@boxyhq/saml-jackson 1.0.7 → 1.1.2

package/dist/controller/api.js

@@ -187,7 +187,7 @@ class APIController {
             if (encodedRawMetadata) {
                 metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
             }
-            const idpMetadata = yield saml20_1.default.parseMetadataAsync(metaData);
+            const idpMetadata = yield saml20_1.default.parseMetadata(metaData, {});
             // extract provider
             let providerName = extractHostName(idpMetadata.entityID);
             if (!providerName) {
@@ -323,7 +323,7 @@ class APIController {
             }
             let newMetadata;
             if (metaData) {
-                newMetadata = yield saml20_1.default.parseMetadataAsync(metaData);
+                newMetadata = yield saml20_1.default.parseMetadata(metaData, {});
                 // extract provider
                 let providerName = extractHostName(newMetadata.entityID);
                 if (!providerName) {

package/dist/controller/oauth.js

@@ -39,6 +39,7 @@ exports.OAuthController = void 0;
 const crypto_1 = __importDefault(require("crypto"));
 const util_1 = require("util");
 const zlib_1 = require("zlib");
+const jose = __importStar(require("jose"));
 const dbutils = __importStar(require("../db/utils"));
 const metrics = __importStar(require("../opentelemetry/metrics"));
 const saml20_1 = __importDefault(require("@boxyhq/saml20"));
@@ -78,6 +79,9 @@ function getEncodedTenantProduct(param) {
         return null;
     }
 }
+function getScopeValues(scope) {
+    return typeof scope === 'string' ? scope.split(' ').filter((s) => s.length > 0) : [];
+}
 class OAuthController {
     constructor({ configStore, sessionStore, codeStore, tokenStore, opts }) {
         this.configStore = configStore;
@@ -128,7 +132,7 @@ class OAuthController {
     }
     authorize(body) {
         return __awaiter(this, void 0, void 0, function* () {
-            const { response_type = 'code', client_id, redirect_uri, state, tenant, product, access_type, scope, code_challenge, code_challenge_method = '', 
+            const { response_type = 'code', client_id, redirect_uri, state, tenant, product, access_type, resource, scope, nonce, code_challenge, code_challenge_method = '', 
             // eslint-disable-next-line @typescript-eslint/no-unused-vars
             provider = 'saml', idp_hint, } = body;
             let requestedTenant = tenant;
@@ -138,6 +142,8 @@ class OAuthController {
                 throw new error_1.JacksonError('Please specify a redirect URL.', 400);
             }
             let samlConfig;
+            const requestedScopes = getScopeValues(scope);
+            const requestedOIDCFlow = requestedScopes.includes('openid');
             if (tenant && product) {
                 const samlConfigs = yield this.configStore.getByIndex({
                     name: utils_1.IndexNames.TenantProduct,
@@ -172,8 +178,14 @@ class OAuthController {
                 if (!sp && access_type) {
                     sp = getEncodedTenantProduct(access_type);
                 }
-                if (!sp && scope) {
-                    sp = getEncodedTenantProduct(scope);
+                if (!sp && resource) {
+                    sp = getEncodedTenantProduct(resource);
+                }
+                if (!sp && requestedScopes) {
+                    const encodedParams = requestedScopes.find((scope) => scope.includes('=') && scope.includes('&')); // for now assume only one encoded param i.e. for tenant/product
+                    if (encodedParams) {
+                        sp = getEncodedTenantProduct(encodedParams);
+                    }
                 }
                 if (sp && sp.tenant && sp.product) {
                     requestedTenant = sp.tenant;
@@ -222,6 +234,16 @@ class OAuthController {
             if (!allowed.redirect(redirect_uri, samlConfig.redirectUrl)) {
                 throw new error_1.JacksonError('Redirect URL is not allowed.', 403);
             }
+            if (requestedOIDCFlow &&
+                (!this.opts.openid.jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(this.opts.openid.jwtSigningKeys))) {
+                return {
+                    redirect_url: (0, utils_1.OAuthErrorResponse)({
+                        error: 'server_error',
+                        error_description: 'OAuth server not configured correctly for openid flow, check if JWT signing keys are loaded',
+                        redirect_uri,
+                    }),
+                };
+            }
             if (!state) {
                 return {
                     redirect_url: (0, utils_1.OAuthErrorResponse)({
@@ -282,6 +304,15 @@ class OAuthController {
                 if (idp_hint) {
                     requested.idp_hint = idp_hint;
                 }
+                if (requestedOIDCFlow) {
+                    requested.oidc = true;
+                    if (nonce) {
+                        requested.nonce = nonce;
+                    }
+                }
+                if (requestedScopes) {
+                    requested.scope = requestedScopes;
+                }
                 yield this.sessionStore.put(sessionId, {
                     id: samlReq.id,
                     redirect_uri,
@@ -563,6 +594,27 @@ class OAuthController {
             // store details against a token
             const token = crypto_1.default.randomBytes(20).toString('hex');
             const tokenVal = Object.assign(Object.assign({}, codeVal.profile), { requested: codeVal.requested });
+            const requestedOIDCFlow = !!codeVal.requested.oidc;
+            const requestHasNonce = !!codeVal.requested.nonce;
+            if (requestedOIDCFlow) {
+                const { jwtSigningKeys, jwsAlg } = this.opts.openid;
+                if (!jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(jwtSigningKeys)) {
+                    throw new error_1.JacksonError('JWT signing keys are not loaded', 500);
+                }
+                let claims = requestHasNonce ? { nonce: codeVal.requested.nonce } : {};
+                claims = Object.assign(Object.assign({}, claims), { id: codeVal.profile.claims.id, email: codeVal.profile.claims.email, firstName: codeVal.profile.claims.firstName, lastName: codeVal.profile.claims.lastName });
+                const signingKey = yield (0, utils_1.loadJWSPrivateKey)(jwtSigningKeys.private, jwsAlg);
+                const id_token = yield new jose.SignJWT(claims)
+                    .setProtectedHeader({ alg: jwsAlg })
+                    .setIssuedAt()
+                    .setIssuer(this.opts.samlAudience || '')
+                    .setSubject(codeVal.profile.claims.id)
+                    .setAudience(tokenVal.requested.client_id)
+                    .setExpirationTime(`${this.opts.db.ttl}s`) //  identity token only really needs to be valid long enough for it to be verified by the client application.
+                    .sign(signingKey);
+                tokenVal.id_token = id_token;
+                tokenVal.claims.sub = codeVal.profile.claims.id;
+            }
             yield this.tokenStore.put(token, tokenVal);
             // delete the code
             try {
@@ -571,11 +623,15 @@ class OAuthController {
             catch (_err) {
                 // ignore error
             }
-            return {
+            const tokenResponse = {
                 access_token: token,
                 token_type: 'bearer',
                 expires_in: this.opts.db.ttl,
             };
+            if (requestedOIDCFlow) {
+                tokenResponse.id_token = tokenVal.id_token;
+            }
+            return tokenResponse;
         });
     }
     /**

