@boxyhq/saml-jackson 1.33.0 → 1.33.1-beta.1

package/dist/src/controller/oauth.js

@@ -0,0 +1,1112 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+import crypto from 'crypto';
+import * as jose from 'jose';
+import { promisify } from 'util';
+import { deflateRaw } from 'zlib';
+import saml from '@boxyhq/saml20';
+import { clientIDFederatedPrefix, clientIDOIDCPrefix, relayStatePrefix, IndexNames, OAuthErrorResponse, getErrorMessage, loadJWSPrivateKey, computeKid, isJWSKeyPairLoaded, extractOIDCUserProfile, getScopeValues, getEncodedTenantProduct, isConnectionActive, } from './utils';
+import * as metrics from '../opentelemetry/metrics';
+import { JacksonError } from './error';
+import * as allowed from './oauth/allowed';
+import * as codeVerifier from './oauth/code-verifier';
+import * as redirect from './oauth/redirect';
+import { getDefaultCertificate } from '../saml/x509';
+import { SSOHandler } from './sso-handler';
+import { extractSAMLResponseAttributes } from '../saml/lib';
+import { oidcClientConfig } from './oauth/oidc-client';
+const deflateRawAsync = promisify(deflateRaw);
+export class OAuthController {
+    constructor({ connectionStore, sessionStore, codeStore, tokenStore, ssoTraces, opts, idFedApp }) {
+        this.connectionStore = connectionStore;
+        this.sessionStore = sessionStore;
+        this.codeStore = codeStore;
+        this.tokenStore = tokenStore;
+        this.ssoTraces = ssoTraces;
+        this.opts = opts;
+        this.idFedApp = idFedApp;
+        this.ssoHandler = new SSOHandler({
+            connection: connectionStore,
+            session: sessionStore,
+            opts,
+        });
+    }
+    authorize(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b, _c;
+            const { tenant, product, access_type, resource, response_type = 'code', client_id, redirect_uri, state, scope, nonce, code_challenge, code_challenge_method = '', idp_hint, forceAuthn = 'false', login_hint } = body, oidcParams = __rest(body, ["tenant", "product", "access_type", "resource", "response_type", "client_id", "redirect_uri", "state", "scope", "nonce", "code_challenge", "code_challenge_method", "idp_hint", "forceAuthn", "login_hint"]) // Rest of the params will be assumed as OIDC params and will be forwarded to the IdP
+            ;
+            let requestedTenant;
+            let requestedProduct;
+            let requestedScopes;
+            let requestedOIDCFlow;
+            let isOIDCFederated;
+            let connection;
+            let fedApp;
+            try {
+                requestedTenant = tenant;
+                requestedProduct = product;
+                metrics.increment('oauthAuthorize');
+                if (!redirect_uri) {
+                    throw new JacksonError('Please specify a redirect URL.', 400);
+                }
+                requestedScopes = getScopeValues(scope);
+                requestedOIDCFlow = requestedScopes.includes('openid');
+                if (tenant && product) {
+                    const response = yield this.ssoHandler.resolveConnection({
+                        tenant,
+                        product,
+                        idp_hint,
+                        authFlow: 'oauth',
+                        originalParams: Object.assign({}, body),
+                    });
+                    if ('redirectUrl' in response) {
+                        return {
+                            redirect_url: response.redirectUrl,
+                        };
+                    }
+                    if ('connection' in response) {
+                        connection = response.connection;
+                    }
+                }
+                else if (client_id && client_id !== '' && client_id !== 'undefined' && client_id !== 'null') {
+                    // if tenant and product are encoded in the client_id then we parse it and check for the relevant connection(s)
+                    let sp = getEncodedTenantProduct(client_id);
+                    if (!sp && access_type) {
+                        sp = getEncodedTenantProduct(access_type);
+                    }
+                    if (!sp && resource) {
+                        sp = getEncodedTenantProduct(resource);
+                        if (sp === null) {
+                            oidcParams.resource = resource;
+                        }
+                    }
+                    if (!sp && requestedScopes) {
+                        const encodedParams = requestedScopes.find((scope) => scope.includes('=') && scope.includes('&')); // for now assume only one encoded param i.e. for tenant/product
+                        if (encodedParams) {
+                            sp = getEncodedTenantProduct(encodedParams);
+                        }
+                    }
+                    if (sp && sp.tenant && sp.product) {
+                        const { tenant, product } = sp;
+                        requestedTenant = tenant;
+                        requestedProduct = product;
+                        const response = yield this.ssoHandler.resolveConnection({
+                            tenant,
+                            product,
+                            idp_hint,
+                            authFlow: 'oauth',
+                            originalParams: Object.assign({}, body),
+                        });
+                        if ('redirectUrl' in response) {
+                            return {
+                                redirect_url: response.redirectUrl,
+                            };
+                        }
+                        if ('connection' in response) {
+                            connection = response.connection;
+                        }
+                    }
+                    else {
+                        // client_id is not encoded, so we look for the connection using the client_id
+                        // First we check if it's a federated connection
+                        if (client_id.startsWith(`${clientIDFederatedPrefix}${clientIDOIDCPrefix}`)) {
+                            isOIDCFederated = true;
+                            fedApp = yield this.idFedApp.get({
+                                id: client_id.replace(clientIDFederatedPrefix, ''),
+                            });
+                            const response = yield this.ssoHandler.resolveConnection({
+                                tenant: fedApp.tenant,
+                                product: fedApp.product,
+                                idp_hint,
+                                authFlow: 'oauth',
