npm - @camstack/addon-auth-oidc - Versions diffs - 0.1.0 - Mend

@camstack/addon-auth-oidc 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +259 -0
package/dist/auth-oidc.addon.js +314 -0
package/dist/auth-oidc.addon.js.map +1 -0
package/dist/auth-oidc.addon.mjs +297 -0
package/dist/auth-oidc.addon.mjs.map +1 -0
package/dist/index.js +6 -0
package/dist/index.js.map +1 -0
package/dist/index.mjs +6 -0
package/dist/index.mjs.map +1 -0
package/package.json +70 -0

package/README.md ADDED Viewed

@@ -0,0 +1,259 @@
+# `@camstack/addon-auth-oidc`
+Generic OpenID Connect (OIDC) authentication provider for CamStack. Plugs into the existing `auth-provider` collection capability so the login screen renders an SSO button next to the local username + password form.
+Supports any standards-compliant OIDC IdP: **Authentik**, **Keycloak**, **Google**, **Microsoft Entra ID** (formerly Azure AD), **Okta**, **Auth0**, and any other provider that publishes `/.well-known/openid-configuration`.
+---
+## Quick start (Authentik — recommended for self-hosted)
+[Authentik](https://goauthentik.io) is the most operator-friendly self-hosted IdP for home labs and small deployments. It also doubles as a SAML / LDAP gateway in front of your existing identity stores.
+### 1. Create the OIDC application in Authentik
+In the Authentik admin UI:
+1. **Applications → Providers → Create**
+   - Type: **OAuth2/OpenID Provider**
+   - Name: `CamStack`
+   - Authorization flow: `default-provider-authorization-implicit-consent`
+   - Client type: `Confidential`
+   - Client ID: *(leave the auto-generated value)*
+   - Client Secret: *(leave the auto-generated value)*
+   - Redirect URIs / Origins (RegEx):
+     ```
+     https://your-camstack.example.com/addon/auth-oidc/callback
+     ```
+   - Signing Key: any key (e.g. `authentik Self-signed Certificate`)
+   - Save
+2. **Applications → Applications → Create**
+   - Name: `CamStack`
+   - Slug: `camstack`
+   - Provider: select the provider you just created
+   - Launch URL: `https://your-camstack.example.com/admin`
+   - Save
+### 2. Install + configure the addon in CamStack
+1. **Admin UI → System → Addons → Install** → search `@camstack/addon-auth-oidc` → install
+2. **Admin UI → System → Authentication** — verify the new row appears (kind: `oidc`)
+3. Click the row → **Configure** → fill the global settings:
+| Field | Value |
+|---|---|
+| Display Name | `Continue with Authentik` |
+| Icon | `shield-check` (or `key`, `user`, …) |
+| Issuer URL | `https://authentik.your-domain.tld/application/o/camstack/` |
+| Client ID | *paste from Authentik provider* |
+| Client Secret | *paste from Authentik provider* |
+| Redirect URI | `https://your-camstack.example.com/addon/auth-oidc/callback` |
+| Scopes | `openid profile email` |
+| Username Claim | `preferred_username` |
+| Default Role | `viewer` |
+Save. The login screen now shows an **"Continue with Authentik"** button.
+> **Important**: the issuer URL **MUST** end with the trailing slash that Authentik adds to its application slug (`/application/o/<slug>/`). Without it the `.well-known/openid-configuration` discovery fetch returns 404.
+### 3. Test the flow
+1. Log out (or open an incognito window) → `/admin/login`
+2. Click **Continue with Authentik**
+3. Authentik prompts for credentials + consent → on success you land back on the CamStack admin UI as the OIDC user
+4. **Admin UI → System → Users** — the user is auto-provisioned with the configured `defaultRole`
+---
+## Other providers — discovery URL templates
+Configure exactly the same fields, only the **Issuer URL** changes:
+### Keycloak
+```
+Issuer URL: https://your-keycloak.example.com/realms/<realm-name>
+```
+In Keycloak: **Clients → Create** with type `OpenID Connect`, set Valid redirect URIs to `https://your-camstack.example.com/addon/auth-oidc/callback`. Username claim depends on your realm setup — `preferred_username` is the Keycloak default.
+### Google
+```
+Issuer URL: https://accounts.google.com
+```
+In **Google Cloud Console → APIs & Services → Credentials → OAuth 2.0 Client IDs**:
+- Application type: `Web application`
+- Authorized redirect URIs: `https://your-camstack.example.com/addon/auth-oidc/callback`
+Username Claim: `email` (Google doesn't issue `preferred_username`).
+### Microsoft Entra ID (formerly Azure AD)
+```
+Issuer URL: https://login.microsoftonline.com/<tenant-id>/v2.0
+```
+In **Entra → App registrations → New registration**:
+- Redirect URI: `Web` → `https://your-camstack.example.com/addon/auth-oidc/callback`
+- Generate a client secret under **Certificates & secrets**
+- Under **API permissions** add `openid`, `profile`, `email`
+Replace `<tenant-id>` with your tenant GUID. For multi-tenant apps use `common` as the tenant ID.
+Username Claim: `preferred_username` (Entra issues UPN-style logins) or `email`.
+### Okta
+```
+Issuer URL: https://<your-okta-domain>.okta.com/oauth2/default
+```
+In Okta: **Applications → Create App Integration → OIDC - Web Application**, sign-in redirect URI as above. Use the default Authorization Server (`/oauth2/default`) or substitute your custom one.
+### Auth0
+```
+Issuer URL: https://<your-tenant>.auth0.com
+```
+In Auth0: **Applications → Create Application → Regular Web Applications**, allowed callback URLs as above.
+---
+## Configuration reference
+| Setting | Default | Notes |
+|---|---|---|
+| `displayName` | `OpenID Connect` | Login button label |
+| `icon` | `shield-check` | lucide-react icon name |
+| `issuerUrl` | *(empty)* | IdP base URL — `<issuer>/.well-known/openid-configuration` MUST resolve |
+| `clientId` | *(empty)* | OAuth2 client ID issued by the IdP |
+| `clientSecret` | *(empty)* | OAuth2 client secret — server-side only, never exposed to the browser |
+| `redirectUri` | `<CAMSTACK_PUBLIC_ORIGIN>/addon/auth-oidc/callback` | Public callback URL the IdP redirects to. Override when the server is behind a reverse proxy with a different public origin |
+| `scopes` | `openid profile email` | Space-separated OAuth scopes |
+| `usernameClaim` | `preferred_username` | One of `preferred_username` / `email` / `sub` |
+| `defaultRole` | `viewer` | Role assigned to first-time SSO users — choose `admin` only when the IdP itself enforces operator vetting |
+---
+## Multi-IdP deployments
+Install the addon **multiple times** under different addon IDs to support multiple IdPs simultaneously. The Authentication page lists them all and the Login screen renders one button per provider.
+```
+Admin UI → Addons → Install → @camstack/addon-auth-oidc
+   (becomes auth-oidc with default settings)
+Admin UI → Addons → Install → @camstack/addon-auth-oidc-google
+   (cloned manifest with id=auth-oidc-google)
+```
+Each instance has its own settings panel and its own redirect URI: `/addon/<addonId>/callback`.
+---
+## Architecture
+```
+┌────────────────────────────────────────────────────────────────┐
+│ Browser                                                        │
+│                                                                │
+│  /admin/login ──┬─► local-auth (username + password)            │
+│                 └─► [SSO buttons rendered from                  │
+│                      authentication.listProviders()]            │
+└────────────────────────────────────────────────────────────────┘
+            │
+            ▼ click SSO button
+┌────────────────────────────────────────────────────────────────┐
+│ CamStack server                                                 │
+│                                                                │
+│  /addon/auth-oidc/start                                         │
+│    ├─ build PKCE pair                                           │
+│    ├─ generate state                                            │
+│    └─ 302 redirect → IdP authorization endpoint                 │
+└────────────────────────────────────────────────────────────────┘
+            │
+            ▼ user logs in at IdP
+┌────────────────────────────────────────────────────────────────┐
+│ IdP (Authentik / Keycloak / Google / …)                         │
+│                                                                │
+│  302 redirect with `code` + `state` parameters                  │
+└────────────────────────────────────────────────────────────────┘
+            │
+            ▼
+┌────────────────────────────────────────────────────────────────┐
+│ CamStack server                                                 │
+│                                                                │
+│  /addon/auth-oidc/callback                                      │
+│    ├─ verify state                                              │
+│    ├─ POST token endpoint with code + code_verifier             │
+│    ├─ decode id_token (no signature verify yet — see TODO)      │
+│    └─ 302 → /api/auth/sso/finish?userId=…&username=…&roles=…    │
+│                                                                │
+│  /api/auth/sso/finish                                           │
+│    ├─ authService.signToken(...) → 24h CamStack JWT             │
+│    └─ 302 → /admin/login#token=<jwt>&provider=<addonId>         │
+└────────────────────────────────────────────────────────────────┘
+            │
+            ▼
+  SPA picks token off URL fragment, persists to localStorage,
+  strips fragment → user is logged in.
+```
+---
+## Security notes
+This addon is **functional but not yet hardened for production**. Known gaps:
+1. **id_token signature is not verified against the IdP's JWKS.** The token is base64-decoded and trusted because:
+   - It arrived on the back-channel (server-to-server token exchange, not client-controlled)
+   - The exchange was bound to a `state` parameter we generated
+   For full RFC 7515 / OIDC Core compliance, replace `decodeJwtPayload` with `jose.jwtVerify(idToken, await jose.createRemoteJWKSet(new URL(jwks_uri)))`.