package/dist/controller/oidc-discovery.d.ts

@@ -0,0 +1,50 @@
+import { IOidcDiscoveryController } from '../typings';
+export declare class OidcDiscoveryController implements IOidcDiscoveryController {
+    private opts;
+    constructor({ opts }: {
+        opts: any;
+    });
+    openidConfig(): {
+        issuer: string;
+        authorization_endpoint: string;
+        token_endpoint: string;
+        userinfo_endpoint: string;
+        jwks_uri: string;
+        response_types_supported: string[];
+        subject_types_supported: string[];
+        id_token_signing_alg_values_supported: string[];
+        grant_types_supported: string[];
+        code_challenge_methods_supported: string[];
+    };
+    jwks(): Promise<{
+        keys: {
+            kid: string;
+            alg: string | undefined;
+            use: string;
+            crv?: string | undefined;
+            d?: string | undefined;
+            dp?: string | undefined;
+            dq?: string | undefined;
+            e?: string | undefined;
+            ext?: boolean | undefined;
+            k?: string | undefined;
+            key_ops?: string[] | undefined;
+            kty?: string | undefined;
+            n?: string | undefined;
+            oth?: {
+                d?: string | undefined;
+                r?: string | undefined;
+                t?: string | undefined;
+            }[] | undefined;
+            p?: string | undefined;
+            q?: string | undefined;
+            qi?: string | undefined;
+            x?: string | undefined;
+            y?: string | undefined;
+            x5c?: string[] | undefined;
+            x5t?: string | undefined;
+            'x5t#S256'?: string | undefined;
+            x5u?: string | undefined;
+        }[];
+    }>;
+}

