@blazedpath/commons 0.0.4

package/blz-security/middleware/HapiServerKeycloak.js

@@ -0,0 +1,840 @@
+/**
+ * @author Blazedpath Team
+ * @implements Protecting all resources through hapi middleware
+ * @description Hapi.js (derived from Http-API) is an open-source Node.js
+ * framework used to build powerful and scalable web applications.
+ * @see https://hapi.dev/api/
+ */
+const Uma = require('../implementations/uma')
+const Jsonwebtoken = require('jsonwebtoken') // Implementations of JSON Web Tokens.
+const {
+    Exception,
+    getFullUrl,
+    getHost,
+    getProtocol,
+    getPathname,
+    getTemplate,
+    getTokenTolerance,
+    trace,
+    errorResponse
+} = require('../helpers/utils')
+// HapiServer Modules
+const hapiYar = require('@hapi/yar');
+const hapiJwt = require('@hapi/jwt');
+const hapiCookie = require('@hapi/cookie')
+// Quick Http Fetch using axios
+const axios = require('axios');
+// Crypto for code_verifier in token exchange
+const crypto = require('crypto');
+// Uses Issue to cache manage and logout (generators/customs not sure why yet)
+const {
+    Issuer
+} = require('openid-client') // OpenID Certified Relying Party.
+const {
+    METADATA
+} = require('../helpers/consts')
+// Rotating key-certs, so we jwk used to routinly fetch them
+const jwksClient = require('jwks-rsa') // Retrieve RSA public keys from a JWKS.
+
+let contextConfig = {}
+let securityService = null
+
+class HapiServerKeycloak {
+    constructor(openIdConnect, cookiesName, cache) {
+        this.openIdConnect = openIdConnect
+        this.COOKIE_NAMES = cookiesName
+        this.activateTraceApiMethod = false
+        this.queryStringLimit = null;
+        this.securityLoginTokenExpToleranceSeconds = 3600 * 5; // Default 5 hours
+        this.authServerConfig = null;
+        this.authServerFullLoginUrl = null;
+        // This cache stores locally the jwt token set for refresh and logout.
+        this.cache = cache;
+        // To terminate sessions
+        this.clientOidc = null;
+        // This client keeps a refresh of the rotating keys
+        this.clientJwk = null;
+        this.publicKeyFetch = null;
+        // URL temporal hash
+        this.securityService = null;
+        this.securityUrlCookieKey = null;
+    }
+    async generateGuid() {
+        return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
+          const r = Math.random() * 16 | 0;
+          const v = (c === 'x') ? r : (r & 0x3 | 0x8);
+          return v.toString(16);
+        });
+      }
+
+    async connect(_securityService, hapiServer, config) {
+        contextConfig = config
+        this.authServerConfig = contextConfig;
+        securityService = _securityService
+        const {
+            authServer,
+            activateTraceApiMethod
+        } = config
+        if (activateTraceApiMethod) {
+            this.activateTraceApiMethod = activateTraceApiMethod
+        }
+        let oidcConfiguration = {}
+        const stateOption = {
+            clearInvalid: true,
+            encoding: 'base64',
+            isSecure: true,
+            isHttpOnly: true,
+            isSameSite: 'Lax',
+            path: '/',
+            strictHeader: true
+        }
+        try {
+            if (authServer.sessionCookiesDomain) {
+                stateOption.domain = authServer.sessionCookiesDomain
+            }
+            stateOption.isHttpOnly = authServer.isHttpOnlyForSessionState ?? false;
+            hapiServer.state(this.COOKIE_NAMES.SESSION_STATE, stateOption)
+            oidcConfiguration = await this.configuration(authServer)
+            if (oidcConfiguration.clientOidc) {
+                this.clientOidc = oidcConfiguration.clientOidc;
+            }
+            if (!authServer.scope || !authServer.scope.split(' ').some((reg) => reg === 'openid')) {
+                authServer.scope = `openid ${authServer.scope || ''}`
+                authServer.scope.trim();
+            }
+            this.authServerConfig.authServer.scope ? this.authServerConfig.authServer.scope.trim().replace(/\s+/g, '%20') : 'openid';
+            if (authServer.tokenEndpoint && !authServer.tokenEndpoint.match(/https.*/)) {
+                hapiServer.states.cookies[this.COOKIE_NAMES.SID].isSecure = false
+                hapiServer.states.cookies[this.COOKIE_NAMES.SESSION_STATE].isSecure = false
+            }
+            trace('INFO', 'The following configuration was initialized')
+            const securityConfiguration = Object.fromEntries(Object.entries(authServer).filter((entry) => !['clientSecret', 'PrivateKey', 'PublicKey'].includes(entry[0])))
+            trace('INFO', oidcConfiguration.tokenEndpoint ? oidcConfiguration : securityConfiguration)
+
+            // cookie specifically used for path hash
+            this.securityUrlCookieKey = securityService.getSecureUrlCookieKey();
+            if (this.securityUrlCookieKey) {
+                const securityUrlCookieStateOptions = {
+                    ...stateOption,
+                    isHttpOnly: false,
+                    ttl: null,
+                };
+                hapiServer.state(this.securityUrlCookieKey, securityUrlCookieStateOptions);
+            }
+        } catch (err) {
