logto/packages/core/src/init/oidc.ts

import crypto from 'crypto';
import Koa from 'koa';
import mount from 'koa-mount';
import { Provider } from 'oidc-provider';
import postgresAdapter from '@/oidc/adapter';

import { fromKeyLike } from 'jose/jwk/from_key_like';
import { getEnv } from '@/utils';
import { findUserById } from '@/queries/user';
import { signInRoute } from '@/consts';

export default async function initOidc(app: Koa, port: number): Promise<void> {
  const privateKey = crypto.createPrivateKey(
    Buffer.from(getEnv('OIDC_PROVIDER_PRIVATE_KEY_BASE64'), 'base64')
  );
  const keys = [await fromKeyLike(privateKey)];
  const oidc = new Provider(`http://localhost:${port}/oidc`, {
    adapter: postgresAdapter,
    renderError: (ctx, out, error) => {
      console.log(error);
    },
    cookies: {
      // V2: Rotate this when necessary
      // https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#cookieskeys
      keys: ['LOGTOSEKRIT1'],
    },
    jwks: {
      keys,
    },
    clients: [
      {
        client_id: 'foo',
        redirect_uris: ['http://localhost:3000/callback'],
        grant_types: ['authorization_code', 'refresh_token'],
        token_endpoint_auth_method: 'none',
      },
    ],
    features: {
      revocation: { enabled: true },
      introspection: { enabled: true },
      devInteractions: { enabled: false },
    },
    interactions: {
      url: (_, interaction) => `${signInRoute}?uid=${interaction.uid}`,
    },
    clientBasedCORS: (_, origin) => {
      console.log('origin', origin);
      return origin.startsWith('http://localhost:3000');
    },
    findAccount: async (ctx, sub) => {
      await findUserById(sub);

      return {
        accountId: sub,
        claims: async (use, scope, claims, rejected) => {
          console.log('use:', use);
          console.log('scope:', scope);
          console.log('claims:', claims);
          console.log('rejected:', rejected);
          return { sub };
        },
      };
    },
  });
  app.use(mount('/oidc', oidc.app));
}
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`import crypto from 'crypto';`
			`import Koa from 'koa';`
			`import mount from 'koa-mount';`
			`import { Provider } from 'oidc-provider';`
refactor: add @ path alias 2021-07-02 09:55:14 -05:00			`import postgresAdapter from '@/oidc/adapter';`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00
			`import { fromKeyLike } from 'jose/jwk/from_key_like';`
refactor: add @ path alias 2021-07-02 09:55:14 -05:00			`import { getEnv } from '@/utils';`
			`import { findUserById } from '@/queries/user';`
			`import { signInRoute } from '@/consts';`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00
			`export default async function initOidc(app: Koa, port: number): Promise<void> {`
			`const privateKey = crypto.createPrivateKey(`
			`Buffer.from(getEnv('OIDC_PROVIDER_PRIVATE_KEY_BASE64'), 'base64')`
			`);`
			`const keys = [await fromKeyLike(privateKey)];`
			const oidc = new Provider(`http://localhost:${port}/oidc`, {
			`adapter: postgresAdapter,`
			`renderError: (ctx, out, error) => {`
			`console.log(error);`
			`},`
			`cookies: {`
			`// V2: Rotate this when necessary`
			`// https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#cookieskeys`
			`keys: ['LOGTOSEKRIT1'],`
			`},`
			`jwks: {`
			`keys,`
			`},`
			`clients: [`
			`{`
			`client_id: 'foo',`
			`redirect_uris: ['http://localhost:3000/callback'],`
			`grant_types: ['authorization_code', 'refresh_token'],`
			`token_endpoint_auth_method: 'none',`
			`},`
			`],`
feat: redirect to configured sign in URL 2021-07-02 09:09:38 -05:00			`features: {`
			`revocation: { enabled: true },`
			`introspection: { enabled: true },`
			`devInteractions: { enabled: false },`
			`},`
			`interactions: {`
			url: (_, interaction) => `${signInRoute}?uid=${interaction.uid}`,
			`},`
			`clientBasedCORS: (_, origin) => {`
feat: find user account from db, close #4 2021-07-02 08:14:18 -05:00			`console.log('origin', origin);`
Enable token revocation and OIDC CORS 2021-06-29 09:58:59 -05:00			`return origin.startsWith('http://localhost:3000');`
			`},`
feat: find user account from db, close #4 2021-07-02 08:14:18 -05:00			`findAccount: async (ctx, sub) => {`
			`await findUserById(sub);`

Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`return {`
			`accountId: sub,`
feat: redirect to configured sign in URL 2021-07-02 09:09:38 -05:00			`claims: async (use, scope, claims, rejected) => {`
			`console.log('use:', use);`
			`console.log('scope:', scope);`
			`console.log('claims:', claims);`
			`console.log('rejected:', rejected);`
Provide OIDC jwk and reorg code 2021-06-27 07:44:05 -05:00			`return { sub };`
			`},`
			`};`
			`},`
			`});`
			`app.use(mount('/oidc', oidc.app));`
			`}`