+2. **State + PKCE storage is in-memory.** A 5-minute TTL bounds the exposure but multi-replica deployments will lose state if the user's redirect lands on a different replica. Move to a settings-backed store (`ctx.api.settings.set/get`) when this becomes operationally relevant.
+3. **The `nonce` parameter is not implemented.** Replay protection currently relies on the IdP-issued `aud` and `iss` claims being checked downstream; for paranoid setups generate a `nonce`, include it in the auth URL, and validate it from the id_token.
+4. **The `/api/auth/sso/finish` endpoint trusts query parameters from the addon's own callback handler.** A misconfigured reverse proxy that re-emits client query strings could in theory inject claims. Defense-in-depth fix: have the callback handler sign the redirect parameters with `auth.jwtSecret` (HMAC) and verify on `/finish`.
+If you're running this in production, please open an issue or PR — these gaps are tracked in `packages/addon-auth-oidc/src/auth-oidc.addon.ts` (file-level docstring) and we'd like to close them.
+---
+## Troubleshooting
+### "OIDC discovery failed: 404 Not Found"
+The issuer URL is wrong. Hit `<issuer>/.well-known/openid-configuration` in your browser — you should see a JSON document. Common gotchas:
+- **Authentik** appends a trailing slash to application slugs (`/application/o/<slug>/`) — keep it
+- **Keycloak** is case-sensitive on realm names
+- **Cloudflare** in front of your IdP needs to allow the well-known path through
+### "Unknown or expired OIDC state"
+Either:
+- The user took longer than 5 minutes to complete login at the IdP
+- The user's redirect landed on a different replica (multi-replica issue — see Security note #2)
+- The IdP corrupted the state value (rare; check IdP logs)
+Just retry — this isn't a permanent failure.
+### "OIDC token exchange failed: 401 invalid_client"
+The clientSecret is wrong, or the IdP rejected the redirect URI. Check:
+- The redirect URI configured in the addon settings exactly matches the one registered at the IdP (case-sensitive, trailing slash matters)
+- The IdP's client allows `Confidential` / `Authorization Code` grant type
+### "Login succeeds but the SPA shows a blank page"
+Check the browser console — the most common cause is the JWT signing failed because `auth.jwtSecret` isn't set. CamStack auto-generates one on first boot but if `config.yaml` is read-only the secret can't persist. Set `CAMSTACK_JWT_SECRET` env var as a workaround.
+---
+## License
+MIT — same as the rest of CamStack.

package/dist/auth-oidc.addon.js ADDED Viewed

@@ -0,0 +1,314 @@
+"use strict";
+Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
+const crypto = require("node:crypto");
+const types = require("@camstack/types");
+function _interopNamespaceDefault(e) {
+  const n = Object.create(null, { [Symbol.toStringTag]: { value: "Module" } });
+  if (e) {
+    for (const k in e) {
+      if (k !== "default") {
+        const d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: () => e[k]
+        });
+      }
+    }
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+const crypto__namespace = /* @__PURE__ */ _interopNamespaceDefault(crypto);
+const DEFAULT_CONFIG = {
+  displayName: "OpenID Connect",
+  icon: "shield-check",
+  issuerUrl: "",
+  clientId: "",
+  clientSecret: "",
+  redirectUri: "",
+  scopes: "openid profile email",
+  usernameClaim: "preferred_username",
+  defaultRole: "viewer"
+};
+const STATE_TTL_MS = 5 * 6e4;
+class AuthOidcAddon extends types.BaseAddon {
+  discovery = null;
+  discoveryFetchedAt = 0;
+  pendingStates = /* @__PURE__ */ new Map();
+  // Provider metadata — read by the auth-orchestrator when the admin
+  // UI calls `authentication.listProviders`. Static fields on the
+  // provider object so the orchestrator's coercion picks them up.
+  displayName;
+  kind = "oidc";
+  icon;
+  hasRedirectFlow = true;
+  hasCredentialFlow = false;
+  constructor() {
+    super({ ...DEFAULT_CONFIG });
+    this.displayName = DEFAULT_CONFIG.displayName;
+    this.icon = DEFAULT_CONFIG.icon;
+  }
+  async onInitialize() {
+    Object.assign(this, {
+      displayName: this.config.values.displayName || DEFAULT_CONFIG.displayName,
+      icon: this.config.values.icon || DEFAULT_CONFIG.icon
+    });
+    const authProvider = {
+      validateCredentials: async () => null,
+      // OIDC has no credential flow
+      validateToken: async ({ token }) => this.validateLocalSessionToken(token),
+      getLoginUrl: async ({ state }) => this.buildLoginUrl(state),
+      handleCallback: async (params) => {
+        const code = params["code"];
+        const state = params["state"];
+        if (!code || !state) {
+          throw new Error("Missing code or state in OIDC callback");
+        }
+        return this.handleCallback(code, state);
+      }
+    };
+    const routes = [
+      {
+        method: "GET",
+        path: "/start",
+        access: "public",
+        description: "Begin OIDC redirect login flow",
+        handler: async (req, reply) => this.handleStart(req, reply)
+      },
+      {
+        method: "GET",
+        path: "/callback",
+        access: "public",
+        description: "OIDC redirect callback — exchanges code for tokens",
+        handler: async (req, reply) => this.handleCallbackRoute(req, reply)
+      }
+    ];
+    const routeProvider = {
+      id: "auth-oidc",
+      getRoutes: () => routes
+    };
+    this.ctx.logger.info("OIDC auth provider initialized", {
+      meta: {
+        displayName: this.displayName,
+        issuerUrl: this.config.values.issuerUrl || "(not configured)"
+      }
+    });
+    return [
+      { capability: types.authProviderCapability, provider: authProvider },
+      { capability: types.addonRoutesCapability, provider: routeProvider }
+    ];
+  }
+  globalSettingsSchema() {
+    return this.schema({
+      sections: [{
+        id: "oidc",
+        title: "OIDC Provider Settings",
+        description: "Configure your IdP. The redirect URI must be registered at the IdP exactly as shown below.",
+        columns: 1,
+        fields: [
+          this.field({ type: "text", key: "displayName", label: "Display Name", description: 'Shown on the login button (e.g., "Continue with Google").', default: DEFAULT_CONFIG.displayName }),
+          this.field({ type: "text", key: "icon", label: "Icon", description: "lucide-react icon name. Default: shield-check.", default: DEFAULT_CONFIG.icon }),
+          this.field({ type: "text", key: "issuerUrl", label: "Issuer URL", description: "IdP base URL — discovery doc lives at <issuer>/.well-known/openid-configuration.", default: "" }),
+          this.field({ type: "text", key: "clientId", label: "Client ID", description: "OAuth2 client ID issued by the IdP.", default: "" }),
+          this.field({ type: "text", key: "clientSecret", label: "Client Secret", description: "OAuth2 client secret. Server-side only.", default: "" }),
+          this.field({ type: "text", key: "redirectUri", label: "Redirect URI", description: "Public callback URL. Default: <origin>/addon/auth-oidc/callback. Must match the IdP-registered URI.", default: "" }),
+          this.field({ type: "text", key: "scopes", label: "Scopes", description: "Space-separated OAuth scopes.", default: DEFAULT_CONFIG.scopes }),
+          this.field({
+            type: "select",
+            key: "usernameClaim",
+            label: "Username Claim",
+            description: "Which OIDC claim to use as the local username.",
+            default: DEFAULT_CONFIG.usernameClaim,
+            options: [
+              { value: "preferred_username", label: "preferred_username" },
+              { value: "email", label: "email" },
+              { value: "sub", label: "sub (user id)" }
+            ]
+          }),
+          this.field({
+            type: "select",
+            key: "defaultRole",
+            label: "Default Role",
+            description: "Role assigned to first-time SSO users.",
+            default: DEFAULT_CONFIG.defaultRole,
+            options: [
+              { value: "viewer", label: "Viewer" },
+              { value: "admin", label: "Admin" },
+              { value: "super_admin", label: "Super Admin" }
+            ]
+          })
+        ]
+      }]
+    });
+  }
+  // ─── OIDC discovery + URL building ─────────────────────────────────
+  /**
+   * Fetch + cache the IdP's discovery document. Refreshes every hour
+   * (issuer config rarely changes; refresh window keeps us correct
+   * without hammering on every login).