+            trace('ERROR', `Exception ${err.message}`)
+            trace('ERROR', err.stack)
+        }
+        // set the scope
+        const me = this
+        // Add Plugins
+
+        this.configurePlugins(hapiServer);
+        // onPreAuth: Here we check if the jwtToken in yar, recompose the authorization header before hapi jwt module auth.
+        // Http protocol does not redirect all headers on a 3XX code.
+        hapiServer.ext('onPreAuth', async (request, h) => {
+            // add cookie para lo de flavio
+            if (this.securityUrlCookieKey){
+                const clientId = request.state[this.securityUrlCookieKey];
+                if (!clientId) {
+                    const securityUrlCookieKeyValue = await this.generateGuid();
+                    h.state(this.securityUrlCookieKey, securityUrlCookieKeyValue); // Set cookie
+                }
+            }
+
+            // Retrieve token info from yar storage
+            let tokenInfo = request.yar.get('jwtToken');
+            if (tokenInfo) {
+                // check if token is about to be expired or absent, if so, update
+                let aboutToExpire = await me.tokenAboutToExpire(tokenInfo.token, 10);
+                if (aboutToExpire) {
+                    // If refresh token is expired as well, then the user MUST re-login
+                    let isRefreshTokenExpired = await this.isRefreshTokenExpired(tokenInfo.refreshToken);
+                    let refreshTokenPresent = 'refreshToken' in tokenInfo;
+                    if (isRefreshTokenExpired && refreshTokenPresent) {
+                        // clear token from cookies and exit
+                        request.yar.get('jwtToken', true);
+                        delete request.headers.authorization; // Remove the authorization header
+                        await request.yar.commit(h);
+                        return h.continue;
+                    } else {
+                        // If refresh token is present and not expired, attempt refresh
+                        let refreshedTokens = await this.refreshToken(tokenInfo.refreshToken);
+                        // Check that this method returned a valid set of tokens
+                        if (refreshedTokens && refreshedTokens.token_type &&
+                            (refreshedTokens.id_token || refreshedTokens.access_token) && refreshedTokens.session_state &&
+                                refreshedTokens.refresh_token) {
+                            let refreshedTokenInfo = {
+                                tokenType: 'Bearer',
+                                token: refreshedTokens.id_token,
+                                tokenSubType: 'id_token',
+                                refreshToken: refreshedTokens.refresh_token
+                            };
+                            request.yar.set('jwtToken', refreshedTokenInfo);
+                            await request.yar.commit(h);
+                            tokenInfo = refreshedTokenInfo;
+                        } else {
+                            // Refresh token failed, clear and continue
+                            request.yar.get('jwtToken', true);
+                            delete request.headers.authorization;
+                            await request.yar.commit(h);
+                            return h.continue;
+                        }
+                    }
+                }
+                switch (tokenInfo.tokenType) {
+                    case 'Bearer':
+                    case 'bearer': {
+                        request.headers.authorization = `Bearer ${tokenInfo.token}`;
+                        break;
+                    }
+                    default:
+                        break;
+                }
+            }
+            return h.continue;
+        });
+        hapiServer.ext('onPreResponse', async (request, h) => {
+            const response = request.response;
+
+            let authError = request.yar.get('authError', true);
+            await request.yar.commit(h);
+            // By this point, token refresh was already attempted in onPreAuth event, so it redirects to login on unauthorized
+            if (response.isBoom && response.output.statusCode === 401 && !request.path.startsWith('/auth/callback') && !authError) {
+                // Create the url query string parameters. with a random code verifier, store in yar and get the codeChallenge
+                const codeVerifier = crypto.randomBytes(32).toString('base64url');
+                request.yar.set('code_verifier', codeVerifier); // For PKCE auth flow
+                request.yar.set('originalUrlPathName', me.getFullUrl(request)); // For redirect after login
+                await request.yar.commit(h);
+
+                const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
+                const responseType = 'code'; // Authorization code grant
+                const redirectUri = me.getRedirectUriPath(request, 'auth/callback');
+                const codeChallengeMethod = 'S256'; // PKCE method
+                const scope = (authServer.scope) ? authServer.scope.trim().replace(/\s+/g, '%20') : 'openid';
+
+                const authLoginUrlWithParams = new URL(authServer.authorizationEndpoint);