package/dist/controller/oidc-discovery.js

@@ -0,0 +1,49 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OidcDiscoveryController = void 0;
+const error_1 = require("./error");
+const utils_1 = require("./utils");
+class OidcDiscoveryController {
+    constructor({ opts }) {
+        this.opts = opts;
+    }
+    openidConfig() {
+        return {
+            issuer: this.opts.samlAudience,
+            authorization_endpoint: `${this.opts.externalUrl}/api/oauth/authorize`,
+            token_endpoint: `${this.opts.externalUrl}/api/oauth/token`,
+            userinfo_endpoint: `${this.opts.externalUrl}/api/oauth/userinfo`,
+            jwks_uri: `${this.opts.externalUrl}/oauth/jwks`,
+            response_types_supported: ['code'],
+            subject_types_supported: ['public'],
+            id_token_signing_alg_values_supported: ['RS256'],
+            grant_types_supported: ['authorization_code'],
+            code_challenge_methods_supported: ['plain', 'S256'],
+        };
+    }
+    jwks() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { jwtSigningKeys, jwsAlg } = this.opts.openid;
+            if (!jwtSigningKeys || !(0, utils_1.isJWSKeyPairLoaded)(jwtSigningKeys)) {
+                throw new error_1.JacksonError('JWT signing keys are not loaded', 501);
+            }
+            const importedPublicKey = yield (0, utils_1.importJWTPublicKey)(jwtSigningKeys.public, jwsAlg);
+            const publicKeyJWK = yield (0, utils_1.exportPublicKeyJWK)(importedPublicKey);
+            const jwkThumbprint = yield (0, utils_1.generateJwkThumbprint)(publicKeyJWK);
+            const jwks = {
+                keys: [Object.assign(Object.assign({}, publicKeyJWK), { kid: jwkThumbprint, alg: jwsAlg, use: 'sig' })],
+            };
+            return jwks;
+        });
+    }
+}
+exports.OidcDiscoveryController = OidcDiscoveryController;

package/dist/controller/utils.d.ts

@@ -1,4 +1,5 @@
 import type { OAuthErrorHandlerParams } from '../typings';
+import * as jose from 'jose';
 export declare enum IndexNames {
     EntityID = "entityID",
     TenantProduct = "tenantProduct"
@@ -7,3 +8,11 @@ export declare const relayStatePrefix = "boxyhq_jackson_";
 export declare const validateAbsoluteUrl: (url: any, message: any) => void;
 export declare const OAuthErrorResponse: ({ error, error_description, redirect_uri, state, }: OAuthErrorHandlerParams) => string;
 export declare function getErrorMessage(error: unknown): string;
+export declare function loadJWSPrivateKey(key: string, alg: string): Promise<jose.KeyLike>;
+export declare function isJWSKeyPairLoaded(jwsKeyPair: {
+    private: string;
+    public: string;
+}): boolean;
+export declare const importJWTPublicKey: (key: string, jwsAlg: string) => Promise<jose.KeyLike>;
+export declare const exportPublicKeyJWK: (key: jose.KeyLike) => Promise<jose.JWK>;
+export declare const generateJwkThumbprint: (jwk: jose.JWK) => Promise<string>;