+   */
+  async getDiscovery() {
+    if (this.discovery && Date.now() - this.discoveryFetchedAt < 60 * 6e4) {
+      return this.discovery;
+    }
+    const issuer = this.config.values.issuerUrl?.replace(/\/+$/, "");
+    if (!issuer) throw new Error("OIDC issuerUrl not configured");
+    const url = `${issuer}/.well-known/openid-configuration`;
+    const res = await fetch(url);
+    if (!res.ok) {
+      throw new Error(`OIDC discovery failed: ${res.status} ${res.statusText}`);
+    }
+    const doc = await res.json();
+    if (!doc.authorization_endpoint || !doc.token_endpoint) {
+      throw new Error("OIDC discovery response missing required endpoints");
+    }
+    this.discovery = doc;
+    this.discoveryFetchedAt = Date.now();
+    return doc;
+  }
+  buildRedirectUri() {
+    const configured = this.config.values.redirectUri?.trim();
+    if (configured) return configured;
+    const origin = process.env["CAMSTACK_PUBLIC_ORIGIN"] || "https://localhost:4443";
+    return `${origin.replace(/\/+$/, "")}/addon/auth-oidc/callback`;
+  }
+  async buildLoginUrl(state) {
+    const doc = await this.getDiscovery();
+    const codeVerifier = crypto__namespace.randomBytes(32).toString("base64url");
+    const codeChallenge = crypto__namespace.createHash("sha256").update(codeVerifier).digest("base64url");
+    this.pruneExpiredStates();
+    this.pendingStates.set(state, { codeVerifier, createdAt: Date.now() });
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: this.config.values.clientId,
+      redirect_uri: this.buildRedirectUri(),
+      scope: this.config.values.scopes || DEFAULT_CONFIG.scopes,
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256"
+    });
+    return `${doc.authorization_endpoint}?${params.toString()}`;
+  }
+  pruneExpiredStates() {
+    const now = Date.now();
+    for (const [k, v] of this.pendingStates.entries()) {
+      if (now - v.createdAt > STATE_TTL_MS) this.pendingStates.delete(k);
+    }
+  }
+  // ─── Callback / token exchange ─────────────────────────────────────
+  async handleCallback(code, state) {
+    const pending = this.pendingStates.get(state);
+    if (!pending) {
+      throw new Error("Unknown or expired OIDC state — login session timed out, please retry");
+    }
+    this.pendingStates.delete(state);
+    const doc = await this.getDiscovery();
+    const tokenRes = await fetch(doc.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: this.buildRedirectUri(),
+        client_id: this.config.values.clientId,
+        client_secret: this.config.values.clientSecret,
+        code_verifier: pending.codeVerifier
+      })
+    });
+    if (!tokenRes.ok) {
+      const text = await tokenRes.text().catch(() => "");
+      throw new Error(`OIDC token exchange failed: ${tokenRes.status} ${tokenRes.statusText} — ${text.slice(0, 200)}`);
+    }
+    const tokens = await tokenRes.json();
+    let claims = null;
+    if (tokens.id_token) {
+      claims = decodeJwtPayload(tokens.id_token);
+    }
+    if (!claims && doc.userinfo_endpoint) {
+      const ui = await fetch(doc.userinfo_endpoint, {
+        headers: { Authorization: `Bearer ${tokens.access_token}` }
+      });
+      if (ui.ok) claims = await ui.json();
+    }
+    if (!claims?.sub) {
+      throw new Error("OIDC callback: id_token missing required `sub` claim");
+    }
+    const usernameClaim = this.config.values.usernameClaim;
+    const username = usernameClaim === "preferred_username" && claims.preferred_username || usernameClaim === "email" && claims.email || claims.sub;
+    const userId = `oidc:${claims.sub}`;
+    return {
+      userId,
+      username: String(username),
+      ...claims.email ? { email: claims.email } : {},
+      ...claims.name ? { displayName: claims.name } : {},
+      roles: [this.config.values.defaultRole]
+    };
+  }
+  validateLocalSessionToken(_token) {
+    return null;
+  }
+  // ─── HTTP route handlers ───────────────────────────────────────────
+  async handleStart(_req, reply) {
+    const state = crypto__namespace.randomBytes(16).toString("base64url");
+    try {
+      const url = await this.buildLoginUrl(state);
+      reply.code(302);
+      reply.header("Location", url);
+      reply.send("");
+    } catch (err) {
+      reply.code(500);
+      reply.send({ error: "OIDC start failed", message: types.errMsg(err) });
+    }
+  }
+  async handleCallbackRoute(req, reply) {
+    const query = req.query;
+    const code = query["code"];
+    const state = query["state"];
+    const errorParam = query["error"];
+    if (errorParam) {
+      reply.code(400);
+      reply.send({ error: "OIDC error", detail: errorParam, description: query["error_description"] });
+      return;
+    }
+    if (!code || !state) {
+      reply.code(400);
+      reply.send({ error: "Missing code or state" });
+      return;
+    }
+    try {
+      const result = await this.handleCallback(code, state);
+      const params = new URLSearchParams({
+        userId: result.userId,
+        username: result.username,
+        ...result.email ? { email: result.email } : {},
+        ...result.displayName ? { displayName: result.displayName } : {},
+        roles: result.roles.join(","),
+        provider: "auth-oidc"
+      });
+      reply.code(302);
+      reply.header("Location", `/api/auth/sso/finish?${params.toString()}`);
+      reply.send("");
+    } catch (err) {
+      reply.code(500);
+      reply.send({ error: "OIDC callback failed", message: types.errMsg(err) });
+    }
+  }
+}
+function decodeJwtPayload(jwt) {
+  const parts = jwt.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const payload = parts[1];
+    const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+    const buf = Buffer.from(padded, "base64url");
+    return JSON.parse(buf.toString("utf-8"));
+  } catch {
+    return null;
+  }
+}
+exports.AuthOidcAddon = AuthOidcAddon;
+exports.default = AuthOidcAddon;
+//# sourceMappingURL=auth-oidc.addon.js.map

package/dist/auth-oidc.addon.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-oidc.addon.js","sources":["../src/auth-oidc.addon.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-unsafe-return -- BaseAddon<TConfig>.config.values is typed-erased in the consumer's type tree under projectService context (the cap-router union resolves the generic at the call site, not in the addon's own dist). All sites flagged here are reads/writes of well-typed local fields; runtime contract is validated by Zod via globalSettingsSchema. */\n/**\n * Generic OpenID Connect (OIDC) authentication provider.\n *\n * Registers two capabilities:\n * - `auth-provider` (collection) — the standard CamStack auth surface.\n * `getLoginUrl({state})` returns the IdP's authorization URL with\n * state + PKCE; `handleCallback({code, state})` exchanges the code\n * for tokens and returns AuthResult.\n * - `addon-routes` (collection) — `/start` (302 to IdP) and\n * `/callback` (token exchange + redirect to admin UI with the\n * local session token in the URL fragment).\n *\n * Flow (login):\n * 1. Browser hits `/api/auth/sso/auth-oidc/start` (proxy to\n * `/addon/auth-oidc/start`)\n * 2. Addon redirects to `<issuer>/authorize?...&state=...&code_challenge=...`\n * 3. User authenticates at the IdP\n * 4. IdP redirects back to `/addon/auth-oidc/callback?code=...&state=...`\n * 5. Addon exchanges code for id_token + access_token, decodes claims,\n * mints local CamStack session, redirects to `/admin#token=...`\n *\n * Configuration: per-instance via global addon settings (issuer URL,\n * client ID/secret, scopes, displayName). Multiple OIDC providers can\n * coexist by installing this addon multiple times under different IDs.\n *\n * Production-readiness gaps (documented for follow-up):\n * - ID-token signature is NOT verified against JWKS. The token is\n * decoded as base64-url-JSON and trusted because the code came\n * from the IdP redirect (state param is verified). Add\n * `jose.jwtVerify(idToken, JWKS)` for full RFC 7515 compliance.