bottom" message="Client secret that authorization server supports"></portainer-tooltip>
+              </label>
+                <div class="col-sm-9 col-lg-10">
+                  <input type="password" class="form-control" id="oauth_client_secret" ng-model="OAuthSettings.ClientSecret" placeholder="xxxxxxxxxxxxxxxxxxxx">
+	            </div>
+            </div>
+
+            <div class="form-group">
+              <label for="oauth_authorization_uri" class="col-sm-3 col-lg-2 control-label text-left">
+                Authorization URI
+                <portainer-tooltip position="bottom" message="URI where the user is redirected in order to login with OAuth provider"></portainer-tooltip>
+              </label>
+                <div class="col-sm-9 col-lg-10">
+                  <input type="text" class="form-control" id="oauth_authorization_uri" ng-model="OAuthSettings.AuthorizationURI" placeholder="https://example.com/oauth/authorize">
+                </div>
+            </div>
+
+            <div class="form-group">
+              <label for="oauth_access_token_uri" class="col-sm-3 col-lg-2 control-label text-left">
+                Access Token URI
+                <portainer-tooltip position="bottom" message="URI where portainer will attempt to obtain an access token"></portainer-tooltip>
+              </label>
+	          <div class="col-sm-9 col-lg-10">
+                <input type="text" class="form-control" id="oauth_access_token_uri" ng-model="OAuthSettings.AccessTokenURI" placeholder="https://example.com/oauth/token">
+              </div>
+            </div>
+
+            <div class="form-group">
+              <label for="oauth_resource_uri" class="col-sm-3 col-lg-2 control-label text-left">
+                Resource URI
+                <portainer-tooltip position="bottom" message="URI where portainer will attempt to retrieve the user identifier value"></portainer-tooltip>
+              </label>
+              <div class="col-sm-9 col-lg-10">
+                <input type="text" class="form-control" id="oauth_resource_uri" ng-model="OAuthSettings.ResourceURI" placeholder="https://example.com/user">
+              </div>
+            </div>
+
+            <div class="form-group">
+              <label for="oauth_redirect_uri" class="col-sm-3 col-lg-2 control-label text-left">
+                Redirect URI
+                <portainer-tooltip position="bottom" message="Set this as your portainer index"></portainer-tooltip>
+              </label>
+              <div class="col-sm-9 col-lg-10">
+                <input type="text" class="form-control" id="oauth_redirect_uri" ng-model="OAuthSettings.RedirectURI" placeholder="http://yourportainer.com/">
+              </div>
+            </div>
+
+            <div class="form-group">
+              <label for="oauth_user_identifier" class="col-sm-3 col-lg-2 control-label text-left">
+                User Identifier
+                <portainer-tooltip position="bottom" message="Key that identifies the user in the resource server request"></portainer-tooltip>
+              </label>
+              <div class="col-sm-9 col-lg-10">
+                <input type="text" class="form-control" id="oauth_user_identifier" ng-model="OAuthSettings.UserIdentifier" placeholder="id">
+              </div>
+            </div>
+
+            <div class="form-group">
+              <label for="oauth_scopes" class="col-sm-3 col-lg-2 control-label text-left">
+                Scopes
+                <portainer-tooltip position="bottom" message="Scopes that are required to obtain the user identifier separated by delimiter if server expects it"></portainer-tooltip>
+              </label>
+              <div class="col-sm-9 col-lg-10">
+                <input type="text" class="form-control" id="oauth_scopes" ng-model="OAuthSettings.Scopes" placeholder="id,email,name">
+              </div>
+            </div>
+
+            <div class="form-group">
+              <span class="col-sm-12 text-muted small">
+                With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If disabled, users must be created in Portainer in order to login.
+              </span>
+            </div>
+            <div class="form-group">
+              <div class="col-sm-12">
+                <label for="oauth_provisioning">
+                  Automatic user provisioning
+                </label>
+                <label class="switch" style="margin-left: 20px">
+                  <input type="checkbox" ng-model="OAuthSettings.OAuthAutoCreateUsers"><i></i>
+                </label>
+              </div>
+            </div>
+          </div>
+
+            <!-- actions -->
           <div class="form-group">
             <div class="col-sm-12">
               <button type="button" class="btn btn-primary btn-sm" ng-click="saveSettings()" ng-disabled="state.actionInProgress" button-spinner="state.actionInProgress">
diff --git a/app/portainer/views/settings/authentication/settingsAuthenticationController.js b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
index 1eea8dda3..81f096942 100644
--- a/app/portainer/views/settings/authentication/settingsAuthenticationController.js
+++ b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
@@ -97,6 +97,7 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService) {
       var settings = data;
       $scope.settings = settings;
       $scope.LDAPSettings = settings.LDAPSettings;
+      $scope.OAuthSettings = settings.OAuthSettings;
       $scope.formValues.TLSCACert = settings.LDAPSettings.TLSConfig.TLSCACert;
     })
     .catch(function error(err) {

From 2ee6f2780be9337a445f3ccd8487c2ea5874aaf5 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Sun, 30 Dec 2018 18:25:30 +0200
Subject: [PATCH 02/61] refactor(oauth): add debug logs

---
 api/http/handler/auth/authenticate.go | 2 ++
 api/oauth/oauth.go                    | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/api/http/handler/auth/authenticate.go b/api/http/handler/auth/authenticate.go
index 163023d0e..a0fbf7c51 100644
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -111,11 +111,13 @@ func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request
 
 	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
 	if err != nil {
+		log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
 		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid access token", portainer.ErrUnauthorized}
 	}
 
 	username, err := handler.OAuthService.GetUsername(token, &settings.OAuthSettings)
 	if err != nil {
+		log.Printf("[DEBUG] - Failed acquiring username: %v", err)
 		return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
 	}
 
diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
index bc175d46c..d2ceffa55 100644
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@@ -51,7 +51,6 @@ func (*Service) GetAccessToken(code string, settings *portainer.OAuthSettings) (
 	}
 
 	if r.StatusCode != http.StatusOK {
-		log.Printf("[Error] - request returned with bad status code %v, body is %v", r.StatusCode, string(body))
 		type ErrorMessage struct {
 			Message string
 			Type    string
@@ -157,7 +156,7 @@ func (*Service) GetUsername(token string, settings *portainer.OAuthSettings) (st
 
 	if !ok {
 		username, ok := datamap[settings.UserIdentifier].(float64)
-		if ok {
+		if ok && username != 0 {
 			return fmt.Sprint(int(username)), nil
 		}
 	}

From 996319d29964c0bcf0b0854e11e5490632cc1515 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Sun, 30 Dec 2018 18:39:16 +0200
Subject: [PATCH 03/61] feat(auth): don't clear client secret on update

---
 api/http/handler/settings/settings_update.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/api/http/handler/settings/settings_update.go b/api/http/handler/settings/settings_update.go
index 57c6d1d0a..919d8a075 100644
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -71,7 +71,12 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 	}
 
 	if payload.OAuthSettings != nil {
+		clientSecret := payload.OAuthSettings.ClientSecret
+		if clientSecret == "" {
+			clientSecret = settings.OAuthSettings.ClientSecret
+		}
 		settings.OAuthSettings = *payload.OAuthSettings
+		settings.OAuthSettings.ClientSecret = clientSecret
 	}
 
 	if payload.AllowBindMountsForRegularUsers != nil {

From 7494101a4da198f85773c5d07c6f4830a292f51e Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 15:56:08 +0200
Subject: [PATCH 04/61] refactor(auth): refactor auth controller

---
 app/portainer/helpers/urlHelper.js         | 21 +++++++++
 app/portainer/views/auth/authController.js | 52 ++++++++--------------
 2 files changed, 40 insertions(+), 33 deletions(-)
 create mode 100644 app/portainer/helpers/urlHelper.js

diff --git a/app/portainer/helpers/urlHelper.js b/app/portainer/helpers/urlHelper.js
new file mode 100644
index 000000000..977e22751
--- /dev/null
+++ b/app/portainer/helpers/urlHelper.js
@@ -0,0 +1,21 @@
+angular.module('portainer.app').service('urlHelper', function urlHelper($location) {
+
+  this.getParameter = getParameter;
+
+  function getParameter(param) {
+    var url = $location.absUrl();
+    var index = url.indexOf('?');
+    if (index < 0) {
+      return;
+    }
+    var params = url.substring(index + 1);
+    params = params.split('&');
+    for (var i = 0; i < params.length; i++) {
+      var parameter = params[i].split('=');
+        if (parameter[0] === param) {
+          return parameter[1].split('#')[0];
+        }
+    }
+    return;
+  }
+});
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 6a04ecf36..8499a1a20 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -1,7 +1,6 @@
 angular.module('portainer.app')
-.controller('AuthenticationController', ['$q', '$scope', '$state', '$transition$', '$sanitize', '$location', '$window', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
-function ($q, $scope, $state, $transition$, $sanitize, $location, $window, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
-
+.controller('AuthenticationController', ['urlHelper','$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
+function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
   $scope.logo = StateManager.getState().application.logo;
 
   $scope.formValues = {
@@ -13,14 +12,7 @@ function ($q, $scope, $state, $transition$, $sanitize, $location, $window, Authe
     AuthenticationError: ''
   };
   
-  SettingsService.publicSettings()
-  .then(function success(settings) {
-    $scope.AuthenticationMethod = settings.AuthenticationMethod;
-    $scope.ClientID = settings.ClientID;
-    $scope.RedirectURI = settings.RedirectURI;
-    $scope.Scopes = settings.Scopes;
-    $scope.AuthorizationURI = settings.AuthorizationURI;
-  });
+  
 
 
   $scope.authenticateUser = function() {
@@ -84,7 +76,6 @@ function ($q, $scope, $state, $transition$, $sanitize, $location, $window, Authe
         $state.go('portainer.init.endpoint');
       } else {
         $state.go('portainer.home');
-        $window.location.search = '';
       }
     })
     .catch(function error(err) {
@@ -93,9 +84,18 @@ function ($q, $scope, $state, $transition$, $sanitize, $location, $window, Authe
   }
 
   function initView() {
-    if ($transition$.params().logout || $transition$.params().error) {
+    SettingsService.publicSettings()
+      .then(function success(settings) {
+        $scope.AuthenticationMethod = settings.AuthenticationMethod;
+        $scope.ClientID = settings.ClientID;
+        $scope.RedirectURI = settings.RedirectURI;
+        $scope.Scopes = settings.Scopes;
+        $scope.AuthorizationURI = settings.AuthorizationURI;
+      });
+
+    if ($stateParams.logout || $stateParams.error) {
       Authentication.logout();
-      $scope.state.AuthenticationError = $transition$.params().error;
+      $scope.state.AuthenticationError = $stateParams.error;
       return;
     }
 
@@ -109,37 +109,23 @@ function ($q, $scope, $state, $transition$, $sanitize, $location, $window, Authe
     } else {
       authenticatedFlow();
     }
+
+    var code = urlHelper.getParameter('code');
+    if (code) {
+      oAuthLogin(code);
+    }
   }
 
   function oAuthLogin(code) {
     Authentication.oAuthLogin(code)
     .then(function success() {
       $state.go('portainer.home');
-      $window.location.search = '';
     })
     .catch(function error() {
       $scope.state.AuthenticationError = 'Failed to authenticate with OAuth2 Provider';
     });
   }
 
-  function getParameter(param) {
-    var URL = $location.absUrl();
-    var params = URL.split('?')[1];
-    if (params === undefined) {
-      return null;
-    }
-    params = params.split('&');
-    for (var i = 0; i < params.length; i++) {
-      var parameter = params[i].split('=');
-        if (parameter[0] === param) {
-          return parameter[1].split('#')[0];
-        }
-    }
-    return null;
-  }
 
   initView();
-  if (getParameter('code') !== null) {
-    oAuthLogin(getParameter('code'));
-  }
 }]);

From 38f24683a656ca0e5dcb08a645a5c1854ba951d5 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 15:59:38 +0200
Subject: [PATCH 05/61] refactor(auth): remove empty $q.deffered

---
 app/portainer/services/authentication.js | 119 ++++++++++-------------
 1 file changed, 53 insertions(+), 66 deletions(-)

diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index e3ac610e9..5b8ba3ca2 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -1,79 +1,66 @@
 angular.module('portainer.app')
-.factory('Authentication', ['$q', 'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', function AuthenticationFactory($q, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
-  'use strict';
+.factory('Authentication', [
+  'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', 
+  function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
+    'use strict';
 
-  var service = {};
-  var user = {};
+    var service = {};
+    var user = {};
 
-  service.init = init;
-  service.oAuthLogin = oAuthLogin;
-  service.login = login;
-  service.logout = logout;
-  service.isAuthenticated = isAuthenticated;
-  service.getUserDetails = getUserDetails;
+    service.init = init;
+    service.oAuthLogin = oAuthLogin;
+    service.login = login;
+    service.logout = logout;
+    service.isAuthenticated = isAuthenticated;
+    service.getUserDetails = getUserDetails;
 
-  function init() {
-    var jwt = LocalStorage.getJWT();
+    function init() {
+      var jwt = LocalStorage.getJWT();
 
-    if (jwt) {
-      var tokenPayload = jwtHelper.decodeToken(jwt);
-      user.username = tokenPayload.username;
-      user.ID = tokenPayload.id;
-      user.role = tokenPayload.role;
+      if (jwt) {
+        var tokenPayload = jwtHelper.decodeToken(jwt);
+        user.username = tokenPayload.username;
+        user.ID = tokenPayload.id;
+        user.role = tokenPayload.role;
+      }
     }
-  }
 
-  function oAuthLogin(code) {
-    var deferred = $q.defer();
+    function oAuthLogin(code) {
+      return OAuth.login({code: code}).$promise
+      .then(function success(data) {
+        LocalStorage.storeJWT(data.jwt);
+        var tokenPayload = jwtHelper.decodeToken(data.jwt);
+        user.username = tokenPayload.username;
+        user.ID = tokenPayload.id;
+        user.role = tokenPayload.role;
+      });
+    }
 
-    OAuth.login({code: code}).$promise
-    .then(function success(data) {
-      LocalStorage.storeJWT(data.jwt);
-      var tokenPayload = jwtHelper.decodeToken(data.jwt);
-      user.username = tokenPayload.username;
-      user.ID = tokenPayload.id;
-      user.role = tokenPayload.role;
-      deferred.resolve();
-    })
-    .catch(function error() {
-      deferred.reject();
-    });
-    return deferred.promise;
-  }
+    function login(username, password) {
+      return Auth.login({username: username, password: password}).$promise
+      .then(function success(data) {
+        LocalStorage.storeJWT(data.jwt);
+        var tokenPayload = jwtHelper.decodeToken(data.jwt);
+        user.username = username;
+        user.ID = tokenPayload.id;
+        user.role = tokenPayload.role;
+      });
+    }
 
-  function login(username, password) {
-    var deferred = $q.defer();
+    function logout() {
+      StateManager.clean();
+      EndpointProvider.clean();
+      LocalStorage.clean();
+    }
 
-    Auth.login({username: username, password: password}).$promise
-    .then(function success(data) {
-      LocalStorage.storeJWT(data.jwt);
-      var tokenPayload = jwtHelper.decodeToken(data.jwt);
-      user.username = username;
-      user.ID = tokenPayload.id;
-      user.role = tokenPayload.role;
-      deferred.resolve();
-    })
-    .catch(function error() {
-      deferred.reject();
-    });
+    function isAuthenticated() {
+      var jwt = LocalStorage.getJWT();
+      return jwt && !jwtHelper.isTokenExpired(jwt);
+    }
 
-    return deferred.promise;
-  }
+    function getUserDetails() {
+      return user;
+    }
 
-  function logout() {
-    StateManager.clean();
-    EndpointProvider.clean();
-    LocalStorage.clean();
-  }
-
-  function isAuthenticated() {
-    var jwt = LocalStorage.getJWT();
-    return jwt && !jwtHelper.isTokenExpired(jwt);
-  }
-
-  function getUserDetails() {
-    return user;
-  }
-
-  return service;
+    return service;
 }]);

From 0a1643bbcf7a3def4e1abd9635ef9b61d1e4ca71 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 16:01:10 +0200
Subject: [PATCH 06/61] style(auth): remove added spaces

---
 app/portainer/services/authentication.js | 104 +++++++++++------------
 1 file changed, 52 insertions(+), 52 deletions(-)

diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index 5b8ba3ca2..b6b9c8071 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -1,66 +1,66 @@
 angular.module('portainer.app')
 .factory('Authentication', [
-  'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', 
-  function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
-    'use strict';
+'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', 
+function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
+  'use strict';
 
-    var service = {};
-    var user = {};
+  var service = {};
+  var user = {};
 
-    service.init = init;
-    service.oAuthLogin = oAuthLogin;
-    service.login = login;
-    service.logout = logout;
-    service.isAuthenticated = isAuthenticated;
-    service.getUserDetails = getUserDetails;
+  service.init = init;
+  service.oAuthLogin = oAuthLogin;
+  service.login = login;
+  service.logout = logout;
+  service.isAuthenticated = isAuthenticated;
+  service.getUserDetails = getUserDetails;
 
-    function init() {
-      var jwt = LocalStorage.getJWT();
+  function init() {
+    var jwt = LocalStorage.getJWT();
 
-      if (jwt) {
-        var tokenPayload = jwtHelper.decodeToken(jwt);
-        user.username = tokenPayload.username;
-        user.ID = tokenPayload.id;
-        user.role = tokenPayload.role;
-      }
+    if (jwt) {
+      var tokenPayload = jwtHelper.decodeToken(jwt);
+      user.username = tokenPayload.username;
+      user.ID = tokenPayload.id;
+      user.role = tokenPayload.role;
     }
+  }
 
-    function oAuthLogin(code) {
-      return OAuth.login({code: code}).$promise
-      .then(function success(data) {
-        LocalStorage.storeJWT(data.jwt);
-        var tokenPayload = jwtHelper.decodeToken(data.jwt);
-        user.username = tokenPayload.username;
-        user.ID = tokenPayload.id;
-        user.role = tokenPayload.role;
-      });
-    }
+  function oAuthLogin(code) {
+    return OAuth.login({code: code}).$promise
+    .then(function success(data) {
+      LocalStorage.storeJWT(data.jwt);
+      var tokenPayload = jwtHelper.decodeToken(data.jwt);
+      user.username = tokenPayload.username;
+      user.ID = tokenPayload.id;
+      user.role = tokenPayload.role;
+    });
+  }
 
-    function login(username, password) {
-      return Auth.login({username: username, password: password}).$promise
-      .then(function success(data) {
-        LocalStorage.storeJWT(data.jwt);
-        var tokenPayload = jwtHelper.decodeToken(data.jwt);
-        user.username = username;
-        user.ID = tokenPayload.id;
-        user.role = tokenPayload.role;
-      });
-    }
+  function login(username, password) {
+    return Auth.login({username: username, password: password}).$promise
+    .then(function success(data) {
+      LocalStorage.storeJWT(data.jwt);
+      var tokenPayload = jwtHelper.decodeToken(data.jwt);
+      user.username = username;
+      user.ID = tokenPayload.id;
+      user.role = tokenPayload.role;
+    });
+  }
 
-    function logout() {
-      StateManager.clean();
-      EndpointProvider.clean();
-      LocalStorage.clean();
-    }
+  function logout() {
+    StateManager.clean();
+    EndpointProvider.clean();
+    LocalStorage.clean();
+  }
 
-    function isAuthenticated() {
-      var jwt = LocalStorage.getJWT();
-      return jwt && !jwtHelper.isTokenExpired(jwt);
-    }
+  function isAuthenticated() {
+    var jwt = LocalStorage.getJWT();
+    return jwt && !jwtHelper.isTokenExpired(jwt);
+  }
 
-    function getUserDetails() {
-      return user;
-    }
+  function getUserDetails() {
+    return user;
+  }
 
-    return service;
+  return service;
 }]);

From 515daf6dba8e6ff78f7a1b2dc51638b8a3ff82d6 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 16:21:36 +0200
Subject: [PATCH 07/61] refactor(auth): exprt oauth settings into extension

---
 app/extensions/_module.js                     |   3 +-
 app/extensions/oauth/__module.js              |   1 +
 .../oauth-settings-controller.js              |   0
 .../oauth-settings/oauth-settings.html        | 164 ++++++++++++++++++
 .../oauth-settings/oauth-settings.js          |   7 +
 app/portainer/views/auth/authController.js    |   3 -
 .../settingsAuthentication.html               | 103 +----------
 .../settingsAuthenticationController.js       |   4 +
 8 files changed, 179 insertions(+), 106 deletions(-)
 create mode 100644 app/extensions/oauth/__module.js
 create mode 100644 app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
 create mode 100644 app/extensions/oauth/components/oauth-settings/oauth-settings.html
 create mode 100644 app/extensions/oauth/components/oauth-settings/oauth-settings.js

diff --git a/app/extensions/_module.js b/app/extensions/_module.js
index 5a936d2cf..7ad877aa6 100644
--- a/app/extensions/_module.js
+++ b/app/extensions/_module.js
@@ -1,3 +1,4 @@
 angular.module('portainer.extensions', [
-  'portainer.extensions.registrymanagement'
+  'portainer.extensions.registrymanagement',
+  'portainer.extensions.oauth'
 ]);
diff --git a/app/extensions/oauth/__module.js b/app/extensions/oauth/__module.js
new file mode 100644
index 000000000..80b17e495
--- /dev/null
+++ b/app/extensions/oauth/__module.js
@@ -0,0 +1 @@
+angular.module('portainer.extensions.oauth', []);
\ No newline at end of file
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
new file mode 100644
index 000000000..e69de29bb
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
new file mode 100644
index 000000000..49f923e12
--- /dev/null
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -0,0 +1,164 @@
+<div>
+  <div class="col-sm-12 form-section-title">OAuth Configuration</div>
+
+  <div class="form-group">
+    <label for="oauth_client_id" class="col-sm-3 col-lg-2 control-label text-left">
+      Client ID
+      <portainer-tooltip position="bottom" message="Client ID that authorization server supports"></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+        type="text"
+        class="form-control"
+        id="oauth_client_id"
+        ng-model="$ctrl.settings.ClientID"
+        placeholder="xxxxxxxxxxxxxxxxxxxx"
+      />
+    </div>
+  </div>
+
+  <div class="form-group">
+    <label for="oauth_client_secret" class="col-sm-3 col-lg-2 control-label text-left">
+      Client Secret
+      <portainer-tooltip
+        position="bottom"
+        message="Client secret that authorization server supports"
+      ></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+        type="password"
+        class="form-control"
+        id="oauth_client_secret"
+        ng-model="$ctrl.settings.ClientSecret"
+        placeholder="xxxxxxxxxxxxxxxxxxxx"
+      />
+    </div>
+  </div>
+
+  <div class="form-group">
+    <label for="oauth_authorization_uri" class="col-sm-3 col-lg-2 control-label text-left">
+      Authorization URI
+      <portainer-tooltip
+        position="bottom"
+        message="URI where the user is redirected in order to login with OAuth provider"
+      ></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+        type="text"
+        class="form-control"
+        id="oauth_authorization_uri"
+        ng-model="$ctrl.settings.AuthorizationURI"
+        placeholder="https://example.com/oauth/authorize"
+      />
+    </div>
+  </div>
+
+  <div class="form-group">
+    <label for="oauth_access_token_uri" class="col-sm-3 col-lg-2 control-label text-left">
+      Access Token URI
+      <portainer-tooltip
+        position="bottom"
+        message="URI where portainer will attempt to obtain an access token"
+      ></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+        type="text"
+        class="form-control"
+        id="oauth_access_token_uri"
+        ng-model="$ctrl.settings.AccessTokenURI"
+        placeholder="https://example.com/oauth/token"
+      />
+    </div>
+  </div>
+
+  <div class="form-group">
+    <label for="oauth_resource_uri" class="col-sm-3 col-lg-2 control-label text-left">
+      Resource URI
+      <portainer-tooltip
+        position="bottom"
+        message="URI where portainer will attempt to retrieve the user identifier value"
+      ></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+        type="text"
+        class="form-control"
+        id="oauth_resource_uri"
+        ng-model="$ctrl.settings.ResourceURI"
+        placeholder="https://example.com/user"
+      />
+    </div>
+  </div>
+
+  <div class="form-group">
+    <label for="oauth_redirect_uri" class="col-sm-3 col-lg-2 control-label text-left">
+      Redirect URI
+      <portainer-tooltip position="bottom" message="Set this as your portainer index"></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+        type="text"
+        class="form-control"
+        id="oauth_redirect_uri"
+        ng-model="$ctrl.settings.RedirectURI"
+        placeholder="http://yourportainer.com/"
+      />
+    </div>
+  </div>
+
+  <div class="form-group">
+    <label for="oauth_user_identifier" class="col-sm-3 col-lg-2 control-label text-left">
+      User Identifier
+      <portainer-tooltip
+        position="bottom"
+        message="Key that identifies the user in the resource server request"
+      ></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+        type="text"
+        class="form-control"
+        id="oauth_user_identifier"
+        ng-model="$ctrl.settings.UserIdentifier"
+        placeholder="id"
+      />
+    </div>
+  </div>
+
+  <div class="form-group">
+    <label for="oauth_scopes" class="col-sm-3 col-lg-2 control-label text-left">
+      Scopes
+      <portainer-tooltip
+        position="bottom"
+        message="Scopes that are required to obtain the user identifier separated by delimiter if server expects it"
+      ></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+        type="text"
+        class="form-control"
+        id="oauth_scopes"
+        ng-model="$ctrl.settings.Scopes"
+        placeholder="id,email,name"
+      />
+    </div>
+  </div>
+
+  <div class="form-group">
+    <span class="col-sm-12 text-muted small">
+      With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If
+      disabled, users must be created in Portainer in order to login.
+    </span>
+  </div>
+  <div class="form-group">
+    <div class="col-sm-12">
+      <label for="oauth_provisioning"> Automatic user provisioning </label>
+      <label class="switch" style="margin-left: 20px">
+        <input type="checkbox" ng-model="$ctrl.settings.OAuthAutoCreateUsers" /><i></i>
+      </label>
+    </div>
+  </div>
+</div>
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.js b/app/extensions/oauth/components/oauth-settings/oauth-settings.js
new file mode 100644
index 000000000..9301a0e12
--- /dev/null
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.js
@@ -0,0 +1,7 @@
+angular.module('portainer.extensions.oauth').component('oauthSettings', {
+  templateUrl: 'app/extensions/oauth/components/oauth-settings/oauth-settings.html',
+  bindings: {
+    settings: '<'
+  }
+  // controller: 'oauthSettingsController'
+});
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 8499a1a20..9c80ba721 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -11,9 +11,6 @@ function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication
   $scope.state = {
     AuthenticationError: ''
   };
-  
-  
-
 