+                authLoginUrlWithParams.searchParams.set('client_id', me.authServerConfig.authServer.clientId);
+                authLoginUrlWithParams.searchParams.set('response_type', responseType);
+                authLoginUrlWithParams.searchParams.set('redirect_uri', redirectUri);
+                authLoginUrlWithParams.searchParams.set('scope', scope);
+                authLoginUrlWithParams.searchParams.set('code_challenge', codeChallenge);
+                authLoginUrlWithParams.searchParams.set('code_challenge_method', codeChallengeMethod);
+
+                // Redirect to Keycloak
+                return h.redirect(authLoginUrlWithParams.toString()).takeover();
+            }
+            return h.continue;
+        });
+        // /auth/callback : Resolves the jwt token on a callback after the login
+        hapiServer.route({
+            method: 'GET',
+            path: '/auth/callback',
+            options: {
+                auth: false, // Disable authentication for this route
+            },
+            handler: async (request, h) => {
+                const authCode = request.query.code;
+                if (!authCode) {
+                    return h.response('Authorization code missing').code(400);
+                }
+                try {
+                    // Grab the code verifier
+                    let codeVerifier = request.yar.get('code_verifier', true);
+                    let tokenResponse = await axios.post(
+                        me.authServerConfig.authServer.tokenEndpoint,
+                        new URLSearchParams({
+                            grant_type: 'authorization_code',
+                            client_id: me.authServerConfig.authServer.clientId,
+                            client_secret: me.authServerConfig.authServer.clientSecret, // If required
+                            code: authCode,
+                            redirect_uri: me.getRedirectUriPath(request, 'auth/callback'),
+                            code_verifier: codeVerifier
+                        }).toString(), {
+                            headers: {
+                                'Content-Type': 'application/x-www-form-urlencoded',
+                            },
+                        }
+                    );
+                    if (!tokenResponse.statusText === 'OK') {
+                        throw new Error('Failed to exchange code for tokens');
+                    }
+                    let obtainedTokens = {};
+                    obtainedTokens.tokenType = 'Bearer';
+                    if (tokenResponse.data.id_token) {
+                        obtainedTokens.token = tokenResponse.data.id_token;
+                        obtainedTokens.tokenSubType = 'id_token';
+                    } else {
+                        obtainedTokens.token = tokenResponse.data.access_token;
+                        obtainedTokens.tokenSubType = 'access_token';
+                    }
+                    obtainedTokens.refreshToken = tokenResponse.data.refresh_token;
+
+                    let originalUrlPathName = request.yar.get('originalUrlPathName') ?? '/'
+                    // Set session state
+                    const sessionState = request.query.session_state;
+                    h.state(this.COOKIE_NAMES.SESSION_STATE, sessionState);
+
+                    // Store the JWT token in the `Authorization` header or a cookie
+                    switch (obtainedTokens.tokenType) {
+                        case 'Bearer':
+                        case 'bearer': {
+                            request.yar.set('jwtToken', obtainedTokens);
+                            await request.yar.commit(h);
+                            return h.redirect(originalUrlPathName).takeover();
+                        }
+                        default: {
+                            break;
+                        }
+                    }
+                    return h.continue; // Continue in case no token_type -> no auth header configured
+                } catch (error) {
+                    request.yar.set('authError', false);
+                    await request.yar.commit(h);
+                    console.error('Failed to exchange code for token:', error.response?.data || error.message);
+                    return h.response('Failed to authenticate').code(500).takeover();
+                }
+            },
+        });
+        // /get-authorization
+        hapiServer.route({
+            method: 'GET',
+            path: '/get-authorization',
+            handler: async (request, h) => {
+                try {
+                    const {
+                        session_state: ckSessionState
+                    } = request.state
+                    if (!ckSessionState) {
+                        throw new Exception("Keycloack get-authorization: Session cookie doesn't exist.", 'CookiesError', 404)
+                    }
+                    const tokenSet = await me.openIdConnect.tokenSet()
+                    const tokens = await tokenSet.tokens(ckSessionState)
+                    const uma = await Uma.permission()
+                    const token = await uma.ticket({
