msb-public
/
wiki
mirror of https://github.com/requarks/wiki
1
0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6a865e42f7'
${ noResults }
wiki/server/modules/authentication/oidc/authentication.js

91 lines
3.6 KiB
Raw Blame History

const _ = require('lodash')
const { verifyJwt } = require('../../../helpers/jwt')
/* global WIKI */
// ------------------------------------
// OpenID Connect Account
// ------------------------------------
const OpenIDConnectStrategy = require('passport-openidconnect').Strategy
module.exports = {
async init(passport, conf) {
try {
let oidcConfig = {
issuer: conf.issuer,
authorizationURL: conf.authorizationURL,
tokenURL: conf.tokenURL,
userInfoURL: conf.userInfoURL,
clientID: conf.clientId,
clientSecret: conf.clientSecret,
callbackURL: conf.callbackURL,
scope: 'profile email ' + conf.scope,
passReqToCallback: true,
skipUserProfile: conf.skipUserProfile,
acrValues: conf.acrValues
}
if (conf.wellKnownURL) {
try {
const response = await fetch(conf.wellKnownURL)
if (!response.ok) throw new Error(response.statusText)
const wellKnown = await response.json()
if (!oidcConfig.issuer) oidcConfig.issuer = wellKnown.issuer
if (!oidcConfig.authorizationURL) oidcConfig.authorizationURL = wellKnown.authorization_endpoint
if (!oidcConfig.tokenURL) oidcConfig.tokenURL = wellKnown.token_endpoint
if (!oidcConfig.userInfoURL) oidcConfig.userInfoURL = wellKnown.userinfo_endpoint
oidcConfig.jwksUri = wellKnown.jwks_uri
oidcConfig.idTokenSigningAlgValuesSupported = wellKnown.id_token_signing_alg_values_supported
} catch (error) {
WIKI.logger.error('Error fetching OIDC well-known configuration:', error)
}
}
passport.use(conf.key, new OpenIDConnectStrategy(oidcConfig, async (req, iss, uiProfile, idProfile, context, idToken, accessToken, refreshToken, params, cb) => {
let idTokenClaims = {}
if (conf.mergeIdTokenClaims && idToken) {
idTokenClaims = await verifyJwt(idToken, {
issuer: oidcConfig.issuer,
clientId: oidcConfig.clientID,
jwksUri: oidcConfig.jwksUri,
algorithms: oidcConfig.idTokenSigningAlgValuesSupported
})
}
// Merge claims from ID token and profile, with idProfile taking precedence
const profile = { ...idTokenClaims, ...idProfile }
try {
const user = await WIKI.models.users.processProfile({
providerKey: req.params.strategy,
profile: {
...profile,
id: _.get(profile, conf.userIdClaim),
displayName: _.get(profile, conf.displayNameClaim, 'Unknown User'),
email: _.get(profile, conf.emailClaim)
}
})
if (conf.mapGroups) {
const groups = _.get(profile, conf.groupsClaim)
if (groups && _.isArray(groups)) {
const currentGroups = (await user.$relatedQuery('groups').select('groups.id')).map(g => g.id)
const expectedGroups = Object.values(WIKI.auth.groups).filter(g => groups.includes(g.name)).map(g => g.id)
for (const groupId of _.difference(expectedGroups, currentGroups)) {
await user.$relatedQuery('groups').relate(groupId)
}
for (const groupId of _.difference(currentGroups, expectedGroups)) {
await user.$relatedQuery('groups').unrelate().where('groupId', groupId)
}
}
}
cb(null, user)
} catch (err) {
cb(err, null)
}
}))
} catch (err) {
WIKI.logger.error(`Error initializing OpenID Connect strategy: ${err}`)
}
},
logout(conf) {
return conf.logoutURL || '/'
}
}
Reference in new issue View Git Blame Copy Permalink