   $scope.authenticateUser = function() {
     var username = $scope.formValues.Username;
diff --git a/app/portainer/views/settings/authentication/settingsAuthentication.html b/app/portainer/views/settings/authentication/settingsAuthentication.html
index 1cef110f7..8c46a5aca 100644
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@@ -321,108 +321,7 @@
             <!-- !group-search-settings -->
           </div>
 
-          <div ng-if="settings.AuthenticationMethod === 3">
-
-            <div class="col-sm-12 form-section-title">
-              OAuth Configuration
-            </div>
-
-            <div class="form-group">
-              <label for="oauth_client_id" class="col-sm-3 col-lg-2 control-label text-left">
-                 Client ID
-                <portainer-tooltip position="bottom" message="Client ID that authorization server supports"></portainer-tooltip>
-              </label>
-              <div class="col-sm-9 col-lg-10">
-                <input type="text" class="form-control" id="oauth_client_id" ng-model="OAuthSettings.ClientID" placeholder="xxxxxxxxxxxxxxxxxxxx">
-              </div>
-            </div>
-
-            <div class="form-group">
-              <label for="oauth_client_secret" class="col-sm-3 col-lg-2 control-label text-left">
-                Client Secret
-                <portainer-tooltip position="bottom" message="Client secret that authorization server supports"></portainer-tooltip>
-              </label>
-                <div class="col-sm-9 col-lg-10">
-                  <input type="password" class="form-control" id="oauth_client_secret" ng-model="OAuthSettings.ClientSecret" placeholder="xxxxxxxxxxxxxxxxxxxx">
-	            </div>
-            </div>
-
-            <div class="form-group">
-              <label for="oauth_authorization_uri" class="col-sm-3 col-lg-2 control-label text-left">
-                Authorization URI
-                <portainer-tooltip position="bottom" message="URI where the user is redirected in order to login with OAuth provider"></portainer-tooltip>
-              </label>
-                <div class="col-sm-9 col-lg-10">
-                  <input type="text" class="form-control" id="oauth_authorization_uri" ng-model="OAuthSettings.AuthorizationURI" placeholder="https://example.com/oauth/authorize">
-                </div>
-            </div>
-
-            <div class="form-group">
-              <label for="oauth_access_token_uri" class="col-sm-3 col-lg-2 control-label text-left">
-                Access Token URI
-                <portainer-tooltip position="bottom" message="URI where portainer will attempt to obtain an access token"></portainer-tooltip>
-              </label>
-	          <div class="col-sm-9 col-lg-10">
-                <input type="text" class="form-control" id="oauth_access_token_uri" ng-model="OAuthSettings.AccessTokenURI" placeholder="https://example.com/oauth/token">
-              </div>
-            </div>
-
-            <div class="form-group">
-              <label for="oauth_resource_uri" class="col-sm-3 col-lg-2 control-label text-left">
-                Resource URI
-                <portainer-tooltip position="bottom" message="URI where portainer will attempt to retrieve the user identifier value"></portainer-tooltip>
-              </label>
-              <div class="col-sm-9 col-lg-10">
-                <input type="text" class="form-control" id="oauth_resource_uri" ng-model="OAuthSettings.ResourceURI" placeholder="https://example.com/user">
-              </div>
-            </div>
-
-            <div class="form-group">
-              <label for="oauth_redirect_uri" class="col-sm-3 col-lg-2 control-label text-left">
-                Redirect URI
-                <portainer-tooltip position="bottom" message="Set this as your portainer index"></portainer-tooltip>
-              </label>
-              <div class="col-sm-9 col-lg-10">
-                <input type="text" class="form-control" id="oauth_redirect_uri" ng-model="OAuthSettings.RedirectURI" placeholder="http://yourportainer.com/">
-              </div>
-            </div>
-
-            <div class="form-group">
-              <label for="oauth_user_identifier" class="col-sm-3 col-lg-2 control-label text-left">
-                User Identifier
-                <portainer-tooltip position="bottom" message="Key that identifies the user in the resource server request"></portainer-tooltip>
-              </label>
-              <div class="col-sm-9 col-lg-10">
-                <input type="text" class="form-control" id="oauth_user_identifier" ng-model="OAuthSettings.UserIdentifier" placeholder="id">
-              </div>
-            </div>
-
-            <div class="form-group">
-              <label for="oauth_scopes" class="col-sm-3 col-lg-2 control-label text-left">
-                Scopes
-                <portainer-tooltip position="bottom" message="Scopes that are required to obtain the user identifier separated by delimiter if server expects it"></portainer-tooltip>
-              </label>
-              <div class="col-sm-9 col-lg-10">
-                <input type="text" class="form-control" id="oauth_scopes" ng-model="OAuthSettings.Scopes" placeholder="id,email,name">
-              </div>
-            </div>
-
-            <div class="form-group">
-              <span class="col-sm-12 text-muted small">
-                With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If disabled, users must be created in Portainer in order to login.
-              </span>
-            </div>
-            <div class="form-group">
-              <div class="col-sm-12">
-                <label for="oauth_provisioning">
-                  Automatic user provisioning
-                </label>
-                <label class="switch" style="margin-left: 20px">
-                  <input type="checkbox" ng-model="OAuthSettings.OAuthAutoCreateUsers"><i></i>
-                </label>
-              </div>
-            </div>
-          </div>
+          <oauth-settings ng-if="settings.AuthenticationMethod === 3" settings="OAuthSettings"></oauth-settings>
 
             <!-- actions -->
           <div class="form-group">
diff --git a/app/portainer/views/settings/authentication/settingsAuthenticationController.js b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
index 81f096942..a94dfd658 100644
--- a/app/portainer/views/settings/authentication/settingsAuthenticationController.js
+++ b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
@@ -14,6 +14,10 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService) {
     TLSCACert: ''
   };
 
+  $scope.isOauthEnabled = function isOauthEnabled() {
+    return $scope.settings.AuthenticationMethod === 3;
+  };
+
   $scope.addSearchConfiguration = function() {
     $scope.LDAPSettings.SearchSettings.push({ BaseDN: '', UserNameAttribute: '', Filter: '' });
   };

From 7aaa9e58e90b5f37274f54d0d59d2b24af9ab61d Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 16:24:10 +0200
Subject: [PATCH 08/61] refactor(auth): move oauth info to component

---
 .../oauth/components/oauth-settings/oauth-settings.html     | 6 ++++++
 .../settings/authentication/settingsAuthentication.html     | 6 +-----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index 49f923e12..f73415e25 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -1,4 +1,10 @@
+<div class="form-group">
+    <span class="col-sm-12 text-muted small">
+        When using OAuth authentication, Portainer will allow users to optionally authenticate with an OAuth authorization server.
+    </span>
+  </div>
 <div>
+
   <div class="col-sm-12 form-section-title">OAuth Configuration</div>
 
   <div class="form-group">
diff --git a/app/portainer/views/settings/authentication/settingsAuthentication.html b/app/portainer/views/settings/authentication/settingsAuthentication.html
index 8c46a5aca..ebab9dcf2 100644
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@@ -62,11 +62,7 @@
               When using LDAP authentication, Portainer will delegate user authentication to a LDAP server and fallback to internal authentication if LDAP authentication fails.
             </span>
           </div>
-          <div class="form-group" ng-if="settings.AuthenticationMethod === 3">
-            <span class="col-sm-12 text-muted small">
-                When using OAuth authentication, Portainer will allow users to optionally authenticate with an OAuth authorization server.
-            </span>
-          </div>
+          
 
           <div ng-if="settings.AuthenticationMethod === 2">
             <div class="col-sm-12 form-section-title">

From 15b6941872b4ca160719ba057b819d3505f405ad Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 20:00:41 +0200
Subject: [PATCH 09/61] refactor(oauth): move oauth rest service to extension

---
 app/extensions/oauth/__module.js                           | 4 +++-
 app/{portainer => extensions/oauth/services}/rest/oauth.js | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
 rename app/{portainer => extensions/oauth/services}/rest/oauth.js (83%)

diff --git a/app/extensions/oauth/__module.js b/app/extensions/oauth/__module.js
index 80b17e495..564c659f7 100644
--- a/app/extensions/oauth/__module.js
+++ b/app/extensions/oauth/__module.js
@@ -1 +1,3 @@
-angular.module('portainer.extensions.oauth', []);
\ No newline at end of file
+angular.module('portainer.extensions.oauth', [
+  'ngResource'
+]);
\ No newline at end of file
diff --git a/app/portainer/rest/oauth.js b/app/extensions/oauth/services/rest/oauth.js
similarity index 83%
rename from app/portainer/rest/oauth.js
rename to app/extensions/oauth/services/rest/oauth.js
index c1d2a68ad..a6eff3bf7 100644
--- a/app/portainer/rest/oauth.js
+++ b/app/extensions/oauth/services/rest/oauth.js
@@ -1,4 +1,4 @@
-angular.module('portainer.app')
+angular.module('portainer.extensions.oauth')
 .factory('OAuth', ['$resource', 'API_ENDPOINT_OAUTH', function OAuthFactory($resource, API_ENDPOINT_OAUTH) {
   'use strict';
   return $resource(API_ENDPOINT_OAUTH, {}, {

From 81e3ace232600be26b589e789a645402a0e07d1d Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 20:01:06 +0200
Subject: [PATCH 10/61] fix(auth): fix oauh enabled function

---
 .../views/settings/authentication/settingsAuthentication.html   | 2 +-
 .../settings/authentication/settingsAuthenticationController.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/portainer/views/settings/authentication/settingsAuthentication.html b/app/portainer/views/settings/authentication/settingsAuthentication.html
index ebab9dcf2..8a1ac2e19 100644
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@@ -317,7 +317,7 @@
             <!-- !group-search-settings -->
           </div>
 
-          <oauth-settings ng-if="settings.AuthenticationMethod === 3" settings="OAuthSettings"></oauth-settings>
+          <oauth-settings ng-if="isOauthEnabled()" settings="OAuthSettings"></oauth-settings>
 
             <!-- actions -->
           <div class="form-group">
diff --git a/app/portainer/views/settings/authentication/settingsAuthenticationController.js b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
index a94dfd658..dc74a3b54 100644
--- a/app/portainer/views/settings/authentication/settingsAuthenticationController.js
+++ b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
@@ -15,7 +15,7 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService) {
   };
 
   $scope.isOauthEnabled = function isOauthEnabled() {
-    return $scope.settings.AuthenticationMethod === 3;
+    return $scope.settings && $scope.settings.AuthenticationMethod === 3;
   };
 
   $scope.addSearchConfiguration = function() {

From 9bebe9dee775d802c5b31fd390bd735d34399e0a Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 20:01:23 +0200
Subject: [PATCH 11/61] refactor(auth): move user setter into function

---
 app/portainer/services/authentication.js | 37 +++++++++++-------------
 1 file changed, 17 insertions(+), 20 deletions(-)

diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index b6b9c8071..7b334e10e 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -18,33 +18,22 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
     var jwt = LocalStorage.getJWT();
 
     if (jwt) {
-      var tokenPayload = jwtHelper.decodeToken(jwt);
-      user.username = tokenPayload.username;
-      user.ID = tokenPayload.id;
-      user.role = tokenPayload.role;
+      setUser(jwt);
     }
   }
 
   function oAuthLogin(code) {
-    return OAuth.login({code: code}).$promise
-    .then(function success(data) {
-      LocalStorage.storeJWT(data.jwt);
-      var tokenPayload = jwtHelper.decodeToken(data.jwt);
-      user.username = tokenPayload.username;
-      user.ID = tokenPayload.id;
-      user.role = tokenPayload.role;
-    });
+    return OAuth.login({ code: code }).$promise
+      .then(function onLoginSuccess(response) {
+        return setUser(response.jwt);
+      });
   }
 
   function login(username, password) {
-    return Auth.login({username: username, password: password}).$promise
-    .then(function success(data) {
-      LocalStorage.storeJWT(data.jwt);
-      var tokenPayload = jwtHelper.decodeToken(data.jwt);
-      user.username = username;
-      user.ID = tokenPayload.id;
-      user.role = tokenPayload.role;
-    });
+    return Auth.login({ username: username, password: password }).$promise
+      .then(function onLoginSuccess(response) {
+        return setUser(response.jwt);
+      });
   }
 
   function logout() {
@@ -62,5 +51,13 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
     return user;
   }
 
+  function setUser(jwt) {
+    LocalStorage.storeJWT(jwt);
+    var tokenPayload = jwtHelper.decodeToken(jwt);
+    user.username = tokenPayload.username;
+    user.ID = tokenPayload.id;
+    user.role = tokenPayload.role;
+  }
+
   return service;
 }]);

From 25620c50083f499ab6b1c5ae4f62797647ec0223 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 2 Jan 2019 20:49:25 +0200
Subject: [PATCH 12/61] refactor(auth): refactor get url params

---
 app/portainer/helpers/urlHelper.js         | 35 ++++++++++++----------
 app/portainer/views/auth/authController.js |  3 +-
 2 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/app/portainer/helpers/urlHelper.js b/app/portainer/helpers/urlHelper.js
index 977e22751..3125492a5 100644
--- a/app/portainer/helpers/urlHelper.js
+++ b/app/portainer/helpers/urlHelper.js
@@ -1,21 +1,24 @@
-angular.module('portainer.app').service('urlHelper', function urlHelper($location) {
-
+angular.module('portainer.app').service('urlHelper', function urlHelper($window) {
   this.getParameter = getParameter;
+  this.cleanParameters = cleanParameters;
 
   function getParameter(param) {
-    var url = $location.absUrl();
-    var index = url.indexOf('?');
-    if (index < 0) {
-      return;
-    }
-    var params = url.substring(index + 1);
-    params = params.split('&');
-    for (var i = 0; i < params.length; i++) {
-      var parameter = params[i].split('=');
-        if (parameter[0] === param) {
-          return parameter[1].split('#')[0];
-        }
-    }
-    return;
+    var parameters = extractParameters();
+    return parameters[param];
+  }
+
+  function extractParameters() {
+    var queryString = $window.location.search.replace(/.*?\?/,'').split('&');
+    return queryString.reduce(function(acc, keyValStr) {
+      var keyVal = keyValStr.split('=');
+      var key = keyVal[0];
+      var val = keyVal[1];
+      acc[key] = val;
+      return acc;
+    }, {});
+  }
+
+  function cleanParameters() {
+    $window.location.search = '';
   }
 });
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 9c80ba721..aab5905de 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -114,8 +114,9 @@ function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication
   }
 
   function oAuthLogin(code) {
-    Authentication.oAuthLogin(code)
+    return Authentication.oAuthLogin(code)
     .then(function success() {
+      urlHelper.cleanParameters();
       $state.go('portainer.home');
     })
     .catch(function error() {

From 17ac3e5ed13a194323e7c7172187892d1b8daadf Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Thu, 3 Jan 2019 13:36:17 +0200
Subject: [PATCH 13/61] refactor(oauth): move enpoint constant to extension

---
 app/constants.js                 | 1 -
 app/extensions/oauth/__module.js | 5 ++---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/app/constants.js b/app/constants.js
index f1b941de6..464089158 100644
--- a/app/constants.js
+++ b/app/constants.js
@@ -4,7 +4,6 @@ angular.module('portainer')
 .constant('API_ENDPOINT_ENDPOINTS', 'api/endpoints')
 .constant('API_ENDPOINT_ENDPOINT_GROUPS', 'api/endpoint_groups')
 .constant('API_ENDPOINT_MOTD', 'api/motd')
-.constant('API_ENDPOINT_OAUTH', 'api/oauth')
 .constant('API_ENDPOINT_EXTENSIONS', 'api/extensions')
 .constant('API_ENDPOINT_REGISTRIES', 'api/registries')
 .constant('API_ENDPOINT_RESOURCE_CONTROLS', 'api/resource_controls')
diff --git a/app/extensions/oauth/__module.js b/app/extensions/oauth/__module.js
index 564c659f7..413d9d4f6 100644
--- a/app/extensions/oauth/__module.js
+++ b/app/extensions/oauth/__module.js
@@ -1,3 +1,2 @@
-angular.module('portainer.extensions.oauth', [
-  'ngResource'
-]);
\ No newline at end of file
+angular.module('portainer.extensions.oauth', ['ngResource'])
+  .constant('API_ENDPOINT_OAUTH', 'api/oauth');

From 44b7e0fdca5c421cd0e9c6fa81e93e1ffad587ca Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Wed, 16 Jan 2019 16:49:33 +0200
Subject: [PATCH 14/61] fix(auth): change error type

Co-Authored-By: chiptus <chiptus@users.noreply.github.com>
---
 api/http/handler/auth/authenticate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/http/handler/auth/authenticate.go b/api/http/handler/auth/authenticate.go
index a0fbf7c51..eca24a902 100644
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -106,7 +106,7 @@ func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request
 	}
 
 	if settings.AuthenticationMethod != 3 {
-		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not being used", err}
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Authentication is not configured to use OAuth", err}
 	}
 
 	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)

From fc8938e8719fdc16031b110c754287c7dc83368e Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Wed, 16 Jan 2019 16:50:19 +0200
Subject: [PATCH 15/61] fix(auth): change oauth error type

Co-Authored-By: chiptus <chiptus@users.noreply.github.com>
---
 api/http/handler/auth/authenticate.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/http/handler/auth/authenticate.go b/api/http/handler/auth/authenticate.go
index eca24a902..eb1b5128d 100644
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -127,7 +127,7 @@ func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request
 	}
 
 	if u == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
-		return &httperror.HandlerError{http.StatusForbidden, "Unregistered account", portainer.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusForbidden, "Account must be created inside Portainer beforehand", portainer.ErrUnauthorized}
 	}
 
 	if u == nil {

From c650fe56c29c0a1aeb7066533fd58aee66b1026c Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Wed, 16 Jan 2019 16:53:24 +0200
Subject: [PATCH 16/61] fix(auth): fix typos

Co-Authored-By: chiptus <chiptus@users.noreply.github.com>
---
 app/portainer/services/authentication.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index 7b334e10e..39b7ada24 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -8,7 +8,7 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
   var user = {};
 
   service.init = init;
-  service.oAuthLogin = oAuthLogin;
+  service.OAuthLogin = OAuthLogin;
   service.login = login;
   service.logout = logout;
   service.isAuthenticated = isAuthenticated;
@@ -22,7 +22,7 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
     }
   }
 
-  function oAuthLogin(code) {
+  function OAuthLogin(code) {
     return OAuth.login({ code: code }).$promise
       .then(function onLoginSuccess(response) {
         return setUser(response.jwt);

From f6bdc5c2b362db99bd9517f42795bdaba1049ce4 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 17:01:38 +0200
Subject: [PATCH 17/61] refactor(auth): move oauth handler code to its own file

---
 api/http/handler/auth/authenticate.go       | 54 -----------------
 api/http/handler/auth/authenticate_oauth.go | 64 +++++++++++++++++++++
 2 files changed, 64 insertions(+), 54 deletions(-)
 create mode 100644 api/http/handler/auth/authenticate_oauth.go

diff --git a/api/http/handler/auth/authenticate.go b/api/http/handler/auth/authenticate.go
index a0fbf7c51..8183c2f7b 100644
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -93,60 +93,6 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
 	return handler.writeToken(w, user)
 }
 
-func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	var payload oauthPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	settings, err := handler.SettingsService.Settings()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
-	}
-
-	if settings.AuthenticationMethod != 3 {
-		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not being used", err}
-	}
-
-	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
-	if err != nil {
-		log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid access token", portainer.ErrUnauthorized}
-	}
-
-	username, err := handler.OAuthService.GetUsername(token, &settings.OAuthSettings)
-	if err != nil {
-		log.Printf("[DEBUG] - Failed acquiring username: %v", err)
-		return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
-	}
-
-	u, err := handler.UserService.UserByUsername(username)
-	if err != nil && err != portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
-	}
-
-	if u == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
-		return &httperror.HandlerError{http.StatusForbidden, "Unregistered account", portainer.ErrUnauthorized}
-	}
-
-	if u == nil {
-		user := &portainer.User{
-			Username: username,
-			Role:     portainer.StandardUserRole,
-		}
-
-		err = handler.UserService.CreateUser(user)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
-		}
-
-		return handler.writeToken(w, user)
-	}
-
-	return handler.writeToken(w, u)
-}
-
 func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
 	err := handler.CryptoService.CompareHashAndData(user.Password, password)
 	if err != nil {
diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
new file mode 100644
index 000000000..58319b9df
--- /dev/null
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -0,0 +1,64 @@
+package auth
+
+import (
+	"log"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/portainer"
+)
+
+func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload oauthPayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	if settings.AuthenticationMethod != 3 {
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not being used", err}
+	}
+
+	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
+	if err != nil {
+		log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid access token", portainer.ErrUnauthorized}
+	}
+
+	username, err := handler.OAuthService.GetUsername(token, &settings.OAuthSettings)
+	if err != nil {
+		log.Printf("[DEBUG] - Failed acquiring username: %v", err)
+		return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
+	}
+
+	u, err := handler.UserService.UserByUsername(username)
+	if err != nil && err != portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+	}
+
+	if u == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
+		return &httperror.HandlerError{http.StatusForbidden, "Unregistered account", portainer.ErrUnauthorized}
+	}
+
+	if u == nil {
+		user := &portainer.User{
+			Username: username,
+			Role:     portainer.StandardUserRole,
+		}
+
+		err = handler.UserService.CreateUser(user)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
+		}
+
+		return handler.writeToken(w, user)
+	}
+
+	return handler.writeToken(w, u)
+}

From 4cbde7bb0d3b19bf57f5ee39d9244645fc873316 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 17:24:58 +0200
Subject: [PATCH 18/61] refactor(auth): move oauth handler under auth

---
 api/http/handler/auth/handler.go | 5 +++--
 app/extensions/oauth/__module.js | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/api/http/handler/auth/handler.go b/api/http/handler/auth/handler.go
index 073da3a69..a97928150 100644
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -37,10 +37,11 @@ func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimi
 		Router:       mux.NewRouter(),
 		authDisabled: authDisabled,
 	}
+
+	h.Handle("/auth/oauth",
+		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticateOAuth)))).Methods(http.MethodPost)
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
-	h.Handle("/oauth",
-		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticateOAuth)))).Methods(http.MethodPost)
 
 	return h
 }
diff --git a/app/extensions/oauth/__module.js b/app/extensions/oauth/__module.js
index 413d9d4f6..8292353a5 100644
--- a/app/extensions/oauth/__module.js
+++ b/app/extensions/oauth/__module.js
@@ -1,2 +1,2 @@
 angular.module('portainer.extensions.oauth', ['ngResource'])
-  .constant('API_ENDPOINT_OAUTH', 'api/oauth');
+  .constant('API_ENDPOINT_OAUTH', 'api/auth/oauth');

From 24f066716be39f989f2f87dcb990c9e4e9293959 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 17:25:16 +0200
Subject: [PATCH 19/61] refactor(auth): expose only the login url