+                        tokenUrl: authServer.tokenEndpoint || authServer.tokenUrl,
+                        token: tokens.access_token,
+                        audience: authServer.clientId
+                    })
+                    const sourceData = Jsonwebtoken.decode(token.access_token)
+                    return h.response(JSON.stringify(sourceData.authorization)).takeover()
+                } catch (err) {
+                    return errorResponse(h, err, 401)
+                }
+            }
+        })
+        // /get-security-rules
+        hapiServer.route({
+            method: 'GET',
+            path: '/get-security-rules',
+            handler: async (request, h) => {
+                try {
+                    const securityRules = await securityService.getFrontendSecurityRules(request)
+                    return h.response(JSON.stringify(securityRules)).takeover()
+                } catch (err) {
+                    return errorResponse(h, err, 401)
+                }
+            }
+        })
+        // /get-permissions
+        hapiServer.route({
+            method: 'GET',
+            path: '/get-permissions',
+            handler: async (request, h) => {
+                try {
+                    const permissions = await securityService.getPermissions()
+                    return h.response(JSON.stringify(permissions)).takeover()
+                } catch (err) {
+                    return errorResponse(h, err, 401)
+                }
+            }
+        })
+        // /get-user-info
+        hapiServer.route({
+            method: 'GET',
+            path: '/get-user-info',
+            handler: async (request, h) => {
+                try {
+                    const userInfo = await securityService.getUserInfo(request)
+                    return h
+                        .response(JSON.stringify(userInfo))
+                        .takeover()
+                } catch (err) {
+                    return errorResponse(h, err, 500)
+                }
+            }
+        })
+        // /logout
+        hapiServer.route({
+            path: '/logout',
+            method: 'GET',
+            options: {
+                auth: false, // Disable authentication for this route TODO:
+            },
+            handler: async (request, h) => {
+                try {
+                    const ckSessionState = request.state[this.COOKIE_NAMES.SESSION_STATE]
+                    request.yar.clear('jwtToken');
+                    await request.yar.commit(h);
+                    let endSessionUrl = await me.endSessionUrl(me.getRedirectUri(request), me.clientOidc);
+                    return h
+                        .response()
+                        .unstate(this.COOKIE_NAMES.SID)
+                        .unstate(this.COOKIE_NAMES.SESSION_STATE)
+                        .unstate(this.COOKIE_NAMES.AUTH_TOKEN)
+                        .redirect(endSessionUrl)
+                        .takeover()
+                } catch (err) {
+                    return errorResponse(h, err, 500)
+                }
+            }
+        })
+        // /invalid-session
+        hapiServer.route({
+            path: '/invalid-session',
+            method: 'GET',
+            handler: async (request, h) => {
+                try {
+                    const endSessionUrl = await me.openIdConnect.endSessionUrl({
+                        redirectUri: this.getRedirectUri(request),
+                        sessionState: request.state[this.COOKIE_NAMES.SESSION_STATE]
+                    })
+                    return h
+                        .response()
+                        .unstate(this.COOKIE_NAMES.SID)
+                        .unstate(this.COOKIE_NAMES.SESSION_STATE)
+                        .redirect(endSessionUrl)
+                        .takeover()
+                } catch (err) {
+                    return errorResponse(h, err, 500)
+                }
+            }
+        })
+        // /check-session-iframe.html
+        hapiServer.route({
+            path: '/check-session-iframe.html',
+            method: 'GET',
+            handler: async (_request, h) => {
+                try {
+                    let content = '<html/>'
+                    if (authServer && authServer.checkSessionIframe) {
+                        const {
+                            checkSessionIframe: sessionIframeUrl,
+                            clientId,
+                            sessionCookiesPrefix
+                        } = authServer
+                        if (sessionIframeUrl && sessionIframeUrl.includes('https://')) {
+                            trace('INFO', `Session management url: ${sessionIframeUrl}`)
+                            content = getTemplate('session-iframe', {
+                                sessionIframeUrl,
+                                clientId,
+                                sessionCookiesPrefix: sessionCookiesPrefix || ''
+                            })
+                        } else {
+                            trace('WARN', 'For session management, it is necessary to get the value from a cookie called session_state, and as a good practice, it should have reached a secure context [TLS].')
