2022-02-22 20:42:29 -05:00
|
|
|
/* istanbul ignore file */
|
|
|
|
|
|
2022-04-08 05:16:20 -05:00
|
|
|
import { CustomClientMetadataKey } from '@logto/schemas';
|
2022-04-24 00:55:47 -05:00
|
|
|
import { exportJWK } from 'jose';
|
2021-06-27 07:44:05 -05:00
|
|
|
import Koa from 'koa';
|
|
|
|
|
import mount from 'koa-mount';
|
2021-12-02 01:08:15 -05:00
|
|
|
import { Provider, errors } from 'oidc-provider';
|
2021-06-27 07:44:05 -05:00
|
|
|
|
2022-04-20 01:14:37 -05:00
|
|
|
import envSet from '@/env-set';
|
2021-08-29 22:30:54 -05:00
|
|
|
import postgresAdapter from '@/oidc/adapter';
|
2022-04-08 05:16:20 -05:00
|
|
|
import { isOriginAllowed, validateCustomClientMetadata } from '@/oidc/utils';
|
2022-02-15 03:13:41 -05:00
|
|
|
import { findResourceByIndicator } from '@/queries/resource';
|
2021-07-02 09:55:14 -05:00
|
|
|
import { findUserById } from '@/queries/user';
|
2021-08-11 09:37:21 -05:00
|
|
|
import { routes } from '@/routes/consts';
|
2022-05-20 00:54:05 -05:00
|
|
|
import { addOidcEventListeners } from '@/utils/oidc-provider-event-listener';
|
2021-08-29 22:30:54 -05:00
|
|
|
|
2021-07-09 10:25:24 -05:00
|
|
|
export default async function initOidc(app: Koa): Promise<Provider> {
|
2022-05-19 11:08:33 -05:00
|
|
|
const { issuer, cookieKeys, privateKey, defaultIdTokenTtl, defaultRefreshTokenTtl } =
|
|
|
|
|
envSet.values.oidc;
|
2022-04-20 01:14:37 -05:00
|
|
|
|
2022-04-24 00:55:47 -05:00
|
|
|
const keys = [await exportJWK(privateKey)];
|
2021-07-04 02:01:02 -05:00
|
|
|
const cookieConfig = Object.freeze({
|
|
|
|
|
sameSite: 'lax',
|
|
|
|
|
path: '/',
|
|
|
|
|
signed: true,
|
|
|
|
|
} as const);
|
2021-08-15 10:39:03 -05:00
|
|
|
const oidc = new Provider(issuer, {
|
2021-06-27 07:44:05 -05:00
|
|
|
adapter: postgresAdapter,
|
|
|
|
|
renderError: (ctx, out, error) => {
|
2021-07-04 02:01:02 -05:00
|
|
|
console.log('OIDC error', error);
|
2021-10-12 04:57:22 -05:00
|
|
|
throw error;
|
2021-06-27 07:44:05 -05:00
|
|
|
},
|
|
|
|
|
cookies: {
|
2022-05-19 11:08:33 -05:00
|
|
|
keys: cookieKeys,
|
2021-07-04 02:01:02 -05:00
|
|
|
long: cookieConfig,
|
|
|
|
|
short: cookieConfig,
|
2021-06-27 07:44:05 -05:00
|
|
|
},
|
|
|
|
|
jwks: {
|
|
|
|
|
keys,
|
|
|
|
|
},
|
2021-07-02 09:09:38 -05:00
|
|
|
features: {
|
2022-01-23 21:13:18 -05:00
|
|
|
userinfo: { enabled: true },
|
2021-07-02 09:09:38 -05:00
|
|
|
revocation: { enabled: true },
|
|
|
|
|
devInteractions: { enabled: false },
|
2021-08-15 10:39:03 -05:00
|
|
|
resourceIndicators: {
|
|
|
|
|
enabled: true,
|
2022-01-23 21:13:18 -05:00
|
|
|
// Disable the auto use of authorization_code granted resource feature
|
|
|
|
|
// https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#usegrantedresource
|
|
|
|
|
useGrantedResource: () => false,
|
2022-04-08 03:07:34 -05:00
|
|
|
getResourceServerInfo: async (_, indicator) => {
|
2022-02-15 03:13:41 -05:00
|
|
|
const resourceServer = await findResourceByIndicator(indicator);
|
2021-12-02 01:08:15 -05:00
|
|
|
|
|
|
|
|
if (!resourceServer) {
|
|
|
|
|