---
 api/http/handler/settings/settings_public.go | 15 +++++++--------
 app/portainer/views/auth/auth.html           |  2 +-
 app/portainer/views/auth/authController.js   |  5 +----
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/api/http/handler/settings/settings_public.go b/api/http/handler/settings/settings_public.go
index a803c22a5..1cb59f8c6 100644
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@@ -1,6 +1,7 @@
 package settings
 
 import (
+	"fmt"
 	"net/http"
 
 	httperror "github.com/portainer/libhttp/error"
@@ -15,10 +16,7 @@ type publicSettingsResponse struct {
 	AllowPrivilegedModeForRegularUsers bool                           `json:"AllowPrivilegedModeForRegularUsers"`
 	EnableHostManagementFeatures       bool                           `json:"EnableHostManagementFeatures"`
 	ExternalTemplates                  bool                           `json:"ExternalTemplates"`
-	AuthorizationURI                   string                         `json:"AuthorizationURI"`
-	ClientID                           string                         `json:"ClientID"`
-	RedirectURI                        string                         `json:"RedirectURI"`
-	Scopes                             string                         `json:"Scopes"`
+	OAuthLoginURI                      string                         `json:"OAuthLoginURI"`
 }
 
 // GET request on /api/settings/public
@@ -35,10 +33,11 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
 		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
 		ExternalTemplates:                  false,
-		AuthorizationURI:                   settings.OAuthSettings.AuthorizationURI,
-		ClientID:                           settings.OAuthSettings.ClientID,
-		RedirectURI:                        settings.OAuthSettings.RedirectURI,
-		Scopes:                             settings.OAuthSettings.Scopes,
+		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=portainer",
+			settings.OAuthSettings.AuthorizationURI,
+			settings.OAuthSettings.ClientID,
+			settings.OAuthSettings.RedirectURI,
+			settings.OAuthSettings.Scopes),
 	}
 
 	if settings.TemplatesURL != "" {
diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 835303ff2..05024059f 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -28,7 +28,7 @@
             <!-- login button -->
             <div class="form-group">
               <div class="col-sm-12">
-                <a ng-href="{{ AuthorizationURI }}?response_type=code&client_id={{ ClientID }}&redirect_uri={{ RedirectURI }}&scope={{ Scopes }}&state=portainer"><div class="btn btn-primary btn-sm pull-right" ng-if="AuthenticationMethod === 3" style="margin-left:2px"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> OAuth Login</div></a>
+                <a ng-href="{{OAuthLoginURI}}"><div class="btn btn-primary btn-sm pull-right" ng-if="AuthenticationMethod === 3" style="margin-left:2px"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> OAuth Login</div></a>
                 <button type="submit" class="btn btn-primary btn-sm pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login</button>
                   <span class="pull-left" style="margin: 5px;" ng-if="state.AuthenticationError">
                   <i class="fa fa-exclamation-triangle red-icon" aria-hidden="true" style="margin-right: 2px;"></i>
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index aab5905de..30ca6b42c 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -84,10 +84,7 @@ function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication
     SettingsService.publicSettings()
       .then(function success(settings) {
         $scope.AuthenticationMethod = settings.AuthenticationMethod;
-        $scope.ClientID = settings.ClientID;
-        $scope.RedirectURI = settings.RedirectURI;
-        $scope.Scopes = settings.Scopes;
-        $scope.AuthorizationURI = settings.AuthorizationURI;
+        $scope.OAuthLoginURI = settings.OAuthLoginURI;
       });
 
     if ($stateParams.logout || $stateParams.error) {

From 80d570861dbafef1a661cb5efa9984a6cf3c1b4f Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 17:34:12 +0200
Subject: [PATCH 20/61] refactor(auth): move public settings into view model

---
 app/portainer/models/settings.js              | 10 ++++++++++
 app/portainer/services/api/settingsService.js |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/portainer/models/settings.js b/app/portainer/models/settings.js
index cbf0c958a..6da0e8883 100644
--- a/app/portainer/models/settings.js
+++ b/app/portainer/models/settings.js
@@ -16,6 +16,16 @@ function SettingsViewModel(data) {
   this.EnableHostManagementFeatures = data.EnableHostManagementFeatures;
 }
 
+function PublicSettingsViewModel(settings) {
+  this.AllowBindMountsForRegularUsers = settings.AllowBindMountsForRegularUsers;
+  this.AllowPrivilegedModeForRegularUsers = settings.AllowPrivilegedModeForRegularUsers;
+  this.AuthenticationMethod = settings.AuthenticationMethod;
+  this.EnableHostManagementFeatures = settings.EnableHostManagementFeatures;
+  this.ExternalTemplates = settings.ExternalTemplates;
+  this.LogoURL = settings.LogoURL;
+  this.OAuthLoginURI = settings.OAuthLoginURI;
+}
+
 function LDAPSettingsViewModel(data) {
   this.ReaderDN = data.ReaderDN;
   this.Password = data.Password;
diff --git a/app/portainer/services/api/settingsService.js b/app/portainer/services/api/settingsService.js
index a725ce09c..c228e47bf 100644
--- a/app/portainer/services/api/settingsService.js
+++ b/app/portainer/services/api/settingsService.js
@@ -27,7 +27,7 @@ angular.module('portainer.app')
 
     Settings.publicSettings().$promise
     .then(function success(data) {
-      var settings = new SettingsViewModel(data);
+      var settings = new PublicSettingsViewModel(data);
       deferred.resolve(settings);
     })
     .catch(function error(err) {

From 3f44925d7e438ef42e3cdb7bc8cad3bd1ee545a7 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 17:37:50 +0200
Subject: [PATCH 21/61] fix(auth): fix typo - missing function

---
 app/portainer/views/auth/authController.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 30ca6b42c..fb8968e48 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -111,7 +111,7 @@ function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication
   }
 
   function oAuthLogin(code) {
-    return Authentication.oAuthLogin(code)
+    return Authentication.OAuthLogin(code)
     .then(function success() {
       urlHelper.cleanParameters();
       $state.go('portainer.home');

From b121f975fabde5c1b0576103605d6504c0ad7b2f Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 17:38:07 +0200
Subject: [PATCH 22/61] refactor(settings): remove duplicate settings

---
 app/portainer/models/settings.js | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/app/portainer/models/settings.js b/app/portainer/models/settings.js
index 6da0e8883..930ae4da5 100644
--- a/app/portainer/models/settings.js
+++ b/app/portainer/models/settings.js
@@ -3,11 +3,7 @@ function SettingsViewModel(data) {
   this.BlackListedLabels = data.BlackListedLabels;
   this.AuthenticationMethod = data.AuthenticationMethod;
   this.LDAPSettings = data.LDAPSettings;
-  this.OAuthSettings = data.OAuthSettings;
-  this.ClientID = data.ClientID;
-  this.RedirectURI = data.RedirectURI;
-  this.Scopes = data.Scopes;
-  this.AuthorizationURI = data.AuthorizationURI;
+  this.OAuthSettings = new OAuthSettingsViewModel(data.OAuthSettings);
   this.AllowBindMountsForRegularUsers = data.AllowBindMountsForRegularUsers;
   this.AllowPrivilegedModeForRegularUsers = data.AllowPrivilegedModeForRegularUsers;
   this.SnapshotInterval = data.SnapshotInterval;

From dc067b3308e8469f2bd7a98180c5f40fe788d4f4 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 17:41:56 +0200
Subject: [PATCH 23/61] refactor(http): remove old oauth handler

---
 api/http/handler/handler.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index f818edf4c..9cb3059df 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -60,8 +60,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	switch {
 	case strings.HasPrefix(r.URL.Path, "/api/auth"):
 		http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
-	case strings.HasPrefix(r.URL.Path, "/api/oauth"):
-		http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/dockerhub"):
 		http.StripPrefix("/api", h.DockerHubHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):

From b09f491f6206fcd34b03387b948ae1c9436c6f73 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 17:53:10 +0200
Subject: [PATCH 24/61] style(auth): remove comments and change error

---
 api/http/handler/settings/settings_update.go                    | 2 +-
 api/oauth/oauth.go                                              | 2 +-
 .../components/oauth-settings/oauth-settings-controller.js      | 0
 .../oauth/components/oauth-settings/oauth-settings.js           | 1 -
 4 files changed, 2 insertions(+), 3 deletions(-)
 delete mode 100644 app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js

diff --git a/api/http/handler/settings/settings_update.go b/api/http/handler/settings/settings_update.go
index 919d8a075..b4ddb9e96 100644
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -26,7 +26,7 @@ type settingsUpdatePayload struct {
 
 func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
 	if *payload.AuthenticationMethod != 1 && *payload.AuthenticationMethod != 2 && *payload.AuthenticationMethod != 3 {
-		return portainer.Error("Invalid authentication method value. Value must be one of: 1 (internal) or 2 (LDAP/AD)")
+		return portainer.Error("Invalid authentication method value. Value must be one of: 1 (internal), 2 (LDAP/AD) or 3 (OAuth)")
 	}
 	if payload.LogoURL != nil && *payload.LogoURL != "" && !govalidator.IsURL(*payload.LogoURL) {
 		return portainer.Error("Invalid logo URL. Must correspond to a valid URL format")
diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
index d2ceffa55..bafd99443 100644
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@@ -18,7 +18,7 @@ import (
 
 const (
 	// ErrInvalidCode defines an error raised when the user authorization code is invalid
-	ErrInvalidCode = portainer.Error("Authorization code is invalid")
+	ErrInvalidCode = portainer.Error("Invalid OAuth authorization code")
 )
 
 // Service represents a service used to authenticate users against an authorization server
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
deleted file mode 100644
index e69de29bb..000000000
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.js b/app/extensions/oauth/components/oauth-settings/oauth-settings.js
index 9301a0e12..d5031d187 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.js
@@ -3,5 +3,4 @@ angular.module('portainer.extensions.oauth').component('oauthSettings', {
   bindings: {
     settings: '<'
   }
-  // controller: 'oauthSettingsController'
 });

From 0d4e1d00f06b95bec340ea7c87d673481578f553 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 18:00:01 +0200
Subject: [PATCH 25/61] refactor(login): move oauth button to right

---
 app/portainer/views/auth/auth.html | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 05024059f..62c26d8b6 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -27,10 +27,16 @@
             <!-- !password input -->
             <!-- login button -->
             <div class="form-group">
-              <div class="col-sm-12">
-                <a ng-href="{{OAuthLoginURI}}"><div class="btn btn-primary btn-sm pull-right" ng-if="AuthenticationMethod === 3" style="margin-left:2px"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> OAuth Login</div></a>
+              <div class="col-sm-12" >
+                <a ng-href="{{OAuthLoginURI}}" ng-if="AuthenticationMethod === 3">
+                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px">
+                    <i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login with OAuth
+                  </div>
+                </a>
+
                 <button type="submit" class="btn btn-primary btn-sm pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login</button>
-                  <span class="pull-left" style="margin: 5px;" ng-if="state.AuthenticationError">
+                
+                <span class="pull-right" style="margin: 5px;" ng-if="state.AuthenticationError">
                   <i class="fa fa-exclamation-triangle red-icon" aria-hidden="true" style="margin-right: 2px;"></i>
                   <span class="small text-danger">{{ state.AuthenticationError }}</span>
                 </span>

From 0a439b3893808ee603d478762ff89b9b2b94b87b Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Wed, 16 Jan 2019 18:57:15 +0200
Subject: [PATCH 26/61] refactor(auth): extract oauth login mechanism to
 service

---
 .../oauth/services/oauth-service.js           | 53 +++++++++++++++++++
 app/portainer/helpers/urlHelper.js            |  8 +--
 app/portainer/services/authentication.js      | 14 ++---
 app/portainer/views/auth/auth.html            |  8 ++-
 app/portainer/views/auth/authController.js    | 32 ++++++-----
 5 files changed, 83 insertions(+), 32 deletions(-)
 create mode 100644 app/extensions/oauth/services/oauth-service.js

diff --git a/app/extensions/oauth/services/oauth-service.js b/app/extensions/oauth/services/oauth-service.js
new file mode 100644
index 000000000..d1985c693
--- /dev/null
+++ b/app/extensions/oauth/services/oauth-service.js
@@ -0,0 +1,53 @@
+angular.module('portainer.extensions.oauth').service('OAuthService', [
+  'SettingsService', 'OAuth', 'urlHelper',
+  function OAuthService(SettingsService, OAuth, urlHelper) {
+    this.login = login;
+
+    function login() {
+      return getLoginURI()
+        .then(function openPopup(loginUrl) {
+          var popup = window.open(loginUrl, 'login-popup', 'width=800, height=600');
+          if (!popup) {
+            throw new Error('Please enable popups for this page');
+          }
+          return waitForCode(popup);
+        })
+        .then(function onCodeReady(code) {
+          return OAuth.login({ code: code }).$promise;
+        });
+    }
+
+    function getLoginURI() {
+      return SettingsService.publicSettings().then(function onLoadSettings(settings) {
+        if (settings.AuthenticationMethod !== 3) {
+          throw new Error('OAuth is disabled');
+        }
+        return settings.OAuthLoginURI;
+      });
+    }
+
+    function waitForCode(popup) {
+      return waitFor(function checkIfCodeIsAvailable() {
+        if (popup.document.URL.indexOf('code') !== -1) {
+          var queryParams = popup.location.search;
+          popup.close();
+          return urlHelper.getParameter(queryParams, 'code');
+        }
+      });
+    }
+
+    function waitFor(clbk, interval) {
+      interval = interval || 100;
+      var intervalId;
+      return new Promise(function executor(resolve) {
+        intervalId = setInterval(function intervalFunction() {
+          var callbackReturn = clbk();
+          if (callbackReturn) {
+            clearInterval(intervalId);
+            resolve(callbackReturn);
+          }
+        }, interval);
+      });
+    }
+  }
+]);
diff --git a/app/portainer/helpers/urlHelper.js b/app/portainer/helpers/urlHelper.js
index 3125492a5..daacf0131 100644
--- a/app/portainer/helpers/urlHelper.js
+++ b/app/portainer/helpers/urlHelper.js
@@ -2,13 +2,13 @@ angular.module('portainer.app').service('urlHelper', function urlHelper($window)
   this.getParameter = getParameter;
   this.cleanParameters = cleanParameters;
 
-  function getParameter(param) {
-    var parameters = extractParameters();
+  function getParameter(queryParams, param) {
+    var parameters = extractParameters(queryParams);
     return parameters[param];
   }
 
-  function extractParameters() {
-    var queryString = $window.location.search.replace(/.*?\?/,'').split('&');
+  function extractParameters(queryParams) {
+    var queryString = queryParams.replace(/.*?\?/,'').split('&');
     return queryString.reduce(function(acc, keyValStr) {
       var keyVal = keyValStr.split('=');
       var key = keyVal[0];
diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index 39b7ada24..ac03e1fde 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -1,7 +1,7 @@
 angular.module('portainer.app')
 .factory('Authentication', [
-'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', 
-function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
+'Auth', 'OAuthService', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', 
+function AuthenticationFactory(Auth, OAuthService, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
   'use strict';
 
   var service = {};
@@ -13,6 +13,8 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
   service.logout = logout;
   service.isAuthenticated = isAuthenticated;
   service.getUserDetails = getUserDetails;
+  
+  
 
   function init() {
     var jwt = LocalStorage.getJWT();
@@ -22,10 +24,10 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
     }
   }
 
-  function OAuthLogin(code) {
-    return OAuth.login({ code: code }).$promise
-      .then(function onLoginSuccess(response) {
-        return setUser(response.jwt);
+  function OAuthLogin() {
+    return OAuthService.login()
+      .then(function onLoginSuccess(loginResponse) {
+        setUser(loginResponse.jwt);
       });
   }
 
diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 62c26d8b6..e32b7633a 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -28,11 +28,9 @@
             <!-- login button -->
             <div class="form-group">
               <div class="col-sm-12" >
-                <a ng-href="{{OAuthLoginURI}}" ng-if="AuthenticationMethod === 3">
-                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px">
-                    <i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login with OAuth
-                  </div>
-                </a>
+                <button class="btn btn-primary btn-sm pull-left" ng-click="oauthLogin()" style="margin-left:2px" ng-if="AuthenticationMethod === 3">
+                  <i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login with OAuth
+                </button>
 
                 <button type="submit" class="btn btn-primary btn-sm pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login</button>
                 
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index fb8968e48..575ecdc6a 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -1,6 +1,6 @@
 angular.module('portainer.app')
-.controller('AuthenticationController', ['urlHelper','$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
-function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
+.controller('AuthenticationController', ['$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
+function ($q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
   $scope.logo = StateManager.getState().application.logo;
 
   $scope.formValues = {
@@ -37,6 +37,17 @@ function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication
     });
   };
 
+  $scope.oauthLogin = function oauthLogin() {
+    return Authentication.OAuthLogin()
+    .then(function onLoginSuccess() {
+      return $state.go('portainer.home');
+    })
+    .catch(function onError(error) {
+      $scope.state.AuthenticationError = error.message;
+    });
+  };
+
+
   function unauthenticatedFlow() {
     EndpointService.endpoints()
     .then(function success(endpoints) {
@@ -104,23 +115,10 @@ function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication
       authenticatedFlow();
     }
 
-    var code = urlHelper.getParameter('code');
-    if (code) {
-      oAuthLogin(code);
-    }
-  }
-
-  function oAuthLogin(code) {
-    return Authentication.OAuthLogin(code)
-    .then(function success() {
-      urlHelper.cleanParameters();
-      $state.go('portainer.home');
-    })
-    .catch(function error() {
-      $scope.state.AuthenticationError = 'Failed to authenticate with OAuth2 Provider';
-    });
+    
   }
 
+  
 
   initView();
 }]);

From c28274667d643d3a34a0f01dc78fc5f993d85e27 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 18 Jan 2019 10:13:33 +0200
Subject: [PATCH 27/61] refactor(oauth): use oauth2 to generate login url

---
 api/http/handler/auth/authenticate.go         | 11 -----
 api/http/handler/auth/authenticate_oauth.go   | 43 +++++++++++++++++++
 api/http/handler/auth/handler.go              |  4 +-
 .../oauth/services/oauth-service.js           | 32 +++++---------
 app/extensions/oauth/services/rest/oauth.js   | 10 +++--
 5 files changed, 63 insertions(+), 37 deletions(-)

diff --git a/api/http/handler/auth/authenticate.go b/api/http/handler/auth/authenticate.go
index 8183c2f7b..d5562edd3 100644
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -17,10 +17,6 @@ type authenticatePayload struct {
 	Password string
 }
 
-type oauthPayload struct {
-	Code string
-}
-
 type authenticateResponse struct {
 	JWT string `json:"jwt"`
 }
@@ -35,13 +31,6 @@ func (payload *authenticatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-func (payload *oauthPayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Code) {
-		return portainer.Error("Invalid OAuth authorization code")
-	}
-	return nil
-}
-
 func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	if handler.authDisabled {
 		return &httperror.HandlerError{http.StatusServiceUnavailable, "Cannot authenticate user. Portainer was started with the --no-auth flag", ErrAuthDisabled}
diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index 58319b9df..2e311c8b8 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -3,12 +3,27 @@ package auth
 import (
 	"log"
 	"net/http"
+	"strings"
 
+	"golang.org/x/oauth2"
+
+	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/portainer"
 )
 
+type oauthPayload struct {
+	Code string
+}
+
+func (payload *oauthPayload) Validate(r *http.Request) error {
+	if govalidator.IsNull(payload.Code) {
+		return portainer.Error("Invalid OAuth authorization code")
+	}
+	return nil
+}
+
 func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload oauthPayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
@@ -62,3 +77,31 @@ func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request
 
 	return handler.writeToken(w, u)
 }
+
+func (handler *Handler) loginOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	settings, err := handler.SettingsService.Settings()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+	}
+
+	if settings.AuthenticationMethod != 3 {
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is disabled", err}
+	}
+
+	endpoint := oauth2.Endpoint{
+		AuthURL:  settings.OAuthSettings.AuthorizationURI,
+		TokenURL: settings.OAuthSettings.AccessTokenURI,
+	}
+
+	oauthConfig := &oauth2.Config{
+		ClientID:     settings.OAuthSettings.ClientID,
+		ClientSecret: settings.OAuthSettings.ClientSecret,
+		Endpoint:     endpoint,
+		RedirectURL:  settings.OAuthSettings.RedirectURI,
+		Scopes:       strings.Split(settings.OAuthSettings.Scopes, ","),
+	}
+
+	url := oauthConfig.AuthCodeURL("portainer")
+	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
+	return nil
+}
diff --git a/api/http/handler/auth/handler.go b/api/http/handler/auth/handler.go
index a97928150..4bc440a63 100644
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -38,7 +38,9 @@ func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimi
 		authDisabled: authDisabled,
 	}
 
-	h.Handle("/auth/oauth",
+	h.Handle("/auth/oauth/login",
+		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.loginOAuth)))).Methods(http.MethodGet)
+	h.Handle("/auth/oauth/validate",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticateOAuth)))).Methods(http.MethodPost)
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
diff --git a/app/extensions/oauth/services/oauth-service.js b/app/extensions/oauth/services/oauth-service.js
index d1985c693..88221dd5b 100644
--- a/app/extensions/oauth/services/oauth-service.js
+++ b/app/extensions/oauth/services/oauth-service.js
@@ -1,28 +1,16 @@
 angular.module('portainer.extensions.oauth').service('OAuthService', [
-  'SettingsService', 'OAuth', 'urlHelper',
-  function OAuthService(SettingsService, OAuth, urlHelper) {
+  'API_ENDPOINT_OAUTH', 'OAuth', 'urlHelper', 'Notifications',
+  function OAuthService(API_ENDPOINT_OAUTH, OAuth, urlHelper, Notifications) {
     this.login = login;
 
     function login() {
-      return getLoginURI()
-        .then(function openPopup(loginUrl) {
-          var popup = window.open(loginUrl, 'login-popup', 'width=800, height=600');
-          if (!popup) {
-            throw new Error('Please enable popups for this page');
-          }
-          return waitForCode(popup);
-        })
-        .then(function onCodeReady(code) {
-          return OAuth.login({ code: code }).$promise;
-        });
-    }
-
-    function getLoginURI() {
-      return SettingsService.publicSettings().then(function onLoadSettings(settings) {
-        if (settings.AuthenticationMethod !== 3) {
-          throw new Error('OAuth is disabled');
-        }
-        return settings.OAuthLoginURI;
+      var loginUrl = API_ENDPOINT_OAUTH + '/login';
+      var popup = window.open(loginUrl, 'login-popup', 'width=800, height=600');
+      if (!popup) {
+        Notifications.warn('Please enable popups for this page');
+      }
+      return waitForCode(popup).then(function onCodeReady(code) {
+        return OAuth.validate({ code: code }).$promise;
       });
     }
 
@@ -49,5 +37,5 @@ angular.module('portainer.extensions.oauth').service('OAuthService', [
         }, interval);
       });
     }
-  }
+  },
 ]);
diff --git a/app/extensions/oauth/services/rest/oauth.js b/app/extensions/oauth/services/rest/oauth.js
index a6eff3bf7..f33e7b30f 100644
--- a/app/extensions/oauth/services/rest/oauth.js
+++ b/app/extensions/oauth/services/rest/oauth.js
@@ -1,9 +1,13 @@
 angular.module('portainer.extensions.oauth')
 .factory('OAuth', ['$resource', 'API_ENDPOINT_OAUTH', function OAuthFactory($resource, API_ENDPOINT_OAUTH) {
   'use strict';
-  return $resource(API_ENDPOINT_OAUTH, {}, {
-    login: {
-      method: 'POST', ignoreLoadingBar: true
+  return $resource(API_ENDPOINT_OAUTH + '/:action', {}, {
+    validate: {
+      method: 'POST', 
+      ignoreLoadingBar: true,
+      params: {
+        action: 'validate'
+      }
     }
   });
 }]);
\ No newline at end of file

From c5c06b307af5884dcb7950b5e18c7c724edf1385 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 18 Jan 2019 10:15:02 +0200
Subject: [PATCH 28/61] refactor(oauth): rename authenticate function

---
 api/http/handler/auth/authenticate_oauth.go | 2 +-
 api/http/handler/auth/handler.go            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index 2e311c8b8..8e7542cb2 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -24,7 +24,7 @@ func (payload *oauthPayload) Validate(r *http.Request) error {
 	return nil
 }
 
-func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload oauthPayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
diff --git a/api/http/handler/auth/handler.go b/api/http/handler/auth/handler.go
index 4bc440a63..50e956e76 100644
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -41,7 +41,7 @@ func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimi
 	h.Handle("/auth/oauth/login",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.loginOAuth)))).Methods(http.MethodGet)
 	h.Handle("/auth/oauth/validate",
-		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticateOAuth)))).Methods(http.MethodPost)
+		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.validateOAuth)))).Methods(http.MethodPost)
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
 

From 60040e90d01a61a73ecc20b2c53c9e1a980466a9 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 18 Jan 2019 10:24:42 +0200
Subject: [PATCH 29/61] refactor(oauth): move build url logic to service

