logto/packages/core/src/oidc/init.ts

/* istanbul ignore file */

import { CustomClientMetadataKey } from '@logto/schemas';
import { exportJWK } from 'jose';
import Koa from 'koa';
import mount from 'koa-mount';
import { Provider, errors } from 'oidc-provider';
import snakecaseKeys from 'snakecase-keys';

import envSet from '@/env-set';
import postgresAdapter from '@/oidc/adapter';
import { isOriginAllowed, validateCustomClientMetadata } from '@/oidc/utils';
import { findResourceByIndicator } from '@/queries/resource';
import { findUserById } from '@/queries/user';
import { routes } from '@/routes/consts';
import { addOidcEventListeners } from '@/utils/oidc-provider-event-listener';

export default async function initOidc(app: Koa): Promise<Provider> {
  const { issuer, cookieKeys, privateKey, defaultIdTokenTtl, defaultRefreshTokenTtl } =
    envSet.values.oidc;

  const keys = [await exportJWK(privateKey)];
  const cookieConfig = Object.freeze({
    sameSite: 'lax',
    path: '/',
    signed: true,
  } as const);
  const oidc = new Provider(issuer, {
    adapter: postgresAdapter,
    renderError: (_ctx, _out, error) => {
      console.log('OIDC error', error);
      throw error;
    },
    cookies: {
      keys: cookieKeys,
      long: cookieConfig,
      short: cookieConfig,
    },
    jwks: {
      keys,
    },
    features: {
      userinfo: { enabled: true },
      revocation: { enabled: true },
      devInteractions: { enabled: false },
      resourceIndicators: {
        enabled: true,
        // Disable the auto use of authorization_code granted resource feature
        // https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#usegrantedresource
        useGrantedResource: () => false,
        getResourceServerInfo: async (_, indicator) => {
          const resourceServer = await findResourceByIndicator(indicator);

          if (!resourceServer) {
            throw new errors.InvalidTarget();
          }

          const { accessTokenTtl: accessTokenTTL } = resourceServer;

          return {
            accessTokenFormat: 'jwt',
            scope: '',
            accessTokenTTL,
          };
        },
      },
    },
    interactions: {
      url: (_, interaction) => {
        switch (interaction.prompt.name) {
          case 'login':
            return routes.signIn.credentials;
          case 'consent':
            return routes.signIn.consent;
          default:
            throw new Error(`Prompt not supported: ${interaction.prompt.name}`);
        }
      },
    },
    extraClientMetadata: {
      properties: Object.values(CustomClientMetadataKey),
      validator: (_, key, value) => {
        validateCustomClientMetadata(key, value);
      },
    },
    // https://github.com/panva/node-oidc-provider/blob/main/recipes/client_based_origins.md
    clientBasedCORS: (ctx, origin, client) =>
      ctx.request.origin === origin || isOriginAllowed(origin, client.metadata()),
    // https://github.com/panva/node-oidc-provider/blob/main/recipes/claim_configuration.md
    claims: {
      profile: ['username', 'name', 'avatar', 'role_names', 'custom_data'],
    },
    // https://github.com/panva/node-oidc-provider/tree/main/docs#findaccount
    findAccount: async (_ctx, sub) => {
      const { username, name, avatar, roleNames, customData } = await findUserById(sub);

      return {
        accountId: sub,
        claims: async (use) => {
          return snakecaseKeys({
            sub,
            username,
            name,
            avatar,
            roleNames,
            ...(use === 'userinfo' && { customData }),
          });
        },
      };
    },
    ttl: {
      /**
       * [OIDC Provider Default Settings](https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#ttl)
       */
      IdToken: (_ctx, _token, client) => {
        const { idTokenTtl } = client.metadata();

        return idTokenTtl ?? defaultIdTokenTtl;
      },
      RefreshToken: (_ctx, _token, client) => {
        const { refreshTokenTtl } = client.metadata();

        return refreshTokenTtl ?? defaultRefreshTokenTtl;
      },
    },
    extraTokenClaims: async (_ctx, token) => {
      // AccessToken type is not exported by default, need to asset token is AccessToken
      if (token.kind === 'AccessToken') {
        const { accountId } = token;
        const { roleNames } = await findUserById(accountId);