+                                originalParams: Object.assign({}, body),
+                                tenants: fedApp.tenants,
+                                idFedAppId: fedApp.id,
+                                fedType: fedApp.type,
+                            });
+                            if ('redirectUrl' in response) {
+                                return {
+                                    redirect_url: response.redirectUrl,
+                                };
+                            }
+                            if ('connection' in response) {
+                                connection = response.connection;
+                                requestedTenant = fedApp.tenant;
+                                requestedProduct = fedApp.product;
+                            }
+                        }
+                        else {
+                            // If it's not a federated connection, we look for the connection using the client_id
+                            connection = yield this.connectionStore.get(client_id);
+                            if (connection) {
+                                requestedTenant = connection.tenant;
+                                requestedProduct = connection.product;
+                            }
+                        }
+                    }
+                }
+                else {
+                    throw new JacksonError('You need to specify client_id or tenant & product', 403);
+                }
+                if (!connection) {
+                    throw new JacksonError('IdP connection not found.', 403);
+                }
+                if (!allowed.redirect(redirect_uri, connection.redirectUrl)) {
+                    if (fedApp) {
+                        if (!allowed.redirect(redirect_uri, fedApp.redirectUrl)) {
+                            throw new JacksonError('Redirect URL is not allowed.', 403);
+                        }
+                    }
+                    else {
+                        throw new JacksonError('Redirect URL is not allowed.', 403);
+                    }
+                }
+                if (!isConnectionActive(connection)) {
+                    throw new JacksonError('SSO connection is deactivated. Please contact your administrator.', 403);
+                }
+            }
+            catch (err) {
+                const error_description = getErrorMessage(err);
+                // Save the error trace
+                yield this.ssoTraces.saveTrace({
+                    error: error_description,
+                    context: {
+                        tenant: requestedTenant || '',
+                        product: requestedProduct || '',
+                        clientID: (connection === null || connection === void 0 ? void 0 : connection.clientID) || '',
+                        requestedOIDCFlow,
+                        isOIDCFederated,
+                        redirectUri: redirect_uri,
+                    },
+                });
+                throw err;
+            }
+            const isMissingJWTKeysForOIDCFlow = requestedOIDCFlow &&
+                (!((_a = this.opts.openid) === null || _a === void 0 ? void 0 : _a.jwtSigningKeys) || !isJWSKeyPairLoaded(this.opts.openid.jwtSigningKeys));
+            const oAuthClientReqError = !state || response_type !== 'code';
+            const connectionIsSAML = 'idpMetadata' in connection && connection.idpMetadata !== undefined;
+            const connectionIsOIDC = 'oidcProvider' in connection && connection.oidcProvider !== undefined;
+            if (isMissingJWTKeysForOIDCFlow || oAuthClientReqError || (!connectionIsSAML && !connectionIsOIDC)) {
+                let error, error_description;
+                if (isMissingJWTKeysForOIDCFlow) {
+                    error = 'server_error';
+                    error_description =
+                        'OAuth server not configured correctly for openid flow, check if JWT signing keys are loaded';
+                }
+                if (!state) {
+                    error = 'invalid_request';
+                    error_description = 'Please specify a state to safeguard against XSRF attacks';
+                }
+                if (response_type !== 'code') {
+                    error = 'unsupported_response_type';
+                    error_description = 'Only Authorization Code grant is supported';
+                }
+                if (!connectionIsSAML && !connectionIsOIDC) {
+                    error = 'server_error';
+                    error_description = 'Connection appears to be misconfigured';
+                }
+                // Save the error trace
+                const traceId = yield this.ssoTraces.saveTrace({
+                    error: error_description,
+                    context: {
+                        tenant: requestedTenant,
+                        product: requestedProduct,
+                        clientID: connection.clientID,
+                        requestedOIDCFlow,
+                        isOIDCFederated,
+                        redirectUri: redirect_uri,
+                    },
+                });
+                return {
+                    redirect_url: OAuthErrorResponse({
+                        error,
+                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
+                        redirect_uri,
+                        state,
+                    }),
+                };
+            }
+            // Connection retrieved: Handover to IdP starts here
+            let ssoUrl;
+            let post = false;
+            // Init sessionId
+            const sessionId = crypto.randomBytes(16).toString('hex');
+            const relayState = relayStatePrefix + sessionId;
+            // SAML connection: SAML request will be constructed here
+            let samlReq;
+            if (connectionIsSAML) {
+                try {
+                    const { sso } = connection.idpMetadata;
+                    if ('redirectUrl' in sso) {
+                        // HTTP Redirect binding
+                        ssoUrl = sso.redirectUrl;
+                    }
+                    else if ('postUrl' in sso) {
+                        // HTTP-POST binding
+                        ssoUrl = sso.postUrl;
+                        post = true;
+                    }
+                    else {
+                        // This code here is kept for backward compatibility. We now have validation while adding the SSO connection to ensure binding is present.
