fix: cloud connection should bypass custom JWT flow
This commit is contained in:
parent
084ced1bd6
commit
18fb88ecdd
2 changed files with 10 additions and 24 deletions
|
@ -34,20 +34,11 @@ const accessTokenExpirationMargin = 60;
|
|||
|
||||
/** The library for connecting to Logto Cloud service. */
|
||||
export class CloudConnectionLibrary {
|
||||
private _isAuthenticated = false;
|
||||
private client?: Client<typeof router>;
|
||||
private accessTokenCache?: { expiresAt: number; accessToken: string };
|
||||
|
||||
constructor(private readonly logtoConfigs: LogtoConfigLibrary) {}
|
||||
|
||||
get isAuthenticated() {
|
||||
return this._isAuthenticated;
|
||||
}
|
||||
|
||||
private set isAuthenticated(value: boolean) {
|
||||
this._isAuthenticated = value;
|
||||
}
|
||||
|
||||
public getCloudConnectionData = async (): Promise<CloudConnection> => {
|
||||
const { getCloudConnectionData: getCloudServiceM2mCredentials } = this.logtoConfigs;
|
||||
const credentials = await getCloudServiceM2mCredentials();
|
||||
|
@ -76,8 +67,6 @@ export class CloudConnectionLibrary {
|
|||
if (expiresAt > Date.now() / 1000 + accessTokenExpirationMargin) {
|
||||
return accessToken;
|
||||
}
|
||||
// Set the cloud connection to not authenticated if the access token is expired.
|
||||
this.isAuthenticated = false;
|
||||
}
|
||||
|
||||
const { tokenEndpoint, appId, appSecret, resource } = await this.getCloudConnectionData();
|
||||
|
@ -105,8 +94,6 @@ export class CloudConnectionLibrary {
|
|||
expiresAt: Date.now() / 1000 + result.data.expires_in,
|
||||
accessToken: result.data.access_token,
|
||||
};
|
||||
// Set the cloud connection to `authenticated` if the access token is valid.
|
||||
this.isAuthenticated = true;
|
||||
|
||||
return result.data.access_token;
|
||||
};
|
||||
|
|
|
@ -215,18 +215,17 @@ export default function initOidc(
|
|||
return;
|
||||
}
|
||||
|
||||
const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
|
||||
|
||||
/**
|
||||
* The execution on this function relies on the existence of authenticated cloud connection client.
|
||||
*
|
||||
* The process that cloud connection get access token also includes this function (`extraTokenClaims`
|
||||
* is a function that will always be executed during the process of generating an access token), it
|
||||
* could trigger infinite loop if we do not terminal the process early.
|
||||
* Cloud connection should not go through this custom JWT logic.
|
||||
*/
|
||||
if (!cloudConnection.isAuthenticated) {
|
||||
if (isTokenClientCredentials) {
|
||||
const { appId } = await cloudConnection.getCloudConnectionData();
|
||||
if (token.clientId === appId) {
|
||||
return;
|
||||
}
|
||||
|
||||
const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;
|
||||
}
|
||||
|
||||
const {
|
||||
value: { script, envVars },
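Review bot: With the `isAuthenticated` gate gone, the `if (isTokenClientCredentials)` block awaits `cloudConnection.getCloudConnectionData()` on every client-credentials issuance, so if that lookup rejects (its implementation in the first file just awaits `logtoConfigs.getCloudConnectionData()`, and what happens when no cloud connection is configured is not visible here) the rejection propagates out of `extraTokenClaims` and the grant fails before the custom JWT script runs, where the old gate merely skipped the custom logic; the page has lost its `+`/`-` markers, so which of the two `isTokenClientCredentials` declarations and the two `if` blocks is the new side is inferred from the hunk counts. Consider having the lookup degrade to "not the cloud client" when the connection is unconfigured or unreadable (a `try`/`catch` around the call, or a small `isCloudClient(clientId)` helper on `CloudConnectionLibrary` that owns that decision), and check whether the per-issuance credentials read should be cached the way the access token already is. The doc comment above the block could also be tightened: `* The execution of this function relies on the existence of an authenticated cloud connection client.` and `* could trigger an infinite loop if we do not terminate the process early.`. The enclosing `extraTokenClaims` callback inside `initOidc` starts and ends outside this hunk.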
|
||||
|
|