logto/packages/core/src/oidc/init.ts

import { customClientMetadataGuard, CustomClientMetadataType } from '@logto/schemas';
import { fromKeyLike } from 'jose/jwk/from_key_like';
import Koa from 'koa';
import mount from 'koa-mount';
import { Provider, errors } from 'oidc-provider';

import postgresAdapter from '@/oidc/adapter';
import { findResourceByIdentifier } from '@/queries/resource';
import { findAllScopesWithResourceId } from '@/queries/scope';
import { findUserById } from '@/queries/user';
import { routes } from '@/routes/consts';

import { issuer, privateKey, defaultIdTokenTtl, defaultRefreshTokenTtl } from './consts';

export default async function initOidc(app: Koa): Promise<Provider> {
  const keys = [await fromKeyLike(privateKey)];
  const cookieConfig = Object.freeze({
    sameSite: 'lax',
    path: '/',
    signed: true,
  } as const);
  const oidc = new Provider(issuer, {
    adapter: postgresAdapter,
    renderError: (ctx, out, error) => {
      console.log('OIDC error', error);
      throw error;
    },
    cookies: {
      // V2: Rotate this when necessary
      // https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#cookieskeys
      keys: ['LOGTOSEKRIT1'],
      long: cookieConfig,
      short: cookieConfig,
    },
    jwks: {
      keys,
    },
    features: {
      userinfo: { enabled: true },
      revocation: { enabled: true },
      introspection: { enabled: true },
      devInteractions: { enabled: false },
      resourceIndicators: {
        enabled: true,
        // Disable the auto use of authorization_code granted resource feature
        // https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#usegrantedresource
        useGrantedResource: () => false,
        getResourceServerInfo: async (ctx, indicator) => {
          const resourceServer = await findResourceByIdentifier(indicator);

          if (!resourceServer) {
            throw new errors.InvalidTarget();
          }

          const { id, accessTokenTtl: accessTokenTTL } = resourceServer;
          const scopes = await findAllScopesWithResourceId(id);
          const scope = scopes.map(({ name }) => name).join(' ');

          return {
            scope,
            accessTokenTTL,
          };
        },
      },
    },
    interactions: {
      url: (_, interaction) => {
        switch (interaction.prompt.name) {
          case 'login':
            return routes.signIn.credentials;
          case 'consent':
            return routes.signIn.consent;
          default:
            throw new Error(`Prompt not supported: ${interaction.prompt.name}`);
        }
      },
    },
    extraClientMetadata: {
      properties: Object.keys(CustomClientMetadataType),
      validator: (_ctx, key, value) => {
        const result = customClientMetadataGuard.pick({ [key]: true }).safeParse({ key: value });
        if (!result.success) {
          throw new errors.InvalidClientMetadata(key);
        }
      },
    },
    clientBasedCORS: (_, origin) => {
      console.log('origin', origin);
      return origin.startsWith('http://localhost:3000');
    },
    findAccount: async (ctx, sub) => {
      await findUserById(sub);