+                        const error_description = 'SAML binding could not be retrieved';
+                        // Save the error trace
+                        const traceId = yield this.ssoTraces.saveTrace({
+                            error: error_description,
+                            context: {
+                                tenant: requestedTenant,
+                                product: requestedProduct,
+                                clientID: connection.clientID,
+                                requestedOIDCFlow,
+                                isOIDCFederated,
+                                redirectUri: redirect_uri,
+                            },
+                        });
+                        return {
+                            redirect_url: OAuthErrorResponse({
+                                error: 'invalid_request',
+                                error_description: traceId ? `${traceId}: ${error_description}` : error_description,
+                                redirect_uri,
+                                state,
+                            }),
+                        };
+                    }
+                    const cert = yield getDefaultCertificate();
+                    samlReq = saml.request({
+                        ssoUrl,
+                        entityID: this.opts.samlAudience,
+                        callbackUrl: this.opts.externalUrl + this.opts.samlPath,
+                        signingKey: cert.privateKey,
+                        publicKey: cert.publicKey,
+                        forceAuthn: forceAuthn === 'true' ? true : !!connection.forceAuthn,
+                        identifierFormat: connection.identifierFormat
+                            ? connection.identifierFormat
+                            : 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+                    });
+                }
+                catch (err) {
+                    const error_description = getErrorMessage(err);
+                    // Save the error trace
+                    const traceId = yield this.ssoTraces.saveTrace({
+                        error: error_description,
+                        context: {
+                            tenant: requestedTenant,
+                            product: requestedProduct,
+                            clientID: connection.clientID,
+                            requestedOIDCFlow,
+                            isOIDCFederated,
+                            redirectUri: redirect_uri,
+                        },
+                    });
+                    return {
+                        redirect_url: OAuthErrorResponse({
+                            error: 'server_error',
+                            error_description: traceId ? `${traceId}: ${error_description}` : error_description,
+                            redirect_uri,
+                            state,
+                        }),
+                    };
+                }
+            }
+            // OIDC Connection: Issuer discovery, openid-client init and extraction of authorization endpoint happens here
+            let oidcCodeVerifier;
+            let oidcNonce;
+            if (connectionIsOIDC) {
+                const { discoveryUrl, metadata, clientId, clientSecret } = connection.oidcProvider;
+                const { ssoTraces } = this;
+                try {
+                    if (!this.opts.oidcPath) {
+                        throw new JacksonError('OpenID response handler path (oidcPath) is not set');
+                    }
+                    const client = yield import('openid-client');
+                    const oidcConfig = yield oidcClientConfig({
+                        discoveryUrl,
+                        metadata,
+                        clientId,
+                        clientSecret,
+                        ssoTraces: {
+                            instance: ssoTraces,
+                            context: {
+                                tenant: requestedTenant,
+                                product: requestedProduct,
+                                clientID: connection.clientID,
+                                requestedOIDCFlow,
+                                isOIDCFederated,
+                                redirectUri: redirect_uri,
+                            },
+                        },
+                    });
+                    oidcCodeVerifier = client.randomPKCECodeVerifier();
+                    const code_challenge = yield client.calculatePKCECodeChallenge(oidcCodeVerifier);
+                    oidcNonce = client.randomNonce();
+                    const standardScopes = ((_b = this.opts.openid) === null || _b === void 0 ? void 0 : _b.requestProfileScope)
+                        ? ['openid', 'email', 'profile']
+                        : ['openid', 'email'];
+                    const paramsToForward = ((_c = this.opts.openid) === null || _c === void 0 ? void 0 : _c.forwardOIDCParams) ? oidcParams : {};
+                    if (login_hint) {
+                        paramsToForward.login_hint = login_hint;
+                    }
+                    ssoUrl = client.buildAuthorizationUrl(oidcConfig, Object.assign({ scope: [...requestedScopes, ...standardScopes]
+                            .filter((value, index, self) => self.indexOf(value) === index) // filter out duplicates
+                            .join(' '), code_challenge, code_challenge_method: 'S256', state: relayState, nonce: oidcNonce, redirect_uri: this.opts.externalUrl + this.opts.oidcPath }, paramsToForward)).href;
+                }
+                catch (err) {
+                    const error_description = getErrorMessage(err);
+                    // Save the error trace
+                    const traceId = yield this.ssoTraces.saveTrace({
+                        error: error_description,
+                        context: {
+                            tenant: requestedTenant,
+                            product: requestedProduct,
+                            clientID: connection.clientID,
+                            requestedOIDCFlow,
+                            isOIDCFederated,
+                            redirectUri: redirect_uri,
+                        },
+                    });
+                    if (err) {
+                        return {
+                            redirect_url: OAuthErrorResponse({
+                                error: 'server_error',
+                                error_description: traceId ? `${traceId}: ${error_description}` : error_description,
+                                redirect_uri,
+                                state,
+                            }),
+                        };
+                    }
+                }
+            }
+            // Session persistence happens here
+            try {
+                const requested = { client_id, state, redirect_uri };
+                if (requestedTenant) {
+                    requested.tenant = requestedTenant;
+                }
+                if (requestedProduct) {
+                    requested.product = requestedProduct;
+                }
+                if (idp_hint) {