+                        }
+                    }
+                    return h
+                        .response(content)
+                        .header('Content-Type', 'text/html')
+                } catch (err) {
+                    return errorResponse(h, err, 500)
+                }
+            }
+        });
+        // /check-session
+        hapiServer.route({
+            path: '/check-session',
+            options: {
+                auth: false
+            },
+            method: 'GET',
+            handler: async (request, h) => {
+                let tokenInfo = request.yar.get('jwtToken');
+                let tokenIsExpired = { expired: false }
+                if (tokenInfo) {
+                    // check if refresh token is about to be expired
+                    tokenIsExpired.expired = await this.tokenAboutToExpire(tokenInfo.refreshToken, 0.5);
+                    if (tokenIsExpired.expired) {
+                        tokenIsExpired.redirectUrl = await this.getFullKeycloakLoginUri(request, h)
+                        request.yar.clear('jwtToken');
+                        request.yar.clear('userRelog');
+                    }
+                }
+                return h.response(tokenIsExpired);
+            }
+        });
+    }
+    // this function takes h, because i need to set yar storage, and avoid overprocessing
+    async getFullKeycloakLoginUri(request, h) {
+        const codeVerifier = crypto.randomBytes(32).toString('base64url');
+        request.yar.set('code_verifier', codeVerifier); // For PKCE auth flow
+        request.yar.set('originalUrlPathName', this.getBaseUrl(request) ); // For redirect after login
+        await request.yar.commit(h);
+
+        const responseType = 'code'; // Authorization code grant
+        const redirectUri = this.getRedirectUriPath(request, 'auth/callback');
+        const scope = this.authServerConfig.authServer.scope;
+        const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
+        const codeChallengeMethod = 'S256'; // PKCE method
+
+        const authLoginUrlWithParams = new URL(this.authServerConfig.authServer.authorizationEndpoint);
+        authLoginUrlWithParams.searchParams.set('client_id', this.authServerConfig.authServer.clientId);
+        authLoginUrlWithParams.searchParams.set('response_type', responseType);
+        authLoginUrlWithParams.searchParams.set('redirect_uri', redirectUri);
+        authLoginUrlWithParams.searchParams.set('scope', scope);
+        authLoginUrlWithParams.searchParams.set('code_challenge', codeChallenge);
+        authLoginUrlWithParams.searchParams.set('code_challenge_method', codeChallengeMethod);
+        return authLoginUrlWithParams.toString();
+    }
+    getRedirectUri(request) {
+        return contextConfig.authServer.redirectUri || getFullUrl(request)
+    }
+	getRedirectUriPath(request, redirectPath) {
+		const baseUrl = this.getBaseUrl(request);
+		const path = (redirectPath) ?? this.getPathname(request);
+		let url = new URL(path, baseUrl);
+
+		// If the hostname is not localhost, force HTTPS
+		if (url.hostname !== 'localhost') {
+			url.protocol = 'https:';
+		}
+		return url.toString();
+	}
+
+    getFullUrl(request) {
+        return `${getProtocol(request)}://${getHost(request)}${getPathname(request)}`
+    }
+    getBaseUrl(request) {
+        return `${getProtocol(request)}://${getHost(request)}/`
+    }
+    async authenticate(h, scope) {
+        const {
+            request
+        } = h
+        const pkceCode = await this.openIdConnect.pkceCode()
+        const requestUrl = getFullUrl(request)
+        let oidcMetadata = await this.openIdConnect.oidcMetadata()
+        if (!oidcMetadata || !oidcMetadata.openid_configuration) {
