Merge 60f5424af7 into 407aacfa19

3 weeks ago · 6a865e42f7
parent 407aacfa19 60f5424af7
commit 6a865e42f7
5 changed files with 149 additions and 55 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -8,7 +8,7 @@
    "vue"
  ],
  "editor.codeActionsOnSave": {
-    "source.fixAll.eslint": true
+    "source.fixAll.eslint": "explicit"
  },
  "i18n-ally.localesPaths": [
    "server/locales"
--- a/package.json
+++ b/package.json
@ -101,6 +101,7 @@
    "js-yaml": "3.14.0",
    "jsdom": "16.4.0",
    "jsonwebtoken": "9.0.0",
    "jwks-rsa": "3.1.0",
    "katex": "0.12.0",
    "klaw": "3.0.0",
    "knex": "0.21.7",
--- a/server/helpers/jwt.js
+++ b/server/helpers/jwt.js
@ -0,0 +1,47 @@
 const jwt = require('jsonwebtoken')
 const jwksClient = require('jwks-rsa')
 /**
 * Function to get the signing key for a specific token.
 * @param {Object} header - JWT header containing the `kid`.
 * @returns {Promise<string>} - Resolves with the signing key.
 */
 function getSigningKey(header, jwksUri) {
  return new Promise((resolve, reject) => {
    const client = jwksClient({ jwksUri })
    client.getSigningKey(header.kid, (err, key) => {
      if (err) {
        return reject(new Error('Error getting signing key: ' + err))
      }
      resolve(key.getPublicKey())
    })
  })
 }
 /**
 * Verifies a JWT token using a public key from JWKS.
 * @param {string} token - The JWT token to verify.
 * @param {Object} conf - Configuration object containing `issuer` and `clientId`.
 * @returns {Promise<Object>} - Resolves with the decoded token if verification is successful.
 */
 async function verifyJwt(token, conf) {
  try {
    const decodedHeader = jwt.decode(token, { complete: true })
    if (!decodedHeader || !decodedHeader.header) {
      throw new Error('JWT verification failed: Invalid token header')
    }
    const signingKey = await getSigningKey(decodedHeader.header, conf.jwksUri)
    const decoded = jwt.verify(token, signingKey, {
      algorithms: conf.algorithms || ['RS256'],
      issuer: conf.issuer,
      audience: conf.clientId
    })
    return decoded
  } catch (err) {
    throw new Error('JWT verification failed: ' + err.message)
  }
 }
 module.exports = {
  verifyJwt
 }
--- a/server/modules/authentication/oidc/authentication.js
+++ b/server/modules/authentication/oidc/authentication.js
@ -1,4 +1,5 @@
 const _ = require('lodash')
 const { verifyJwt } = require('../../../helpers/jwt')
 /* global WIKI */
@ -9,33 +10,60 @@ const _ = require('lodash')
 const OpenIDConnectStrategy = require('passport-openidconnect').Strategy
 module.exports = {
-  init (passport, conf) {
+  async init(passport, conf) {
-    passport.use(conf.key,
+    try {
-      new OpenIDConnectStrategy({
+      let oidcConfig = {
        issuer: conf.issuer,
        authorizationURL: conf.authorizationURL,
        tokenURL: conf.tokenURL,
        userInfoURL: conf.userInfoURL,
        clientID: conf.clientId,
        clientSecret: conf.clientSecret,
        issuer: conf.issuer,
        userInfoURL: conf.userInfoURL,
        callbackURL: conf.callbackURL,
        scope: 'profile email ' + conf.scope,
        passReqToCallback: true,
        skipUserProfile: conf.skipUserProfile,
        acrValues: conf.acrValues
-      }, async (req, iss, uiProfile, idProfile, context, idToken, accessToken, refreshToken, params, cb) => {
+      }
-        const profile = Object.assign({}, idProfile, uiProfile)
+      if (conf.wellKnownURL) {
-
+        try {
          const response = await fetch(conf.wellKnownURL)
          if (!response.ok) throw new Error(response.statusText)
          const wellKnown = await response.json()
          if (!oidcConfig.issuer) oidcConfig.issuer = wellKnown.issuer
          if (!oidcConfig.authorizationURL) oidcConfig.authorizationURL = wellKnown.authorization_endpoint
          if (!oidcConfig.tokenURL) oidcConfig.tokenURL = wellKnown.token_endpoint
          if (!oidcConfig.userInfoURL) oidcConfig.userInfoURL = wellKnown.userinfo_endpoint
          oidcConfig.jwksUri = wellKnown.jwks_uri
          oidcConfig.idTokenSigningAlgValuesSupported = wellKnown.id_token_signing_alg_values_supported
        } catch (error) {
          WIKI.logger.error('Error fetching OIDC well-known configuration:', error)
        }
      }
      passport.use(conf.key, new OpenIDConnectStrategy(oidcConfig, async (req, iss, uiProfile, idProfile, context, idToken, accessToken, refreshToken, params, cb) => {
        let idTokenClaims = {}
        if (conf.mergeIdTokenClaims && idToken) {
          idTokenClaims = await verifyJwt(idToken, {
            issuer: oidcConfig.issuer,
            clientId: oidcConfig.clientID,
            jwksUri: oidcConfig.jwksUri,
            algorithms: oidcConfig.idTokenSigningAlgValuesSupported
          })
        }
        // Merge claims from ID token and profile, with idProfile taking precedence
        const profile = { ...idTokenClaims, ...idProfile }
        try {