+                    requested.idp_hint = idp_hint;
+                }
+                else {
+                    if (fedApp) {
+                        requested.idp_hint = connection.clientID;
+                    }
+                }
+                if (requestedOIDCFlow) {
+                    requested.oidc = true;
+                    if (nonce) {
+                        requested.nonce = nonce;
+                    }
+                }
+                if (requestedScopes) {
+                    requested.scope = requestedScopes;
+                }
+                const sessionObj = {
+                    redirect_uri,
+                    response_type,
+                    state,
+                    code_challenge,
+                    code_challenge_method,
+                    requested,
+                    oidcFederated: fedApp
+                        ? {
+                            redirectUrl: fedApp.redirectUrl,
+                            id: fedApp.id,
+                            clientID: fedApp.clientID,
+                            clientSecret: fedApp.clientSecret,
+                        }
+                        : undefined,
+                };
+                yield this.sessionStore.put(sessionId, connectionIsSAML
+                    ? Object.assign(Object.assign({}, sessionObj), { id: samlReq === null || samlReq === void 0 ? void 0 : samlReq.id }) : Object.assign(Object.assign({}, sessionObj), { id: connection.clientID, oidcCodeVerifier, oidcNonce }));
+                // Redirect to IdP
+                if (connectionIsSAML) {
+                    let redirectUrl;
+                    let authorizeForm;
+                    if (!post) {
+                        // HTTP Redirect binding
+                        redirectUrl = redirect.success(ssoUrl, {
+                            RelayState: relayState,
+                            SAMLRequest: Buffer.from(yield deflateRawAsync(samlReq.request)).toString('base64'),
+                        });
+                    }
+                    else {
+                        // HTTP POST binding
+                        authorizeForm = saml.createPostForm(ssoUrl, [
+                            {
+                                name: 'RelayState',
+                                value: relayState,
+                            },
+                            {
+                                name: 'SAMLRequest',
+                                value: Buffer.from(samlReq.request).toString('base64'),
+                            },
+                        ]);
+                    }
+                    return {
+                        redirect_url: redirectUrl,
+                        authorize_form: authorizeForm,
+                    };
+                }
+                if (connectionIsOIDC) {
+                    return { redirect_url: ssoUrl };
+                }
+                throw 'Connection appears to be misconfigured';
+            }
+            catch (err) {
+                const error_description = getErrorMessage(err);
+                // Save the error trace
+                const traceId = yield this.ssoTraces.saveTrace({
+                    error: error_description,
+                    context: {
+                        tenant: requestedTenant,
+                        product: requestedProduct,
+                        clientID: connection.clientID,
+                        requestedOIDCFlow,
+                        isOIDCFederated,
+                        redirectUri: redirect_uri,
+                        samlRequest: (samlReq === null || samlReq === void 0 ? void 0 : samlReq.request) || '',
+                    },
+                });
+                return {
+                    redirect_url: OAuthErrorResponse({
+                        error: 'server_error',
+                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
+                        redirect_uri,
+                        state,
+                    }),
+                };
+            }
+        });
+    }
+    samlResponse(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
+            let connection;
+            let rawResponse;
+            let sessionId;
+            let session;
+            let issuer;
+            let isIdPFlow;
+            let isSAMLFederated;
+            let isOIDCFederated;
+            let validateOpts;
+            let redirect_uri;
+            const { SAMLResponse, idp_hint, RelayState = '' } = body;
+            try {
+                isIdPFlow = !RelayState.startsWith(relayStatePrefix);
+                rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
+                issuer = saml.parseIssuer(rawResponse);
+                if (!this.opts.idpEnabled && isIdPFlow) {
+                    // IdP login is disabled so block the request
+                    throw new JacksonError('IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.', 403);
+                }
+                sessionId = RelayState.replace(relayStatePrefix, '');
+                if (!issuer) {
+                    throw new JacksonError('Issuer not found.', 403);
+                }
+                const connections = (yield this.connectionStore.getByIndex({
+                    name: IndexNames.EntityID,
+                    value: issuer,
+                })).data;
+                if (!connections || connections.length === 0) {
+                    throw new JacksonError('SAML connection not found.', 403);
+                }
+                session = sessionId ? yield this.sessionStore.get(sessionId) : null;
+                if (!isIdPFlow && !session) {
+                    throw new JacksonError('Unable to validate state from the origin request.', 403);
+                }
+                isSAMLFederated = session && 'samlFederated' in session;
+                isOIDCFederated = session && 'oidcFederated' in session;
+                const isSPFlow = !isIdPFlow && !isSAMLFederated;
+                // IdP initiated SSO flow
+                if (isIdPFlow) {
+                    const response = yield this.ssoHandler.resolveConnection({
+                        idp_hint,
+                        authFlow: 'idp-initiated',
+                        entityId: issuer,
+                        originalParams: {
+                            SAMLResponse,
+                        },
+                    });
+                    // Redirect to the product selection page
+                    if ('postForm' in response) {
+                        return {
+                            app_select_form: response.postForm,
+                        };
+                    }
+                    // Found a connection
+                    if ('connection' in response) {
+                        connection = response.connection;
+                        if (!isConnectionActive(connection)) {
+                            throw new JacksonError('SSO connection is deactivated. Please contact your administrator.', 403);
+                        }
+                    }
+                }
+                // SP initiated SSO flow
+                // Resolve if there are multiple matches for SP login
+                if (isSPFlow || isSAMLFederated || isOIDCFederated) {