+            oidcMetadata = await this.configuration(contextConfig.authServer)
+        }
+        if (requestUrl.match(new RegExp(/^(https?:\/{2}.*):?(\d*)/.source + getHost(request) + /\/?$/.source))) {
+            const authorizationUrl = await this.openIdConnect.authorizationUrl({
+                scope,
+                redirectUri: this.getRedirectUri(request),
+                pkceCode
+            })
+            trace('INFO', `Authenticate redirecting to ${authorizationUrl}`)
+            return h
+                .response()
+                .state(this.COOKIE_NAMES.SID, pkceCode)
+                .redirect(authorizationUrl)
+                .takeover()
+        } else if (getPathname(request) === '/logout') {
+            return h.continue
+        } else {
+            const tokenSet = await this.openIdConnect.tokenSet()
+            const {
+                state
+            } = request
+            if (tokenSet && state && state[this.COOKIE_NAMES.SESSION_STATE]) {
+                const tokens = await tokenSet.tokens(state[this.COOKIE_NAMES.SESSION_STATE])
+                if (!tokens || tokens.refresh_expires_in <= getTokenTolerance(0)) {
+                    throw new Exception('Error when getting token', 'ExpirationError', 403)
+                }
+                return h.continue
+            } else {
+                return h
+                    .response()
+                    .code(401)
+                    .takeover()
+            }
+        }
+    }
+    async configurePlugins(server) {
+        // Hapi Yar module, saves info in the cookies across session calls
+        const hapiYarPassword = process.env.blz_hapiYarPassword || 'your-super-secure-yar-atleast-32-bytes-password';
+        await server.register({
+            plugin: hapiYar,
+            options: {
+                cookieOptions: {
+                    password: hapiYarPassword,
+                    isSecure: true, // Use true in production
+                    isHttpOnly: true,
+                    isSameSite: 'Lax', // 'Strict', 'Lax', or 'None'
+                    clearInvalid: true,
+                    ignoreErrors: true
+                },
+                storeBlank: false, // Prevent saving blank sessions
+                maxCookieSize: 0 // Use server-side storage for larger payloads
+            }
+        });
+        // Register @hapi/jwt plugin
+        await server.register(hapiJwt);
+
+        // Use rotating certificates with keysFetch function for jwt module
+        this.startupJwksClient();
+        // set up the function in this.publickKeyFetch
+        this.startupPublickKeyFetch();
+
+        // Define the auth strategy
+        server.auth.strategy('jwtAuth', 'jwt', {
+            keys: this.publicKeyFetch,
+            verify: {
+                aud: this.authServerConfig.authServer.audience ?? false,
+                iss: this.authServerConfig.authServer.issuer,
+                exp: true,
+                sub: false
+            },
+            validate: false
+        });
+
+        // Register the @hapi/cookie plugin
+        await server.register(hapiCookie);
+
+        // Define the cookie-based auth strategy
+        server.auth.strategy('cookieAuth', 'cookie', {
+            cookie: {
+                name: 'sid', // Primary session cookie
+                password: 'supersecretpasswordmustbeatleast32characterslong', // Encryption key
+                isSecure: true, // Should be true in production
+                isHttpOnly: true, // Prevents client-side JavaScript access
+                isSameSite: 'Lax', // Protects against CSRF
+            },
+            keepAlive: true, // automatically sets the session cookie after validation to extend the current session for a new ttl duration. Defaults to false.