\n * - State + PKCE are stored in-memory keyed by state value with a\n * 5-minute TTL. Survives addon restart only if the user retries\n * within the window. For production multi-replica deploys, move\n * to a settings-backed store.\n * - `nonce` parameter not yet implemented. Mitigate replay by\n * validating `aud` and `iss` from id_token claims.\n */\nimport * as crypto from 'node:crypto'\nimport {\n BaseAddon,\n authProviderCapability,\n addonRoutesCapability,\n errMsg,\n type ProviderRegistration,\n type IAuthProvider,\n type IAddonRouteProvider,\n type IAddonHttpRoute,\n type AddonHttpRequest,\n type AddonHttpReply,\n} from '@camstack/types'\n\ninterface OidcConfig {\n /** Display name shown on the login button + admin UI (\"Log in with Acme\"). */\n readonly displayName: string\n /** Operator-facing icon hint (lucide-react icon name). Defaults to 'shield-check'. */\n readonly icon: string\n /**\n * Issuer base URL — discovery document MUST live at\n * `<issuer>/.well-known/openid-configuration`. Examples:\n * - https://accounts.google.com\n * - https://login.microsoftonline.com/<tenant>/v2.0\n * - https://your-keycloak.example.com/realms/master\n */\n readonly issuerUrl: string\n /** OAuth2 client ID issued by the IdP. */\n readonly clientId: string\n /** OAuth2 client secret. Server-side only — never exposed to the browser. */\n readonly clientSecret: string\n /**\n * Public callback URL the IdP will redirect to. Must match what's\n * configured at the IdP. Default: `<server-origin>/addon/auth-oidc/callback`.\n * Override when the server is behind a reverse proxy with a different\n * public-facing origin (e.g. `https://hub.example.com/addon/auth-oidc/callback`).\n */\n readonly redirectUri: string\n /** Space-separated OAuth scopes. Default: 'openid profile email'. */\n readonly scopes: string\n /**\n * Scopes / claims used to derive the local username. The first\n * matching claim wins. Default order: preferred_username → email → sub.\n */\n readonly usernameClaim: 'preferred_username' | 'email' | 'sub'\n /** Default role assigned to first-time SSO users. */\n readonly defaultRole: 'viewer' | 'admin' | 'super_admin'\n}\n\nconst DEFAULT_CONFIG: OidcConfig = {\n displayName: 'OpenID Connect',\n icon: 'shield-check',\n issuerUrl: '',\n clientId: '',\n clientSecret: '',\n redirectUri: '',\n scopes: 'openid profile email',\n usernameClaim: 'preferred_username',\n defaultRole: 'viewer',\n}\n\ninterface DiscoveryDocument {\n readonly issuer: string\n readonly authorization_endpoint: string\n readonly token_endpoint: string\n readonly userinfo_endpoint?: string\n readonly jwks_uri?: string\n}\n\ninterface PendingState {\n readonly codeVerifier: string\n readonly createdAt: number\n}\n\ninterface OidcTokenResponse {\n readonly access_token: string\n readonly id_token?: string\n readonly token_type?: string\n readonly expires_in?: number\n readonly refresh_token?: string\n}\n\ninterface OidcClaims {\n readonly sub: string\n readonly iss?: string\n readonly aud?: string | readonly string[]\n readonly email?: string\n readonly preferred_username?: string\n readonly name?: string\n}\n\nconst STATE_TTL_MS = 5 * 60_000\n\nexport class AuthOidcAddon extends BaseAddon<OidcConfig> {\n private discovery: DiscoveryDocument | null = null\n private discoveryFetchedAt = 0\n private readonly pendingStates = new Map<string, PendingState>()\n\n // Provider metadata — read by the auth-orchestrator when the admin\n // UI calls `authentication.listProviders`. Static fields on the\n // provider object so the orchestrator's coercion picks them up.\n readonly displayName: string\n readonly kind = 'oidc' as const\n readonly icon: string\n readonly hasRedirectFlow = true\n readonly hasCredentialFlow = false\n\n constructor() {\n super({ ...DEFAULT_CONFIG })\n this.displayName = DEFAULT_CONFIG.displayName\n this.icon = DEFAULT_CONFIG.icon\n }\n\n protected async onInitialize(): Promise<ProviderRegistration[]> {\n // Override the static metadata with the configured displayName so\n // the orchestrator picks up the operator-chosen label.\n Object.assign(this, {\n displayName: this.config.values.displayName || DEFAULT_CONFIG.displayName,\n icon: this.config.values.icon || DEFAULT_CONFIG.icon,\n })\n\n const authProvider: IAuthProvider = {\n validateCredentials: async () => null, // OIDC has no credential flow\n validateToken: async ({ token }) => this.validateLocalSessionToken(token),\n getLoginUrl: async ({ state }) => this.buildLoginUrl(state),\n handleCallback: async (params) => {\n const code = params['code']\n const state = params['state']\n if (!code || !state) {\n throw new Error('Missing code or state in OIDC callback')\n }\n return this.handleCallback(code, state)\n },\n }\n\n const routes: IAddonHttpRoute[] = [\n {\n method: 'GET',\n path: '/start',\n access: 'public',\n description: 'Begin OIDC redirect login flow',\n handler: async (req, reply) => this.handleStart(req, reply),\n },\n {\n method: 'GET',\n path: '/callback',\n access: 'public',\n description: 'OIDC redirect callback — exchanges code for tokens',\n handler: async (req, reply) => this.handleCallbackRoute(req, reply),\n },\n ]\n const routeProvider: IAddonRouteProvider = {\n id: 'auth-oidc',\n getRoutes: () => routes,\n }\n\n this.ctx.logger.info('OIDC auth provider initialized', {\n meta: {\n displayName: this.displayName,\n issuerUrl: this.config.values.issuerUrl || '(not configured)',\n },\n })\n\n return [\n { capability: authProviderCapability, provider: authProvider as never },\n { capability: addonRoutesCapability, provider: routeProvider as never },\n ]\n }\n\n protected globalSettingsSchema() {\n return this.schema({\n sections: [{\n id: 'oidc',\n title: 'OIDC Provider Settings',\n description: 'Configure your IdP. The redirect URI must be registered at the IdP exactly as shown below.',\n columns: 1,\n fields: [\n this.field({ type: 'text', key: 'displayName', label: 'Display Name', description: 'Shown on the login button (e.g., \"Continue with Google\").', default: DEFAULT_CONFIG.displayName }),\n this.field({ type: 'text', key: 'icon', label: 'Icon', description: 'lucide-react icon name. Default: shield-check.', default: DEFAULT_CONFIG.icon }),\n this.field({ type: 'text', key: 'issuerUrl', label: 'Issuer URL', description: 'IdP base URL — discovery doc lives at <issuer>/.well-known/openid-configuration.', default: '' }),\n this.field({ type: 'text', key: 'clientId', label: 'Client ID', description: 'OAuth2 client ID issued by the IdP.', default: '' }),\n this.field({ type: 'text', key: 'clientSecret', label: 'Client Secret', description: 'OAuth2 client secret. Server-side only.', default: '' }),\n this.field({ type: 'text', key: 'redirectUri', label: 'Redirect URI', description: 'Public callback URL. Default: <origin>/addon/auth-oidc/callback. Must match the IdP-registered URI.', default: '' }),\n this.field({ type: 'text', key: 'scopes', label: 'Scopes', description: 'Space-separated OAuth scopes.', default: DEFAULT_CONFIG.scopes }),\n this.field({\n type: 'select',\n key: 'usernameClaim',\n label: 'Username Claim',\n description: 'Which OIDC claim to use as the local username.',\n default: DEFAULT_CONFIG.usernameClaim,\n options: [\n { value: 'preferred_username', label: 'preferred_username' },\n { value: 'email', label: 'email' },\n { value: 'sub', label: 'sub (user id)' },\n ],\n }),\n this.field({\n type: 'select',\n key: 'defaultRole',\n label: 'Default Role',\n description: 'Role assigned to first-time SSO users.',\n default: DEFAULT_CONFIG.defaultRole,\n options: [\n { value: 'viewer', label: 'Viewer' },\n { value: 'admin', label: 'Admin' },\n { value: 'super_admin', label: 'Super Admin' },\n ],\n }),\n ],\n }],\n })\n }\n\n // ─── OIDC discovery + URL building ─────────────────────────────────\n\n /**\n * Fetch + cache the IdP's discovery document. Refreshes every hour\n * (issuer config rarely changes; refresh window keeps us correct\n * without hammering on every login).