+                    connection = connections.filter((c) => {
+                        return (c.clientID === session.requested.client_id ||
+                            c.clientID === session.requested.idp_hint ||
+                            (c.tenant === session.requested.tenant && c.product === session.requested.product));
+                    })[0];
+                }
+                if (!connection) {
+                    throw new JacksonError('SAML connection not found.', 403);
+                }
+                if (session &&
+                    session.redirect_uri &&
+                    !allowed.redirect(session.redirect_uri, connection.redirectUrl)) {
+                    if (isOIDCFederated) {
+                        if (!allowed.redirect(session.redirect_uri, (_a = session.oidcFederated) === null || _a === void 0 ? void 0 : _a.redirectUrl)) {
+                            throw new JacksonError('Redirect URL is not allowed.', 403);
+                        }
+                    }
+                    else {
+                        throw new JacksonError('Redirect URL is not allowed.', 403);
+                    }
+                }
+                const { privateKey } = yield getDefaultCertificate();
+                validateOpts = {
+                    audience: `${this.opts.samlAudience}`,
+                    privateKey,
+                };
+                if (connection.idpMetadata.publicKey) {
+                    validateOpts.publicKey = connection.idpMetadata.publicKey;
+                }
+                else if (connection.idpMetadata.thumbprint) {
+                    validateOpts.thumbprint = connection.idpMetadata.thumbprint;
+                }
+                if (session && session.id) {
+                    validateOpts['inResponseTo'] = session.id;
+                }
+                redirect_uri = (session && session.redirect_uri) || connection.defaultRedirectUrl;
+            }
+            catch (err) {
+                // Save the error trace
+                yield this.ssoTraces.saveTrace({
+                    error: getErrorMessage(err),
+                    context: {
+                        samlResponse: rawResponse,
+                        tenant: ((_b = session === null || session === void 0 ? void 0 : session.requested) === null || _b === void 0 ? void 0 : _b.tenant) || (connection === null || connection === void 0 ? void 0 : connection.tenant),
+                        product: ((_c = session === null || session === void 0 ? void 0 : session.requested) === null || _c === void 0 ? void 0 : _c.product) || (connection === null || connection === void 0 ? void 0 : connection.product),
+                        clientID: ((_d = session === null || session === void 0 ? void 0 : session.requested) === null || _d === void 0 ? void 0 : _d.client_id) || (connection === null || connection === void 0 ? void 0 : connection.clientID),
+                        providerName: (_e = connection === null || connection === void 0 ? void 0 : connection.idpMetadata) === null || _e === void 0 ? void 0 : _e.provider,
+                        redirectUri: isIdPFlow ? connection === null || connection === void 0 ? void 0 : connection.defaultRedirectUrl : session === null || session === void 0 ? void 0 : session.redirect_uri,
+                        issuer,
+                        isSAMLFederated,
+                        isOIDCFederated,
+                        isIdPFlow,
+                        requestedOIDCFlow: !!((_f = session === null || session === void 0 ? void 0 : session.requested) === null || _f === void 0 ? void 0 : _f.oidc),
+                        acsUrl: (_g = session === null || session === void 0 ? void 0 : session.requested) === null || _g === void 0 ? void 0 : _g.acsUrl,
+                        entityId: (_h = session === null || session === void 0 ? void 0 : session.requested) === null || _h === void 0 ? void 0 : _h.entityId,
+                        relayState: RelayState,
+                    },
+                });
+                throw err; // Rethrow the error
+            }
+            let profile;
+            try {
+                profile = yield extractSAMLResponseAttributes(rawResponse, validateOpts);
+                // This is a federated SAML flow, let's create a new SAMLResponse and POST it to the SP
+                if (isSAMLFederated) {
+                    const { responseForm } = yield this.ssoHandler.createSAMLResponse({ profile, session });
+                    yield this.sessionStore.delete(sessionId);
+                    return { response_form: responseForm };
+                }
+                const code = yield this._buildAuthorizationCode(connection, profile, session, isIdPFlow);
+                const params = {
+                    code,
+                };
+                if (session && session.state) {
+                    params['state'] = session.state;
+                }
+                yield this.sessionStore.delete(sessionId);
+                return { redirect_url: redirect.success(redirect_uri, params) };
+            }
+            catch (err) {
+                const error_description = getErrorMessage(err);
+                // Trace the error
+                const traceId = yield this.ssoTraces.saveTrace({
+                    error: error_description,
+                    context: {
+                        samlResponse: rawResponse,
+                        tenant: connection.tenant,
+                        product: connection.product,
+                        clientID: connection.clientID,
+                        providerName: (_j = connection === null || connection === void 0 ? void 0 : connection.idpMetadata) === null || _j === void 0 ? void 0 : _j.provider,
+                        redirectUri: isIdPFlow ? connection === null || connection === void 0 ? void 0 : connection.defaultRedirectUrl : session === null || session === void 0 ? void 0 : session.redirect_uri,
+                        isSAMLFederated,
+                        isOIDCFederated,
+                        isIdPFlow,
+                        acsUrl: (_k = session === null || session === void 0 ? void 0 : session.requested) === null || _k === void 0 ? void 0 : _k.acsUrl,
+                        entityId: (_l = session === null || session === void 0 ? void 0 : session.requested) === null || _l === void 0 ? void 0 : _l.entityId,
+                        requestedOIDCFlow: !!((_m = session === null || session === void 0 ? void 0 : session.requested) === null || _m === void 0 ? void 0 : _m.oidc),
+                        relayState: RelayState,
+                        issuer,
+                        profile,
+                    },
+                });
+                if (isSAMLFederated) {
+                    throw err;
+                }
+                return {
+                    redirect_url: OAuthErrorResponse({
+                        error: 'access_denied',
+                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
+                        redirect_uri,
+                        state: (_o = session === null || session === void 0 ? void 0 : session.requested) === null || _o === void 0 ? void 0 : _o.state,