+            redirectTo: false, //function(request) {}, // Redirect if authentication fails
+        });
+        // Set default auth strategy to try both JWT and cookies
+        server.auth.default({
+            strategies: ['jwtAuth', 'cookieAuth'], // Try JWT first, then Cookie
+        });
+    }
+
+    async configuration(authServer) {
+        if (!authServer) {
+            throw new Exception('Error when getting configuration attributes ')
+        }
+        const {
+            clientId,
+            clientSecret
+        } = authServer
+        await this.openIdConnect.client({
+            clientId,
+            clientSecret
+        })
+        if (authServer.openIdConfigurationEndpoint) {
+            return await this.openIdConnect.configuration(authServer.openIdConfigurationEndpoint)
+        } else {
+            // If configuration uri does not exist but the auth server form has been filled in.
+            return await this.openIdConnect.configuration({
+                issuer: authServer.issuer,
+                authorization_endpoint: authServer.authorizationEndpoint,
+                token_endpoint: authServer.tokenEndpoint,
+                userinfo_endpoint: authServer.userinfoEndpoint,
+                end_session_endpoint: authServer.endSessionEndpoint,
+                jwks_uri: authServer.jwksUri
+            })
+        }
+    }
+
+    async endSessionUrl(redirectUri, clientOidc) {
+        redirectUri = redirectUri.replace(/logout|invalid-session/gmi, '')
+        // Log off specific session.
+        if (!clientOidc) {
+            throw new Error('Unable to get configuration from identity provider', 'ConfigurationError', 404);
+        }
+        return clientOidc.endSessionUrl({
+            post_logout_redirect_uri: redirectUri
+        })
+    }
+    oidcMetadataKey() {
+        return this.authServerConfig.authServer.sessionCookiesDomain || 'oidcMetadata'
+    }
+    async configuration(context) {
+        let metadata = await this.cache.get(this.oidcMetadataKey())
+        if (typeof context === 'string' && !context.match(/(https?:\/\/.*):?(\d*)\/?(.*)/gi)) {
+            throw new Exception('Wrong OpenId Provider configuration URI entered', 'AttributeError', 403)
+        }
+        if (!metadata || !metadata.issuer) {
+            if (context.issuer) {
+                metadata = {
+                    ...(metadata || {}),
+                    ...context
+                }
+            } else {
+                metadata = metadata || {}
+                metadata.openid_configuration = context
+                metadata = {
+                    ...metadata,
+                    ...(await Issuer.discover(context.issuer))
+                } // Discover an issuer configuration, must be an url
+            }
+            await this.cache.set(this.oidcMetadataKey(), metadata, 864e5) // 1 day of cache
+        }
+        return new Iss(metadata)
+    }
+    async refreshToken(refreshToken) {
+        // Make a POST request to Keycloak to refresh the token
+        const response = await axios.post(this.authServerConfig.authServer.tokenEndpoint,
+            new URLSearchParams({
+                grant_type: 'refresh_token',
+                client_id: this.authServerConfig.authServer.clientId,
+                client_secret: this.authServerConfig.authServer.clientSecret,
+                refresh_token: refreshToken,
+            }).toString(), {
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+            }
+        );
+
+        if (!(response.status === 200)) {
+            const errorResponse = await response.json();
+            console.error('Error refreshing token:', errorResponse);
+            return errorResponse;
+        }
+        // Refresh token response may change from time to time, here are two possible responses
+        try {
+            return await response.json(); // all tokens refershed
+
+        } catch (error) {
+
+        }
+        try {
+            return response.data;
+        } catch {
+
+        }
+
+    }
+    async decodeJwtToken(token) {
+        const decodedToken = hapiJwt.token.decode(token);
+        return decodedToken;
+    }
+    async tokenAboutToExpire(token, minutesBeforeExpiration = 0) {
+        if (!token)
+            return true;
+        const decodedToken = hapiJwt.token.decode(token);
+        const expirationTime = decodedToken.decoded.payload.exp * 1000; // Convert to milliseconds
+        const currentTime = Date.now();
+        const expirationThreshold = minutesBeforeExpiration * 60 * 1000; // Convert minutes to milliseconds
+
+        // Check if the token is expired or about to expire within the specified minutes
+        const isAboutToExpire = expirationTime - currentTime <= expirationThreshold;
+        return isAboutToExpire;
+    }
+    async isRefreshTokenExpired(refreshToken) {
+        try {
+            // Decode the token without verifying its signature.
+            const decodedRefreshToken = hapiJwt.token.decode(refreshToken);
+            // Get the current timestamp (in seconds).