\n */\n private async getDiscovery(): Promise<DiscoveryDocument> {\n if (this.discovery && Date.now() - this.discoveryFetchedAt < 60 * 60_000) {\n return this.discovery\n }\n const issuer = this.config.values.issuerUrl?.replace(/\\/+$/, '')\n if (!issuer) throw new Error('OIDC issuerUrl not configured')\n const url = `${issuer}/.well-known/openid-configuration`\n const res = await fetch(url)\n if (!res.ok) {\n throw new Error(`OIDC discovery failed: ${res.status} ${res.statusText}`)\n }\n const doc = (await res.json()) as DiscoveryDocument\n if (!doc.authorization_endpoint || !doc.token_endpoint) {\n throw new Error('OIDC discovery response missing required endpoints')\n }\n this.discovery = doc\n this.discoveryFetchedAt = Date.now()\n return doc\n }\n\n private buildRedirectUri(): string {\n const configured = this.config.values.redirectUri?.trim()\n if (configured) return configured\n // Fallback: server origin from env. In a multi-host deploy the\n // operator MUST set redirectUri explicitly.\n const origin = process.env['CAMSTACK_PUBLIC_ORIGIN'] || 'https://localhost:4443'\n return `${origin.replace(/\\/+$/, '')}/addon/auth-oidc/callback`\n }\n\n private async buildLoginUrl(state: string): Promise<string> {\n const doc = await this.getDiscovery()\n\n // PKCE: random code_verifier, S256 hash → code_challenge.\n const codeVerifier = crypto.randomBytes(32).toString('base64url')\n const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url')\n\n this.pruneExpiredStates()\n this.pendingStates.set(state, { codeVerifier, createdAt: Date.now() })\n\n const params = new URLSearchParams({\n response_type: 'code',\n client_id: this.config.values.clientId,\n redirect_uri: this.buildRedirectUri(),\n scope: this.config.values.scopes || DEFAULT_CONFIG.scopes,\n state,\n code_challenge: codeChallenge,\n code_challenge_method: 'S256',\n })\n return `${doc.authorization_endpoint}?${params.toString()}`\n }\n\n private pruneExpiredStates(): void {\n const now = Date.now()\n for (const [k, v] of this.pendingStates.entries()) {\n if (now - v.createdAt > STATE_TTL_MS) this.pendingStates.delete(k)\n }\n }\n\n // ─── Callback / token exchange ─────────────────────────────────────\n\n private async handleCallback(code: string, state: string): Promise<{\n userId: string\n username: string\n email?: string\n displayName?: string\n roles: readonly string[]\n }> {\n const pending = this.pendingStates.get(state)\n if (!pending) {\n throw new Error('Unknown or expired OIDC state — login session timed out, please retry')\n }\n this.pendingStates.delete(state)\n\n const doc = await this.getDiscovery()\n const tokenRes = await fetch(doc.token_endpoint, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n Accept: 'application/json',\n },\n body: new URLSearchParams({\n grant_type: 'authorization_code',\n code,\n redirect_uri: this.buildRedirectUri(),\n client_id: this.config.values.clientId,\n client_secret: this.config.values.clientSecret,\n code_verifier: pending.codeVerifier,\n }),\n })\n if (!tokenRes.ok) {\n const text = await tokenRes.text().catch(() => '')\n throw new Error(`OIDC token exchange failed: ${tokenRes.status} ${tokenRes.statusText} — ${text.slice(0, 200)}`)\n }\n const tokens = (await tokenRes.json()) as OidcTokenResponse\n\n // Decode id_token claims (no signature verification — see header\n // doc comment). For now we trust the token because it arrived via\n // the back-channel from a verified state-bound exchange. PRODUCTION:\n // call `jose.jwtVerify(id_token, await jose.createRemoteJWKSet(jwks_uri))`.\n let claims: OidcClaims | null = null\n if (tokens.id_token) {\n claims = decodeJwtPayload(tokens.id_token) as OidcClaims | null\n }\n // Fallback: query userinfo_endpoint with the access token\n if (!claims && doc.userinfo_endpoint) {\n const ui = await fetch(doc.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${tokens.access_token}` },\n })\n if (ui.ok) claims = (await ui.json()) as OidcClaims\n }\n if (!claims?.sub) {\n throw new Error('OIDC callback: id_token missing required `sub` claim')\n }\n\n const usernameClaim = this.config.values.usernameClaim\n const username =\n (usernameClaim === 'preferred_username' && claims.preferred_username) ||\n (usernameClaim === 'email' && claims.email) ||\n claims.sub\n\n const userId = `oidc:${claims.sub}`\n return {\n userId,\n username: String(username),\n ...(claims.email ? { email: claims.email } : {}),\n ...(claims.name ? { displayName: claims.name } : {}),\n roles: [this.config.values.defaultRole],\n }\n }\n\n private validateLocalSessionToken(_token: string): null {\n // The local CamStack session token is minted by the host's auth\n // subsystem after `handleCallback` returns. Token verification\n // remains the responsibility of `local-auth` / the auth-manager;\n // this provider only mints AuthResult.\n return null\n }\n\n // ─── HTTP route handlers ───────────────────────────────────────────\n\n private async handleStart(_req: AddonHttpRequest, reply: AddonHttpReply): Promise<void> {\n const state = crypto.randomBytes(16).toString('base64url')\n try {\n const url = await this.buildLoginUrl(state)\n reply.code(302)\n reply.header('Location', url)\n reply.send('')\n } catch (err) {\n reply.code(500)\n reply.send({ error: 'OIDC start failed', message: errMsg(err) })\n }\n }\n\n private async handleCallbackRoute(req: AddonHttpRequest, reply: AddonHttpReply): Promise<void> {\n const query = req.query as Record<string, string | undefined>\n const code = query['code']\n const state = query['state']\n const errorParam = query['error']\n\n if (errorParam) {\n reply.code(400)\n reply.send({ error: 'OIDC error', detail: errorParam, description: query['error_description'] })\n return\n }\n if (!code || !state) {\n reply.code(400)\n reply.send({ error: 'Missing code or state' })\n return\n }\n\n try {\n const result = await this.handleCallback(code, state)\n // The host's auth subsystem owns local session minting. We\n // signal success by redirecting to a known admin endpoint with\n // the OIDC result encoded in the query — the server's auth\n // route handler picks it up, mints a JWT, and redirects to the\n // admin UI with `#token=...`.\n const params = new URLSearchParams({\n userId: result.userId,\n username: result.username,\n ...(result.email ? { email: result.email } : {}),\n ...(result.displayName ? { displayName: result.displayName } : {}),\n roles: result.roles.join(','),\n provider: 'auth-oidc',\n })\n reply.code(302)\n reply.header('Location', `/api/auth/sso/finish?${params.toString()}`)\n reply.send('')\n } catch (err) {\n reply.code(500)\n reply.send({ error: 'OIDC callback failed', message: errMsg(err) })\n }\n }\n}\n\nexport default AuthOidcAddon\n\n/**\n * Decode a JWT's payload as JSON without verifying its signature.\n *\n * **NOT SAFE for general token validation** — only used here because\n * the id_token arrives via the back-channel token exchange against a\n * state-bound code, which gives us implicit transport-level trust. A\n * production-grade implementation must use `jose.jwtVerify` against\n * the issuer's published JWKS.\n */\nfunction decodeJwtPayload(jwt: string): unknown {\n const parts = jwt.split('.')\n if (parts.length !== 3) return null\n try {\n const payload = parts[1]!