+                    }),
+                };
+            }
+        });
+    }
+    oidcAuthzResponse(body) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l;
+            let oidcConnection;
+            let session;
+            let isSAMLFederated;
+            let isOIDCFederated;
+            let redirect_uri;
+            let profile;
+            const callbackParams = body;
+            let RelayState = callbackParams.state || '';
+            try {
+                if (!RelayState) {
+                    throw new JacksonError('State from original request is missing.', 403);
+                }
+                RelayState = RelayState.replace(relayStatePrefix, '');
+                session = yield this.sessionStore.get(RelayState);
+                if (!session) {
+                    throw new JacksonError('Unable to validate state from the original request.', 403);
+                }
+                isSAMLFederated = session && 'samlFederated' in session;
+                isOIDCFederated = session && 'oidcFederated' in session;
+                oidcConnection = yield this.connectionStore.get(session.id);
+                if (!oidcConnection) {
+                    throw new JacksonError('OIDC connection not found.', 403);
+                }
+                if (!isSAMLFederated) {
+                    redirect_uri = session && session.redirect_uri;
+                    if (!redirect_uri) {
+                        throw new JacksonError('Redirect URL from the authorization request could not be retrieved', 403);
+                    }
+                    if (redirect_uri && !allowed.redirect(redirect_uri, oidcConnection.redirectUrl)) {
+                        if (isOIDCFederated) {
+                            if (!allowed.redirect(redirect_uri, (_a = session.oidcFederated) === null || _a === void 0 ? void 0 : _a.redirectUrl)) {
+                                throw new JacksonError('Redirect URL is not allowed.', 403);
+                            }
+                        }
+                        else {
+                            throw new JacksonError('Redirect URL is not allowed.', 403);
+                        }
+                    }
+                }
+            }
+            catch (err) {
+                yield this.ssoTraces.saveTrace({
+                    error: getErrorMessage(err),
+                    context: {
+                        tenant: ((_b = session === null || session === void 0 ? void 0 : session.requested) === null || _b === void 0 ? void 0 : _b.tenant) || (oidcConnection === null || oidcConnection === void 0 ? void 0 : oidcConnection.tenant),
+                        product: ((_c = session === null || session === void 0 ? void 0 : session.requested) === null || _c === void 0 ? void 0 : _c.product) || (oidcConnection === null || oidcConnection === void 0 ? void 0 : oidcConnection.product),
+                        clientID: ((_d = session === null || session === void 0 ? void 0 : session.requested) === null || _d === void 0 ? void 0 : _d.client_id) || (oidcConnection === null || oidcConnection === void 0 ? void 0 : oidcConnection.clientID),
+                        providerName: (_e = oidcConnection === null || oidcConnection === void 0 ? void 0 : oidcConnection.oidcProvider) === null || _e === void 0 ? void 0 : _e.provider,
+                        acsUrl: (_f = session === null || session === void 0 ? void 0 : session.requested) === null || _f === void 0 ? void 0 : _f.acsUrl,
+                        entityId: (_g = session === null || session === void 0 ? void 0 : session.requested) === null || _g === void 0 ? void 0 : _g.entityId,
+                        redirectUri: redirect_uri,
+                        relayState: RelayState,
+                        isSAMLFederated,
+                        isOIDCFederated,
+                        requestedOIDCFlow: !!((_h = session === null || session === void 0 ? void 0 : session.requested) === null || _h === void 0 ? void 0 : _h.oidc),
+                        oidcIdPRequest: (_j = session === null || session === void 0 ? void 0 : session.requested) === null || _j === void 0 ? void 0 : _j.oidcIdPRequest,
+                    },
+                });
+                // Rethrow err and redirect to Jackson error page
+                throw err;
+            }
+            // Reconstruct the oidcClient, code exchange for token and user profile happens here
+            const { discoveryUrl, metadata, clientId, clientSecret } = oidcConnection.oidcProvider;
+            const { ssoTraces } = this;
+            let tokens = undefined;
+            try {
+                const client = yield import('openid-client');
+                const oidcConfig = yield oidcClientConfig({
+                    discoveryUrl,
+                    metadata,
+                    clientId,
+                    clientSecret,
+                    ssoTraces: {
+                        instance: ssoTraces,
+                        context: {
+                            tenant: oidcConnection.tenant,
+                            product: oidcConnection.product,
+                            clientID: oidcConnection.clientID,
+                            providerName: oidcConnection.oidcProvider.provider,
+                            redirectUri: redirect_uri,
+                            relayState: RelayState,
+                            isSAMLFederated,
+                            isOIDCFederated,
+                            acsUrl: session.requested.acsUrl,
+                            entityId: session.requested.entityId,
+                            requestedOIDCFlow: !!session.requested.oidc,
+                            oidcIdPRequest: (_k = session === null || session === void 0 ? void 0 : session.requested) === null || _k === void 0 ? void 0 : _k.oidcIdPRequest,
+                        },
+                    },
+                });
+                const currentUrl = new URL(this.opts.externalUrl + this.opts.oidcPath + '?' + new URLSearchParams(callbackParams));
+                tokens = yield client.authorizationCodeGrant(oidcConfig, currentUrl, {
+                    pkceCodeVerifier: session.oidcCodeVerifier,
+                    expectedNonce: session.oidcNonce,
+                    expectedState: callbackParams.state,
+                    idTokenExpected: true,
+                });
+                profile = yield extractOIDCUserProfile(tokens, oidcConfig);
+                if (isSAMLFederated) {
+                    const { responseForm } = yield this.ssoHandler.createSAMLResponse({ profile, session });
+                    yield this.sessionStore.delete(RelayState);
+                    return { response_form: responseForm };
+                }
+                const code = yield this._buildAuthorizationCode(oidcConnection, profile, session, false);
+                const params = {
+                    code,
+                };
+                if (session && session.state) {
+                    params['state'] = session.state;
+                }
+                yield this.sessionStore.delete(RelayState);
+                return { redirect_url: redirect.success(redirect_uri, params) };