+            const currentTimestamp = Math.floor(Date.now() / 1000);
+
+            if (decodedRefreshToken && decodedRefreshToken.decoded && decodedRefreshToken.decoded.payload && decodedRefreshToken.decoded.payload.exp) {
+                return (decodedRefreshToken.decoded.payload.exp < currentTimestamp)
+            } else
+                return true;
+        } catch (error) {
+            // if there is an error treat as if expired, so a re-login is prompted
+            console.error('Failed to decode the token: Invalid Refresh token format', error);
+            return true;
+        }
+    }
+
+    async startupJwksClient() {
+        // Rotating certificates, prepare for the hapi jwt module
+        this.clientJwk = jwksClient({
+            jwksUri: this.authServerConfig.authServer.jwksUri,
+            cache: true, // Cache signing keys to avoid frequent network calls
+            rateLimit: true, // Rate limit the number of requests to the JWKS URI
+            jwksRequestsPerMinute: 10, // Limit to 10 requests per minute
+        });
+    }
+    async startupPublickKeyFetch() {
+        // Function to get the signing key
+        const getKey = async (kid) => {
+            return new Promise((resolve, reject) => {
+                this.clientJwk.getSigningKey(kid, (err, key) => {
+                    if (err) {
+                        return reject(err);
+                    }
+                    const signingKey = key.getPublicKey(); // Public key for signature verification
+                    resolve(signingKey);
+                });
+            });
+        };
+        this.publicKeyFetch = async (artifacts) => {
+            const kid = artifacts.decoded.header.kid; // Extract 'kid' from JWT header
+            return getKey(kid); // Fetch the corresponding public key
+        }
+    }
+}
+
+class Iss {
+    /**
+     * @constructor
+     * @param {Object} metadata
+     */
+    constructor(metadata) {
+        if (!metadata.id_token_signing_alg_values_supported) {
+            metadata.id_token_signing_alg_values_supported = ['RS256']
+        }
+        if (!metadata.response_types_supported) {
+            metadata.response_types_supported = ['code', 'none', 'id_token', 'token', 'id_token token', 'code id_token', 'code token', 'code id_token token']
+        }
+        if (!metadata.subject_types_supported) {
+            metadata.subject_types_supported = ['public']
+        }
+        const claimsRequired = METADATA.filter(({
+            type
+        }) => type === 'REQUIRED');
+        const missingClaims = [];
+
+        for (const claim of claimsRequired) {
+            const normalizedToCamelClaimName = claim.name.toLowerCase().replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
+            const attributeCamelCase = metadata[normalizedToCamelClaimName]; // Directly access metadata
+            const attributeSnakeCase = metadata[claim.name]; // Directly access metadata
+            if (!attributeSnakeCase && !attributeCamelCase) {
+                missingClaims.push(claim);
+            }
+        }
+
+        if (missingClaims.length > 0) {
+            console.error(JSON.stringify(missingClaims));
+            throw new Error(JSON.stringify(missingClaims));
+        }
+
+        // Issuer needs the metadata in snake_case
+        const issuer = metadata.Client ? metadata : new Issuer(this.#camelToSnakeCase(metadata))
+        // Client instance for the authorization server of that issuer.
+        const clientPayload = {
+            client_id: metadata.clientId,
+            response_type: 'code'
+        }
+        if (metadata.clientSecret) {
+            clientPayload.client_secret = metadata.clientSecret
+        }
+        this.clientOidc = new issuer.Client(clientPayload);
+    }
+    #camelToSnakeCase(obj) {
+        const toSnakeCase = str => str.replace(/[A-Z]/g, letter => `_${letter.toLowerCase()}`);
+
+        if (typeof obj !== 'object' || obj === null) return obj;
+
+        if (Array.isArray(obj)) {
+            return obj.map(item => this.#camelToSnakeCase(item));
+        }
+
+        return Object.entries(obj).reduce((acc, [key, value]) => {
+            const newKey = toSnakeCase(key);
+            acc[newKey] = typeof value === 'object' && value !== null ?
+                this.#camelToSnakeCase(value) :
+                value;
+            return acc;
+        }, {});
+    }
+}
+
+module.exports = {
+    HapiServerKeycloak
+}