        // Add User Roles to the AccessToken claims. Should be removed once we have RBAC implemented.
        // User Roles should be hidden and  determined by the AccessToken scope only.
        return {
          roleNames,
        };
      }
    },
  });

  addOidcEventListeners(oidc);

  app.use(mount('/oidc', oidc.app));

  return oidc;
}
test(oidc): add oidc adapter test case (#266) add oidc adapter test case 2022-02-23 09:42:29 +08:00			`/* istanbul ignore file */`

feat(core,schemas): cors allowed origins (#507) * feat(schemas): cors allowed origins of application in custom OIDC client metadata * refactor(schemas): rename CustomClientMetadataType to CustomClientMetadataKey * feat(core): cors allowed origins 2022-04-08 18:16:20 +08:00			`import { CustomClientMetadataKey } from '@logto/schemas';`
fix(deps): update dependency jose to v4 (#646) * fix(deps): update dependency jose to v4 * fix(deps): update jose usage Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Gao Sun <gao@silverhand.io> 2022-04-24 13:55:47 +08:00			`import { exportJWK } from 'jose';`
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`import Koa from 'koa';`
			`import mount from 'koa-mount';`
feat: implement getResourceIndicators logic (#146) * fix(schema): fix typo remove trailing comma fix typo remove trailing comma * feat(core): add resouce server query logic add resource server & scopes query logic to oidc-provider resourceIndicator feature config * fix(chore): scope should join with scopes.name fix scope name join format bug * fix(core): cr fix use pool.any replace pool.many use pool.any replace pool.many 2021-12-02 14:08:15 +08:00			`import { Provider, errors } from 'oidc-provider';`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`import snakecaseKeys from 'snakecase-keys';`
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00
refactor(core): use SSOT for env variables (#578) * refactor(core): use SSOT for env variables * fix(core): tests 2022-04-20 14:14:37 +08:00			`import envSet from '@/env-set';`
chore: update eslint config (#98) 2021-08-30 11:30:54 +08:00			`import postgresAdapter from '@/oidc/adapter';`
feat(core,schemas): cors allowed origins (#507) * feat(schemas): cors allowed origins of application in custom OIDC client metadata * refactor(schemas): rename CustomClientMetadataType to CustomClientMetadataKey * feat(core): cors allowed origins 2022-04-08 18:16:20 +08:00			`import { isOriginAllowed, validateCustomClientMetadata } from '@/oidc/utils';`
fix(core): align resource_identifier namespace with OIDC provider (#224) * fix(core): align resource_identifier namespace with OIDC provider replace resource identifier name with resource_indicator align the usage with OIDC Provider * fix(cr): cr fix add empty line 2022-02-15 16:13:41 +08:00			`import { findResourceByIndicator } from '@/queries/resource';`
refactor: add @ path alias 2021-07-02 22:55:14 +08:00			`import { findUserById } from '@/queries/user';`
refactor(core): re-org files 2021-08-11 22:37:21 +08:00			`import { routes } from '@/routes/consts';`
feat(core): grantRevokedListener for logging revocation of access and refresh token (#900) * feat(core): grantRevokedListener for logging access and refresh token revocation * chore(core): improve description of grantRevokedListener test cases * refactor(core): extract addOidcEventListeners 2022-05-20 13:54:05 +08:00			`import { addOidcEventListeners } from '@/utils/oidc-provider-event-listener';`
chore: update eslint config (#98) 2021-08-30 11:30:54 +08:00
refactor: read issuer from env and fallback to localhost 2021-07-09 23:25:24 +08:00			`export default async function initOidc(app: Koa): Promise<Provider> {`
feat(core): cookie keys configuration (#902) * feat(core): cookie keys configuration * refactor: improved wording * refactor: improved wording * fix(core): test 2022-05-20 00:08:33 +08:00			`const { issuer, cookieKeys, privateKey, defaultIdTokenTtl, defaultRefreshTokenTtl } =`