---
 api/http/handler/auth/authenticate_oauth.go | 18 +-----------------
 api/oauth/oauth.go                          | 18 ++++++++++++++++++
 api/portainer.go                            |  1 +
 3 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index 8e7542cb2..43dcdc33c 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -3,9 +3,6 @@ package auth
 import (
 	"log"
 	"net/http"
-	"strings"
-
-	"golang.org/x/oauth2"
 
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
@@ -88,20 +85,7 @@ func (handler *Handler) loginOAuth(w http.ResponseWriter, r *http.Request) *http
 		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is disabled", err}
 	}
 
-	endpoint := oauth2.Endpoint{
-		AuthURL:  settings.OAuthSettings.AuthorizationURI,
-		TokenURL: settings.OAuthSettings.AccessTokenURI,
-	}
-
-	oauthConfig := &oauth2.Config{
-		ClientID:     settings.OAuthSettings.ClientID,
-		ClientSecret: settings.OAuthSettings.ClientSecret,
-		Endpoint:     endpoint,
-		RedirectURL:  settings.OAuthSettings.RedirectURI,
-		Scopes:       strings.Split(settings.OAuthSettings.Scopes, ","),
-	}
-
-	url := oauthConfig.AuthCodeURL("portainer")
+	url := handler.OAuthService.BuildLoginURL(settings.OAuthSettings)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 	return nil
 }
diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
index bafd99443..87439a636 100644
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@@ -165,3 +165,21 @@ func (*Service) GetUsername(token string, settings *portainer.OAuthSettings) (st
 		Body:     body,
 	}
 }
+
+// BuildLoginURL creates a login url for the oauth provider
+func (*Service) BuildLoginURL(oauthSettings portainer.OAuthSettings) string {
+	endpoint := oauth2.Endpoint{
+		AuthURL:  oauthSettings.AuthorizationURI,
+		TokenURL: oauthSettings.AccessTokenURI,
+	}
+
+	oauthConfig := &oauth2.Config{
+		ClientID:     oauthSettings.ClientID,
+		ClientSecret: oauthSettings.ClientSecret,
+		Endpoint:     endpoint,
+		RedirectURL:  oauthSettings.RedirectURI,
+		Scopes:       strings.Split(oauthSettings.Scopes, ","),
+	}
+
+	return oauthConfig.AuthCodeURL("portainer")
+}
diff --git a/api/portainer.go b/api/portainer.go
index fe099769e..b5682c344 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -766,6 +766,7 @@ type (
 	OAuthService interface {
 		GetAccessToken(code string, settings *OAuthSettings) (string, error)
 		GetUsername(token string, settings *OAuthSettings) (string, error)
+		BuildLoginURL(oauthSettings OAuthSettings) string
 	}
 
 	// SwarmStackManager represents a service to manage Swarm stacks

From 46e8f10aead6e12988219da488d3f6567888da21 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 18 Jan 2019 10:56:16 +0200
Subject: [PATCH 30/61] refactor(ouath): use oauth2 library to get token

---
 api/http/handler/auth/authenticate_oauth.go | 13 ++-
 api/oauth/oauth.go                          | 96 +++------------------
 api/portainer.go                            |  2 +-
 3 files changed, 18 insertions(+), 93 deletions(-)

diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index 43dcdc33c..d8a446d3e 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -49,17 +49,17 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
 	}
 
-	u, err := handler.UserService.UserByUsername(username)
+	user, err := handler.UserService.UserByUsername(username)
 	if err != nil && err != portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
 	}
 
-	if u == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
+	if user == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
 		return &httperror.HandlerError{http.StatusForbidden, "Unregistered account", portainer.ErrUnauthorized}
 	}
 
-	if u == nil {
-		user := &portainer.User{
+	if user == nil {
+		user = &portainer.User{
 			Username: username,
 			Role:     portainer.StandardUserRole,
 		}
@@ -69,10 +69,9 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
 		}
 
-		return handler.writeToken(w, user)
 	}
 
-	return handler.writeToken(w, u)
+	return handler.writeToken(w, user)
 }
 
 func (handler *Handler) loginOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
@@ -85,7 +84,7 @@ func (handler *Handler) loginOAuth(w http.ResponseWriter, r *http.Request) *http
 		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is disabled", err}
 	}
 
-	url := handler.OAuthService.BuildLoginURL(settings.OAuthSettings)
+	url := handler.OAuthService.BuildLoginURL(&settings.OAuthSettings)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 	return nil
 }
diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
index 87439a636..c716ef90a 100644
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@@ -1,12 +1,10 @@
 package oauth
 
 import (
+	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"io"
 	"io/ioutil"
-	"log"
 	"mime"
 	"net/http"
 	"net/url"
@@ -26,84 +24,9 @@ type Service struct{}
 
 // GetAccessToken takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint
 func (*Service) GetAccessToken(code string, settings *portainer.OAuthSettings) (string, error) {
-	v := url.Values{}
-	v.Set("client_id", settings.ClientID)
-	v.Set("client_secret", settings.ClientSecret)
-	v.Set("redirect_uri", settings.RedirectURI)
-	v.Set("code", code)
-	v.Set("grant_type", "authorization_code")
-
-	req, err := http.NewRequest("POST", settings.AccessTokenURI, strings.NewReader(v.Encode()))
-	if err != nil {
-		return "", err
-	}
-
-	client := &http.Client{}
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	r, err := client.Do(req)
-	if err != nil {
-		return "", err
-	}
-
-	body, err := ioutil.ReadAll(io.LimitReader(r.Body, 1<<20))
-	if err != nil {
-		return "", fmt.Errorf("oauth2: cannot fetch token: %v", err)
-	}
-
-	if r.StatusCode != http.StatusOK {
-		type ErrorMessage struct {
-			Message string
-			Type    string
-			Code    int
-		}
-		type ErrorResponse struct {
-			Error ErrorMessage
-		}
-
-		var response ErrorResponse
-		if err = json.Unmarshal(body, &response); err != nil {
-			// report also error
-			log.Printf("[Error] - Failed parsing error body: %v", err)
-			return "", errors.New("oauth2: cannot fetch token")
-		}
-
-		return "", errors.New(response.Error.Message)
-	}
-
-	content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
-	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
-		values, err := url.ParseQuery(string(body))
-		if err != nil {
-			return "", err
-		}
-
-		token := values.Get("access_token")
-		log.Printf("[DEBUG] - returned body %v", values)
-
-		if token == "" {
-			log.Printf("[DEBUG] - access token returned empty - %v", values)
-			return "", errors.New("oauth2: cannot fetch token")
-		}
-
-		return token, nil
-	}
-
-	type tokenJSON struct {
-		AccessToken string `json:"access_token"`
-	}
-
-	var tj tokenJSON
-	if err = json.Unmarshal(body, &tj); err != nil {
-		return "", err
-	}
-
-	token := tj.AccessToken
-
-	if token == "" {
-		log.Printf("[DEBUG] - access token returned empty - %v with status code", string(body), r.StatusCode)
-		return "", errors.New("oauth2: cannot fetch token")
-	}
-	return token, nil
+	config := buildConfig(settings)
+	token, err := config.Exchange(context.Background(), code)
+	return token.AccessToken, err
 }
 
 // GetUsername takes a token and retrieves the portainer OAuthSettings user identifier from resource server.
@@ -167,19 +90,22 @@ func (*Service) GetUsername(token string, settings *portainer.OAuthSettings) (st
 }
 
 // BuildLoginURL creates a login url for the oauth provider
-func (*Service) BuildLoginURL(oauthSettings portainer.OAuthSettings) string {
+func (*Service) BuildLoginURL(oauthSettings *portainer.OAuthSettings) string {
+	oauthConfig := buildConfig(oauthSettings)
+	return oauthConfig.AuthCodeURL("portainer")
+}
+
+func buildConfig(oauthSettings *portainer.OAuthSettings) *oauth2.Config {
 	endpoint := oauth2.Endpoint{
 		AuthURL:  oauthSettings.AuthorizationURI,
 		TokenURL: oauthSettings.AccessTokenURI,
 	}
 
-	oauthConfig := &oauth2.Config{
+	return &oauth2.Config{
 		ClientID:     oauthSettings.ClientID,
 		ClientSecret: oauthSettings.ClientSecret,
 		Endpoint:     endpoint,
 		RedirectURL:  oauthSettings.RedirectURI,
 		Scopes:       strings.Split(oauthSettings.Scopes, ","),
 	}
-
-	return oauthConfig.AuthCodeURL("portainer")
 }
diff --git a/api/portainer.go b/api/portainer.go
index b5682c344..63f886f0f 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -766,7 +766,7 @@ type (
 	OAuthService interface {
 		GetAccessToken(code string, settings *OAuthSettings) (string, error)
 		GetUsername(token string, settings *OAuthSettings) (string, error)
-		BuildLoginURL(oauthSettings OAuthSettings) string
+		BuildLoginURL(oauthSettings *OAuthSettings) string
 	}
 
 	// SwarmStackManager represents a service to manage Swarm stacks

From de5f6086d067034c938c272f70d11fd90cfe4fc5 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 18 Jan 2019 11:51:41 +0200
Subject: [PATCH 31/61] refactor(oauth): return parse content error

---
 api/oauth/oauth.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
index c716ef90a..12d0d440c 100644
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@@ -56,7 +56,11 @@ func (*Service) GetUsername(token string, settings *portainer.OAuthSettings) (st
 		}
 	}
 
-	content, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	content, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+	if err != nil {
+		return "", err
+	}
+
 	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
 		values, err := url.ParseQuery(string(body))
 		if err != nil {

From 193e7eb3f84ca62ebdeded3bbd29f5d52450c029 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 18 Jan 2019 11:53:44 +0200
Subject: [PATCH 32/61] refactor(oauth): remove separation of strings

---
 api/oauth/oauth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
index 12d0d440c..3b3d210bc 100644
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@@ -8,7 +8,6 @@ import (
 	"mime"
 	"net/http"
 	"net/url"
-	"strings"
 
 	"github.com/portainer/portainer"
 	"golang.org/x/oauth2"
@@ -110,6 +109,7 @@ func buildConfig(oauthSettings *portainer.OAuthSettings) *oauth2.Config {
 		ClientSecret: oauthSettings.ClientSecret,
 		Endpoint:     endpoint,
 		RedirectURL:  oauthSettings.RedirectURI,
-		Scopes:       strings.Split(oauthSettings.Scopes, ","),
+		// TODO figure out how to handle different providers, see https://github.com/golang/oauth2/issues/119
+		Scopes: []string{oauthSettings.Scopes},
 	}
 }

From 69252a8377bad49368767109218c5ec242b55906 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 18 Jan 2019 12:08:18 +0200
Subject: [PATCH 33/61] refactour(auth): move information body to each setting

---
 .../settingsAuthentication.html               | 29 +++++++++++--------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/app/portainer/views/settings/authentication/settingsAuthentication.html b/app/portainer/views/settings/authentication/settingsAuthentication.html
index 8a1ac2e19..d7427269c 100644
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@@ -49,26 +49,31 @@
               </div>
             </div>
           </div>
-          <div class="col-sm-12 form-section-title">
-            Information
-          </div>
-          <div class="form-group" ng-if="settings.AuthenticationMethod === 1">
-            <span class="col-sm-12 text-muted small">
+          
+          <div ng-if="settings.AuthenticationMethod === 1">
+            <div class="col-sm-12 form-section-title">
+              Information
+            </div>
+            <div class="form-group col-sm-12 text-muted small">
               When using internal authentication, Portainer will encrypt user passwords and store credentials locally.
-            </span>
-          </div>
-          <div class="form-group" ng-if="settings.AuthenticationMethod === 2">
-            <span class="col-sm-12 text-muted small">
-              When using LDAP authentication, Portainer will delegate user authentication to a LDAP server and fallback to internal authentication if LDAP authentication fails.
-            </span>
+            </div>
           </div>
           
 
           <div ng-if="settings.AuthenticationMethod === 2">
+            <div>
+              <div class="col-sm-12 form-section-title">
+                Information
+              </div>
+              <div class="form-group col-sm-12 text-muted small">
+                When using LDAP authentication, Portainer will delegate user authentication to a LDAP server and fallback to internal authentication if LDAP authentication fails.
+              </div>
+          </div>
+
             <div class="col-sm-12 form-section-title">
               LDAP configuration
             </div>
-
+            
             <div class="form-group">
               <label for="ldap_url" class="col-sm-3 col-lg-2 control-label text-left">
                 LDAP Server

From 3699b794ebf468f022697526397e016b18a37a9c Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 18 Jan 2019 12:14:12 +0200
Subject: [PATCH 34/61] feat(oauth): add providers selectors

---
 .../oauth-providers-selector.html               | 17 +++++++++++++++++
 .../oauth-providers-selector.js                 |  4 ++++
 2 files changed, 21 insertions(+)
 create mode 100644 app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
 create mode 100644 app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js

diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
new file mode 100644
index 000000000..ca2da3d44
--- /dev/null
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
@@ -0,0 +1,17 @@
+<div class="col-sm-12 form-section-title">
+    Provider
+  </div>
+
+
+<div class="form-group">
+  <div class="col-sm-12">
+    <select
+      class="form-control"
+      id="oauth-provider-selector"
+      ng-model="$ctrl.selectedProvider"
+      ng-options="provider as provider for provider in $ctrl.providers"
+    >
+    <option value="">Custom</option>
+  </select>
+  </div>
+</div>
diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js
new file mode 100644
index 000000000..9efd413b1
--- /dev/null
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js
@@ -0,0 +1,4 @@
+angular.module('portainer.extensions.oauth')
+  .component('oauthProvidersSelector', {
+    templateUrl: 'app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html'
+  });
\ No newline at end of file

From 41ded640374d176d246bfd37c8795d312ac28d35 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 25 Jan 2019 10:37:23 +0200
Subject: [PATCH 35/61] Revert "refactor(auth): extract oauth login mechanism
 to service"

This reverts commit 0a439b3893808ee603d478762ff89b9b2b94b87b.
---
 .../oauth/services/oauth-service.js           | 41 -------------------
 app/portainer/helpers/urlHelper.js            |  8 ++--
 app/portainer/services/authentication.js      | 14 +++----
 app/portainer/views/auth/auth.html            |  8 ++--
 app/portainer/views/auth/authController.js    | 32 ++++++++-------
 5 files changed, 32 insertions(+), 71 deletions(-)
 delete mode 100644 app/extensions/oauth/services/oauth-service.js

diff --git a/app/extensions/oauth/services/oauth-service.js b/app/extensions/oauth/services/oauth-service.js
deleted file mode 100644
index 88221dd5b..000000000
--- a/app/extensions/oauth/services/oauth-service.js
+++ /dev/null
@@ -1,41 +0,0 @@
-angular.module('portainer.extensions.oauth').service('OAuthService', [
-  'API_ENDPOINT_OAUTH', 'OAuth', 'urlHelper', 'Notifications',
-  function OAuthService(API_ENDPOINT_OAUTH, OAuth, urlHelper, Notifications) {
-    this.login = login;
-
-    function login() {
-      var loginUrl = API_ENDPOINT_OAUTH + '/login';
-      var popup = window.open(loginUrl, 'login-popup', 'width=800, height=600');
-      if (!popup) {
-        Notifications.warn('Please enable popups for this page');
-      }
-      return waitForCode(popup).then(function onCodeReady(code) {
-        return OAuth.validate({ code: code }).$promise;
-      });
-    }
-
-    function waitForCode(popup) {
-      return waitFor(function checkIfCodeIsAvailable() {
-        if (popup.document.URL.indexOf('code') !== -1) {
-          var queryParams = popup.location.search;
-          popup.close();
-          return urlHelper.getParameter(queryParams, 'code');
-        }
-      });
-    }
-
-    function waitFor(clbk, interval) {
-      interval = interval || 100;
-      var intervalId;
-      return new Promise(function executor(resolve) {
-        intervalId = setInterval(function intervalFunction() {
-          var callbackReturn = clbk();
-          if (callbackReturn) {
-            clearInterval(intervalId);
-            resolve(callbackReturn);
-          }
-        }, interval);
-      });
-    }
-  },
-]);
diff --git a/app/portainer/helpers/urlHelper.js b/app/portainer/helpers/urlHelper.js
index daacf0131..3125492a5 100644
--- a/app/portainer/helpers/urlHelper.js
+++ b/app/portainer/helpers/urlHelper.js
@@ -2,13 +2,13 @@ angular.module('portainer.app').service('urlHelper', function urlHelper($window)
   this.getParameter = getParameter;
   this.cleanParameters = cleanParameters;
 
-  function getParameter(queryParams, param) {
-    var parameters = extractParameters(queryParams);
+  function getParameter(param) {
+    var parameters = extractParameters();
     return parameters[param];
   }
 
-  function extractParameters(queryParams) {
-    var queryString = queryParams.replace(/.*?\?/,'').split('&');
+  function extractParameters() {
+    var queryString = $window.location.search.replace(/.*?\?/,'').split('&');
     return queryString.reduce(function(acc, keyValStr) {
       var keyVal = keyValStr.split('=');
       var key = keyVal[0];
diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index ac03e1fde..39b7ada24 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -1,7 +1,7 @@
 angular.module('portainer.app')
 .factory('Authentication', [
-'Auth', 'OAuthService', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', 
-function AuthenticationFactory(Auth, OAuthService, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
+'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', 
+function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
   'use strict';
 
   var service = {};
@@ -13,8 +13,6 @@ function AuthenticationFactory(Auth, OAuthService, jwtHelper, LocalStorage, Stat
   service.logout = logout;
   service.isAuthenticated = isAuthenticated;
   service.getUserDetails = getUserDetails;
-  
-  
 
   function init() {
     var jwt = LocalStorage.getJWT();
@@ -24,10 +22,10 @@ function AuthenticationFactory(Auth, OAuthService, jwtHelper, LocalStorage, Stat
     }
   }
 
-  function OAuthLogin() {
-    return OAuthService.login()
-      .then(function onLoginSuccess(loginResponse) {
-        setUser(loginResponse.jwt);
+  function OAuthLogin(code) {
+    return OAuth.login({ code: code }).$promise
+      .then(function onLoginSuccess(response) {
+        return setUser(response.jwt);
       });
   }
 
diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index e32b7633a..62c26d8b6 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -28,9 +28,11 @@
             <!-- login button -->
             <div class="form-group">
               <div class="col-sm-12" >
-                <button class="btn btn-primary btn-sm pull-left" ng-click="oauthLogin()" style="margin-left:2px" ng-if="AuthenticationMethod === 3">
-                  <i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login with OAuth
-                </button>
+                <a ng-href="{{OAuthLoginURI}}" ng-if="AuthenticationMethod === 3">
+                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px">
+                    <i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login with OAuth
+                  </div>
+                </a>
 
                 <button type="submit" class="btn btn-primary btn-sm pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login</button>
                 
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 575ecdc6a..fb8968e48 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -1,6 +1,6 @@
 angular.module('portainer.app')
-.controller('AuthenticationController', ['$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
-function ($q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
+.controller('AuthenticationController', ['urlHelper','$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
+function (urlHelper, $q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
   $scope.logo = StateManager.getState().application.logo;
 
   $scope.formValues = {
@@ -37,17 +37,6 @@ function ($q, $scope, $state, $stateParams, $sanitize, Authentication, UserServi
     });
   };
 
-  $scope.oauthLogin = function oauthLogin() {
-    return Authentication.OAuthLogin()
-    .then(function onLoginSuccess() {
-      return $state.go('portainer.home');
-    })
-    .catch(function onError(error) {
-      $scope.state.AuthenticationError = error.message;
-    });
-  };
-
-
   function unauthenticatedFlow() {
     EndpointService.endpoints()
     .then(function success(endpoints) {
@@ -115,10 +104,23 @@ function ($q, $scope, $state, $stateParams, $sanitize, Authentication, UserServi
       authenticatedFlow();
     }
 
-    
+    var code = urlHelper.getParameter('code');
+    if (code) {
+      oAuthLogin(code);
+    }
+  }
+
+  function oAuthLogin(code) {
+    return Authentication.OAuthLogin(code)
+    .then(function success() {
+      urlHelper.cleanParameters();
+      $state.go('portainer.home');
+    })
+    .catch(function error() {
+      $scope.state.AuthenticationError = 'Failed to authenticate with OAuth2 Provider';
+    });
   }
 
-  
 
   initView();
 }]);

From 50c604ee4c9e3d890e421594c0307dbaefdab069 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 25 Jan 2019 10:44:31 +0200
Subject: [PATCH 36/61] fix(auth): use the right function to oauth validate

---
 app/portainer/services/authentication.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/portainer/services/authentication.js b/app/portainer/services/authentication.js
index 39b7ada24..3396e3155 100644
--- a/app/portainer/services/authentication.js
+++ b/app/portainer/services/authentication.js
@@ -23,7 +23,7 @@ function AuthenticationFactory(Auth, OAuth, jwtHelper, LocalStorage, StateManage
   }
 
   function OAuthLogin(code) {
-    return OAuth.login({ code: code }).$promise
+    return OAuth.validate({ code: code }).$promise
       .then(function onLoginSuccess(response) {
         return setUser(response.jwt);
       });

From c1939f6070c7404fa76f4b818db743087b104cd8 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 25 Jan 2019 10:46:17 +0200
Subject: [PATCH 37/61] feature(oauth): add provider selector

---
 .../oauth-providers-selector/oauth-providers-selector.html  | 2 +-
 .../components/oauth-settings/oauth-settings-controller.js  | 6 ++++++
 .../oauth/components/oauth-settings/oauth-settings.html     | 6 +-----
 3 files changed, 8 insertions(+), 6 deletions(-)
 create mode 100644 app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js

diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
index ca2da3d44..16879b0ac 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
@@ -11,7 +11,7 @@
       ng-model="$ctrl.selectedProvider"
       ng-options="provider as provider for provider in $ctrl.providers"
     >
-    <option value="">Custom</option>
+    <option value="">Custom </option>
   </select>
   </div>
 </div>
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
new file mode 100644
index 000000000..b91aabc6a
--- /dev/null
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
@@ -0,0 +1,6 @@
+angular.module('portainer.extensions.oauth')
+  .controller('OAuthSettingsController', function OAuthSettingsController() {
+    this.providers = [
+      'facebook'
+    ]
+  });
\ No newline at end of file
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index f73415e25..f3307321d 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -1,9 +1,5 @@
-<div class="form-group">
-    <span class="col-sm-12 text-muted small">
-        When using OAuth authentication, Portainer will allow users to optionally authenticate with an OAuth authorization server.
-    </span>
-  </div>
 <div>
+  <!-- <oauth-providers-selector selected-provider="$ctrl.settings.provider" providers="$ctrl.providers"></oauth-providers-selector> -->
 
   <div class="col-sm-12 form-section-title">OAuth Configuration</div>
 

From 90281fd7f0e751ca53f54b56e4de4e9a4eb81e76 Mon Sep 17 00:00:00 2001
From: Chaim Lev Ari <chiptus@gmail.com>
Date: Fri, 25 Jan 2019 10:57:40 +0200
Subject: [PATCH 38/61] feat(oauth): add providers to providers-selector

---
 .../oauth-providers-selector.html             |  4 ++--
 .../oauth-providers-selector.js               | 24 +++++++++++++++----
 .../oauth-settings-controller.js              | 15 ++++++++----
 .../oauth-settings/oauth-settings.html        |  2 +-
 4 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
index 16879b0ac..f451768fe 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
@@ -9,9 +9,9 @@
       class="form-control"
       id="oauth-provider-selector"
       ng-model="$ctrl.selectedProvider"
-      ng-options="provider as provider for provider in $ctrl.providers"
+      ng-change="$ctrl.onSelect($ctrl.selectedProvider)"
+      ng-options="provider as provider.name for provider in $ctrl.providers"
     >
-    <option value="">Custom </option>
   </select>
   </div>
 </div>
diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js
index 9efd413b1..fa1cdb1e1 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js
@@ -1,4 +1,20 @@
-angular.module('portainer.extensions.oauth')
-  .component('oauthProvidersSelector', {
-    templateUrl: 'app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html'
-  });
\ No newline at end of file
+angular.module('portainer.extensions.oauth').component('oauthProvidersSelector', {
+  templateUrl: 'app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html',
+  bindings: {
+    onSelect: '<'
+  },
+  controller: function oauthProvidersSelectorController() {
+    this.providers = [
+      {
+        name: 'Facebook',
+        authUrl: 'https://www.facebook.com/v3.2/dialog/oauth',
+        accessTokenUrl: 'https://graph.facebook.com/v3.2/oauth/access_token',
+        resourceUrl: 'https://graph.facebook.com/v3.2/me?fields=email',
+        userIdentifier: 'email'
+      },
+      {
+        name: 'Custom'
+      }
+    ];
+  }
+});
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
index b91aabc6a..ba324c49b 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
@@ -1,6 +1,11 @@
 angular.module('portainer.extensions.oauth')
-  .controller('OAuthSettingsController', function OAuthSettingsController() {
-    this.providers = [
-      'facebook'
-    ]
-  });
\ No newline at end of file
+.controller('OAuthSettingsController', function OAuthSettingsController() {
+  this.onSelectProvider = onSelectProvider;
+
+  function onSelectProvider(provider) {
+    this.settings.AuthorizationURI = provider.authUrl;
+    this.settings.AccessTokenURI = provider.accessTokenUrl;
+    this.settings.ResourceURI = provider.resourceUrl;
+    this.settings.UserIdentifier = provider.userIdentifier;
+  }
+});
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index f3307321d..e2a5217e0 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -1,5 +1,5 @@
 <div>
-  <!-- <oauth-providers-selector selected-provider="$ctrl.settings.provider" providers="$ctrl.providers"></oauth-providers-selector> -->
+  <!-- <oauth-providers-selector on-select="$ctrl.onSelectProvider" selected-provider="$ctrl.settings.provider" providers="$ctrl.providers"></oauth-providers-selector> -->
 