throw new errors.InvalidTarget();
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-08 03:07:34 -05:00
|
|
|
const { accessTokenTtl: accessTokenTTL } = resourceServer;
|
2021-12-02 01:08:15 -05:00
|
|
|
|
|
|
|
|
return {
|
2022-02-08 01:06:13 -05:00
|
|
|
accessTokenFormat: 'jwt',
|
2022-04-08 03:07:34 -05:00
|
|
|
scope: '',
|
2022-01-13 22:54:09 -05:00
|
|
|
accessTokenTTL,
|
2021-12-02 01:08:15 -05:00
|
|
|
};
|
|
|
|
|
},
|
2021-08-15 10:39:03 -05:00
|
|
|
},
|
2021-07-02 09:09:38 -05:00
|
|
|
},
|
|
|
|
|
interactions: {
|
2021-07-04 02:01:02 -05:00
|
|
|
url: (_, interaction) => {
|
|
|
|
|
switch (interaction.prompt.name) {
|
|
|
|
|
case 'login':
|
|
|
|
|
return routes.signIn.credentials;
|
|
|
|
|
case 'consent':
|
|
|
|
|
return routes.signIn.consent;
|
|
|
|
|
default:
|
|
|
|
|
throw new Error(`Prompt not supported: ${interaction.prompt.name}`);
|
|
|
|
|
}
|
|
|
|
|
},
|
2021-07-02 09:09:38 -05:00
|
|
|
},
|
2022-01-13 01:15:13 -05:00
|
|
|
extraClientMetadata: {
|
2022-04-11 01:22:16 -05:00
|
|
|
properties: Object.values(CustomClientMetadataKey),
|
2022-04-08 05:16:20 -05:00
|
|
|
validator: (_, key, value) => {
|
|
|
|
|
validateCustomClientMetadata(key, value);
|
2022-01-13 01:15:13 -05:00
|
|
|
},
|
|
|
|
|
},
|
2022-04-08 05:16:20 -05:00
|
|
|
// https://github.com/panva/node-oidc-provider/blob/main/recipes/client_based_origins.md
|
|
|
|
|
clientBasedCORS: (_, origin, client) => isOriginAllowed(origin, client.metadata()),
|
2021-07-02 08:14:18 -05:00
|
|
|
findAccount: async (ctx, sub) => {
|
2022-05-21 22:33:13 -05:00
|
|
|
await findUserById(sub);
|
2021-07-02 08:14:18 -05:00
|
|
|
|
2021-06-27 07:44:05 -05:00
|
|
|
return {
|
|
|
|
|
accountId: sub,
|
2022-05-21 22:33:13 -05:00
|
|
|
claims: async (use, scope, claims, rejected) => {
|
|
|
|
|
console.log('use:', use);
|
|
|
|
|
console.log('scope:', scope);
|
|
|
|
|
console.log('claims:', claims);
|
|
|
|
|
console.log('rejected:', rejected);
|
|
|
|
|
|
|
|
|
|
return { sub };
|
|
|
|
|
},
|
2021-06-27 07:44:05 -05:00
|
|
|
};
|
|
|
|
|
},
|
2022-01-13 01:15:13 -05:00
|
|
|
ttl: {
|
|
|
|
|
/**
|
|
|
|
|
* [OIDC Provider Default Settings](https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#ttl)
|
|
|
|
|
*/
|
|
|
|
|
IdToken: (ctx, token, client) => {
|
|
|
|
|
const { idTokenTtl } = client.metadata();
|
2022-01-27 06:26:34 -05:00
|
|
|
|
2022-01-13 01:15:13 -05:00
|
|
|
return idTokenTtl ?? defaultIdTokenTtl;
|
|
|
|
|
},
|
|
|
|
|
RefreshToken: (ctx, token, client) => {
|
|
|
|
|
const { refreshTokenTtl } = client.metadata();
|
2022-01-27 06:26:34 -05:00
|
|
|
|
2022-01-13 01:15:13 -05:00
|
|
|
return refreshTokenTtl ?? defaultRefreshTokenTtl;
|
|
|
|
|
},
|
|
|
|
|
},
|
2021-06-27 07:44:05 -05:00
|
|
|
});
|
2022-05-18 22:24:26 -05:00
|
|
|
|
2022-05-20 00:54:05 -05:00
|
|
|
addOidcEventListeners(oidc);
|
2022-05-18 22:24:26 -05:00
|
|
|
|
2021-06-27 07:44:05 -05:00
|
|
|
app.use(mount('/oidc', oidc.app));
|
2022-01-27 06:26:34 -05:00
|
|
|
|
2021-07-03 08:19:20 -05:00
|
|
|
return oidc;
|
2021-06-27 07:44:05 -05:00
|
|
|
}
|