      return {
        accountId: sub,
        claims: async (use, scope, claims, rejected) => {
          console.log('use:', use);
          console.log('scope:', scope);
          console.log('claims:', claims);
          console.log('rejected:', rejected);
          return { sub };
        },
      };
    },
    ttl: {
      /**
       * [OIDC Provider Default Settings](https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#ttl)
       */
      IdToken: (ctx, token, client) => {
        const { idTokenTtl } = client.metadata();
        return idTokenTtl ?? defaultIdTokenTtl;
      },
      RefreshToken: (ctx, token, client) => {
        const { refreshTokenTtl } = client.metadata();
        return refreshTokenTtl ?? defaultRefreshTokenTtl;
      },
    },
  });
  app.use(mount('/oidc', oidc.app));
  return oidc;
}
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 01:15:13 -05:00			`import { customClientMetadataGuard, CustomClientMetadataType } from '@logto/schemas';`
chore: update eslint config (#98) 2021-08-29 22:30:54 -05:00			`import { fromKeyLike } from 'jose/jwk/from_key_like';`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`import Koa from 'koa';`
			`import mount from 'koa-mount';`
feat: implement getResourceIndicators logic (#146) * fix(schema): fix typo remove trailing comma fix typo remove trailing comma * feat(core): add resouce server query logic add resource server & scopes query logic to oidc-provider resourceIndicator feature config * fix(chore): scope should join with scopes.name fix scope name join format bug * fix(core): cr fix use pool.any replace pool.many use pool.any replace pool.many 2021-12-02 01:08:15 -05:00			`import { Provider, errors } from 'oidc-provider';`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00
chore: update eslint config (#98) 2021-08-29 22:30:54 -05:00			`import postgresAdapter from '@/oidc/adapter';`
refactor(core): resources related db query cleanup (#179) * refactor(core): resources related db query cleanup clean resourece & scopes db queries * refactor(core): rename resources and scopes query file name rename plural filename 2022-01-13 22:54:09 -05:00			`import { findResourceByIdentifier } from '@/queries/resource';`
			`import { findAllScopesWithResourceId } from '@/queries/scope';`
refactor: add @ path alias 2021-07-02 09:55:14 -05:00			`import { findUserById } from '@/queries/user';`
refactor(core): re-org files 2021-08-11 09:37:21 -05:00			`import { routes } from '@/routes/consts';`
chore: update eslint config (#98) 2021-08-29 22:30:54 -05:00
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 01:15:13 -05:00			`import { issuer, privateKey, defaultIdTokenTtl, defaultRefreshTokenTtl } from './consts';`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00
refactor: read issuer from env and fallback to localhost 2021-07-09 10:25:24 -05:00			`export default async function initOidc(app: Koa): Promise<Provider> {`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`const keys = [await fromKeyLike(privateKey)];`
api: add sign in / consent 2021-07-04 02:01:02 -05:00			`const cookieConfig = Object.freeze({`
			`sameSite: 'lax',`
			`path: '/',`
			`signed: true,`
			`} as const);`
feat: validate access token if needed 2021-08-15 10:39:03 -05:00			`const oidc = new Provider(issuer, {`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`adapter: postgresAdapter,`
			`renderError: (ctx, out, error) => {`
api: add sign in / consent 2021-07-04 02:01:02 -05:00			`console.log('OIDC error', error);`
chore(core): throw out oidc-provider error (#128) In order to display detailed error on the page we need to throw the oidc-provider error out and catched by koa-error-handler 2021-10-12 04:57:22 -05:00			`throw error;`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`},`
			`cookies: {`
			`// V2: Rotate this when necessary`
			`// https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#cookieskeys`
			`keys: ['LOGTOSEKRIT1'],`
api: add sign in / consent 2021-07-04 02:01:02 -05:00			`long: cookieConfig,`
			`short: cookieConfig,`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`},`
			`jwks: {`
			`keys,`
			`},`
feat: redirect to configured sign in URL 2021-07-02 09:09:38 -05:00			`features: {`
refactor(core): enable userinfo endpoint and resource scope consent (#187) * refactor(core): enable userinfo endpoint and resource scope consent enable userinfo endpoint and resource scope consent * fix(core): cr fix add comment add comment for useGrantedResource settigns reference 2022-01-23 21:13:18 -05:00			`userinfo: { enabled: true },`
feat: redirect to configured sign in URL 2021-07-02 09:09:38 -05:00			`revocation: { enabled: true },`
			`introspection: { enabled: true },`
			`devInteractions: { enabled: false },`
feat: validate access token if needed 2021-08-15 10:39:03 -05:00			`resourceIndicators: {`
			`enabled: true,`
refactor(core): enable userinfo endpoint and resource scope consent (#187) * refactor(core): enable userinfo endpoint and resource scope consent enable userinfo endpoint and resource scope consent * fix(core): cr fix add comment add comment for useGrantedResource settigns reference 2022-01-23 21:13:18 -05:00			`// Disable the auto use of authorization_code granted resource feature`
			`// https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#usegrantedresource`
			`useGrantedResource: () => false,`
feat: implement getResourceIndicators logic (#146) * fix(schema): fix typo remove trailing comma fix typo remove trailing comma * feat(core): add resouce server query logic add resource server & scopes query logic to oidc-provider resourceIndicator feature config * fix(chore): scope should join with scopes.name fix scope name join format bug * fix(core): cr fix use pool.any replace pool.many use pool.any replace pool.many 2021-12-02 01:08:15 -05:00			`getResourceServerInfo: async (ctx, indicator) => {`
			`const resourceServer = await findResourceByIdentifier(indicator);`