package/dist/controller/utils.js

@@ -22,10 +22,20 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getErrorMessage = exports.OAuthErrorResponse = exports.validateAbsoluteUrl = exports.relayStatePrefix = exports.IndexNames = void 0;
+exports.generateJwkThumbprint = exports.exportPublicKeyJWK = exports.importJWTPublicKey = exports.isJWSKeyPairLoaded = exports.loadJWSPrivateKey = exports.getErrorMessage = exports.OAuthErrorResponse = exports.validateAbsoluteUrl = exports.relayStatePrefix = exports.IndexNames = void 0;
 const error_1 = require("./error");
 const redirect = __importStar(require("./oauth/redirect"));
+const jose = __importStar(require("jose"));
 var IndexNames;
 (function (IndexNames) {
     IndexNames["EntityID"] = "entityID";
@@ -53,3 +63,34 @@ function getErrorMessage(error) {
     return String(error);
 }
 exports.getErrorMessage = getErrorMessage;
+function loadJWSPrivateKey(key, alg) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const pkcs8 = Buffer.from(key, 'base64').toString('ascii');
+        const privateKey = yield jose.importPKCS8(pkcs8, alg);
+        return privateKey;
+    });
+}
+exports.loadJWSPrivateKey = loadJWSPrivateKey;
+function isJWSKeyPairLoaded(jwsKeyPair) {
+    if (!jwsKeyPair.private || !jwsKeyPair.public) {
+        return false;
+    }
+    return true;
+}
+exports.isJWSKeyPairLoaded = isJWSKeyPairLoaded;
+const importJWTPublicKey = (key, jwsAlg) => __awaiter(void 0, void 0, void 0, function* () {
+    const spki = Buffer.from(key, 'base64').toString('ascii');
+    const publicKey = yield jose.importSPKI(spki, jwsAlg);
+    return publicKey;
+});
+exports.importJWTPublicKey = importJWTPublicKey;
+const exportPublicKeyJWK = (key) => __awaiter(void 0, void 0, void 0, function* () {
+    const publicJWK = yield jose.exportJWK(key);
+    return publicJWK;
+});
+exports.exportPublicKeyJWK = exportPublicKeyJWK;
+const generateJwkThumbprint = (jwk) => __awaiter(void 0, void 0, void 0, function* () {
+    const thumbprint = yield jose.calculateJwkThumbprint(jwk);
+    return thumbprint;
+});
+exports.generateJwkThumbprint = generateJwkThumbprint;

package/dist/db/sql/sql.js

@@ -42,11 +42,11 @@ class Sql {
     }
     init({ JacksonStore, JacksonIndex, JacksonTTL }) {
         return __awaiter(this, void 0, void 0, function* () {
+            const sqlType = this.options.engine === 'planetscale' ? 'mysql' : this.options.type;
             while (true) {
                 try {
                     this.dataSource = new typeorm_1.DataSource({
-                        // name: this.options.type! + Math.floor(Math.random() * 100000),
-                        type: this.options.engine === 'planetscale' ? 'mysql' : this.options.type,
+                        type: sqlType,
                         url: this.options.url,
                         synchronize: this.options.engine !== 'planetscale',
                         migrationsTableName: '_jackson_migrations',
@@ -58,7 +58,7 @@ class Sql {
                     break;
                 }
                 catch (err) {
-                    console.error(`error connecting to ${this.options.type} db: ${err}`);
+                    console.error(`error connecting to engine: ${this.options.engine}, type: ${sqlType} db: ${err}`);
                     yield dbutils.sleep(1000);
                     continue;
                 }

package/dist/index.d.ts

@@ -3,6 +3,7 @@ import { APIController } from './controller/api';
 import { OAuthController } from './controller/oauth';
 import { HealthCheckController } from './controller/health-check';
 import { LogoutController } from './controller/logout';
+import { OidcDiscoveryController } from './controller/oidc-discovery';
 import { JacksonOption } from './typings';
 export declare const controllers: (opts: JacksonOption) => Promise<{
     apiController: APIController;
@@ -10,6 +11,7 @@ export declare const controllers: (opts: JacksonOption) => Promise<{
     adminController: AdminController;
     logoutController: LogoutController;
     healthCheckController: HealthCheckController;
+    oidcDiscoveryController: OidcDiscoveryController;
 }>;
 export default controllers;
 export * from './typings';

package/dist/index.js

@@ -32,6 +32,7 @@ const api_1 = require("./controller/api");
 const oauth_1 = require("./controller/oauth");
 const health_check_1 = require("./controller/health-check");
 const logout_1 = require("./controller/logout");
+const oidc_discovery_1 = require("./controller/oidc-discovery");
 const db_1 = __importDefault(require("./db/db"));
 const defaultDb_1 = __importDefault(require("./db/defaultDb"));
 const read_config_1 = __importDefault(require("./read-config"));
@@ -49,6 +50,8 @@ const defaultOpts = (opts) => {
     (0, defaultDb_1.default)(newOpts);
     newOpts.clientSecretVerifier = newOpts.clientSecretVerifier || 'dummy';
     newOpts.db.pageLimit = newOpts.db.pageLimit || 50;
+    newOpts.openid = newOpts.openid || {};
+    newOpts.openid.jwsAlg = newOpts.openid.jwsAlg || 'RS256';
     return newOpts;
 };
 const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
@@ -75,6 +78,7 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
         sessionStore,
         opts,
     });
+    const oidcDiscoveryController = new oidc_discovery_1.OidcDiscoveryController({ opts });
     // write pre-loaded config if present
     if (opts.preLoadedConfig && opts.preLoadedConfig.length > 0) {
         const configs = yield (0, read_config_1.default)(opts.preLoadedConfig);
@@ -91,6 +95,7 @@ const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
         adminController,
         logoutController,
         healthCheckController,
+        oidcDiscoveryController,
     };
 });
 exports.controllers = controllers;