   <div class="col-sm-12 form-section-title">OAuth Configuration</div>
 

From 4d8133f696e221c0de6899a7bb1575e179d9717a Mon Sep 17 00:00:00 2001
From: baron_l <baron_l@epitech.eu>
Date: Thu, 7 Feb 2019 15:07:10 +0100
Subject: [PATCH 39/61] feat(oauth): spinner on code evaluation after
 sucessfull oauth

---
 app/portainer/views/auth/auth.html         | 9 ++++++++-
 app/portainer/views/auth/authController.js | 7 ++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 62c26d8b6..9c0ecfc2e 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -9,7 +9,7 @@
       </div>
       <!-- !login box logo -->
       <!-- login panel -->
-      <div class="panel panel-default">
+      <div class="panel panel-default" ng-show="!state.isInOAuthProcess">
         <div class="panel-body">
           <!-- login form -->
           <form class="simple-box-form form-horizontal">
@@ -49,6 +49,13 @@
         </div>
       </div>
       <!-- !login panel -->
+      <div class="panel panel-default" ng-show="state.isInOAuthProcess">
+        <div class="panel-body">
+          <div class="form-group">
+              Connecting with OAuth <span class="pull-right" button-spinner="true"></span>
+          </div>
+        </div>
+      </div>
     </div>
   </div>
   <!-- !login box -->
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 8f281a170..43aaebb08 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -8,7 +8,8 @@ angular.module('portainer.app').controller('AuthenticationController', ['$q', '$
     };
 
     $scope.state = {
-      AuthenticationError: ''
+      AuthenticationError: '',
+      isInOAuthProcess: true
     };
 
     $scope.authenticateUser = function() {
@@ -89,6 +90,7 @@ angular.module('portainer.app').controller('AuthenticationController', ['$q', '$
       if ($stateParams.logout || $stateParams.error) {
         Authentication.logout();
         $scope.state.AuthenticationError = $stateParams.error;
+        $scope.state.isInOAuthProcess = false;
         return;
       }
 
@@ -106,6 +108,8 @@ angular.module('portainer.app').controller('AuthenticationController', ['$q', '$
       var code = urlHelper.getParameter('code');
       if (code) {
         oAuthLogin(code);
+      } else {
+        $scope.state.isInOAuthProcess = false;
       }
     }
 
@@ -117,6 +121,7 @@ angular.module('portainer.app').controller('AuthenticationController', ['$q', '$
         })
         .catch(function error() {
           $scope.state.AuthenticationError = 'Failed to authenticate with OAuth2 Provider';
+          $scope.state.isInOAuthProcess = false;
         });
     }
 

From 2755527d28d4e4d3dd3670c9b59fcf6383bb221a Mon Sep 17 00:00:00 2001
From: baron_l <baron_l@epitech.eu>
Date: Thu, 7 Feb 2019 19:32:02 +0100
Subject: [PATCH 40/61] feat(oauth): default team for user on oauth settings

---
 api/portainer.go                              |  1 +
 .../oauth-settings/oauth-settings.html        | 24 +++++++++++++++++++
 .../oauth-settings/oauth-settings.js          |  3 ++-
 app/portainer/models/settings.js              |  1 +
 .../settingsAuthentication.html               |  2 +-
 .../settingsAuthenticationController.js       | 13 ++++++----
 6 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/api/portainer.go b/api/portainer.go
index 6f71dc176..de2511b37 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -67,6 +67,7 @@ type (
 		UserIdentifier       string `json:"UserIdentifier"`
 		Scopes               string `json:"Scopes"`
 		OAuthAutoCreateUsers bool   `json:"OAuthAutoCreateUsers"`
+		DefaultTeamID        TeamID     `json:"DefaultTeamID"`
 	}
 
 	// TLSConfiguration represents a TLS configuration
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index e2a5217e0..1a51eac59 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -149,6 +149,9 @@
     </div>
   </div>
 
+  <div class="col-sm-12 form-section-title">
+      Automatic user provisioning
+  </div>
   <div class="form-group">
     <span class="col-sm-12 text-muted small">
       With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If
@@ -163,4 +166,25 @@
       </label>
     </div>
   </div>
+
+  <div ng-if="$ctrl.settings.OAuthAutoCreateUsers">
+    <div class="form-group">
+      <span class="col-sm-12 text-muted small">
+        The users created by the automatic provisioning feature can be added to a default team on creation. This setting is optional.
+      </span>
+    </div>
+    <div class="form-group">
+      <label for="team_provisioning" class="col-sm-2 col-lg-1">Default team</label>
+      <div class="col-sm-1">
+        <button type="button" class="btn btn-sm btn-danger pull-right" ng-click="$ctrl.settings.DefaultTeamID = null"
+          ng-disabled="!$ctrl.settings.DefaultTeamID">
+          <i class="fa fa-times" aria-hidden="true"></i>
+        </button>
+      </div>
+      <div class="col-sm-9 col-lg-10">
+        <select class="form-control" ng-model="$ctrl.settings.DefaultTeamID" ng-options="team.Id as team.Name for team in $ctrl.teams">
+        </select>
+      </div>
+    </div>
+  </div>
 </div>
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.js b/app/extensions/oauth/components/oauth-settings/oauth-settings.js
index d5031d187..51a9ec553 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.js
@@ -1,6 +1,7 @@
 angular.module('portainer.extensions.oauth').component('oauthSettings', {
   templateUrl: 'app/extensions/oauth/components/oauth-settings/oauth-settings.html',
   bindings: {
-    settings: '<'
+    settings: '<',
+    teams: '<'
   }
 });
diff --git a/app/portainer/models/settings.js b/app/portainer/models/settings.js
index 930ae4da5..bdb8b8713 100644
--- a/app/portainer/models/settings.js
+++ b/app/portainer/models/settings.js
@@ -53,4 +53,5 @@ function OAuthSettingsViewModel(data) {
   this.UserIdentifier = data.UserIdentifier;
   this.Scopes = data.Scopes;
   this.OAuthAutoCreateUsers = data.OAuthAutoCreateUsers;
+  this.DefaultTeamID = data.DefaultTeamID;
 }
\ No newline at end of file
diff --git a/app/portainer/views/settings/authentication/settingsAuthentication.html b/app/portainer/views/settings/authentication/settingsAuthentication.html
index d7427269c..f47d02032 100644
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@@ -322,7 +322,7 @@
             <!-- !group-search-settings -->
           </div>
 
-          <oauth-settings ng-if="isOauthEnabled()" settings="OAuthSettings"></oauth-settings>
+          <oauth-settings ng-if="isOauthEnabled()" settings="OAuthSettings" teams="teams"></oauth-settings>
 
             <!-- actions -->
           <div class="form-group">
diff --git a/app/portainer/views/settings/authentication/settingsAuthenticationController.js b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
index dc74a3b54..8a22d1783 100644
--- a/app/portainer/views/settings/authentication/settingsAuthenticationController.js
+++ b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
@@ -1,6 +1,6 @@
 angular.module('portainer.app')
-.controller('SettingsAuthenticationController', ['$q', '$scope', 'Notifications', 'SettingsService', 'FileUploadService',
-function ($q, $scope, Notifications, SettingsService, FileUploadService) {
+.controller('SettingsAuthenticationController', ['$q', '$scope', 'Notifications', 'SettingsService', 'FileUploadService', 'TeamService',
+function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamService) {
 
   $scope.state = {
     successfulConnectivityCheck: false,
@@ -96,9 +96,12 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService) {
   }
 
   function initView() {
-    SettingsService.settings()
-    .then(function success(data) {
-      var settings = data;
+    $q.all({
+      settings: SettingsService.settings(),
+      teams: TeamService.teams()
+    }).then(function success(data) {
+      var settings = data.settings;
+      $scope.teams = data.teams;
       $scope.settings = settings;
       $scope.LDAPSettings = settings.LDAPSettings;
       $scope.OAuthSettings = settings.OAuthSettings;

From 8f568c8699f3ae5103614cc65172e4dc0df64498 Mon Sep 17 00:00:00 2001
From: baron_l <baron_l@epitech.eu>
Date: Fri, 8 Feb 2019 16:07:16 +0100
Subject: [PATCH 41/61] style(oauth): oauth loading + oauth config rework

---
 .../oauth-settings/oauth-settings.html        | 79 ++++++++++---------
 app/portainer/views/auth/auth.html            |  4 +-
 2 files changed, 42 insertions(+), 41 deletions(-)

diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index 1a51eac59..dc13135f1 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -1,5 +1,45 @@
 <div>
   <!-- <oauth-providers-selector on-select="$ctrl.onSelectProvider" selected-provider="$ctrl.settings.provider" providers="$ctrl.providers"></oauth-providers-selector> -->
+<div class="col-sm-12 form-section-title">
+  Automatic user provisioning
+</div>
+<div class="form-group">
+  <span class="col-sm-12 text-muted small">
+    With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If
+    disabled, users must be created in Portainer in order to login.
+  </span>
+</div>
+<div class="form-group">
+  <div class="col-sm-12">
+    <label for="oauth_provisioning"> Automatic user provisioning </label>
+    <label class="switch" style="margin-left: 20px">
+      <input type="checkbox" ng-model="$ctrl.settings.OAuthAutoCreateUsers" /><i></i>
+    </label>
+  </div>
+</div>
+
+<div ng-if="$ctrl.settings.OAuthAutoCreateUsers">
+  <div class="form-group">
+    <span class="col-sm-12 text-muted small">
+      The users created by the automatic provisioning feature can be added to a default team on creation. This setting is optional.
+    </span>
+  </div>
+  <div class="form-group">
+    <label for="team_provisioning" class="col-sm-2">Default team</label>
+    <span class="small text-muted" style="margin-left: 20px;" ng-if="$ctrl.teams.length === 0">
+      You have not yet created any team. Head over the <a ui-sref="portainer.teams">teams view</a> to manage user teams.
+    </span>
+    <button type="button" class="btn btn-sm btn-danger" ng-click="$ctrl.settings.DefaultTeamID = null" ng-disabled="!$ctrl.settings.DefaultTeamID"
+      ng-if="$ctrl.teams.length > 0">
+      <i class="fa fa-times" aria-hidden="true"></i>
+    </button>
+    <div class="col-sm-9 col-lg-9" ng-if="$ctrl.teams.length > 0">
+      <select class="form-control" ng-model="$ctrl.settings.DefaultTeamID" ng-options="team.Id as team.Name for team in $ctrl.teams">
+      </select>
+    </div>
+  </div>
+</div>
+
 
   <div class="col-sm-12 form-section-title">OAuth Configuration</div>
 
@@ -148,43 +188,4 @@
       />
     </div>
   </div>
-
-  <div class="col-sm-12 form-section-title">
-      Automatic user provisioning
-  </div>
-  <div class="form-group">
-    <span class="col-sm-12 text-muted small">
-      With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If
-      disabled, users must be created in Portainer in order to login.
-    </span>
-  </div>
-  <div class="form-group">
-    <div class="col-sm-12">
-      <label for="oauth_provisioning"> Automatic user provisioning </label>
-      <label class="switch" style="margin-left: 20px">
-        <input type="checkbox" ng-model="$ctrl.settings.OAuthAutoCreateUsers" /><i></i>
-      </label>
-    </div>
-  </div>
-
-  <div ng-if="$ctrl.settings.OAuthAutoCreateUsers">
-    <div class="form-group">
-      <span class="col-sm-12 text-muted small">
-        The users created by the automatic provisioning feature can be added to a default team on creation. This setting is optional.
-      </span>
-    </div>
-    <div class="form-group">
-      <label for="team_provisioning" class="col-sm-2 col-lg-1">Default team</label>
-      <div class="col-sm-1">
-        <button type="button" class="btn btn-sm btn-danger pull-right" ng-click="$ctrl.settings.DefaultTeamID = null"
-          ng-disabled="!$ctrl.settings.DefaultTeamID">
-          <i class="fa fa-times" aria-hidden="true"></i>
-        </button>
-      </div>
-      <div class="col-sm-9 col-lg-10">
-        <select class="form-control" ng-model="$ctrl.settings.DefaultTeamID" ng-options="team.Id as team.Name for team in $ctrl.teams">
-        </select>
-      </div>
-    </div>
-  </div>
 </div>
diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 9c0ecfc2e..8787121ba 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -51,8 +51,8 @@
       <!-- !login panel -->
       <div class="panel panel-default" ng-show="state.isInOAuthProcess">
         <div class="panel-body">
-          <div class="form-group">
-              Connecting with OAuth <span class="pull-right" button-spinner="true"></span>
+          <div class="form-group text-center">
+              <span class="small text-muted">Connecting with OAuth <span button-spinner="true"></span></span>
           </div>
         </div>
       </div>

From de76ba4e676dc79cadf0842f556745144f008808 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Thu, 14 Feb 2019 15:58:45 +1300
Subject: [PATCH 42/61] feat(oauth): update OAuth UX

---
 api/http/handler/auth/authenticate_oauth.go   |   2 +-
 api/oauth/oauth.go                            |  16 +-
 .../oauth-provider-selector-controller.js     |  56 +++++
 .../oauth-providers-selector.html             |  58 +++--
 .../oauth-providers-selector.js               |  18 +-
 .../oauth-settings-controller.js              |  45 +++-
 .../oauth-settings/oauth-settings.html        | 206 ++++++++++--------
 .../oauth-settings/oauth-settings.js          |   5 +-
 app/portainer/views/auth/authController.js    |   2 +-
 .../settingsAuthentication.html               |   9 +-
 10 files changed, 278 insertions(+), 139 deletions(-)
 create mode 100644 app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js

diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index d8a446d3e..89b828383 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -55,7 +55,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 	}
 
 	if user == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
-		return &httperror.HandlerError{http.StatusForbidden, "Unregistered account", portainer.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusForbidden, "Account not created beforehand in Portainer and automatic user provisioning not enabled", portainer.ErrUnauthorized}
 	}
 
 	if user == nil {
diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
index 3b3d210bc..b7de6792f 100644
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@@ -23,9 +23,18 @@ type Service struct{}
 
 // GetAccessToken takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint
 func (*Service) GetAccessToken(code string, settings *portainer.OAuthSettings) (string, error) {
+	unescapedCode, err := url.QueryUnescape(code)
+	if err != nil {
+		return "", err
+	}
+
 	config := buildConfig(settings)
-	token, err := config.Exchange(context.Background(), code)
-	return token.AccessToken, err
+	token, err := config.Exchange(context.Background(), unescapedCode)
+	if err != nil {
+		return "", err
+	}
+
+	return token.AccessToken, nil
 }
 
 // GetUsername takes a token and retrieves the portainer OAuthSettings user identifier from resource server.
@@ -109,7 +118,6 @@ func buildConfig(oauthSettings *portainer.OAuthSettings) *oauth2.Config {
 		ClientSecret: oauthSettings.ClientSecret,
 		Endpoint:     endpoint,
 		RedirectURL:  oauthSettings.RedirectURI,
-		// TODO figure out how to handle different providers, see https://github.com/golang/oauth2/issues/119
-		Scopes: []string{oauthSettings.Scopes},
+		Scopes:       []string{oauthSettings.Scopes},
 	}
 }
diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
new file mode 100644
index 000000000..2f5be632a
--- /dev/null
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
@@ -0,0 +1,56 @@
+angular.module('portainer.extensions.oauth')
+  .controller('OAuthProviderSelectorController', function OAuthProviderSelectorController() {
+    var ctrl = this;
+
+    this.providers = [
+      {
+        userIdentifier: 'mail',
+        scope: 'id,email,name',
+        name: 'microsoft'
+      },
+      {
+        authUrl: 'https://accounts.google.com/o/oauth2/auth',
+        accessTokenUrl: 'https://accounts.google.com/o/oauth2/token',
+        resourceUrl: 'https://www.googleapis.com/oauth2/v1/userinfo?alt=json',
+        userIdentifier: 'email',
+        scopes: 'profile email',
+        name: 'google'
+      },
+      {
+        authUrl: 'https://github.com/login/oauth/authorize',
+        accessTokenUrl: 'https://github.com/login/oauth/access_token',
+        resourceUrl: 'https://api.github.com/user',
+        userIdentifier: 'login',
+        scopes: 'id email name',
+        name: 'github'
+      },
+      {
+        name: 'custom'
+      }
+    ];
+
+    this.$onInit = onInit;
+
+    function onInit() {
+      console.log(ctrl.provider.authUrl);
+      if (ctrl.provider.authUrl) {
+        ctrl.provider = getProviderByURL(ctrl.provider.authUrl);
+      } else {
+        ctrl.provider = ctrl.providers[0];
+      }
+      ctrl.onSelect(ctrl.provider);
+    }
+
+    function getProviderByURL(providerAuthURL) {
+      if (providerAuthURL.indexOf('login.microsoftonline.com') !== -1) {
+        return ctrl.providers[0];
+      }
+      else if (providerAuthURL.indexOf('accounts.google.com') !== -1) {
+        return ctrl.providers[1];
+      }
+      else if (providerAuthURL.indexOf('github.com') !== -1) {
+        return ctrl.providers[2];
+      }
+      return ctrl.provider[3];
+    }
+  });
diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
index f451768fe..8422f0900 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
@@ -1,17 +1,49 @@
 <div class="col-sm-12 form-section-title">
-    Provider
-  </div>
+  Provider
+</div>
 
-
-<div class="form-group">
-  <div class="col-sm-12">
-    <select
-      class="form-control"
-      id="oauth-provider-selector"
-      ng-model="$ctrl.selectedProvider"
-      ng-change="$ctrl.onSelect($ctrl.selectedProvider)"
-      ng-options="provider as provider.name for provider in $ctrl.providers"
-    >
-  </select>
+<div class="form-group"></div>
+<div class="form-group" style="margin-bottom: 0">
+  <div class="boxselector_wrapper">
+    <div ng-click="$ctrl.onSelect($ctrl.provider)">
+      <input type="radio" id="oauth_provider_microsoft" ng-model="$ctrl.provider" ng-value="$ctrl.providers[0]">
+      <label for="oauth_provider_microsoft">
+        <div class="boxselector_header">
+          <i class="fab fa-microsoft" aria-hidden="true" style="margin-right: 2px;"></i>
+          Microsoft
+        </div>
+        <p>Microsoft OAuth provider</p>
+      </label>
+    </div>
+    <div ng-click="$ctrl.onSelect($ctrl.provider)">
+      <input type="radio" id="oauth_provider_google" ng-model="$ctrl.provider" ng-value="$ctrl.providers[1]">
+      <label for="oauth_provider_google">
+        <div class="boxselector_header">
+          <i class="fab fa-google" aria-hidden="true" style="margin-right: 2px;"></i>
+          Google
+        </div>
+        <p>Google OAuth provider</p>
+      </label>
+    </div>
+    <div ng-click="$ctrl.onSelect($ctrl.provider)">
+      <input type="radio" id="oauth_provider_github" ng-model="$ctrl.provider" ng-value="$ctrl.providers[2]">
+      <label for="oauth_provider_github">
+        <div class="boxselector_header">
+          <i class="fab fa-github" aria-hidden="true" style="margin-right: 2px;"></i>
+          Github
+        </div>
+        <p>Github OAuth provider</p>
+      </label>
+    </div>
+    <div ng-click="$ctrl.onSelect($ctrl.provider)">
+      <input type="radio" id="oauth_provider_custom" ng-model="$ctrl.provider" ng-value="$ctrl.providers[3]">
+      <label for="oauth_provider_custom">
+        <div class="boxselector_header">
+          <i class="fa fa-user-check" aria-hidden="true" style="margin-right: 2px;"></i>
+          Custom
+        </div>
+        <p>Custom OAuth provider</p>
+      </label>
+    </div>
   </div>
 </div>
diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js
index fa1cdb1e1..1376671fe 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.js
@@ -1,20 +1,8 @@
 angular.module('portainer.extensions.oauth').component('oauthProvidersSelector', {
   templateUrl: 'app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html',
   bindings: {
-    onSelect: '<'
+    onSelect: '<',
+    provider: '='
   },
-  controller: function oauthProvidersSelectorController() {
-    this.providers = [
-      {
-        name: 'Facebook',
-        authUrl: 'https://www.facebook.com/v3.2/dialog/oauth',
-        accessTokenUrl: 'https://graph.facebook.com/v3.2/oauth/access_token',
-        resourceUrl: 'https://graph.facebook.com/v3.2/me?fields=email',
-        userIdentifier: 'email'
-      },
-      {
-        name: 'Custom'
-      }
-    ];
-  }
+  controller: 'OAuthProviderSelectorController'
 });
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
index ba324c49b..58690b511 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
@@ -1,11 +1,38 @@
 angular.module('portainer.extensions.oauth')
-.controller('OAuthSettingsController', function OAuthSettingsController() {
-  this.onSelectProvider = onSelectProvider;
+  .controller('OAuthSettingsController', function OAuthSettingsController() {
+    var ctrl = this;
 
-  function onSelectProvider(provider) {
-    this.settings.AuthorizationURI = provider.authUrl;
-    this.settings.AccessTokenURI = provider.accessTokenUrl;
-    this.settings.ResourceURI = provider.resourceUrl;
-    this.settings.UserIdentifier = provider.userIdentifier;
-  }
-});
+    this.state = {
+      provider: {},
+      overrideConfiguration: false,
+      microsoftTenantID: ''
+    };
+
+    this.$onInit = onInit;
+    this.onSelectProvider = onSelectProvider;
+    this.onMicrosoftTenantIDChange = onMicrosoftTenantIDChange;
+
+    function onMicrosoftTenantIDChange() {
+      var tenantID = ctrl.state.microsoftTenantID;
+
+      ctrl.settings.AuthorizationURI = _.replace('https://login.microsoftonline.com/TENANT_ID/oauth2/authorize', 'TENANT_ID', tenantID);
+      ctrl.settings.AccessTokenURI = _.replace('https://login.microsoftonline.com/TENANT_ID/oauth2/token', 'TENANT_ID', tenantID);
+      ctrl.settings.ResourceURI = _.replace('https://graph.windows.net/TENANT_ID/me?api-version=2013-11-08', 'TENANT_ID', tenantID);
+    }
+
+    function onSelectProvider(provider) {
+      ctrl.state.provider = provider;
+      ctrl.settings.AuthorizationURI = provider.authUrl;
+      ctrl.settings.AccessTokenURI = provider.accessTokenUrl;
+      ctrl.settings.ResourceURI = provider.resourceUrl;
+      ctrl.settings.UserIdentifier = provider.userIdentifier;
+      ctrl.settings.Scopes = provider.scopes;
+    }
+
+    function onInit() {
+      if (ctrl.settings.RedirectURI === '') {
+        ctrl.settings.RedirectURI = window.location.origin;
+      }
+      ctrl.state.provider.authUrl = ctrl.settings.AuthorizationURI;
+    }
+  });
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index dc13135f1..d71effc69 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -1,48 +1,61 @@
 <div>
-  <!-- <oauth-providers-selector on-select="$ctrl.onSelectProvider" selected-provider="$ctrl.settings.provider" providers="$ctrl.providers"></oauth-providers-selector> -->
-<div class="col-sm-12 form-section-title">
-  Automatic user provisioning
-</div>
-<div class="form-group">
-  <span class="col-sm-12 text-muted small">
-    With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If
-    disabled, users must be created in Portainer in order to login.
-  </span>
-</div>
-<div class="form-group">
-  <div class="col-sm-12">
-    <label for="oauth_provisioning"> Automatic user provisioning </label>
+  <div class="col-sm-12 form-section-title">
+    Automatic user provisioning
+  </div>
+  <div class="form-group">
+    <span class="col-sm-12 text-muted small">
+      With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If
+      disabled, users must be created in Portainer in order to login.
+    </span>
+  </div>
+  <div class="form-group">
+    <label class="col-sm-3 col-lg-2 control-label text-left">Automatic user provisioning</label>
     <label class="switch" style="margin-left: 20px">
       <input type="checkbox" ng-model="$ctrl.settings.OAuthAutoCreateUsers" /><i></i>
     </label>
   </div>
-</div>
 