			`envSet.values.oidc;`
refactor(core): use SSOT for env variables (#578) * refactor(core): use SSOT for env variables * fix(core): tests 2022-04-20 14:14:37 +08:00
fix(deps): update dependency jose to v4 (#646) * fix(deps): update dependency jose to v4 * fix(deps): update jose usage Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Gao Sun <gao@silverhand.io> 2022-04-24 13:55:47 +08:00			`const keys = [await exportJWK(privateKey)];`
api: add sign in / consent 2021-07-04 15:01:02 +08:00			`const cookieConfig = Object.freeze({`
			`sameSite: 'lax',`
			`path: '/',`
			`signed: true,`
			`} as const);`
feat: validate access token if needed 2021-08-15 23:39:03 +08:00			`const oidc = new Provider(issuer, {`
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`adapter: postgresAdapter,`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`renderError: (_ctx, _out, error) => {`
api: add sign in / consent 2021-07-04 15:01:02 +08:00			`console.log('OIDC error', error);`
chore(core): throw out oidc-provider error (#128) In order to display detailed error on the page we need to throw the oidc-provider error out and catched by koa-error-handler 2021-10-12 17:57:22 +08:00			`throw error;`
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`},`
			`cookies: {`
feat(core): cookie keys configuration (#902) * feat(core): cookie keys configuration * refactor: improved wording * refactor: improved wording * fix(core): test 2022-05-20 00:08:33 +08:00			`keys: cookieKeys,`
api: add sign in / consent 2021-07-04 15:01:02 +08:00			`long: cookieConfig,`
			`short: cookieConfig,`
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`},`
			`jwks: {`
			`keys,`
			`},`
feat: redirect to configured sign in URL 2021-07-02 22:09:38 +08:00			`features: {`
refactor(core): enable userinfo endpoint and resource scope consent (#187) * refactor(core): enable userinfo endpoint and resource scope consent enable userinfo endpoint and resource scope consent * fix(core): cr fix add comment add comment for useGrantedResource settigns reference 2022-01-24 10:13:18 +08:00			`userinfo: { enabled: true },`
feat: redirect to configured sign in URL 2021-07-02 22:09:38 +08:00			`revocation: { enabled: true },`
			`devInteractions: { enabled: false },`
feat: validate access token if needed 2021-08-15 23:39:03 +08:00			`resourceIndicators: {`
			`enabled: true,`
refactor(core): enable userinfo endpoint and resource scope consent (#187) * refactor(core): enable userinfo endpoint and resource scope consent enable userinfo endpoint and resource scope consent * fix(core): cr fix add comment add comment for useGrantedResource settigns reference 2022-01-24 10:13:18 +08:00			`// Disable the auto use of authorization_code granted resource feature`
			`// https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#usegrantedresource`
			`useGrantedResource: () => false,`
refactor(core): remove resource scopes 2022-04-08 16:07:34 +08:00			`getResourceServerInfo: async (_, indicator) => {`
fix(core): align resource_identifier namespace with OIDC provider (#224) * fix(core): align resource_identifier namespace with OIDC provider replace resource identifier name with resource_indicator align the usage with OIDC Provider * fix(cr): cr fix add empty line 2022-02-15 16:13:41 +08:00			`const resourceServer = await findResourceByIndicator(indicator);`
feat: implement getResourceIndicators logic (#146) * fix(schema): fix typo remove trailing comma fix typo remove trailing comma * feat(core): add resouce server query logic add resource server & scopes query logic to oidc-provider resourceIndicator feature config * fix(chore): scope should join with scopes.name fix scope name join format bug * fix(core): cr fix use pool.any replace pool.many use pool.any replace pool.many 2021-12-02 14:08:15 +08:00
			`if (!resourceServer) {`
			`throw new errors.InvalidTarget();`
			`}`