package/dist/typings.d.ts

@@ -1,3 +1,4 @@
+import { type JWK } from 'jose';
 export declare type IdPConfig = {
     defaultRedirectUrl: string;
     redirectUrl: string[] | string;
@@ -44,6 +45,23 @@ export interface IHealthCheckController {
     }>;
     init(): Promise<void>;
 }
+export interface IOidcDiscoveryController {
+    openidConfig(): {
+        issuer: string;
+        authorization_endpoint: string;
+        token_endpoint: string;
+        userinfo_endpoint: string;
+        jwks_uri: string;
+        response_types_supported: Array<string>;
+        subject_types_supported: Array<string>;
+        id_token_signing_alg_values_supported: Array<string>;
+        grant_types_supported: Array<string>;
+        code_challenge_methods_supported: Array<string>;
+    };
+    jwks(): Promise<{
+        keys: JWK[];
+    }>;
+}
 export interface OAuthReqBody {
     response_type: 'code';
     client_id: string;
@@ -52,7 +70,9 @@ export interface OAuthReqBody {
     tenant?: string;
     product?: string;
     access_type?: string;
+    resource?: string;
     scope?: string;
+    nonce?: string;
     code_challenge: string;
     code_challenge_method: 'plain' | 'S256' | '';
     provider: 'saml';
@@ -72,11 +92,13 @@ export interface OAuthTokenReq {
 }
 export interface OAuthTokenRes {
     access_token: string;
+    id_token?: string;
     token_type: 'bearer';
     expires_in: number;
 }
 export interface Profile {
     id: string;
+    sub?: string;
     email: string;
     firstName: string;
     lastName: string;
@@ -127,6 +149,13 @@ export interface JacksonOption {
     db: DatabaseOption;
     clientSecretVerifier?: string;
     idpDiscoveryPath?: string;
+    openid: {
+        jwsAlg?: string;
+        jwtSigningKeys?: {
+            private: string;
+            public: string;
+        };
+    };
 }
 export interface SLORequestParams {
     nameId: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "1.0.7",
+  "version": "1.1.2",
   "description": "SAML Jackson library",
   "keywords": [
     "SAML 2.0"
@@ -38,12 +38,13 @@
     "statements": 70
   },
   "dependencies": {
-    "@boxyhq/saml20": "1.0.3",
+    "@boxyhq/saml20": "1.0.5",
     "@opentelemetry/api-metrics": "0.27.0",
     "@opentelemetry/api": "1.0.4",
     "@peculiar/webcrypto": "1.4.0",
-    "@peculiar/x509": "1.7.2",
-    "mongodb": "4.7.0",
+    "@peculiar/x509": "1.8.1",
+    "jose": "4.8.3",
+    "mongodb": "4.8.1",
     "mysql2": "2.3.3",
     "pg": "8.7.3",
     "redis": "4.0.6",
@@ -54,18 +55,18 @@
     "xmlbuilder": "15.1.1"
   },
   "devDependencies": {
-    "@types/node": "18.0.3",
-    "@types/sinon": "10.0.12",
+    "@types/node": "18.6.3",
+    "@types/sinon": "10.0.13",
     "@types/tap": "15.0.7",
-    "@typescript-eslint/eslint-plugin": "5.30.5",
-    "@typescript-eslint/parser": "5.30.5",
+    "@typescript-eslint/eslint-plugin": "5.31.0",
+    "@typescript-eslint/parser": "5.31.0",
     "cross-env": "7.0.3",
-    "eslint": "8.19.0",
+    "eslint": "8.21.0",
     "eslint-config-prettier": "8.5.0",
     "prettier": "2.7.1",
     "sinon": "14.0.0",
     "tap": "16.3.0",
-    "ts-node": "10.8.2",
+    "ts-node": "10.9.1",
     "tsconfig-paths": "4.0.0",
     "typescript": "4.7.4"
   },