-<div ng-if="$ctrl.settings.OAuthAutoCreateUsers">
-  <div class="form-group">
-    <span class="col-sm-12 text-muted small">
-      The users created by the automatic provisioning feature can be added to a default team on creation. This setting is optional.
-    </span>
-  </div>
-  <div class="form-group">
-    <label for="team_provisioning" class="col-sm-2">Default team</label>
-    <span class="small text-muted" style="margin-left: 20px;" ng-if="$ctrl.teams.length === 0">
-      You have not yet created any team. Head over the <a ui-sref="portainer.teams">teams view</a> to manage user teams.
-    </span>
-    <button type="button" class="btn btn-sm btn-danger" ng-click="$ctrl.settings.DefaultTeamID = null" ng-disabled="!$ctrl.settings.DefaultTeamID"
-      ng-if="$ctrl.teams.length > 0">
-      <i class="fa fa-times" aria-hidden="true"></i>
-    </button>
-    <div class="col-sm-9 col-lg-9" ng-if="$ctrl.teams.length > 0">
-      <select class="form-control" ng-model="$ctrl.settings.DefaultTeamID" ng-options="team.Id as team.Name for team in $ctrl.teams">
-      </select>
+  <div ng-if="$ctrl.settings.OAuthAutoCreateUsers">
+    <div class="form-group">
+      <span class="col-sm-12 text-muted small">
+        The users created by the automatic provisioning feature can be added to a default team on creation. This setting is optional.
+      </span>
+    </div>
+    <div class="form-group">
+      <label class="col-sm-3 col-lg-2 control-label text-left">Default team</label>
+      <span class="small text-muted" style="margin-left: 20px;" ng-if="$ctrl.teams.length === 0">
+        You have not yet created any team. Head over the <a ui-sref="portainer.teams">teams view</a> to manage user teams.
+      </span>
+      <button type="button" class="btn btn-sm btn-danger" ng-click="$ctrl.settings.DefaultTeamID = null" ng-disabled="!$ctrl.settings.DefaultTeamID" ng-if="$ctrl.teams.length > 0"><i class="fa fa-times" aria-hidden="true"></i></button>
+      <div class="col-sm-9 col-lg-9" ng-if="$ctrl.teams.length > 0">
+        <select class="form-control" ng-model="$ctrl.settings.DefaultTeamID" ng-options="team.Id as team.Name for team in $ctrl.teams">
+          <option value="">No team</option>
+        </select>
+      </div>
     </div>
   </div>
-</div>
 
+  <oauth-providers-selector on-select="$ctrl.onSelectProvider" provider="$ctrl.state.provider"></oauth-providers-selector>
 
   <div class="col-sm-12 form-section-title">OAuth Configuration</div>
 
+  <div class="form-group" ng-if="$ctrl.state.provider.name == 'microsoft'">
+    <label for="oauth_microsoft_tenant_id" class="col-sm-3 col-lg-2 control-label text-left">
+      Tenant ID
+      <portainer-tooltip position="bottom" message="ID of the Azure AD directory in which you created the OAuth application"></portainer-tooltip>
+    </label>
+    <div class="col-sm-9 col-lg-10">
+      <input
+      type="text"
+      class="form-control"
+      id="oauth_microsoft_tenant_id"
+      placeholder="xxxxxxxxxxxxxxxxxxxx"
+      ng-model="$ctrl.state.microsoftTenantID"
+      ng-change="$ctrl.onMicrosoftTenantIDChange()"
+      />
+    </div>
+  </div>
+
   <div class="form-group">
     <label for="oauth_client_id" class="col-sm-3 col-lg-2 control-label text-left">
       Client ID
@@ -50,11 +63,11 @@
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
-        type="text"
-        class="form-control"
-        id="oauth_client_id"
-        ng-model="$ctrl.settings.ClientID"
-        placeholder="xxxxxxxxxxxxxxxxxxxx"
+      type="text"
+      class="form-control"
+      id="oauth_client_id"
+      ng-model="$ctrl.settings.ClientID"
+      placeholder="xxxxxxxxxxxxxxxxxxxx"
       />
     </div>
   </div>
@@ -63,129 +76,140 @@
     <label for="oauth_client_secret" class="col-sm-3 col-lg-2 control-label text-left">
       Client Secret
       <portainer-tooltip
-        position="bottom"
-        message="Client secret that authorization server supports"
+      position="bottom"
+      message="Client secret that authorization server supports"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
-        type="password"
-        class="form-control"
-        id="oauth_client_secret"
-        ng-model="$ctrl.settings.ClientSecret"
-        placeholder="xxxxxxxxxxxxxxxxxxxx"
+      type="password"
+      class="form-control"
+      id="oauth_client_secret"
+      ng-model="$ctrl.settings.ClientSecret"
+      placeholder="xxxxxxxxxxxxxxxxxxxx"
       />
     </div>
   </div>
 
-  <div class="form-group">
+  <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_authorization_uri" class="col-sm-3 col-lg-2 control-label text-left">
       Authorization URI
       <portainer-tooltip
-        position="bottom"
-        message="URI where the user is redirected in order to login with OAuth provider"
+      position="bottom"
+      message="URI where the user is redirected in order to login with OAuth provider"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
-        type="text"
-        class="form-control"
-        id="oauth_authorization_uri"
-        ng-model="$ctrl.settings.AuthorizationURI"
-        placeholder="https://example.com/oauth/authorize"
+      type="text"
+      class="form-control"
+      id="oauth_authorization_uri"
+      ng-model="$ctrl.settings.AuthorizationURI"
+      placeholder="https://example.com/oauth/authorize"
       />
     </div>
   </div>
 
-  <div class="form-group">
+  <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_access_token_uri" class="col-sm-3 col-lg-2 control-label text-left">
       Access Token URI
       <portainer-tooltip
-        position="bottom"
-        message="URI where portainer will attempt to obtain an access token"
+      position="bottom"
+      message="URI where portainer will attempt to obtain an access token"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
-        type="text"
-        class="form-control"
-        id="oauth_access_token_uri"
-        ng-model="$ctrl.settings.AccessTokenURI"
-        placeholder="https://example.com/oauth/token"
+      type="text"
+      class="form-control"
+      id="oauth_access_token_uri"
+      ng-model="$ctrl.settings.AccessTokenURI"
+      placeholder="https://example.com/oauth/token"
       />
     </div>
   </div>
 
-  <div class="form-group">
+  <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_resource_uri" class="col-sm-3 col-lg-2 control-label text-left">
       Resource URI
       <portainer-tooltip
-        position="bottom"
-        message="URI where portainer will attempt to retrieve the user identifier value"
+      position="bottom"
+      message="URI where portainer will attempt to retrieve the user identifier value"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
-        type="text"
-        class="form-control"
-        id="oauth_resource_uri"
-        ng-model="$ctrl.settings.ResourceURI"
-        placeholder="https://example.com/user"
+      type="text"
+      class="form-control"
+      id="oauth_resource_uri"
+      ng-model="$ctrl.settings.ResourceURI"
+      placeholder="https://example.com/user"
       />
     </div>
   </div>
 
-  <div class="form-group">
+  <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_redirect_uri" class="col-sm-3 col-lg-2 control-label text-left">
       Redirect URI
       <portainer-tooltip position="bottom" message="Set this as your portainer index"></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
-        type="text"
-        class="form-control"
-        id="oauth_redirect_uri"
-        ng-model="$ctrl.settings.RedirectURI"
-        placeholder="http://yourportainer.com/"
+      type="text"
+      class="form-control"
+      id="oauth_redirect_uri"
+      ng-model="$ctrl.settings.RedirectURI"
+      placeholder="http://yourportainer.com/"
       />
     </div>
   </div>
 
-  <div class="form-group">
+  <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_user_identifier" class="col-sm-3 col-lg-2 control-label text-left">
       User Identifier
       <portainer-tooltip
-        position="bottom"
-        message="Key that identifies the user in the resource server request"
+      position="bottom"
+      message="Key that identifies the user in the resource server request"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
-        type="text"
-        class="form-control"
-        id="oauth_user_identifier"
-        ng-model="$ctrl.settings.UserIdentifier"
-        placeholder="id"
+      type="text"
+      class="form-control"
+      id="oauth_user_identifier"
+      ng-model="$ctrl.settings.UserIdentifier"
+      placeholder="id"
       />
     </div>
   </div>
 
-  <div class="form-group">
+  <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_scopes" class="col-sm-3 col-lg-2 control-label text-left">
       Scopes
       <portainer-tooltip
-        position="bottom"
-        message="Scopes that are required to obtain the user identifier separated by delimiter if server expects it"
+      position="bottom"
+      message="Scopes that are required to obtain the user identifier separated by delimiter if server expects it"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
-        type="text"
-        class="form-control"
-        id="oauth_scopes"
-        ng-model="$ctrl.settings.Scopes"
-        placeholder="id,email,name"
+      type="text"
+      class="form-control"
+      id="oauth_scopes"
+      ng-model="$ctrl.settings.Scopes"
+      placeholder="id,email,name"
       />
     </div>
   </div>
+
+  <div class="form-group" ng-if="$ctrl.state.provider.name != 'custom'">
+    <div class="col-sm-12">
+      <a class="small interactive" ng-if="!$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = true;">
+        <i class="fa fa-plus space-right" aria-hidden="true"></i> Override configuration
+      </a>
+      <a class="small interactive" ng-if="$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = false;">
+        <i class="fa fa-minus space-right" aria-hidden="true"></i> Hide advanced options
+      </a>
+    </div>
+  </div>
 </div>
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.js b/app/extensions/oauth/components/oauth-settings/oauth-settings.js
index 51a9ec553..f7a30e1c2 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.js
@@ -1,7 +1,8 @@
 angular.module('portainer.extensions.oauth').component('oauthSettings', {
   templateUrl: 'app/extensions/oauth/components/oauth-settings/oauth-settings.html',
   bindings: {
-    settings: '<',
+    settings: '=',
     teams: '<'
-  }
+  },
+  controller: 'OAuthSettingsController'
 });
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 43aaebb08..98de83580 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -120,7 +120,7 @@ angular.module('portainer.app').controller('AuthenticationController', ['$q', '$
           $state.go('portainer.home');
         })
         .catch(function error() {
-          $scope.state.AuthenticationError = 'Failed to authenticate with OAuth2 Provider';
+          $scope.state.AuthenticationError = 'Unable to login via OAuth';
           $scope.state.isInOAuthProcess = false;
         });
     }
diff --git a/app/portainer/views/settings/authentication/settingsAuthentication.html b/app/portainer/views/settings/authentication/settingsAuthentication.html
index f47d02032..1458dc076 100644
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@@ -49,7 +49,7 @@
               </div>
             </div>
           </div>
-          
+
           <div ng-if="settings.AuthenticationMethod === 1">
             <div class="col-sm-12 form-section-title">
               Information
@@ -58,7 +58,7 @@
               When using internal authentication, Portainer will encrypt user passwords and store credentials locally.
             </div>
           </div>
-          
+
 
           <div ng-if="settings.AuthenticationMethod === 2">
             <div>
@@ -73,7 +73,7 @@
             <div class="col-sm-12 form-section-title">
               LDAP configuration
             </div>
-            
+
             <div class="form-group">
               <label for="ldap_url" class="col-sm-3 col-lg-2 control-label text-left">
                 LDAP Server
@@ -325,6 +325,9 @@
           <oauth-settings ng-if="isOauthEnabled()" settings="OAuthSettings" teams="teams"></oauth-settings>
 
             <!-- actions -->
+          <div class="col-sm-12 form-section-title">
+            Actions
+          </div>
           <div class="form-group">
             <div class="col-sm-12">
               <button type="button" class="btn btn-primary btn-sm" ng-click="saveSettings()" ng-disabled="state.actionInProgress" button-spinner="state.actionInProgress">

From 78e2aaf7d4fa7f6b4256c2b8cf0b5a3a89eb82fa Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Sun, 17 Feb 2019 17:01:36 +1300
Subject: [PATCH 43/61] feat(oauth): update OAuth UX

---
 .../oauth-provider-selector-controller.js                     | 3 +++
 .../components/oauth-settings/oauth-settings-controller.js    | 4 ++++
 .../oauth/components/oauth-settings/oauth-settings.html       | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
index 2f5be632a..b12549392 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
@@ -4,6 +4,9 @@ angular.module('portainer.extensions.oauth')
 
     this.providers = [
       {
+        authUrl: 'https://login.microsoftonline.com/TENANT_ID/oauth2/authorize',
+        accessTokenUrl: 'https://login.microsoftonline.com/TENANT_ID/oauth2/token',
+        resourceUrl: 'https://graph.windows.net/TENANT_ID/me?api-version=2013-11-08',
         userIdentifier: 'mail',
         scope: 'id,email,name',
         name: 'microsoft'
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
index 58690b511..c5015b5e8 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
@@ -27,6 +27,10 @@ angular.module('portainer.extensions.oauth')
       ctrl.settings.ResourceURI = provider.resourceUrl;
       ctrl.settings.UserIdentifier = provider.userIdentifier;
       ctrl.settings.Scopes = provider.scopes;
+
+      if (provider.name === 'microsoft' && ctrl.state.microsoftTenantID !== '') {
+        onMicrosoftTenantIDChange();
+      }
     }
 
     function onInit() {
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index d71effc69..e6f5e13e8 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -205,10 +205,10 @@
   <div class="form-group" ng-if="$ctrl.state.provider.name != 'custom'">
     <div class="col-sm-12">
       <a class="small interactive" ng-if="!$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = true;">
-        <i class="fa fa-plus space-right" aria-hidden="true"></i> Override configuration
+        <i class="fa fa-wrench space-right" aria-hidden="true"></i> Override configuration
       </a>
       <a class="small interactive" ng-if="$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = false;">
-        <i class="fa fa-minus space-right" aria-hidden="true"></i> Hide advanced options
+        <i class="fa fa-cogs space-right" aria-hidden="true"></i> Use default configuration
       </a>
     </div>
   </div>

From d768e72a217efccee579e95d7fcb570d1ff1045b Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Sun, 17 Feb 2019 19:01:42 +1300
Subject: [PATCH 44/61] feat(oauth): add support for default team

---
 api/http/handler/auth/authenticate_oauth.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index 89b828383..03031d6f0 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -34,7 +34,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 	}
 
 	if settings.AuthenticationMethod != 3 {
-		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not being used", err}
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", err}
 	}
 
 	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
@@ -69,6 +69,18 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
 		}
 
+		if settings.OAuthSettings.DefaultTeamID != 0 {
+			membership := &portainer.TeamMembership{
+				UserID: user.ID,
+				TeamID: settings.OAuthSettings.DefaultTeamID,
+				Role:   portainer.TeamMember,
+			}
+
+			err = handler.TeamMembershipService.CreateTeamMembership(membership)
+			if err != nil {
+				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist team membership inside the database", err}
+			}
+		}
 	}
 
 	return handler.writeToken(w, user)

From 7643f8d08c922a00df6665f3583a2a6998d55e5b Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Mon, 18 Feb 2019 14:46:34 +1300
Subject: [PATCH 45/61] feat(oauth): dev build supporting Oauth extension

---
 api/cmd/portainer/main.go                     |   8 --
 api/exec/extension.go                         |   3 +-
 api/http/handler/auth/authenticate_oauth.go   |  80 ++++++++----
 api/http/handler/auth/handler.go              |   6 +-
 api/http/handler/settings/handler.go          |   1 -
 api/http/handler/settings/settings_public.go  |   1 +
 api/http/proxy/manager.go                     |   7 +-
 api/http/server.go                            |   5 +-
 api/oauth/oauth.go                            | 123 ------------------
 api/portainer.go                              |  14 +-
 .../services/api/extensionService.js          |  15 +++
 .../settingsAuthentication.html               |  12 +-
 .../settingsAuthenticationController.js       |  17 ++-
 13 files changed, 114 insertions(+), 178 deletions(-)
 delete mode 100644 api/oauth/oauth.go

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 76ef19ae4..f759285da 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -20,7 +20,6 @@ import (
 	"github.com/portainer/portainer/jwt"
 	"github.com/portainer/portainer/ldap"
 	"github.com/portainer/portainer/libcompose"
-	"github.com/portainer/portainer/oauth"
 
 	"log"
 )
@@ -101,10 +100,6 @@ func initLDAPService() portainer.LDAPService {
 	return &ldap.Service{}
 }
 
-func initOAuthService() portainer.OAuthService {
-	return &oauth.Service{}
-}
-
 func initGitService() portainer.GitService {
 	return &git.Service{}
 }
@@ -529,8 +524,6 @@ func main() {
 
 	ldapService := initLDAPService()
 
-	oauthService := initOAuthService()
-
 	gitService := initGitService()
 
 	cryptoService := initCryptoService()
@@ -676,7 +669,6 @@ func main() {
 		JWTService:             jwtService,
 		FileService:            fileService,
 		LDAPService:            ldapService,
-		OAuthService:           oauthService,
 		GitService:             gitService,
 		SignatureService:       digitalSignatureService,
 		JobScheduler:           jobScheduler,
diff --git a/api/exec/extension.go b/api/exec/extension.go
index cb58ecad6..ab7880a1b 100644
--- a/api/exec/extension.go
+++ b/api/exec/extension.go
@@ -18,7 +18,8 @@ import (
 var extensionDownloadBaseURL = "https://portainer-io-assets.sfo2.digitaloceanspaces.com/extensions/"
 
 var extensionBinaryMap = map[portainer.ExtensionID]string{
-	portainer.RegistryManagementExtension: "extension-registry-management",
+	portainer.RegistryManagementExtension:  "extension-registry-management",
+	portainer.OAuthAuthenticationExtension: "extension-oauth-authentication",
 }
 
 // ExtensionManager represents a service used to
diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index 03031d6f0..5eafe0d1b 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -1,7 +1,8 @@
 package auth
 
 import (
-	"log"
+	"encoding/json"
+	"io/ioutil"
 	"net/http"
 
 	"github.com/asaskevich/govalidator"
@@ -21,6 +22,54 @@ func (payload *oauthPayload) Validate(r *http.Request) error {
 	return nil
 }
 
+func (handler *Handler) authenticateThroughExtension(code, licenseKey string, settings *portainer.OAuthSettings) (string, error) {
+	extensionURL := handler.ProxyManager.GetExtensionURL(portainer.OAuthAuthenticationExtension)
+
+	encodedConfiguration, err := json.Marshal(settings)
+	if err != nil {
+		return "", nil
+	}
+
+	req, err := http.NewRequest("GET", extensionURL+"/validate", nil)
+	if err != nil {
+		return "", err
+	}
+
+	client := &http.Client{}
+	req.Header.Set("X-OAuth-Config", string(encodedConfiguration))
+	req.Header.Set("X-OAuth-Code", code)
+	req.Header.Set("X-PortainerExtension-License", licenseKey)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	type extensionResponse struct {
+		Username string `json:"Username,omitempty"`
+		Err      string `json:"err,omitempty"`
+		Details  string `json:"details,omitempty"`
+	}
+
+	var extResp extensionResponse
+	err = json.Unmarshal(body, &extResp)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", portainer.Error(extResp.Err + ":" + extResp.Details)
+	}
+
+	return extResp.Username, nil
+}
+
 func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload oauthPayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
@@ -37,16 +86,16 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", err}
 	}
 
-	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
-	if err != nil {
-		log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid access token", portainer.ErrUnauthorized}
+	extension, err := handler.ExtensionService.Extension(portainer.OAuthAuthenticationExtension)
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Oauth authentication extension is not enabled", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
 	}
 
-	username, err := handler.OAuthService.GetUsername(token, &settings.OAuthSettings)
+	username, err := handler.authenticateThroughExtension(payload.Code, extension.License.LicenseKey, &settings.OAuthSettings)
 	if err != nil {
-		log.Printf("[DEBUG] - Failed acquiring username: %v", err)
-		return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", portainer.ErrUnauthorized}
 	}
 
 	user, err := handler.UserService.UserByUsername(username)
@@ -85,18 +134,3 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 
 	return handler.writeToken(w, user)
 }
-
-func (handler *Handler) loginOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	settings, err := handler.SettingsService.Settings()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
-	}
-
-	if settings.AuthenticationMethod != 3 {
-		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is disabled", err}
-	}
-
-	url := handler.OAuthService.BuildLoginURL(&settings.OAuthSettings)
-	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
-	return nil
-}
diff --git a/api/http/handler/auth/handler.go b/api/http/handler/auth/handler.go
index 50e956e76..75e343f23 100644
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -6,6 +6,7 @@ import (
 	"github.com/gorilla/mux"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/proxy"
 	"github.com/portainer/portainer/http/security"
 )
 
@@ -25,10 +26,11 @@ type Handler struct {
 	CryptoService         portainer.CryptoService
 	JWTService            portainer.JWTService
 	LDAPService           portainer.LDAPService
-	OAuthService          portainer.OAuthService
 	SettingsService       portainer.SettingsService
 	TeamService           portainer.TeamService
 	TeamMembershipService portainer.TeamMembershipService
+	ExtensionService      portainer.ExtensionService
+	ProxyManager          *proxy.Manager
 }
 
 // NewHandler creates a handler to manage authentication operations.
@@ -38,8 +40,6 @@ func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimi
 		authDisabled: authDisabled,
 	}
 
-	h.Handle("/auth/oauth/login",
-		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.loginOAuth)))).Methods(http.MethodGet)
 	h.Handle("/auth/oauth/validate",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.validateOAuth)))).Methods(http.MethodPost)
 	h.Handle("/auth",
diff --git a/api/http/handler/settings/handler.go b/api/http/handler/settings/handler.go
index ee277d676..a9033c701 100644
--- a/api/http/handler/settings/handler.go
+++ b/api/http/handler/settings/handler.go
@@ -19,7 +19,6 @@ type Handler struct {
 	*mux.Router
 	SettingsService portainer.SettingsService
 	LDAPService     portainer.LDAPService
-	OAuthService    portainer.OAuthService
 	FileService     portainer.FileService
 	JobScheduler    portainer.JobScheduler
 	ScheduleService portainer.ScheduleService
diff --git a/api/http/handler/settings/settings_public.go b/api/http/handler/settings/settings_public.go
index 1cb59f8c6..e5fabd6d8 100644
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@@ -33,6 +33,7 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
 		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
 		ExternalTemplates:                  false,
+		// TODO: check if state=portainer useful or not
 		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=portainer",
 			settings.OAuthSettings.AuthorizationURI,
 			settings.OAuthSettings.ClientID,
diff --git a/api/http/proxy/manager.go b/api/http/proxy/manager.go
index b1e2aa6f4..f7cbbd5dd 100644
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@@ -12,7 +12,8 @@ import (
 // TODO: contain code related to legacy extension management
 
 var extensionPorts = map[portainer.ExtensionID]string{
-	portainer.RegistryManagementExtension: "7001",
+	portainer.RegistryManagementExtension:  "7001",
+	portainer.OAuthAuthenticationExtension: "7002",
 }
 
 type (
@@ -103,6 +104,10 @@ func (manager *Manager) CreateExtensionProxy(extensionID portainer.ExtensionID)
 	return proxy, nil
 }
 