refactor(core): remove resource scopes 2022-04-08 16:07:34 +08:00			`const { accessTokenTtl: accessTokenTTL } = resourceServer;`
feat: implement getResourceIndicators logic (#146) * fix(schema): fix typo remove trailing comma fix typo remove trailing comma * feat(core): add resouce server query logic add resource server & scopes query logic to oidc-provider resourceIndicator feature config * fix(chore): scope should join with scopes.name fix scope name join format bug * fix(core): cr fix use pool.any replace pool.many use pool.any replace pool.many 2021-12-02 14:08:15 +08:00
			`return {`
fix(core): hard code resource access_token format (#216) 2022-02-08 14:06:13 +08:00			`accessTokenFormat: 'jwt',`
refactor(core): remove resource scopes 2022-04-08 16:07:34 +08:00			`scope: '',`
refactor(core): resources related db query cleanup (#179) * refactor(core): resources related db query cleanup clean resourece & scopes db queries * refactor(core): rename resources and scopes query file name rename plural filename 2022-01-14 11:54:09 +08:00			`accessTokenTTL,`
feat: implement getResourceIndicators logic (#146) * fix(schema): fix typo remove trailing comma fix typo remove trailing comma * feat(core): add resouce server query logic add resource server & scopes query logic to oidc-provider resourceIndicator feature config * fix(chore): scope should join with scopes.name fix scope name join format bug * fix(core): cr fix use pool.any replace pool.many use pool.any replace pool.many 2021-12-02 14:08:15 +08:00			`};`
			`},`
feat: validate access token if needed 2021-08-15 23:39:03 +08:00			`},`
feat: redirect to configured sign in URL 2021-07-02 22:09:38 +08:00			`},`
			`interactions: {`
api: add sign in / consent 2021-07-04 15:01:02 +08:00			`url: (_, interaction) => {`
			`switch (interaction.prompt.name) {`
			`case 'login':`
			`return routes.signIn.credentials;`
			`case 'consent':`
			`return routes.signIn.consent;`
			`default:`
			throw new Error(`Prompt not supported: ${interaction.prompt.name}`);
			`}`
			`},`
feat: redirect to configured sign in URL 2021-07-02 22:09:38 +08:00			`},`
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 14:15:13 +08:00			`extraClientMetadata: {`
fix(core): extraClientMetadata properties (#530) 2022-04-11 14:22:16 +08:00			`properties: Object.values(CustomClientMetadataKey),`
feat(core,schemas): cors allowed origins (#507) * feat(schemas): cors allowed origins of application in custom OIDC client metadata * refactor(schemas): rename CustomClientMetadataType to CustomClientMetadataKey * feat(core): cors allowed origins 2022-04-08 18:16:20 +08:00			`validator: (_, key, value) => {`
			`validateCustomClientMetadata(key, value);`
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 14:15:13 +08:00			`},`
			`},`
feat(core,schemas): cors allowed origins (#507) * feat(schemas): cors allowed origins of application in custom OIDC client metadata * refactor(schemas): rename CustomClientMetadataType to CustomClientMetadataKey * feat(core): cors allowed origins 2022-04-08 18:16:20 +08:00			`// https://github.com/panva/node-oidc-provider/blob/main/recipes/client_based_origins.md`
refactor: remove AC client dependency (#917) * refactor: remove AC client dependency * refactor: admin console URL and management API indicator * fix: typo 2022-05-23 19:18:48 +08:00			`clientBasedCORS: (ctx, origin, client) =>`
			`ctx.request.origin === origin \|\| isOriginAllowed(origin, client.metadata()),`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`// https://github.com/panva/node-oidc-provider/blob/main/recipes/claim_configuration.md`
			`claims: {`
refactor(core): align `role_names` claim with DB (#1016) 2022-06-01 15:43:16 +08:00			`profile: ['username', 'name', 'avatar', 'role_names', 'custom_data'],`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`},`