          const user = await WIKI.models.users.processProfile({
            providerKey: req.params.strategy,
            profile: {
              ...profile,
-              email: _.get(profile, '_json.' + conf.emailClaim),
+              id: _.get(profile, conf.userIdClaim),
-              displayName: _.get(profile, '_json.' + conf.displayNameClaim, '')
+              displayName: _.get(profile, conf.displayNameClaim, 'Unknown User'),
              email: _.get(profile, conf.emailClaim)
            }
          })
          if (conf.mapGroups) {
-            const groups = _.get(profile, '_json.' + conf.groupsClaim)
+            const groups = _.get(profile, conf.groupsClaim)
            if (groups && _.isArray(groups)) {
              const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).map(g => g.id)
              const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)
@ -51,14 +79,12 @@ module.exports = {
        } catch (err) {
          cb(err, null)
        }
-      })
+      }))
-    )
+    } catch (err) {
-  },
+      WIKI.logger.error(`Error initializing OpenID Connect strategy: ${err}`)
  logout (conf) {
    if (!conf.logoutURL) {
      return '/'
    } else {
      return conf.logoutURL
    }
  },
  logout(conf) {
    return conf.logoutURL || '/'
  }
 }
--- a/server/modules/authentication/oidc/definition.yml
+++ b/server/modules/authentication/oidc/definition.yml
@ -7,66 +7,62 @@ color: blue-grey darken-2
 website: http://openid.net/connect/
 isAvailable: true
 useForm: false
 scopes:
  - openid
  - profile
  - email
 props:
-  clientId:
+  wellKnownURL:
    type: String
-    title: Client ID
+    title: Well-Known Configuration URL
-    hint: Application Client ID
+    hint: The Well-Known configuration Endpoint URL (e.g. https://provider/.well-known/openid-configuration)
    order: 1
  clientSecret:
    type: String
    title: Client Secret
    hint: Application Client Secret
    order: 2
  authorizationURL:
    type: String
    title: Authorization Endpoint URL
-    hint: Application Authorization Endpoint URL
+    hint: Application Authorization Endpoint URL (overrides value from well-known URL if set)
-    order: 3
+    order: 2
  tokenURL:
    type: String
    title: Token Endpoint URL
-    hint: Application Token Endpoint URL
+    hint: Application Token Endpoint URL (overrides value from well-known URL if set)
-    order: 4
+    order: 3
  userInfoURL:
    type: String
    title: User Info Endpoint URL
-    hint: User Info Endpoint URL
+    hint: User Info Endpoint URL (overrides value from well-known URL if set)
    order: 4
  issuer:
    type: String
    title: Issuer URL
    hint: Issuer URL (overrides value from well-known URL if set)
    order: 5
-  skipUserProfile:
+  clientId:
-    type: Boolean
+    type: String
-    default: false
+    title: Client ID
-    title: Skip User Profile
+    hint: Application Client ID
    hint: Skips call to the OIDC UserInfo endpoint
    order: 6
-  issuer:
+  clientSecret:
    type: String
-    title: Issuer
+    title: Client Secret
-    hint: Issuer URL
+    hint: Application Client Secret
    order: 7
  userIdClaim:
    type: String
    title: User Id Claim
    hint: Field containing the unique user identifier
    default: sub
    maxWidth: 500
    order: 8
  emailClaim:
    type: String
    title: Email Claim
    hint: Field containing the email address
    default: email
    maxWidth: 500
-    order: 8
+    order: 9
  displayNameClaim:
    type: String
    title: Display Name Claim
    hint: Field containing the user display name
-    default: displayName
+    default: name
    maxWidth: 500
    order: 9
  mapGroups:
    type: Boolean
    title: Map Groups
    hint: Map groups matching names from the groups claim value
    default: false
    order: 10
  groupsClaim:
    type: String
@ -75,13 +71,37 @@ props:
    default: groups
    maxWidth: 500
    order: 11
  mergeIdTokenClaims:
    type: Boolean
    title: Merge ID Token Claims
    hint: If enabled, verifies the ID token and merges its claims into the user profile
    default: false
    order: 12
  mapGroups:
    type: Boolean
    title: Map Groups
    hint: Map groups matching names from the groups claim value
    default: false
    order: 13
  skipUserProfile:
    type: Boolean
    default: false
    title: Skip User Profile
    hint: Skips call to the OIDC UserInfo endpoint
    order: 14
  logoutURL:
    type: String
    title: Logout URL
    hint: (optional) Logout URL on the OAuth2 provider where the user will be redirected to complete the logout process.
-    order: 12
+    order: 15
  scope:
    type: String
    title: Additional Scopes
    hint: (optional) Additional space-separated OIDC scopes (e.g. 'offline_access groups') - openid, profile and email are always included
    maxWidth: 500
    order: 16
  acrValues:
    type: String
    title: ACR Values
    hint: (optional) Authentication Context Class Reference
-    order: 13
+    order: 17