+func (manager *Manager) GetExtensionURL(extensionID portainer.ExtensionID) string {
+	return "http://localhost:" + extensionPorts[extensionID]
+}
+
 // DeleteExtensionProxy deletes the extension proxy associated to an extension identifier
 func (manager *Manager) DeleteExtensionProxy(extensionID portainer.ExtensionID) {
 	manager.extensionProxies.Remove(strconv.Itoa(int(extensionID)))
diff --git a/api/http/server.go b/api/http/server.go
index cf3c9ef2b..7f3368f25 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -55,7 +55,6 @@ type Server struct {
 	GitService             portainer.GitService
 	JWTService             portainer.JWTService
 	LDAPService            portainer.LDAPService
-	OAuthService           portainer.OAuthService
 	ExtensionService       portainer.ExtensionService
 	RegistryService        portainer.RegistryService
 	ResourceControlService portainer.ResourceControlService
@@ -105,10 +104,11 @@ func (server *Server) Start() error {
 	authHandler.CryptoService = server.CryptoService
 	authHandler.JWTService = server.JWTService
 	authHandler.LDAPService = server.LDAPService
-	authHandler.OAuthService = server.OAuthService
 	authHandler.SettingsService = server.SettingsService
 	authHandler.TeamService = server.TeamService
 	authHandler.TeamMembershipService = server.TeamMembershipService
+	authHandler.ExtensionService = server.ExtensionService
+	authHandler.ProxyManager = proxyManager
 
 	var dockerHubHandler = dockerhub.NewHandler(requestBouncer)
 	dockerHubHandler.DockerHubService = server.DockerHubService
@@ -157,7 +157,6 @@ func (server *Server) Start() error {
 	var settingsHandler = settings.NewHandler(requestBouncer)
 	settingsHandler.SettingsService = server.SettingsService
 	settingsHandler.LDAPService = server.LDAPService
-	settingsHandler.OAuthService = server.OAuthService
 	settingsHandler.FileService = server.FileService
 	settingsHandler.JobScheduler = server.JobScheduler
 	settingsHandler.ScheduleService = server.ScheduleService
diff --git a/api/oauth/oauth.go b/api/oauth/oauth.go
deleted file mode 100644
index b7de6792f..000000000
--- a/api/oauth/oauth.go
+++ /dev/null
@@ -1,123 +0,0 @@
-package oauth
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"mime"
-	"net/http"
-	"net/url"
-
-	"github.com/portainer/portainer"
-	"golang.org/x/oauth2"
-)
-
-const (
-	// ErrInvalidCode defines an error raised when the user authorization code is invalid
-	ErrInvalidCode = portainer.Error("Invalid OAuth authorization code")
-)
-
-// Service represents a service used to authenticate users against an authorization server
-type Service struct{}
-
-// GetAccessToken takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint
-func (*Service) GetAccessToken(code string, settings *portainer.OAuthSettings) (string, error) {
-	unescapedCode, err := url.QueryUnescape(code)
-	if err != nil {
-		return "", err
-	}
-
-	config := buildConfig(settings)
-	token, err := config.Exchange(context.Background(), unescapedCode)
-	if err != nil {
-		return "", err
-	}
-
-	return token.AccessToken, nil
-}
-
-// GetUsername takes a token and retrieves the portainer OAuthSettings user identifier from resource server.
-func (*Service) GetUsername(token string, settings *portainer.OAuthSettings) (string, error) {
-	req, err := http.NewRequest("GET", settings.ResourceURI, nil)
-	if err != nil {
-		return "", err
-	}
-
-	client := &http.Client{}
-	req.Header.Set("Authorization", "Bearer "+token)
-	resp, err := client.Do(req)
-	if err != nil {
-		return "", err
-	}
-
-	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return "", err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return "", &oauth2.RetrieveError{
-			Response: resp,
-			Body:     body,
-		}
-	}
-
-	content, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
-	if err != nil {
-		return "", err
-	}
-
-	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
-		values, err := url.ParseQuery(string(body))
-		if err != nil {
-			return "", err
-		}
-
-		username := values.Get(settings.UserIdentifier)
-		return username, nil
-	}
-
-	var datamap map[string]interface{}
-	if err = json.Unmarshal(body, &datamap); err != nil {
-		return "", err
-	}
-
-	username, ok := datamap[settings.UserIdentifier].(string)
-	if ok && username != "" {
-		return username, nil
-	}
-
-	if !ok {
-		username, ok := datamap[settings.UserIdentifier].(float64)
-		if ok && username != 0 {
-			return fmt.Sprint(int(username)), nil
-		}
-	}
-	return "", &oauth2.RetrieveError{
-		Response: resp,
-		Body:     body,
-	}
-}
-
-// BuildLoginURL creates a login url for the oauth provider
-func (*Service) BuildLoginURL(oauthSettings *portainer.OAuthSettings) string {
-	oauthConfig := buildConfig(oauthSettings)
-	return oauthConfig.AuthCodeURL("portainer")
-}
-
-func buildConfig(oauthSettings *portainer.OAuthSettings) *oauth2.Config {
-	endpoint := oauth2.Endpoint{
-		AuthURL:  oauthSettings.AuthorizationURI,
-		TokenURL: oauthSettings.AccessTokenURI,
-	}
-
-	return &oauth2.Config{
-		ClientID:     oauthSettings.ClientID,
-		ClientSecret: oauthSettings.ClientSecret,
-		Endpoint:     endpoint,
-		RedirectURL:  oauthSettings.RedirectURI,
-		Scopes:       []string{oauthSettings.Scopes},
-	}
-}
diff --git a/api/portainer.go b/api/portainer.go
index de2511b37..1123e3b16 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -67,7 +67,7 @@ type (
 		UserIdentifier       string `json:"UserIdentifier"`
 		Scopes               string `json:"Scopes"`
 		OAuthAutoCreateUsers bool   `json:"OAuthAutoCreateUsers"`
-		DefaultTeamID        TeamID     `json:"DefaultTeamID"`
+		DefaultTeamID        TeamID `json:"DefaultTeamID"`
 	}
 
 	// TLSConfiguration represents a TLS configuration
@@ -764,13 +764,6 @@ type (
 		GetUserGroups(username string, settings *LDAPSettings) ([]string, error)
 	}
 
-	// OAuthService represents a service used to authenticate users against an authorization server
-	OAuthService interface {
-		GetAccessToken(code string, settings *OAuthSettings) (string, error)
-		GetUsername(token string, settings *OAuthSettings) (string, error)
-		BuildLoginURL(oauthSettings *OAuthSettings) string
-	}
-
 	// SwarmStackManager represents a service to manage Swarm stacks
 	SwarmStackManager interface {
 		Login(dockerhub *DockerHub, registries []Registry, endpoint *Endpoint)
@@ -809,7 +802,8 @@ const (
 	// MessageOfTheDayURL represents the URL where Portainer MOTD message can be retrieved
 	MessageOfTheDayURL = AssetsServerURL + "/motd.html"
 	// ExtensionDefinitionsURL represents the URL where Portainer extension definitions can be retrieved
-	ExtensionDefinitionsURL = AssetsServerURL + "/extensions.json"
+	// TODO: UPDATE URL to production URL
+	ExtensionDefinitionsURL = AssetsServerURL + "/extensions-dev.json"
 	// PortainerAgentHeader represents the name of the header available in any agent response
 	PortainerAgentHeader = "Portainer-Agent"
 	// PortainerAgentTargetHeader represent the name of the header containing the target node name
@@ -936,6 +930,8 @@ const (
 	_ ExtensionID = iota
 	// RegistryManagementExtension represents the registry management extension
 	RegistryManagementExtension
+	// OAuthAuthenticationExtension represents the OAuth authentication extension
+	OAuthAuthenticationExtension
 )
 
 const (
diff --git a/app/portainer/services/api/extensionService.js b/app/portainer/services/api/extensionService.js
index b7087f3fc..a715effea 100644
--- a/app/portainer/services/api/extensionService.js
+++ b/app/portainer/services/api/extensionService.js
@@ -62,5 +62,20 @@ angular.module('portainer.app')
     return deferred.promise;
   };
 
+  service.OAuthAuthenticationEnabled = function() {
+    var deferred = $q.defer();
+
+    service.extensions(false)
+    .then(function onSuccess(extensions) {
+      var extensionAvailable = _.find(extensions, { Id: 2, Enabled: true }) ? true : false;
+      deferred.resolve(extensionAvailable);
+    })
+    .catch(function onError(err) {
+      deferred.reject(err);
+    });
+
+    return deferred.promise;
+  };
+
   return service;
 }]);
diff --git a/app/portainer/views/settings/authentication/settingsAuthentication.html b/app/portainer/views/settings/authentication/settingsAuthentication.html
index 1458dc076..cddc54848 100644
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@@ -37,7 +37,7 @@
                   <p>LDAP authentication</p>
                 </label>
               </div>
-              <div>
+              <div ng-if="oauthAuthenticationAvailable">
                 <input type="radio" id="registry_auth" ng-model="settings.AuthenticationMethod" ng-value="3">
                 <label for="registry_auth">
                   <div class="boxselector_header">
@@ -47,6 +47,16 @@
                   <p>OAuth authentication</p>
                 </label>
               </div>
+              <div style="color: #767676;" ng-click="goToOAuthExtensionView()" ng-if="!oauthAuthenticationAvailable">
+                <input type="radio" id="registry_auth" ng-model="settings.AuthenticationMethod" ng-value="3" disabled>
+                <label for="registry_auth" tooltip-append-to-body="true" tooltip-placement="bottom" tooltip-class="portainer-tooltip" uib-tooltip="Feature available via an extension" style="cursor:pointer; border-color: #767676">
+                  <div class="boxselector_header">
+                    <i class="fa fa-users" aria-hidden="true" style="margin-right: 2px;"></i>
+                    OAuth (extension)
+                  </div>
+                  <p>OAuth authentication</p>
+                </label>
+              </div>
             </div>
           </div>
 
diff --git a/app/portainer/views/settings/authentication/settingsAuthenticationController.js b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
index 8a22d1783..f6f28b3be 100644
--- a/app/portainer/views/settings/authentication/settingsAuthenticationController.js
+++ b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
@@ -1,6 +1,6 @@
 angular.module('portainer.app')
-.controller('SettingsAuthenticationController', ['$q', '$scope', 'Notifications', 'SettingsService', 'FileUploadService', 'TeamService',
-function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamService) {
+.controller('SettingsAuthenticationController', ['$q', '$scope', '$state', 'Notifications', 'SettingsService', 'FileUploadService', 'TeamService', 'ExtensionService',
+function($q, $scope, $state, Notifications, SettingsService, FileUploadService, TeamService, ExtensionService) {
 
   $scope.state = {
     successfulConnectivityCheck: false,
@@ -14,6 +14,10 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamSer
     TLSCACert: ''
   };
 
+  $scope.goToOAuthExtensionView = function() {
+    $state.go('portainer.extensions.extension', { id: 2 });
+  };
+
   $scope.isOauthEnabled = function isOauthEnabled() {
     return $scope.settings && $scope.settings.AuthenticationMethod === 3;
   };
@@ -25,7 +29,7 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamSer
   $scope.removeSearchConfiguration = function(index) {
     $scope.LDAPSettings.SearchSettings.splice(index, 1);
   };
-  
+
   $scope.addGroupSearchConfiguration = function() {
     $scope.LDAPSettings.GroupSearchSettings.push({ GroupBaseDN: '', GroupAttribute: '', GroupFilter: '' });
   };
@@ -98,14 +102,17 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamSer
   function initView() {
     $q.all({
       settings: SettingsService.settings(),
-      teams: TeamService.teams()
-    }).then(function success(data) {
+      teams: TeamService.teams(),
+      oauthAuthentication: ExtensionService.OAuthAuthenticationEnabled()
+    })
+    .then(function success(data) {
       var settings = data.settings;
       $scope.teams = data.teams;
       $scope.settings = settings;
       $scope.LDAPSettings = settings.LDAPSettings;
       $scope.OAuthSettings = settings.OAuthSettings;
       $scope.formValues.TLSCACert = settings.LDAPSettings.TLSConfig.TLSCACert;
+      $scope.oauthAuthenticationAvailable = data.oauthAuthentication;
     })
     .catch(function error(err) {
       Notifications.error('Failure', err, 'Unable to retrieve application settings');

From 2ef8c0b33e3b32a86e870636c4a74d54c512f991 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Mon, 18 Feb 2019 15:08:54 +1300
Subject: [PATCH 46/61] fix(app): rewrite URLHelper to avoid an issue with
 minification

---
 app/portainer/helpers/urlHelper.js         | 14 ++++++++++----
 app/portainer/views/auth/authController.js |  8 ++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/app/portainer/helpers/urlHelper.js b/app/portainer/helpers/urlHelper.js
index 3125492a5..2b40c7274 100644
--- a/app/portainer/helpers/urlHelper.js
+++ b/app/portainer/helpers/urlHelper.js
@@ -1,6 +1,10 @@
-angular.module('portainer.app').service('urlHelper', function urlHelper($window) {
-  this.getParameter = getParameter;
-  this.cleanParameters = cleanParameters;
+angular.module('portainer.app')
+.factory('URLHelper', ['$window', function URLHelperFactory($window) {
+  'use strict';
+  var helper = {};
+
+  helper.getParameter = getParameter;
+  helper.cleanParameters = cleanParameters;
 
   function getParameter(param) {
     var parameters = extractParameters();
@@ -21,4 +25,6 @@ angular.module('portainer.app').service('urlHelper', function urlHelper($window)
   function cleanParameters() {
     $window.location.search = '';
   }
-});
+
+  return helper;
+}]);
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 98de83580..3ba71c982 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -1,5 +1,5 @@
-angular.module('portainer.app').controller('AuthenticationController', ['$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService', 'urlHelper',
-  function($q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService, urlHelper) {
+angular.module('portainer.app').controller('AuthenticationController', ['$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService', 'URLHelper',
+  function($q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService, URLHelper) {
     $scope.logo = StateManager.getState().application.logo;
 
     $scope.formValues = {
@@ -105,7 +105,7 @@ angular.module('portainer.app').controller('AuthenticationController', ['$q', '$
         authenticatedFlow();
       }
 
-      var code = urlHelper.getParameter('code');
+      var code = URLHelper.getParameter('code');
       if (code) {
         oAuthLogin(code);
       } else {
@@ -116,7 +116,7 @@ angular.module('portainer.app').controller('AuthenticationController', ['$q', '$
     function oAuthLogin(code) {
       return Authentication.OAuthLogin(code)
         .then(function success() {
-          urlHelper.cleanParameters();
+          URLHelper.cleanParameters();
           $state.go('portainer.home');
         })
         .catch(function error() {

From b6f04c5e0dcd61719a305a7785a3c2aab2e26fb4 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Mon, 18 Feb 2019 15:21:06 +1300
Subject: [PATCH 47/61] fix(oauth): fix missing scopes for microsoft provider

---
 .../oauth-provider-selector-controller.js                       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
index b12549392..dfb38fafe 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
@@ -8,7 +8,7 @@ angular.module('portainer.extensions.oauth')
         accessTokenUrl: 'https://login.microsoftonline.com/TENANT_ID/oauth2/token',
         resourceUrl: 'https://graph.windows.net/TENANT_ID/me?api-version=2013-11-08',
         userIdentifier: 'mail',
-        scope: 'id,email,name',
+        scopes: 'id,email,name',
         name: 'microsoft'
       },
       {

From 73f20b515759166696616b1fec7fc6657ac8bf02 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Mon, 18 Feb 2019 15:21:34 +1300
Subject: [PATCH 48/61] refactor(oauth): remove console log statement

---
 .../oauth-provider-selector-controller.js                        | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
index dfb38fafe..82971ae1b 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
@@ -35,7 +35,6 @@ angular.module('portainer.extensions.oauth')
     this.$onInit = onInit;
 
     function onInit() {
-      console.log(ctrl.provider.authUrl);
       if (ctrl.provider.authUrl) {
         ctrl.provider = getProviderByURL(ctrl.provider.authUrl);
       } else {

From e325ad10dd0c7557f7e44a16e6d2d82e000e1c49 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Mon, 18 Feb 2019 16:18:48 +1300
Subject: [PATCH 49/61] fix(oauth): fix an UX issue when updating microsoft
 oauth settings

---
 .../oauth-settings/oauth-settings-controller.js        | 10 +++++++++-
 .../components/oauth-settings/oauth-settings.html      |  3 ++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
index c5015b5e8..c6808ebf0 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
@@ -37,6 +37,14 @@ angular.module('portainer.extensions.oauth')
       if (ctrl.settings.RedirectURI === '') {
         ctrl.settings.RedirectURI = window.location.origin;
       }
-      ctrl.state.provider.authUrl = ctrl.settings.AuthorizationURI;
+      if (ctrl.settings.AuthorizationURI !== '') {
+        ctrl.state.provider.authUrl = ctrl.settings.AuthorizationURI;
+
+        if (ctrl.settings.AuthorizationURI.indexOf('login.microsoftonline.com') > -1) {
+          var tenantID = ctrl.settings.AuthorizationURI.match(/login.microsoftonline.com\/(.*?)\//)[1];
+          ctrl.state.microsoftTenantID = tenantID;
+          onMicrosoftTenantIDChange();
+        }
+      }
     }
   });
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index e6f5e13e8..7a9593f6a 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -18,7 +18,8 @@
   <div ng-if="$ctrl.settings.OAuthAutoCreateUsers">
     <div class="form-group">
       <span class="col-sm-12 text-muted small">
-        The users created by the automatic provisioning feature can be added to a default team on creation. This setting is optional.
+        <p>The users created by the automatic provisioning feature can be added to a default team on creation.</p>
+        <p>By assigning newly created users to a team they will be able to access the environments associated to that team. This setting is optional and if not set newly created users won't be able to access any environments.</p>
       </span>
     </div>
     <div class="form-group">

From 9918c1260b2ec5147a5a699b1f1f24ba729fb7bb Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Tue, 19 Feb 2019 09:54:02 +1300
Subject: [PATCH 50/61] feat(oauth): update authentication panel with OAuth
 provider details

---
 app/portainer/views/auth/auth.html         |  15 +-
 app/portainer/views/auth/authController.js | 246 +++++++++++----------
 2 files changed, 143 insertions(+), 118 deletions(-)

diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 8787121ba..1aea214f0 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -29,13 +29,22 @@
             <div class="form-group">
               <div class="col-sm-12" >
                 <a ng-href="{{OAuthLoginURI}}" ng-if="AuthenticationMethod === 3">
-                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px">
-                    <i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login with OAuth
+                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px" ng-if="state.OAuthProvider === 'Microsoft'">
+                    <i class="fab fa-microsoft" aria-hidden="true"></i> Login with Microsoft
+                  </div>
+                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px" ng-if="state.OAuthProvider === 'Google'">
+                    <i class="fab fa-google" aria-hidden="true" ></i> Login with Google
+                  </div>
+                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px" ng-if="state.OAuthProvider === 'Github'">
+                    <i class="fab fa-github" aria-hidden="true" ></i> Login with Github
+                  </div>
+                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px" ng-if="state.OAuthProvider === ''">
+                    <i class="fa fa-sign-in-alt" aria-hidden="true" ></i> Login with OAuth
                   </div>
                 </a>
 
                 <button type="submit" class="btn btn-primary btn-sm pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login</button>
-                
+
                 <span class="pull-right" style="margin: 5px;" ng-if="state.AuthenticationError">
                   <i class="fa fa-exclamation-triangle red-icon" aria-hidden="true" style="margin-right: 2px;"></i>
                   <span class="small text-danger">{{ state.AuthenticationError }}</span>
diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index 3ba71c982..f4bb38da8 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -1,130 +1,146 @@
-angular.module('portainer.app').controller('AuthenticationController', ['$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService', 'URLHelper',
-  function($q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService, URLHelper) {
-    $scope.logo = StateManager.getState().application.logo;
+angular.module('portainer.app')
+.controller('AuthenticationController', ['$q', '$scope', '$state', '$stateParams', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService', 'URLHelper',
+function($q, $scope, $state, $stateParams, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService, URLHelper) {
+  $scope.logo = StateManager.getState().application.logo;
 
-    $scope.formValues = {
-      Username: '',
-      Password: ''
-    };
+  $scope.formValues = {
+    Username: '',
+    Password: ''
+  };
 
-    $scope.state = {
-      AuthenticationError: '',
-      isInOAuthProcess: true
-    };
+  $scope.state = {
+    AuthenticationError: '',
+    isInOAuthProcess: true,
+    OAuthProvider: ''
+  };
 
-    $scope.authenticateUser = function() {
-      var username = $scope.formValues.Username;
-      var password = $scope.formValues.Password;
+  $scope.authenticateUser = function() {
+    var username = $scope.formValues.Username;
+    var password = $scope.formValues.Password;
 
-      Authentication.login(username, password)
-        .then(function success() {
-          checkForEndpoints();
-        })
-        .catch(function error() {
-          SettingsService.publicSettings()
-            .then(function success(settings) {
-              if (settings.AuthenticationMethod === 1) {
-                return Authentication.login($sanitize(username), $sanitize(password));
-              }
-              return $q.reject();
-            })
-            .then(function success() {
-              $state.go('portainer.updatePassword');
-            })
-            .catch(function error() {
-              $scope.state.AuthenticationError = 'Invalid credentials';
-            });
-        });
-    };
-
-    function unauthenticatedFlow() {
-      EndpointService.endpoints()
-        .then(function success(endpoints) {
-          if (endpoints.length === 0) {
-            $state.go('portainer.init.endpoint');
-          } else {
-            $state.go($stateParams.redirect || 'portainer.home');
-          }
-        })
-        .catch(function error(err) {
-          Notifications.error('Failure', err, 'Unable to retrieve endpoints');
-        });
-    }
-
-    function authenticatedFlow() {
-      UserService.administratorExists()
-        .then(function success(exists) {
-          if (!exists) {
-            $state.go('portainer.init.admin');
-          }
-        })
-        .catch(function error(err) {
-          Notifications.error('Failure', err, 'Unable to verify administrator account existence');
-        });
-    }
-
-    function checkForEndpoints() {
-      EndpointService.endpoints()
-        .then(function success(data) {
-          var endpoints = data;
-          var userDetails = Authentication.getUserDetails();
-
-          if (endpoints.length === 0 && userDetails.role === 1) {
-            $state.go('portainer.init.endpoint');
-          } else {
-            $state.go($stateParams.redirect || 'portainer.home');
-          }
-        })
-        .catch(function error(err) {
-          Notifications.error('Failure', err, 'Unable to retrieve endpoints');
-        });
-    }
-
-    function initView() {
+    Authentication.login(username, password)
+    .then(function success() {
+      checkForEndpoints();
+    })
+    .catch(function error() {
       SettingsService.publicSettings()
-        .then(function success(settings) {
-          $scope.AuthenticationMethod = settings.AuthenticationMethod;
-          $scope.OAuthLoginURI = settings.OAuthLoginURI;
-        });
+      .then(function success(settings) {
+        if (settings.AuthenticationMethod === 1) {
+          return Authentication.login($sanitize(username), $sanitize(password));
+        }
+        return $q.reject();
+      })
+      .then(function success() {
+        $state.go('portainer.updatePassword');
+      })
+      .catch(function error() {
+        $scope.state.AuthenticationError = 'Invalid credentials';
+      });
+    });
+  };
 
-      if ($stateParams.logout || $stateParams.error) {
-        Authentication.logout();
-        $scope.state.AuthenticationError = $stateParams.error;
-        $scope.state.isInOAuthProcess = false;
-        return;
-      }
-
-      if (Authentication.isAuthenticated()) {
-        $state.go('portainer.home');
-      }
-
-      var authenticationEnabled = $scope.applicationState.application.authentication;
-      if (!authenticationEnabled) {
-        unauthenticatedFlow();
+  function unauthenticatedFlow() {
+    EndpointService.endpoints()
+    .then(function success(endpoints) {
+      if (endpoints.length === 0) {
+        $state.go('portainer.init.endpoint');
       } else {
-        authenticatedFlow();
+        $state.go($stateParams.redirect || 'portainer.home');
       }
+    })
+    .catch(function error(err) {
+      Notifications.error('Failure', err, 'Unable to retrieve endpoints');
+    });
+  }
 
-      var code = URLHelper.getParameter('code');
-      if (code) {
-        oAuthLogin(code);
-      } else {
-        $scope.state.isInOAuthProcess = false;
+  function authenticatedFlow() {
+    UserService.administratorExists()
+    .then(function success(exists) {
+      if (!exists) {
+        $state.go('portainer.init.admin');
       }
+    })
+    .catch(function error(err) {
+      Notifications.error('Failure', err, 'Unable to verify administrator account existence');
+    });
+  }
+
+  function checkForEndpoints() {
+    EndpointService.endpoints()
+    .then(function success(data) {
+      var endpoints = data;
+      var userDetails = Authentication.getUserDetails();
+
+      if (endpoints.length === 0 && userDetails.role === 1) {
+        $state.go('portainer.init.endpoint');
+      } else {
+        $state.go($stateParams.redirect || 'portainer.home');
+      }
+    })
+    .catch(function error(err) {
+      Notifications.error('Failure', err, 'Unable to retrieve endpoints');
+    });
+  }
+
+  function determineOauthProvider(LoginURI) {
+    if (LoginURI.indexOf('login.microsoftonline.com') !== -1) {
+      return 'Microsoft';
+    }
+    else if (LoginURI.indexOf('accounts.google.com') !== -1) {
+      return 'Google';
+    }
+    else if (LoginURI.indexOf('github.com') !== -1) {
+      return 'Github';
+    }
+    return 'OAuth';
+  }
+
+  function initView() {
+    SettingsService.publicSettings()
+    .then(function success(settings) {
+      $scope.AuthenticationMethod = settings.AuthenticationMethod;
+      $scope.OAuthLoginURI = settings.OAuthLoginURI;
+      $scope.state.OAuthProvider = determineOauthProvider(settings.OAuthLoginURI);
+    });
+
+    if ($stateParams.logout || $stateParams.error) {
+      Authentication.logout();
+      $scope.state.AuthenticationError = $stateParams.error;
+      $scope.state.isInOAuthProcess = false;
+      return;
     }
 
-    function oAuthLogin(code) {
-      return Authentication.OAuthLogin(code)
-        .then(function success() {
-          URLHelper.cleanParameters();
-          $state.go('portainer.home');
-        })
-        .catch(function error() {
-          $scope.state.AuthenticationError = 'Unable to login via OAuth';
-          $scope.state.isInOAuthProcess = false;
-        });
+    if (Authentication.isAuthenticated()) {
+      $state.go('portainer.home');
     }
 