\n const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4)\n const buf = Buffer.from(padded, 'base64url')\n return JSON.parse(buf.toString('utf-8'))\n } catch {\n return null\n }\n}\n"],"names":["BaseAddon","authProviderCapability","addonRoutesCapability","crypto","errMsg"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAuFA,MAAM,iBAA6B;AAAA,EACjC,aAAa;AAAA,EACb,MAAM;AAAA,EACN,WAAW;AAAA,EACX,UAAU;AAAA,EACV,cAAc;AAAA,EACd,aAAa;AAAA,EACb,QAAQ;AAAA,EACR,eAAe;AAAA,EACf,aAAa;AACf;AAgCA,MAAM,eAAe,IAAI;AAElB,MAAM,sBAAsBA,MAAAA,UAAsB;AAAA,EAC/C,YAAsC;AAAA,EACtC,qBAAqB;AAAA,EACZ,oCAAoB,IAAA;AAAA;AAAA;AAAA;AAAA,EAK5B;AAAA,EACA,OAAO;AAAA,EACP;AAAA,EACA,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EAE7B,cAAc;AACZ,UAAM,EAAE,GAAG,gBAAgB;AAC3B,SAAK,cAAc,eAAe;AAClC,SAAK,OAAO,eAAe;AAAA,EAC7B;AAAA,EAEA,MAAgB,eAAgD;AAG9D,WAAO,OAAO,MAAM;AAAA,MAClB,aAAa,KAAK,OAAO,OAAO,eAAe,eAAe;AAAA,MAC9D,MAAM,KAAK,OAAO,OAAO,QAAQ,eAAe;AAAA,IAAA,CACjD;AAED,UAAM,eAA8B;AAAA,MAClC,qBAAqB,YAAY;AAAA;AAAA,MACjC,eAAe,OAAO,EAAE,YAAY,KAAK,0BAA0B,KAAK;AAAA,MACxE,aAAa,OAAO,EAAE,YAAY,KAAK,cAAc,KAAK;AAAA,MAC1D,gBAAgB,OAAO,WAAW;AAChC,cAAM,OAAO,OAAO,MAAM;AAC1B,cAAM,QAAQ,OAAO,OAAO;AAC5B,YAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,gBAAM,IAAI,MAAM,wCAAwC;AAAA,QAC1D;AACA,eAAO,KAAK,eAAe,MAAM,KAAK;AAAA,MACxC;AAAA,IAAA;AAGF,UAAM,SAA4B;AAAA,MAChC;AAAA,QACE,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,SAAS,OAAO,KAAK,UAAU,KAAK,YAAY,KAAK,KAAK;AAAA,MAAA;AAAA,MAE5D;AAAA,QACE,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,SAAS,OAAO,KAAK,UAAU,KAAK,oBAAoB,KAAK,KAAK;AAAA,MAAA;AAAA,IACpE;AAEF,UAAM,gBAAqC;AAAA,MACzC,IAAI;AAAA,MACJ,WAAW,MAAM;AAAA,IAAA;AAGnB,SAAK,IAAI,OAAO,KAAK,kCAAkC;AAAA,MACrD,MAAM;AAAA,QACJ,aAAa,KAAK;AAAA,QAClB,WAAW,KAAK,OAAO,OAAO,aAAa;AAAA,MAAA;AAAA,IAC7C,CACD;AAED,WAAO;AAAA,MACL,EAAE,YAAYC,MAAAA,wBAAwB,UAAU,aAAA;AAAA,MAChD,EAAE,YAAYC,6BAAuB,UAAU,cAAA;AAAA,IAAuB;AAAA,EAE1E;AAAA,EAEU,uBAAuB;AAC/B,WAAO,KAAK,OAAO;AAAA,MACjB,UAAU,CAAC;AAAA,QACT,IAAI;AAAA,QACJ,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,QACT,QAAQ;AAAA,UACN,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,eAAe,OAAO,gBAAgB,aAAa,6DAA6D,SAAS,eAAe,aAAa;AAAA,UACrL,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,QAAQ,OAAO,QAAQ,aAAa,kDAAkD,SAAS,eAAe,MAAM;AAAA,UACpJ,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,aAAa,OAAO,cAAc,aAAa,oFAAoF,SAAS,IAAI;AAAA,UAChL,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,YAAY,OAAO,aAAa,aAAa,uCAAuC,SAAS,IAAI;AAAA,UACjI,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,gBAAgB,OAAO,iBAAiB,aAAa,2CAA2C,SAAS,IAAI;AAAA,UAC7I,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,eAAe,OAAO,gBAAgB,aAAa,uGAAuG,SAAS,IAAI;AAAA,UACvM,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,UAAU,OAAO,UAAU,aAAa,iCAAiC,SAAS,eAAe,QAAQ;AAAA,UACzI,KAAK,MAAM;AAAA,YACT,MAAM;AAAA,YACN,KAAK;AAAA,YACL,OAAO;AAAA,YACP,aAAa;AAAA,YACb,SAAS,eAAe;AAAA,YACxB,SAAS;AAAA,cACP,EAAE,OAAO,sBAAsB,OAAO,qBAAA;AAAA,cACtC,EAAE,OAAO,SAAS,OAAO,QAAA;AAAA,cACzB,EAAE,OAAO,OAAO,OAAO,gBAAA;AAAA,YAAgB;AAAA,UACzC,CACD;AAAA,UACD,KAAK,MAAM;AAAA,YACT,MAAM;AAAA,YACN,KAAK;AAAA,YACL,OAAO;AAAA,YACP,aAAa;AAAA,YACb,SAAS,eAAe;AAAA,YACxB,SAAS;AAAA,cACP,EAAE,OAAO,UAAU,OAAO,SAAA;AAAA,cAC1B,EAAE,OAAO,SAAS,OAAO,QAAA;AAAA,cACzB,EAAE,OAAO,eAAe,OAAO,cAAA;AAAA,YAAc;AAAA,UAC/C,CACD;AAAA,QAAA;AAAA,MACH,CACD;AAAA,IAAA,CACF;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,eAA2C;AACvD,QAAI,KAAK,aAAa,KAAK,IAAA,IAAQ,KAAK,qBAAqB,KAAK,KAAQ;AACxE,aAAO,KAAK;AAAA,IACd;AACA,UAAM,SAAS,KAAK,OAAO,OAAO,WAAW,QAAQ,QAAQ,EAAE;AAC/D,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,+BAA+B;AAC5D,UAAM,MAAM,GAAG,MAAM;AACrB,UAAM,MAAM,MAAM,MAAM,GAAG;AAC3B,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,IAAI,MAAM,0BAA0B,IAAI,MAAM,IAAI,IAAI,UAAU,EAAE;AAAA,IAC1E;AACA,UAAM,MAAO,MAAM,IAAI,KAAA;AACvB,QAAI,CAAC,IAAI,0BAA0B,CAAC,IAAI,gBAAgB;AACtD,YAAM,IAAI,MAAM,oDAAoD;AAAA,IACtE;AACA,SAAK,YAAY;AACjB,SAAK,qBAAqB,KAAK,IAAA;AAC/B,WAAO;AAAA,EACT;AAAA,EAEQ,mBAA2B;AACjC,UAAM,aAAa,KAAK,OAAO,OAAO,aAAa,KAAA;AACnD,QAAI,WAAY,QAAO;AAGvB,UAAM,SAAS,QAAQ,IAAI,wBAAwB,KAAK;AACxD,WAAO,GAAG,OAAO,QAAQ,QAAQ,EAAE,CAAC;AAAA,EACtC;AAAA,EAEA,MAAc,cAAc,OAAgC;AAC1D,UAAM,MAAM,MAAM,KAAK,aAAA;AAGvB,UAAM,eAAeC,kBAAO,YAAY,EAAE,EAAE,SAAS,WAAW;AAChE,UAAM,gBAAgBA,kBAAO,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AAEzF,SAAK,mBAAA;AACL,SAAK,cAAc,IAAI,OAAO,EAAE,cAAc,WAAW,KAAK,IAAA,GAAO;AAErE,UAAM,SAAS,IAAI,gBAAgB;AAAA,MACjC,eAAe;AAAA,MACf,WAAW,KAAK,OAAO,OAAO;AAAA,MAC9B,cAAc,KAAK,iBAAA;AAAA,MACnB,OAAO,KAAK,OAAO,OAAO,UAAU,eAAe;AAAA,MACnD;AAAA,MACA,gBAAgB;AAAA,MAChB,uBAAuB;AAAA,IAAA,CACxB;AACD,WAAO,GAAG,IAAI,sBAAsB,IAAI,OAAO,UAAU;AAAA,EAC3D;AAAA,EAEQ,qBAA2B;AACjC,UAAM,MAAM,KAAK,IAAA;AACjB,eAAW,CAAC,GAAG,CAAC,KAAK,KAAK,cAAc,WAAW;AACjD,UAAI,MAAM,EAAE,YAAY,aAAc,MAAK,cAAc,OAAO,CAAC;AAAA,IACnE;AAAA,EACF;AAAA;AAAA,EAIA,MAAc,eAAe,MAAc,OAMxC;AACD,UAAM,UAAU,KAAK,cAAc,IAAI,KAAK;AAC5C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AACA,SAAK,cAAc,OAAO,KAAK;AAE/B,UAAM,MAAM,MAAM,KAAK,aAAA;AACvB,UAAM,WAAW,MAAM,MAAM,IAAI,gBAAgB;AAAA,MAC/C,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,QAAQ;AAAA,MAAA;AAAA,MAEV,MAAM,IAAI,gBAAgB;AAAA,QACxB,YAAY;AAAA,QACZ;AAAA,QACA,cAAc,KAAK,iBAAA;AAAA,QACnB,WAAW,KAAK,OAAO,OAAO;AAAA,QAC9B,eAAe,KAAK,OAAO,OAAO;AAAA,QAClC,eAAe,QAAQ;AAAA,MAAA,CACxB;AAAA,IAAA,CACF;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,OAAO,MAAM,SAAS,OAAO,MAAM,MAAM,EAAE;AACjD,YAAM,IAAI,MAAM,+BAA+B,SAAS,MAAM,IAAI,SAAS,UAAU,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC,EAAE;AAAA,IACjH;AACA,UAAM,SAAU,MAAM,SAAS,KAAA;AAM/B,QAAI,SAA4B;AAChC,QAAI,OAAO,UAAU;AACnB,eAAS,iBAAiB,OAAO,QAAQ;AAAA,IAC3C;AAEA,QAAI,CAAC,UAAU,IAAI,mBAAmB;AACpC,YAAM,KAAK,MAAM,MAAM,IAAI,mBAAmB;AAAA,QAC5C,SAAS,EAAE,eAAe,UAAU,OAAO,YAAY,GAAA;AAAA,MAAG,CAC3D;AACD,UAAI,GAAG,GAAI,UAAU,MAAM,GAAG,KAAA;AAAA,IAChC;AACA,QAAI,CAAC,QAAQ,KAAK;AAChB,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACxE;AAEA,UAAM,gBAAgB,KAAK,OAAO,OAAO;AACzC,UAAM,WACH,kBAAkB,wBAAwB,OAAO,sBACjD,kBAAkB,WAAW,OAAO,SACrC,OAAO;AAET,UAAM,SAAS,QAAQ,OAAO,GAAG;AACjC,WAAO;AAAA,MACL;AAAA,MACA,UAAU,OAAO,QAAQ;AAAA,MACzB,GAAI,OAAO,QAAQ,EAAE,OAAO,OAAO,MAAA,IAAU,CAAA;AAAA,MAC7C,GAAI,OAAO,OAAO,EAAE,aAAa,OAAO,KAAA,IAAS,CAAA;AAAA,MACjD,OAAO,CAAC,KAAK,OAAO,OAAO,WAAW;AAAA,IAAA;AAAA,EAE1C;AAAA,EAEQ,0BAA0B,QAAsB;AAKtD,WAAO;AAAA,EACT;AAAA;AAAA,EAIA,MAAc,YAAY,MAAwB,OAAsC;AACtF,UAAM,QAAQA,kBAAO,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,QAAI;AACF,YAAM,MAAM,MAAM,KAAK,cAAc,KAAK;AAC1C,YAAM,KAAK,GAAG;AACd,YAAM,OAAO,YAAY,GAAG;AAC5B,YAAM,KAAK,EAAE;AAAA,IACf,SAAS,KAAK;AACZ,YAAM,KAAK,GAAG;AACd,YAAM,KAAK,EAAE,OAAO,qBAAqB,SAASC,MAAAA,OAAO,GAAG,GAAG;AAAA,IACjE;AAAA,EACF;AAAA,EAEA,MAAc,oBAAoB,KAAuB,OAAsC;AAC7F,UAAM,QAAQ,IAAI;AAClB,UAAM,OAAO,MAAM,MAAM;AACzB,UAAM,QAAQ,MAAM,OAAO;AAC3B,UAAM,aAAa,MAAM,OAAO;AAEhC,QAAI,YAAY;AACd,YAAM,KAAK,GAAG;AACd,YAAM,KAAK,EAAE,OAAO,cAAc,QAAQ,YAAY,aAAa,MAAM,mBAAmB,GAAG;AAC/F;AAAA,IACF;AACA,QAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,YAAM,KAAK,GAAG;AACd,YAAM,KAAK,EAAE,OAAO,wBAAA,CAAyB;AAC7C;AAAA,IACF;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,eAAe,MAAM,KAAK;AAMpD,YAAM,SAAS,IAAI,gBAAgB;AAAA,QACjC,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,GAAI,OAAO,QAAQ,EAAE,OAAO,OAAO,MAAA,IAAU,CAAA;AAAA,QAC7C,GAAI,OAAO,cAAc,EAAE,aAAa,OAAO,YAAA,IAAgB,CAAA;AAAA,QAC/D,OAAO,OAAO,MAAM,KAAK,GAAG;AAAA,QAC5B,UAAU;AAAA,MAAA,CACX;AACD,YAAM,KAAK,GAAG;AACd,YAAM,OAAO,YAAY,wBAAwB,OAAO,SAAA,CAAU,EAAE;AACpE,YAAM,KAAK,EAAE;AAAA,IACf,SAAS,KAAK;AACZ,YAAM,KAAK,GAAG;AACd,YAAM,KAAK,EAAE,OAAO,wBAAwB,SAASA,MAAAA,OAAO,GAAG,GAAG;AAAA,IACpE;AAAA,EACF;AACF;AAaA,SAAS,iBAAiB,KAAsB;AAC9C,QAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,MAAI;AACF,UAAM,UAAU,MAAM,CAAC;AACvB,UAAM,SAAS,UAAU,IAAI,QAAQ,IAAK,QAAQ,SAAS,KAAM,CAAC;AAClE,UAAM,MAAM,OAAO,KAAK,QAAQ,WAAW;AAC3C,WAAO,KAAK,MAAM,IAAI,SAAS,OAAO,CAAC;AAAA,EACzC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;"}

package/dist/auth-oidc.addon.mjs ADDED Viewed

@@ -0,0 +1,297 @@
+import * as crypto from "node:crypto";
+import { BaseAddon, authProviderCapability, addonRoutesCapability, errMsg } from "@camstack/types";
+const DEFAULT_CONFIG = {
+  displayName: "OpenID Connect",
+  icon: "shield-check",
+  issuerUrl: "",
+  clientId: "",
+  clientSecret: "",
+  redirectUri: "",
+  scopes: "openid profile email",
+  usernameClaim: "preferred_username",
+  defaultRole: "viewer"
+};
+const STATE_TTL_MS = 5 * 6e4;
+class AuthOidcAddon extends BaseAddon {
+  discovery = null;
+  discoveryFetchedAt = 0;
+  pendingStates = /* @__PURE__ */ new Map();
+  // Provider metadata — read by the auth-orchestrator when the admin
+  // UI calls `authentication.listProviders`. Static fields on the
+  // provider object so the orchestrator's coercion picks them up.