+            }
+            catch (err) {
+                const { error, error_description, error_uri, session_state, scope, stack } = err;
+                const error_message = error_description || getErrorMessage(err);
+                const traceId = yield this.ssoTraces.saveTrace({
+                    error: error_message,
+                    context: {
+                        tenant: oidcConnection.tenant,
+                        product: oidcConnection.product,
+                        clientID: oidcConnection.clientID,
+                        providerName: oidcConnection.oidcProvider.provider,
+                        redirectUri: redirect_uri,
+                        relayState: RelayState,
+                        isSAMLFederated,
+                        isOIDCFederated,
+                        acsUrl: session.requested.acsUrl,
+                        entityId: session.requested.entityId,
+                        requestedOIDCFlow: !!session.requested.oidc,
+                        oidcIdPRequest: (_l = session === null || session === void 0 ? void 0 : session.requested) === null || _l === void 0 ? void 0 : _l.oidcIdPRequest,
+                        profile,
+                        error,
+                        error_description,
+                        error_uri,
+                        session_state_from_op_error: session_state,
+                        scope_from_op_error: scope,
+                        stack,
+                        oidcTokenSet: { id_token: tokens === null || tokens === void 0 ? void 0 : tokens.id_token, access_token: tokens === null || tokens === void 0 ? void 0 : tokens.access_token },
+                    },
+                });
+                if (isSAMLFederated) {
+                    throw err;
+                }
+                return {
+                    redirect_url: OAuthErrorResponse({
+                        error: error || 'server_error',
+                        error_description: traceId ? `${traceId}: ${error_message}` : error_message,
+                        redirect_uri: redirect_uri,
+                        state: session.state,
+                    }),
+                };
+            }
+        });
+    }
+    // Build the authorization code for the session
+    _buildAuthorizationCode(connection, profile, session, isIdPFlow) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // Store details against a code
+            const code = crypto.randomBytes(20).toString('hex');
+            const requested = isIdPFlow
+                ? { isIdPFlow: true, tenant: connection.tenant, product: connection.product }
+                : session
+                    ? session.requested
+                    : null;
+            const codeVal = {
+                profile,
+                clientID: connection.clientID,
+                clientSecret: connection.clientSecret,
+                requested,
+                isIdPFlow,
+            };
+            if (session) {
+                codeVal['session'] = session;
+            }
+            yield this.codeStore.put(code, codeVal);
+            return code;
+        });
+    }
+    /**
+     * @swagger
+     *
+     * /oauth/token:
+     *   post:
+     *     summary: Code exchange
+     *     operationId: oauth-code-exchange
+     *     tags:
+     *       - OAuth
+     *     consumes:
+     *       - application/x-www-form-urlencoded
+     *     parameters:
+     *       - name: grant_type
+     *         in: formData
+     *         type: string
+     *         description: Grant type should be 'authorization_code'
+     *         default: authorization_code
+     *         required: true
+     *       - name: client_id
+     *         in: formData
+     *         type: string
+     *         description: Use the client_id returned by the SAML connection API
+     *         required: true
+     *       - name: client_secret
+     *         in: formData
+     *         type: string
+     *         description: Use the client_secret returned by the SAML connection API
+     *         required: true
+     *       - name: code_verifier
+     *         in: formData
+     *         type: string
+     *         description: code_verifier against the code_challenge in the authz request (relevant to PKCE flow)
+     *       - name: redirect_uri
+     *         in: formData
+     *         type: string
+     *         description: Redirect URI
+     *         required: true
+     *       - name: code
+     *         in: formData
+     *         type: string
+     *         description: Code
+     *         required: true
+     *     responses:
+     *       '200':
+     *         description: Success
+     *         schema:
+     *           type: object
+     *           properties:
+     *             access_token:
+     *               type: string
+     *             token_type:
+     *               type: string
+     *             expires_in:
+     *               type: string
+     *           example:
+     *             access_token: 8958e13053832b5af58fdf2ee83f35f5d013dc74
+     *             token_type: bearer
+     *             expires_in: 300
+     */
+    token(body, authHeader) {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l;
+            let basic_client_id;
+            let basic_client_secret;
+            try {
+                if (authHeader) {
+                    // Authorization: Basic {Base64(<client_id>:<client_secret>)}
+                    const base64Credentials = authHeader.split(' ')[1];
+                    const credentials = Buffer.from(base64Credentials, 'base64').toString('ascii');
+                    [basic_client_id, basic_client_secret] = credentials.split(':');
+                }
+                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+            }
+            catch (err) {
+                // no-op
+            }
+            const { code, grant_type = 'authorization_code', redirect_uri } = body;
+            const client_id = 'client_id' in body ? body.client_id : basic_client_id;
+            const client_secret = 'client_secret' in body ? body.client_secret : basic_client_secret;
+            const code_verifier = 'code_verifier' in body ? body.code_verifier : undefined;
+            metrics.increment('oauthToken');
+            if (grant_type !== 'authorization_code') {
+                throw new JacksonError('Unsupported grant_type', 400);
+            }
+            if (!code) {
+                throw new JacksonError('Please specify code', 400);
+            }
+            const codeVal = yield this.codeStore.get(code);
+            if (!codeVal || !codeVal.profile) {
+                throw new JacksonError('Invalid code', 403);
+            }
+            if ((_a = codeVal.requested) === null || _a === void 0 ? void 0 : _a.redirect_uri) {
+                if (redirect_uri !== codeVal.requested.redirect_uri) {
+                    throw new JacksonError(`Invalid request: ${!redirect_uri ? 'redirect_uri missing' : 'redirect_uri mismatch'}`, 400);
+                }
+            }
+            if (code_verifier) {
+                // PKCE flow
+                let cv = code_verifier;