			`// https://github.com/panva/node-oidc-provider/tree/main/docs#findaccount`
			`findAccount: async (_ctx, sub) => {`
			`const { username, name, avatar, roleNames, customData } = await findUserById(sub);`
feat: find user account from db, close #4 2021-07-02 21:14:18 +08:00
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`return {`
			`accountId: sub,`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`claims: async (use) => {`
			`return snakecaseKeys({`
			`sub,`
			`username,`
			`name,`
			`avatar,`
refactor(core): align `role_names` claim with DB (#1016) 2022-06-01 15:43:16 +08:00			`roleNames,`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`...(use === 'userinfo' && { customData }),`
			`});`
fix(core): revert add custom claims to id token (#919) This reverts commit 9ccda932a45816be2089d3e58c8e91f55b9ecce9. 2022-05-22 11:33:13 +08:00			`},`
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`};`
			`},`
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 14:15:13 +08:00			`ttl: {`
			`/**`
			`* [OIDC Provider Default Settings](https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#ttl)`
			`*/`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`IdToken: (_ctx, _token, client) => {`
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 14:15:13 +08:00			`const { idTokenTtl } = client.metadata();`
chore: upgrade eslint-config to v0.6.1 2022-01-27 19:26:34 +08:00
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 14:15:13 +08:00			`return idTokenTtl ?? defaultIdTokenTtl;`
			`},`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`RefreshToken: (_ctx, _token, client) => {`
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 14:15:13 +08:00			`const { refreshTokenTtl } = client.metadata();`
chore: upgrade eslint-config to v0.6.1 2022-01-27 19:26:34 +08:00
feat(application): set idToken and refreshToken ttl based on client metadata (#176) * feat(application): set idtoken and refresh token ttl based on client metadata add idToken and refreshToken ttl metadata * fix(application): cr fix cr fix add default constant & set custom client metadata not null 2022-01-13 14:15:13 +08:00			`return refreshTokenTtl ?? defaultRefreshTokenTtl;`
			`},`
			`},`
feat(core): set claims for `profile` scope (#1013) 2022-06-01 15:00:10 +08:00			`extraTokenClaims: async (_ctx, token) => {`
feat(core): add admin role validation to the koaAuth (#920) * feat(core): add admin role validation to the koaAuth add admin role validation to the koaAuth * fix(core): cr fix cr fix 2022-05-24 16:42:28 +08:00			`// AccessToken type is not exported by default, need to asset token is AccessToken`
			`if (token.kind === 'AccessToken') {`
			`const { accountId } = token;`
			`const { roleNames } = await findUserById(accountId);`

			`// Add User Roles to the AccessToken claims. Should be removed once we have RBAC implemented.`
			`// User Roles should be hidden and determined by the AccessToken scope only.`
			`return {`
			`roleNames,`
			`};`
			`}`
			`},`
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`});`
feat(core,schemas): log token exchange success (#809) 2022-05-19 11:24:26 +08:00
feat(core): grantRevokedListener for logging revocation of access and refresh token (#900) * feat(core): grantRevokedListener for logging access and refresh token revocation * chore(core): improve description of grantRevokedListener test cases * refactor(core): extract addOidcEventListeners 2022-05-20 13:54:05 +08:00			`addOidcEventListeners(oidc);`
feat(core,schemas): log token exchange success (#809) 2022-05-19 11:24:26 +08:00
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`app.use(mount('/oidc', oidc.app));`
chore: upgrade eslint-config to v0.6.1 2022-01-27 19:26:34 +08:00
feat: sign in API via user id + password 2021-07-03 21:19:20 +08:00			`return oidc;`
Provide OIDC jwk and reorg code 2021-06-27 20:44:05 +08:00			`}`