+  displayName;
+  kind = "oidc";
+  icon;
+  hasRedirectFlow = true;
+  hasCredentialFlow = false;
+  constructor() {
+    super({ ...DEFAULT_CONFIG });
+    this.displayName = DEFAULT_CONFIG.displayName;
+    this.icon = DEFAULT_CONFIG.icon;
+  }
+  async onInitialize() {
+    Object.assign(this, {
+      displayName: this.config.values.displayName || DEFAULT_CONFIG.displayName,
+      icon: this.config.values.icon || DEFAULT_CONFIG.icon
+    });
+    const authProvider = {
+      validateCredentials: async () => null,
+      // OIDC has no credential flow
+      validateToken: async ({ token }) => this.validateLocalSessionToken(token),
+      getLoginUrl: async ({ state }) => this.buildLoginUrl(state),
+      handleCallback: async (params) => {
+        const code = params["code"];
+        const state = params["state"];
+        if (!code || !state) {
+          throw new Error("Missing code or state in OIDC callback");
+        }
+        return this.handleCallback(code, state);
+      }
+    };
+    const routes = [
+      {
+        method: "GET",
+        path: "/start",
+        access: "public",
+        description: "Begin OIDC redirect login flow",
+        handler: async (req, reply) => this.handleStart(req, reply)
+      },
+      {
+        method: "GET",
+        path: "/callback",
+        access: "public",
+        description: "OIDC redirect callback — exchanges code for tokens",
+        handler: async (req, reply) => this.handleCallbackRoute(req, reply)
+      }
+    ];
+    const routeProvider = {
+      id: "auth-oidc",
+      getRoutes: () => routes
+    };
+    this.ctx.logger.info("OIDC auth provider initialized", {
+      meta: {
+        displayName: this.displayName,
+        issuerUrl: this.config.values.issuerUrl || "(not configured)"
+      }
+    });
+    return [
+      { capability: authProviderCapability, provider: authProvider },
+      { capability: addonRoutesCapability, provider: routeProvider }
+    ];
+  }
+  globalSettingsSchema() {
+    return this.schema({
+      sections: [{
+        id: "oidc",
+        title: "OIDC Provider Settings",
+        description: "Configure your IdP. The redirect URI must be registered at the IdP exactly as shown below.",
+        columns: 1,
+        fields: [
+          this.field({ type: "text", key: "displayName", label: "Display Name", description: 'Shown on the login button (e.g., "Continue with Google").', default: DEFAULT_CONFIG.displayName }),
+          this.field({ type: "text", key: "icon", label: "Icon", description: "lucide-react icon name. Default: shield-check.", default: DEFAULT_CONFIG.icon }),
+          this.field({ type: "text", key: "issuerUrl", label: "Issuer URL", description: "IdP base URL — discovery doc lives at <issuer>/.well-known/openid-configuration.", default: "" }),
+          this.field({ type: "text", key: "clientId", label: "Client ID", description: "OAuth2 client ID issued by the IdP.", default: "" }),
+          this.field({ type: "text", key: "clientSecret", label: "Client Secret", description: "OAuth2 client secret. Server-side only.", default: "" }),
+          this.field({ type: "text", key: "redirectUri", label: "Redirect URI", description: "Public callback URL. Default: <origin>/addon/auth-oidc/callback. Must match the IdP-registered URI.", default: "" }),
+          this.field({ type: "text", key: "scopes", label: "Scopes", description: "Space-separated OAuth scopes.", default: DEFAULT_CONFIG.scopes }),
+          this.field({
+            type: "select",
+            key: "usernameClaim",
+            label: "Username Claim",
+            description: "Which OIDC claim to use as the local username.",
+            default: DEFAULT_CONFIG.usernameClaim,
+            options: [
+              { value: "preferred_username", label: "preferred_username" },
+              { value: "email", label: "email" },
+              { value: "sub", label: "sub (user id)" }
+            ]
+          }),
+          this.field({
+            type: "select",
+            key: "defaultRole",
+            label: "Default Role",
+            description: "Role assigned to first-time SSO users.",
+            default: DEFAULT_CONFIG.defaultRole,
+            options: [
+              { value: "viewer", label: "Viewer" },
+              { value: "admin", label: "Admin" },
+              { value: "super_admin", label: "Super Admin" }
+            ]
+          })
+        ]
+      }]
+    });
+  }
+  // ─── OIDC discovery + URL building ─────────────────────────────────
+  /**
+   * Fetch + cache the IdP's discovery document. Refreshes every hour
+   * (issuer config rarely changes; refresh window keeps us correct
+   * without hammering on every login).
+   */
+  async getDiscovery() {
+    if (this.discovery && Date.now() - this.discoveryFetchedAt < 60 * 6e4) {
+      return this.discovery;
+    }
+    const issuer = this.config.values.issuerUrl?.replace(/\/+$/, "");
+    if (!issuer) throw new Error("OIDC issuerUrl not configured");
+    const url = `${issuer}/.well-known/openid-configuration`;
+    const res = await fetch(url);
+    if (!res.ok) {
+      throw new Error(`OIDC discovery failed: ${res.status} ${res.statusText}`);
+    }
+    const doc = await res.json();
+    if (!doc.authorization_endpoint || !doc.token_endpoint) {
+      throw new Error("OIDC discovery response missing required endpoints");
+    }
+    this.discovery = doc;
+    this.discoveryFetchedAt = Date.now();
+    return doc;
+  }
+  buildRedirectUri() {
+    const configured = this.config.values.redirectUri?.trim();
+    if (configured) return configured;
+    const origin = process.env["CAMSTACK_PUBLIC_ORIGIN"] || "https://localhost:4443";
+    return `${origin.replace(/\/+$/, "")}/addon/auth-oidc/callback`;
+  }
+  async buildLoginUrl(state) {
+    const doc = await this.getDiscovery();
+    const codeVerifier = crypto.randomBytes(32).toString("base64url");
+    const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
+    this.pruneExpiredStates();
+    this.pendingStates.set(state, { codeVerifier, createdAt: Date.now() });
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: this.config.values.clientId,
+      redirect_uri: this.buildRedirectUri(),
+      scope: this.config.values.scopes || DEFAULT_CONFIG.scopes,
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256"
+    });
+    return `${doc.authorization_endpoint}?${params.toString()}`;
+  }
+  pruneExpiredStates() {
+    const now = Date.now();
+    for (const [k, v] of this.pendingStates.entries()) {
+      if (now - v.createdAt > STATE_TTL_MS) this.pendingStates.delete(k);
+    }
+  }
+  // ─── Callback / token exchange ─────────────────────────────────────
+  async handleCallback(code, state) {
+    const pending = this.pendingStates.get(state);
+    if (!pending) {
+      throw new Error("Unknown or expired OIDC state — login session timed out, please retry");
+    }
+    this.pendingStates.delete(state);
+    const doc = await this.getDiscovery();
+    const tokenRes = await fetch(doc.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: this.buildRedirectUri(),
+        client_id: this.config.values.clientId,
+        client_secret: this.config.values.clientSecret,
+        code_verifier: pending.codeVerifier
+      })
+    });
+    if (!tokenRes.ok) {
+      const text = await tokenRes.text().catch(() => "");
+      throw new Error(`OIDC token exchange failed: ${tokenRes.status} ${tokenRes.statusText} — ${text.slice(0, 200)}`);
+    }
+    const tokens = await tokenRes.json();
+    let claims = null;
+    if (tokens.id_token) {
+      claims = decodeJwtPayload(tokens.id_token);
+    }
+    if (!claims && doc.userinfo_endpoint) {
+      const ui = await fetch(doc.userinfo_endpoint, {
+        headers: { Authorization: `Bearer ${tokens.access_token}` }
+      });
+      if (ui.ok) claims = await ui.json();
+    }
+    if (!claims?.sub) {
+      throw new Error("OIDC callback: id_token missing required `sub` claim");
+    }
+    const usernameClaim = this.config.values.usernameClaim;
+    const username = usernameClaim === "preferred_username" && claims.preferred_username || usernameClaim === "email" && claims.email || claims.sub;
+    const userId = `oidc:${claims.sub}`;
+    return {
+      userId,
+      username: String(username),
+      ...claims.email ? { email: claims.email } : {},
+      ...claims.name ? { displayName: claims.name } : {},
+      roles: [this.config.values.defaultRole]
+    };
+  }
+  validateLocalSessionToken(_token) {
+    return null;
+  }
+  // ─── HTTP route handlers ───────────────────────────────────────────
+  async handleStart(_req, reply) {
+    const state = crypto.randomBytes(16).toString("base64url");
+    try {
+      const url = await this.buildLoginUrl(state);
+      reply.code(302);
+      reply.header("Location", url);
+      reply.send("");
+    } catch (err) {
+      reply.code(500);
+      reply.send({ error: "OIDC start failed", message: errMsg(err) });
+    }
+  }
+  async handleCallbackRoute(req, reply) {
+    const query = req.query;
+    const code = query["code"];
+    const state = query["state"];
+    const errorParam = query["error"];
+    if (errorParam) {
+      reply.code(400);