+                if (((_b = codeVal.session.code_challenge_method) === null || _b === void 0 ? void 0 : _b.toLowerCase()) === 's256') {
+                    cv = codeVerifier.encode(code_verifier);
+                }
+                if (codeVal.session.code_challenge !== cv) {
+                    throw new JacksonError('Invalid code_verifier', 401);
+                }
+                // For Federation flow, we need to verify the client_secret
+                if (client_id === null || client_id === void 0 ? void 0 : client_id.startsWith(`${clientIDFederatedPrefix}${clientIDOIDCPrefix}`)) {
+                    if (client_id !== ((_d = (_c = codeVal.session) === null || _c === void 0 ? void 0 : _c.oidcFederated) === null || _d === void 0 ? void 0 : _d.clientID) ||
+                        client_secret !== ((_f = (_e = codeVal.session) === null || _e === void 0 ? void 0 : _e.oidcFederated) === null || _f === void 0 ? void 0 : _f.clientSecret)) {
+                        throw new JacksonError('Invalid client_id or client_secret', 401);
+                    }
+                }
+            }
+            else if (client_id && client_secret) {
+                // check if we have an encoded client_id
+                if (client_id !== 'dummy') {
+                    const sp = getEncodedTenantProduct(client_id);
+                    if (!sp) {
+                        // OAuth flow
+                        if (client_id !== codeVal.clientID || client_secret !== codeVal.clientSecret) {
+                            throw new JacksonError('Invalid client_id or client_secret', 401);
+                        }
+                    }
+                    else {
+                        if (!codeVal.isIdPFlow &&
+                            (sp.tenant !== ((_g = codeVal.requested) === null || _g === void 0 ? void 0 : _g.tenant) || sp.product !== ((_h = codeVal.requested) === null || _h === void 0 ? void 0 : _h.product))) {
+                            throw new JacksonError('Invalid tenant or product', 401);
+                        }
+                        // encoded client_id, verify client_secret
+                        if (client_secret !== this.opts.clientSecretVerifier) {
+                            throw new JacksonError('Invalid client_secret', 401);
+                        }
+                    }
+                }
+                else {
+                    if (client_secret !== this.opts.clientSecretVerifier && client_secret !== codeVal.clientSecret) {
+                        throw new JacksonError('Invalid client_secret', 401);
+                    }
+                }
+            }
+            else if (codeVal && codeVal.session) {
+                throw new JacksonError('Please specify client_secret or code_verifier', 401);
+            }
+            // store details against a token
+            const token = crypto.randomBytes(20).toString('hex');
+            const tokenVal = Object.assign(Object.assign({}, codeVal.profile), { requested: codeVal.requested });
+            const requestedOIDCFlow = !!((_j = codeVal.requested) === null || _j === void 0 ? void 0 : _j.oidc);
+            const requestHasNonce = !!((_k = codeVal.requested) === null || _k === void 0 ? void 0 : _k.nonce);
+            if (requestedOIDCFlow) {
+                const { jwtSigningKeys, jwsAlg } = (_l = this.opts.openid) !== null && _l !== void 0 ? _l : {};
+                if (!jwtSigningKeys || !isJWSKeyPairLoaded(jwtSigningKeys)) {
+                    throw new JacksonError('JWT signing keys are not loaded', 500);
+                }
+                let claims = requestHasNonce ? { nonce: codeVal.requested.nonce } : {};
+                claims = Object.assign(Object.assign({}, claims), { id: codeVal.profile.claims.id, email: codeVal.profile.claims.email, firstName: codeVal.profile.claims.firstName, lastName: codeVal.profile.claims.lastName, roles: codeVal.profile.claims.roles, groups: codeVal.profile.claims.groups });
+                const signingKey = yield loadJWSPrivateKey(jwtSigningKeys.private, jwsAlg);
+                const kid = yield computeKid(jwtSigningKeys.public, jwsAlg);
+                const id_token = yield new jose.SignJWT(claims)
+                    .setProtectedHeader({ alg: jwsAlg, kid })
+                    .setIssuedAt()
+                    .setIssuer(this.opts.externalUrl)
+                    .setSubject(codeVal.profile.claims.id)
+                    .setAudience(tokenVal.requested.client_id)
+                    .setExpirationTime(`${this.opts.db.ttl}s`) //  identity token only really needs to be valid long enough for it to be verified by the client application.
+                    .sign(signingKey);
+                tokenVal.id_token = id_token;
+                tokenVal.claims.sub = codeVal.profile.claims.id;
+            }
+            yield this.tokenStore.put(token, tokenVal);
+            // delete the code
+            try {
+                yield this.codeStore.delete(code);
+                // eslint-disable-next-line @typescript-eslint/no-unused-vars
+            }
+            catch (_err) {
+                // ignore error
+            }
+            const tokenResponse = {
+                access_token: token,
+                token_type: 'bearer',
+                expires_in: this.opts.db.ttl,
+            };
+            if (requestedOIDCFlow) {
+                tokenResponse.id_token = tokenVal.id_token;
+            }
+            return tokenResponse;
+        });
+    }
+    /**
+     * @swagger
+     *
+     * /oauth/userinfo:
+     *   get:
+     *     summary: Get profile
+     *     operationId: oauth-get-profile
+     *     tags:
+     *       - OAuth
+     *     responses:
+     *       '200':
+     *         description: Success
+     *         schema:
+     *           type: object
+     *           properties:
+     *             id:
+     *               type: string
+     *             email:
+     *               type: string
+     *             firstName:
+     *               type: string
+     *             lastName:
+     *               type: string
+     *             roles:
+     *               type: array
+     *               items:
+     *                 type: string
+     *             groups:
+     *               type: array
+     *               items:
+     *                 type: string
+     *             raw:
+     *               type: object
+     *             requested:
+     *               type: object
+     *           example:
+     *             id: 32b5af58fdf
+     *             email: jackson@coolstartup.com
+     *             firstName: SAML
+     *             lastName: Jackson
+     *             raw: {
+     *
+     *             }
+     *             requested: {
+     *
+     *             }
+     */
+    userInfo(token) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const rsp = yield this.tokenStore.get(token);
+            metrics.increment('oauthUserInfo');
+            if (!rsp || !rsp.claims) {
+                throw new JacksonError('Invalid token', 403);
+            }
+            return Object.assign(Object.assign({}, rsp.claims), { requested: rsp.requested });
+        });
+    }
+}
+//# sourceMappingURL=oauth.js.map