			`if (!resourceServer) {`
			`throw new errors.InvalidTarget();`
			`}`

refactor(core): resources related db query cleanup (#179) * refactor(core): resources related db query cleanup clean resourece & scopes db queries * refactor(core): rename resources and scopes query file name rename plural filename 2022-01-13 22:54:09 -05:00			`const { id, accessTokenTtl: accessTokenTTL } = resourceServer;`
feat: implement getResourceIndicators logic (#146) * fix(schema): fix typo remove trailing comma fix typo remove trailing comma * feat(core): add resouce server query logic add resource server & scopes query logic to oidc-provider resourceIndicator feature config * fix(chore): scope should join with scopes.name fix scope name join format bug * fix(core): cr fix use pool.any replace pool.many use pool.any replace pool.many 2021-12-02 01:08:15 -05:00			`const scopes = await findAllScopesWithResourceId(id);`
			`const scope = scopes.map(({ name }) => name).join(' ');`

			`return {`
			`scope,`
refactor(core): resources related db query cleanup (#179) * refactor(core): resources related db query cleanup clean resourece & scopes db queries * refactor(core): rename resources and scopes query file name rename plural filename 2022-01-13 22:54:09 -05:00			`accessTokenTTL,`
feat: implement getResourceIndicators logic (#146) * fix(schema): fix typo remove trailing comma fix typo remove trailing comma * feat(core): add resouce server query logic add resource server & scopes query logic to oidc-provider resourceIndicator feature config * fix(chore): scope should join with scopes.name fix scope name join format bug * fix(core): cr fix use pool.any replace pool.many use pool.any replace pool.many 2021-12-02 01:08:15 -05:00			`};`
			`},`
feat: validate access token if needed 2021-08-15 10:39:03 -05:00			`},`
feat: redirect to configured sign in URL 2021-07-02 09:09:38 -05:00			`},`
			`interactions: {`
api: add sign in / consent 2021-07-04 02:01:02 -05:00			`url: (_, interaction) => {`
			`switch (interaction.prompt.name) {`
			`case 'login':`
			`return routes.signIn.credentials;`
			`case 'consent':`
			`return routes.signIn.consent;`
			`default:`
			throw new Error(`Prompt not supported: ${interaction.prompt.name}`);
			`}`
			`},`
feat: redirect to configured sign in URL 2021-07-02 09:09:38 -05:00			`},`
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 01:15:13 -05:00			`extraClientMetadata: {`
			`properties: Object.keys(CustomClientMetadataType),`
			`validator: (_ctx, key, value) => {`
			`const result = customClientMetadataGuard.pick({ [key]: true }).safeParse({ key: value });`
			`if (!result.success) {`
			`throw new errors.InvalidClientMetadata(key);`
			`}`
			`},`
			`},`
feat: redirect to configured sign in URL 2021-07-02 09:09:38 -05:00			`clientBasedCORS: (_, origin) => {`
feat: find user account from db, close #4 2021-07-02 08:14:18 -05:00			`console.log('origin', origin);`
Enable token revocation and OIDC CORS 2021-06-29 09:58:59 -05:00			`return origin.startsWith('http://localhost:3000');`
			`},`
feat: find user account from db, close #4 2021-07-02 08:14:18 -05:00			`findAccount: async (ctx, sub) => {`
			`await findUserById(sub);`

Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`return {`
			`accountId: sub,`
feat: redirect to configured sign in URL 2021-07-02 09:09:38 -05:00			`claims: async (use, scope, claims, rejected) => {`
			`console.log('use:', use);`
			`console.log('scope:', scope);`
			`console.log('claims:', claims);`
			`console.log('rejected:', rejected);`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`return { sub };`
			`},`
			`};`
			`},`
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 01:15:13 -05:00			`ttl: {`
			`/**`
			`* [OIDC Provider Default Settings](https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#ttl)`
			`*/`
			`IdToken: (ctx, token, client) => {`
			`const { idTokenTtl } = client.metadata();`
			`return idTokenTtl ?? defaultIdTokenTtl;`
			`},`
			`RefreshToken: (ctx, token, client) => {`
			`const { refreshTokenTtl } = client.metadata();`
			`return refreshTokenTtl ?? defaultRefreshTokenTtl;`
			`},`
			`},`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`});`
			`app.use(mount('/oidc', oidc.app));`
feat: sign in API via user id + password 2021-07-03 08:19:20 -05:00			`return oidc;`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`}`