+    var authenticationEnabled = $scope.applicationState.application.authentication;
+    if (!authenticationEnabled) {
+      unauthenticatedFlow();
+    } else {
+      authenticatedFlow();
+    }
 
-    initView();
-  }]);
+    var code = URLHelper.getParameter('code');
+    if (code) {
+      oAuthLogin(code);
+    } else {
+      $scope.state.isInOAuthProcess = false;
+    }
+  }
+
+  function oAuthLogin(code) {
+    return Authentication.OAuthLogin(code)
+    .then(function success() {
+      URLHelper.cleanParameters();
+      $state.go('portainer.home');
+    })
+    .catch(function error() {
+      $scope.state.AuthenticationError = 'Unable to login via OAuth';
+      $scope.state.isInOAuthProcess = false;
+    });
+  }
+
+
+  initView();
+}]);

From ce9e009e2275637dc44adf50a5469300d2ab1113 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Tue, 19 Feb 2019 14:38:42 +1300
Subject: [PATCH 51/61] feat(oauth): update UI/UX

---
 .../oauth-settings/oauth-settings.html        | 35 +++++++++----------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index 7a9593f6a..0694026ab 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -5,7 +5,7 @@
   <div class="form-group">
     <span class="col-sm-12 text-muted small">
       With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If
-      disabled, users must be created in Portainer in order to login.
+      disabled, users must be created beforehand in Portainer in order to login.
     </span>
   </div>
   <div class="form-group">
@@ -60,7 +60,7 @@
   <div class="form-group">
     <label for="oauth_client_id" class="col-sm-3 col-lg-2 control-label text-left">
       Client ID
-      <portainer-tooltip position="bottom" message="Client ID that authorization server supports"></portainer-tooltip>
+      <portainer-tooltip position="bottom" message="Public identifier of the OAuth application"></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
@@ -75,11 +75,7 @@
 
   <div class="form-group">
     <label for="oauth_client_secret" class="col-sm-3 col-lg-2 control-label text-left">
-      Client Secret
-      <portainer-tooltip
-      position="bottom"
-      message="Client secret that authorization server supports"
-      ></portainer-tooltip>
+      Client secret
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
@@ -94,10 +90,10 @@
 
   <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_authorization_uri" class="col-sm-3 col-lg-2 control-label text-left">
-      Authorization URI
+      Authorization URL
       <portainer-tooltip
       position="bottom"
-      message="URI where the user is redirected in order to login with OAuth provider"
+      message="URL used to authenticate against the OAuth provider. Will redirect the user to the OAuth provider login view"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
@@ -113,10 +109,10 @@
 
   <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_access_token_uri" class="col-sm-3 col-lg-2 control-label text-left">
-      Access Token URI
+      Access token URL
       <portainer-tooltip
       position="bottom"
-      message="URI where portainer will attempt to obtain an access token"
+      message="URL used by Portainer to exchange a valid OAuth authentication code for an access token"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
@@ -132,10 +128,10 @@
 
   <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_resource_uri" class="col-sm-3 col-lg-2 control-label text-left">
-      Resource URI
+      Resource URL
       <portainer-tooltip
       position="bottom"
-      message="URI where portainer will attempt to retrieve the user identifier value"
+      message="URL used by Portainer to retrieve information about the authenticated user"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
@@ -151,8 +147,11 @@
 
   <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_redirect_uri" class="col-sm-3 col-lg-2 control-label text-left">
-      Redirect URI
-      <portainer-tooltip position="bottom" message="Set this as your portainer index"></portainer-tooltip>
+      Redirect URL
+      <portainer-tooltip
+      position="bottom"
+      message="URL used by the OAuth provider to redirect the user after successful authentication. Should be set to your Portainer instance URL"
+      ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
@@ -167,10 +166,10 @@
 
   <div class="form-group" ng-if="$ctrl.state.provider.name == 'custom' || $ctrl.state.overrideConfiguration">
     <label for="oauth_user_identifier" class="col-sm-3 col-lg-2 control-label text-left">
-      User Identifier
+      User identifier
       <portainer-tooltip
       position="bottom"
-      message="Key that identifies the user in the resource server request"
+      message="Identifier that will be used by Portainer to create an account for the authenticated user. Retrieved from the resource server specified via the Resource URL field"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
@@ -189,7 +188,7 @@
       Scopes
       <portainer-tooltip
       position="bottom"
-      message="Scopes that are required to obtain the user identifier separated by delimiter if server expects it"
+      message="Scopes required by the OAuth provider to retrieve information about the authenticated user. Refer to your OAuth provider documentation for more information about this"
       ></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">

From d510d23408ab0897d359bd11db88b3ca7025fa97 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Wed, 20 Feb 2019 13:53:25 +1300
Subject: [PATCH 52/61] feat(oauth): improve Azure OAuth support

---
 api/http/handler/auth/authenticate_oauth.go                   | 4 +++-
 api/http/handler/settings/settings_public.go                  | 2 +-
 .../oauth-provider-selector-controller.js                     | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/api/http/handler/auth/authenticate_oauth.go b/api/http/handler/auth/authenticate_oauth.go
index 5eafe0d1b..d8559e999 100644
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"io/ioutil"
 	"net/http"
+	"log"
 
 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
@@ -83,7 +84,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 	}
 
 	if settings.AuthenticationMethod != 3 {
-		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", err}
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", portainer.Error("OAuth authentication is not enabled")}
 	}
 
 	extension, err := handler.ExtensionService.Extension(portainer.OAuthAuthenticationExtension)
@@ -95,6 +96,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 
 	username, err := handler.authenticateThroughExtension(payload.Code, extension.License.LicenseKey, &settings.OAuthSettings)
 	if err != nil {
+		log.Printf("[DEBUG] - OAuth authentication error: %s", err)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", portainer.ErrUnauthorized}
 	}
 
diff --git a/api/http/handler/settings/settings_public.go b/api/http/handler/settings/settings_public.go
index e5fabd6d8..800c43641 100644
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@@ -34,7 +34,7 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
 		ExternalTemplates:                  false,
 		// TODO: check if state=portainer useful or not
-		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=portainer",
+		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=portainer&prompt=login",
 			settings.OAuthSettings.AuthorizationURI,
 			settings.OAuthSettings.ClientID,
 			settings.OAuthSettings.RedirectURI,
diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
index 82971ae1b..73721cb1c 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
@@ -7,7 +7,7 @@ angular.module('portainer.extensions.oauth')
         authUrl: 'https://login.microsoftonline.com/TENANT_ID/oauth2/authorize',
         accessTokenUrl: 'https://login.microsoftonline.com/TENANT_ID/oauth2/token',
         resourceUrl: 'https://graph.windows.net/TENANT_ID/me?api-version=2013-11-08',
-        userIdentifier: 'mail',
+        userIdentifier: 'userPrincipalName',
         scopes: 'id,email,name',
         name: 'microsoft'
       },

From 4a5fa211a78a4811deb4b860891ba2ecc486cae0 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Wed, 20 Feb 2019 13:57:13 +1300
Subject: [PATCH 53/61] feat(account): display a warning message in the account
 view

---
 app/portainer/views/account/account.html | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/portainer/views/account/account.html b/app/portainer/views/account/account.html
index d8c6fe955..c289771cc 100644
--- a/app/portainer/views/account/account.html
+++ b/app/portainer/views/account/account.html
@@ -56,6 +56,10 @@
                 <i class="fa fa-exclamation-triangle" aria-hidden="true"></i>
                 You cannot change your password when using LDAP authentication.
               </span>
+              <span class="text-muted small" style="margin-left: 5px;" ng-if="AuthenticationMethod === 3 && userID !== 1">
+                <i class="fa fa-exclamation-triangle" aria-hidden="true"></i>
+                You cannot change your password when using OAuth authentication.
+              </span>
             </div>
           </div>
         </form>

From 6711e6c969ac139cbfe4bc700aa92b6ea22df394 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Thu, 21 Feb 2019 10:30:09 +1300
Subject: [PATCH 54/61] feat(oauth): update configuration override UX

---
 .../oauth-settings-controller.js              | 23 +++++++++++++++----
 .../oauth-settings/oauth-settings.html        |  4 ++--
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
index c6808ebf0..c7de7e428 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
@@ -11,6 +11,7 @@ angular.module('portainer.extensions.oauth')
     this.$onInit = onInit;
     this.onSelectProvider = onSelectProvider;
     this.onMicrosoftTenantIDChange = onMicrosoftTenantIDChange;
+    this.resetProviderConfiguration = resetProviderConfiguration;
 
     function onMicrosoftTenantIDChange() {
       var tenantID = ctrl.state.microsoftTenantID;
@@ -20,13 +21,25 @@ angular.module('portainer.extensions.oauth')
       ctrl.settings.ResourceURI = _.replace('https://graph.windows.net/TENANT_ID/me?api-version=2013-11-08', 'TENANT_ID', tenantID);
     }
 
+    function resetProviderConfiguration() {
+      ctrl.settings.AuthorizationURI = ctrl.state.provider.authUrl;
+      ctrl.settings.AccessTokenURI = ctrl.state.provider.accessTokenUrl;
+      ctrl.settings.ResourceURI = ctrl.state.provider.resourceUrl;
+      ctrl.settings.UserIdentifier = ctrl.state.provider.userIdentifier;
+      ctrl.settings.Scopes = ctrl.state.provider.scopes;
+
+      if (ctrl.state.provider.name === 'microsoft' && ctrl.state.microsoftTenantID !== '') {
+        onMicrosoftTenantIDChange();
+      }
+    }
+
     function onSelectProvider(provider) {
       ctrl.state.provider = provider;
-      ctrl.settings.AuthorizationURI = provider.authUrl;
-      ctrl.settings.AccessTokenURI = provider.accessTokenUrl;
-      ctrl.settings.ResourceURI = provider.resourceUrl;
-      ctrl.settings.UserIdentifier = provider.userIdentifier;
-      ctrl.settings.Scopes = provider.scopes;
+      ctrl.settings.AuthorizationURI = ctrl.settings.AuthorizationURI === '' ? provider.authUrl : ctrl.settings.AuthorizationURI;
+      ctrl.settings.AccessTokenURI = ctrl.settings.AccessTokenURI === '' ? provider.accessTokenUrl : ctrl.settings.AccessTokenURI;
+      ctrl.settings.ResourceURI = ctrl.settings.ResourceURI === '' ? provider.resourceUrl : ctrl.settings.ResourceURI;
+      ctrl.settings.UserIdentifier = ctrl.settings.UserIdentifier === '' ? provider.userIdentifier : ctrl.settings.UserIdentifier;
+      ctrl.settings.Scopes = ctrl.settings.Scopes === '' ? provider.scopes : ctrl.settings.Scopes;
 
       if (provider.name === 'microsoft' && ctrl.state.microsoftTenantID !== '') {
         onMicrosoftTenantIDChange();
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index 0694026ab..a3ec3169c 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -205,9 +205,9 @@
   <div class="form-group" ng-if="$ctrl.state.provider.name != 'custom'">
     <div class="col-sm-12">
       <a class="small interactive" ng-if="!$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = true;">
-        <i class="fa fa-wrench space-right" aria-hidden="true"></i> Override configuration
+        <i class="fa fa-wrench space-right" aria-hidden="true"></i> Override default configuration
       </a>
-      <a class="small interactive" ng-if="$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = false;">
+      <a class="small interactive" ng-if="$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = false; $ctrl.resetProviderConfiguration()">
         <i class="fa fa-cogs space-right" aria-hidden="true"></i> Use default configuration
       </a>
     </div>

From b9ac3d4286a214010d537a0ad62c451505ab27bb Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Thu, 21 Feb 2019 11:09:57 +1300
Subject: [PATCH 55/61] feat(oauth): fix the double refresh issue

---
 app/portainer/views/auth/authController.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/portainer/views/auth/authController.js b/app/portainer/views/auth/authController.js
index f4bb38da8..9f53b4231 100644
--- a/app/portainer/views/auth/authController.js
+++ b/app/portainer/views/auth/authController.js
@@ -133,7 +133,6 @@ function($q, $scope, $state, $stateParams, $sanitize, Authentication, UserServic
     return Authentication.OAuthLogin(code)
     .then(function success() {
       URLHelper.cleanParameters();
-      $state.go('portainer.home');
     })
     .catch(function error() {
       $scope.state.AuthenticationError = 'Unable to login via OAuth';

From dc2a8cf1f49e9f88544f0993a7d514f3f6ee4958 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Thu, 21 Feb 2019 14:02:25 +1300
Subject: [PATCH 56/61] feat(oauth): update OAuth configuration UX

---
 api/http/handler/settings/settings_public.go  |  3 +--
 .../oauth-provider-selector-controller.js     |  2 +-
 .../oauth-providers-selector.html             |  8 ++++----
 .../oauth-settings-controller.js              | 19 +++++++++++++++----
 .../oauth-settings/oauth-settings.html        |  2 +-
 app/portainer/views/auth/auth.html            |  2 +-
 6 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/api/http/handler/settings/settings_public.go b/api/http/handler/settings/settings_public.go
index 800c43641..cc1e07854 100644
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@@ -33,8 +33,7 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
 		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
 		ExternalTemplates:                  false,
-		// TODO: check if state=portainer useful or not
-		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=portainer&prompt=login",
+		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&prompt=login",
 			settings.OAuthSettings.AuthorizationURI,
 			settings.OAuthSettings.ClientID,
 			settings.OAuthSettings.RedirectURI,
diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
index 73721cb1c..1cb1155cc 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
@@ -40,7 +40,7 @@ angular.module('portainer.extensions.oauth')
       } else {
         ctrl.provider = ctrl.providers[0];
       }
-      ctrl.onSelect(ctrl.provider);
+      ctrl.onSelect(ctrl.provider, false);
     }
 
     function getProviderByURL(providerAuthURL) {
diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
index 8422f0900..56023908e 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-providers-selector.html
@@ -5,7 +5,7 @@
 <div class="form-group"></div>
 <div class="form-group" style="margin-bottom: 0">
   <div class="boxselector_wrapper">
-    <div ng-click="$ctrl.onSelect($ctrl.provider)">
+    <div ng-click="$ctrl.onSelect($ctrl.provider, true)">
       <input type="radio" id="oauth_provider_microsoft" ng-model="$ctrl.provider" ng-value="$ctrl.providers[0]">
       <label for="oauth_provider_microsoft">
         <div class="boxselector_header">
@@ -15,7 +15,7 @@
         <p>Microsoft OAuth provider</p>
       </label>
     </div>
-    <div ng-click="$ctrl.onSelect($ctrl.provider)">
+    <div ng-click="$ctrl.onSelect($ctrl.provider, true)">
       <input type="radio" id="oauth_provider_google" ng-model="$ctrl.provider" ng-value="$ctrl.providers[1]">
       <label for="oauth_provider_google">
         <div class="boxselector_header">
@@ -25,7 +25,7 @@
         <p>Google OAuth provider</p>
       </label>
     </div>
-    <div ng-click="$ctrl.onSelect($ctrl.provider)">
+    <div ng-click="$ctrl.onSelect($ctrl.provider, true)">
       <input type="radio" id="oauth_provider_github" ng-model="$ctrl.provider" ng-value="$ctrl.providers[2]">
       <label for="oauth_provider_github">
         <div class="boxselector_header">
@@ -35,7 +35,7 @@
         <p>Github OAuth provider</p>
       </label>
     </div>
-    <div ng-click="$ctrl.onSelect($ctrl.provider)">
+    <div ng-click="$ctrl.onSelect($ctrl.provider, true)">
       <input type="radio" id="oauth_provider_custom" ng-model="$ctrl.provider" ng-value="$ctrl.providers[3]">
       <label for="oauth_provider_custom">
         <div class="boxselector_header">
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
index c7de7e428..07d39e6cc 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings-controller.js
@@ -11,7 +11,7 @@ angular.module('portainer.extensions.oauth')
     this.$onInit = onInit;
     this.onSelectProvider = onSelectProvider;
     this.onMicrosoftTenantIDChange = onMicrosoftTenantIDChange;
-    this.resetProviderConfiguration = resetProviderConfiguration;
+    this.useDefaultProviderConfiguration = useDefaultProviderConfiguration;
 
     function onMicrosoftTenantIDChange() {
       var tenantID = ctrl.state.microsoftTenantID;
@@ -21,7 +21,7 @@ angular.module('portainer.extensions.oauth')
       ctrl.settings.ResourceURI = _.replace('https://graph.windows.net/TENANT_ID/me?api-version=2013-11-08', 'TENANT_ID', tenantID);
     }
 
-    function resetProviderConfiguration() {
+    function useDefaultProviderConfiguration() {
       ctrl.settings.AuthorizationURI = ctrl.state.provider.authUrl;
       ctrl.settings.AccessTokenURI = ctrl.state.provider.accessTokenUrl;
       ctrl.settings.ResourceURI = ctrl.state.provider.resourceUrl;
@@ -33,8 +33,8 @@ angular.module('portainer.extensions.oauth')
       }
     }
 
-    function onSelectProvider(provider) {
-      ctrl.state.provider = provider;
+    function useExistingConfiguration() {
+      var provider = ctrl.state.provider;
       ctrl.settings.AuthorizationURI = ctrl.settings.AuthorizationURI === '' ? provider.authUrl : ctrl.settings.AuthorizationURI;
       ctrl.settings.AccessTokenURI = ctrl.settings.AccessTokenURI === '' ? provider.accessTokenUrl : ctrl.settings.AccessTokenURI;
       ctrl.settings.ResourceURI = ctrl.settings.ResourceURI === '' ? provider.resourceUrl : ctrl.settings.ResourceURI;
@@ -46,10 +46,21 @@ angular.module('portainer.extensions.oauth')
       }
     }
 
+    function onSelectProvider(provider, overrideConfiguration) {
+      ctrl.state.provider = provider;
+
+      if (overrideConfiguration) {
+        useDefaultProviderConfiguration();
+      } else {
+        useExistingConfiguration();
+      }
+    }
+
     function onInit() {
       if (ctrl.settings.RedirectURI === '') {
         ctrl.settings.RedirectURI = window.location.origin;
       }
+
       if (ctrl.settings.AuthorizationURI !== '') {
         ctrl.state.provider.authUrl = ctrl.settings.AuthorizationURI;
 
diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index a3ec3169c..1ea16c374 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -207,7 +207,7 @@
       <a class="small interactive" ng-if="!$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = true;">
         <i class="fa fa-wrench space-right" aria-hidden="true"></i> Override default configuration
       </a>
-      <a class="small interactive" ng-if="$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = false; $ctrl.resetProviderConfiguration()">
+      <a class="small interactive" ng-if="$ctrl.state.overrideConfiguration" ng-click="$ctrl.state.overrideConfiguration = false; $ctrl.useDefaultProviderConfiguration()">
         <i class="fa fa-cogs space-right" aria-hidden="true"></i> Use default configuration
       </a>
     </div>
diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 1aea214f0..81f5a4251 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -61,7 +61,7 @@
       <div class="panel panel-default" ng-show="state.isInOAuthProcess">
         <div class="panel-body">
           <div class="form-group text-center">
-              <span class="small text-muted">Connecting with OAuth <span button-spinner="true"></span></span>
+              <span class="small text-muted">OAuth authentication in progress... <span button-spinner="true"></span></span>
           </div>
         </div>
       </div>

From 49516e2c3f05ed347b3d68ea18204ec0132123b8 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Mon, 25 Feb 2019 13:38:27 +1300
Subject: [PATCH 57/61] style(oauth): update Azure UI elements

---
 .../oauth/components/oauth-settings/oauth-settings.html     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/extensions/oauth/components/oauth-settings/oauth-settings.html b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
index 1ea16c374..955ad0665 100644
--- a/app/extensions/oauth/components/oauth-settings/oauth-settings.html
+++ b/app/extensions/oauth/components/oauth-settings/oauth-settings.html
@@ -43,7 +43,7 @@
   <div class="form-group" ng-if="$ctrl.state.provider.name == 'microsoft'">
     <label for="oauth_microsoft_tenant_id" class="col-sm-3 col-lg-2 control-label text-left">
       Tenant ID
-      <portainer-tooltip position="bottom" message="ID of the Azure AD directory in which you created the OAuth application"></portainer-tooltip>
+      <portainer-tooltip position="bottom" message="ID of the Azure Directory you wish to authenticate against. Also known as the Directory ID"></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
       <input
@@ -59,7 +59,7 @@
 
   <div class="form-group">
     <label for="oauth_client_id" class="col-sm-3 col-lg-2 control-label text-left">
-      Client ID
+      {{ $ctrl.state.provider.name == 'microsoft' ? 'Application ID' : 'Client ID' }}
       <portainer-tooltip position="bottom" message="Public identifier of the OAuth application"></portainer-tooltip>
     </label>
     <div class="col-sm-9 col-lg-10">
@@ -75,7 +75,7 @@
 
   <div class="form-group">
     <label for="oauth_client_secret" class="col-sm-3 col-lg-2 control-label text-left">
-      Client secret
+      {{ $ctrl.state.provider.name == 'microsoft' ? 'Application key' : 'Client secret' }}
     </label>
     <div class="col-sm-9 col-lg-10">
       <input

From 130baddea03271bf90e4e23280113eb4d5d48436 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Mon, 25 Feb 2019 18:54:21 +1300
Subject: [PATCH 58/61] fix(api): fix an issue when removing non local
 administrators

---
 api/http/handler/users/user_delete.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/api/http/handler/users/user_delete.go b/api/http/handler/users/user_delete.go
index 1c500bfc1..78f83fe57 100644
--- a/api/http/handler/users/user_delete.go
+++ b/api/http/handler/users/user_delete.go
@@ -41,6 +41,10 @@ func (handler *Handler) userDelete(w http.ResponseWriter, r *http.Request) *http
 }
 
 func (handler *Handler) deleteAdminUser(w http.ResponseWriter, user *portainer.User) *httperror.HandlerError {
+	if user.Password == "" {
+		return handler.deleteUser(w, user)
+	}
+
 	users, err := handler.UserService.Users()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve users from the database", err}

From f5091ce5fbcc4a8b591a3fc53346fb42815d97f8 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Fri, 1 Mar 2019 10:58:18 +1300
Subject: [PATCH 59/61] fix(auth): fix invalid condition to display OAuth login
 button

---
 app/portainer/views/auth/auth.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 81f5a4251..28ff6a645 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -38,7 +38,7 @@
                   <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px" ng-if="state.OAuthProvider === 'Github'">
                     <i class="fab fa-github" aria-hidden="true" ></i> Login with Github
                   </div>
-                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px" ng-if="state.OAuthProvider === ''">
+                  <div class="btn btn-primary btn-sm pull-left" style="margin-left:2px" ng-if="state.OAuthProvider === 'OAuth'">
                     <i class="fa fa-sign-in-alt" aria-hidden="true" ></i> Login with OAuth
                   </div>
                 </a>

From 60fbfeba231acb867a6d391b2548336d93f6f8c0 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Fri, 1 Mar 2019 11:24:47 +1300
Subject: [PATCH 60/61] fix(oauth): fix settings displaying issue for custom
 OAuth configuration

---
 .../oauth-provider-selector-controller.js                  | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
index 1cb1155cc..818fef20a 100644
--- a/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
+++ b/app/extensions/oauth/components/oauth-providers-selector/oauth-provider-selector-controller.js
@@ -28,6 +28,11 @@ angular.module('portainer.extensions.oauth')
         name: 'github'
       },
       {
+        authUrl: '',
+        accessTokenUrl: '',
+        resourceUrl: '',
+        userIdentifier: '',
+        scopes: '',
         name: 'custom'
       }
     ];
@@ -53,6 +58,6 @@ angular.module('portainer.extensions.oauth')
       else if (providerAuthURL.indexOf('github.com') !== -1) {
         return ctrl.providers[2];
       }
-      return ctrl.provider[3];
+      return ctrl.providers[3];
     }
   });

From db0091b46d4af64bf14f2b2e7580d84fbe38285c Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <lapenna.anthony@gmail.com>
Date: Fri, 1 Mar 2019 13:58:55 +1300
Subject: [PATCH 61/61] feat(api): revert extension URLs to correct one

---
 api/portainer.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/api/portainer.go b/api/portainer.go
index 1123e3b16..cba90a55e 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -802,8 +802,7 @@ const (
 	// MessageOfTheDayURL represents the URL where Portainer MOTD message can be retrieved
 	MessageOfTheDayURL = AssetsServerURL + "/motd.html"
 	// ExtensionDefinitionsURL represents the URL where Portainer extension definitions can be retrieved
-	// TODO: UPDATE URL to production URL
-	ExtensionDefinitionsURL = AssetsServerURL + "/extensions-dev.json"
+	ExtensionDefinitionsURL = AssetsServerURL + "/extensions.json"
 	// PortainerAgentHeader represents the name of the header available in any agent response
 	PortainerAgentHeader = "Portainer-Agent"
 	// PortainerAgentTargetHeader represent the name of the header containing the target node name