+      reply.send({ error: "OIDC error", detail: errorParam, description: query["error_description"] });
+      return;
+    }
+    if (!code || !state) {
+      reply.code(400);
+      reply.send({ error: "Missing code or state" });
+      return;
+    }
+    try {
+      const result = await this.handleCallback(code, state);
+      const params = new URLSearchParams({
+        userId: result.userId,
+        username: result.username,
+        ...result.email ? { email: result.email } : {},
+        ...result.displayName ? { displayName: result.displayName } : {},
+        roles: result.roles.join(","),
+        provider: "auth-oidc"
+      });
+      reply.code(302);
+      reply.header("Location", `/api/auth/sso/finish?${params.toString()}`);
+      reply.send("");
+    } catch (err) {
+      reply.code(500);
+      reply.send({ error: "OIDC callback failed", message: errMsg(err) });
+    }
+  }
+}
+function decodeJwtPayload(jwt) {
+  const parts = jwt.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const payload = parts[1];
+    const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+    const buf = Buffer.from(padded, "base64url");
+    return JSON.parse(buf.toString("utf-8"));
+  } catch {
+    return null;
+  }
+}
+export {
+  AuthOidcAddon,
+  AuthOidcAddon as default
+};
+//# sourceMappingURL=auth-oidc.addon.mjs.map

package/dist/auth-oidc.addon.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth-oidc.addon.mjs","sources":["../src/auth-oidc.addon.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-unsafe-return -- BaseAddon<TConfig>.config.values is typed-erased in the consumer's type tree under projectService context (the cap-router union resolves the generic at the call site, not in the addon's own dist). All sites flagged here are reads/writes of well-typed local fields; runtime contract is validated by Zod via globalSettingsSchema. */\n/**\n * Generic OpenID Connect (OIDC) authentication provider.\n *\n * Registers two capabilities:\n * - `auth-provider` (collection) — the standard CamStack auth surface.\n * `getLoginUrl({state})` returns the IdP's authorization URL with\n * state + PKCE; `handleCallback({code, state})` exchanges the code\n * for tokens and returns AuthResult.\n * - `addon-routes` (collection) — `/start` (302 to IdP) and\n * `/callback` (token exchange + redirect to admin UI with the\n * local session token in the URL fragment).\n *\n * Flow (login):\n * 1. Browser hits `/api/auth/sso/auth-oidc/start` (proxy to\n * `/addon/auth-oidc/start`)\n * 2. Addon redirects to `<issuer>/authorize?...&state=...&code_challenge=...`\n * 3. User authenticates at the IdP\n * 4. IdP redirects back to `/addon/auth-oidc/callback?code=...&state=...`\n * 5. Addon exchanges code for id_token + access_token, decodes claims,\n * mints local CamStack session, redirects to `/admin#token=...`\n *\n * Configuration: per-instance via global addon settings (issuer URL,\n * client ID/secret, scopes, displayName). Multiple OIDC providers can\n * coexist by installing this addon multiple times under different IDs.\n *\n * Production-readiness gaps (documented for follow-up):\n * - ID-token signature is NOT verified against JWKS. The token is\n * decoded as base64-url-JSON and trusted because the code came\n * from the IdP redirect (state param is verified). Add\n * `jose.jwtVerify(idToken, JWKS)` for full RFC 7515 compliance.\n * - State + PKCE are stored in-memory keyed by state value with a\n * 5-minute TTL. Survives addon restart only if the user retries\n * within the window. For production multi-replica deploys, move\n * to a settings-backed store.\n * - `nonce` parameter not yet implemented. Mitigate replay by\n * validating `aud` and `iss` from id_token claims.\n */\nimport * as crypto from 'node:crypto'\nimport {\n BaseAddon,\n authProviderCapability,\n addonRoutesCapability,\n errMsg,\n type ProviderRegistration,\n type IAuthProvider,\n type IAddonRouteProvider,\n type IAddonHttpRoute,\n type AddonHttpRequest,\n type AddonHttpReply,\n} from '@camstack/types'\n\ninterface OidcConfig {\n /** Display name shown on the login button + admin UI (\"Log in with Acme\"). */\n readonly displayName: string\n /** Operator-facing icon hint (lucide-react icon name). Defaults to 'shield-check'. */\n readonly icon: string\n /**\n * Issuer base URL — discovery document MUST live at\n * `<issuer>/.well-known/openid-configuration`. Examples:\n * - https://accounts.google.com\n * - https://login.microsoftonline.com/<tenant>/v2.0\n * - https://your-keycloak.example.com/realms/master\n */\n readonly issuerUrl: string\n /** OAuth2 client ID issued by the IdP. */\n readonly clientId: string\n /** OAuth2 client secret. Server-side only — never exposed to the browser. */\n readonly clientSecret: string\n /**\n * Public callback URL the IdP will redirect to. Must match what's\n * configured at the IdP. Default: `<server-origin>/addon/auth-oidc/callback`.\n * Override when the server is behind a reverse proxy with a different\n * public-facing origin (e.g. `https://hub.example.com/addon/auth-oidc/callback`).\n */\n readonly redirectUri: string\n /** Space-separated OAuth scopes. Default: 'openid profile email'. */\n readonly scopes: string\n /**\n * Scopes / claims used to derive the local username. The first\n * matching claim wins. Default order: preferred_username → email → sub.\n */\n readonly usernameClaim: 'preferred_username' | 'email' | 'sub'\n /** Default role assigned to first-time SSO users. */\n readonly defaultRole: 'viewer' | 'admin' | 'super_admin'\n}\n\nconst DEFAULT_CONFIG: OidcConfig = {\n displayName: 'OpenID Connect',\n icon: 'shield-check',\n issuerUrl: '',\n clientId: '',\n clientSecret: '',\n redirectUri: '',\n scopes: 'openid profile email',\n usernameClaim: 'preferred_username',\n defaultRole: 'viewer',\n}\n\ninterface DiscoveryDocument {\n readonly issuer: string\n readonly authorization_endpoint: string\n readonly token_endpoint: string\n readonly userinfo_endpoint?: string\n readonly jwks_uri?: string\n}\n\ninterface PendingState {\n readonly codeVerifier: string\n readonly createdAt: number\n}\n\ninterface OidcTokenResponse {\n readonly access_token: string\n readonly id_token?: string\n readonly token_type?: string\n readonly expires_in?: number\n readonly refresh_token?: string\n}\n\ninterface OidcClaims {\n readonly sub: string\n readonly iss?: string\n readonly aud?: string | readonly string[]\n readonly email?: string\n readonly preferred_username?: string\n readonly name?: string\n}\n\nconst STATE_TTL_MS = 5 * 60_000\n\nexport class AuthOidcAddon extends BaseAddon<OidcConfig> {\n private discovery: DiscoveryDocument | null = null\n private discoveryFetchedAt = 0\n private readonly pendingStates = new Map<string, PendingState>()\n\n // Provider metadata — read by the auth-orchestrator when the admin\n // UI calls `authentication.listProviders`. Static fields on the\n // provider object so the orchestrator's coercion picks them up.\n readonly displayName: string\n readonly kind = 'oidc' as const\n readonly icon: string\n readonly hasRedirectFlow = true\n readonly hasCredentialFlow = false\n\n constructor() {\n super({ ...DEFAULT_CONFIG })\n this.displayName = DEFAULT_CONFIG.displayName\n this.icon = DEFAULT_CONFIG.icon\n }\n\n protected async onInitialize(): Promise<ProviderRegistration[]> {\n // Override the static metadata with the configured displayName so\n // the orchestrator picks up the operator-chosen label.\n Object.assign(this, {\n displayName: this.config.values.displayName || DEFAULT_CONFIG.displayName,\n icon: this.config.values.icon || DEFAULT_CONFIG.icon,\n })\n\n const authProvider: IAuthProvider = {\n validateCredentials: async () => null, // OIDC has no credential flow\n validateToken: async ({ token }) => this.validateLocalSessionToken(token),\n getLoginUrl: async ({ state }) => this.buildLoginUrl(state),\n handleCallback: async (params) => {\n const code = params['code']\n const state = params['state']\n if (!code || !state) {\n throw new Error('Missing code or state in OIDC callback')\n }\n return this.handleCallback(code, state)\n },\n }\n\n const routes: IAddonHttpRoute[] = [\n {\n method: 'GET',\n path: '/start',\n access: 'public',\n description: 'Begin OIDC redirect login flow',\n handler: async (req, reply) => this.handleStart(req, reply),\n },\n {\n method: 'GET',\n path: '/callback',\n access: 'public',\n description: 'OIDC redirect callback — exchanges code for tokens',\n handler: async (req, reply) => this.handleCallbackRoute(req, reply),\n },\n ]\n const routeProvider: IAddonRouteProvider = {\n id: 'auth-oidc',\n getRoutes: () => routes,\n }\n\n this.ctx.logger.info('OIDC auth provider initialized', {\n meta: {\n displayName: this.displayName,\n issuerUrl: this.config.values.issuerUrl || '(not configured)',\n },\n })\n\n return [\n { capability: authProviderCapability, provider: authProvider as never },\n { capability: addonRoutesCapability, provider: routeProvider as never },\n ]\n }\n\n protected globalSettingsSchema() {\n return this.schema({\n sections: [{\n id: 'oidc',\n title: 'OIDC Provider Settings',\n description: 'Configure your IdP. The redirect URI must be registered at the IdP exactly as shown below.',\n columns: 1,\n fields: [\n this.field({ type: 'text', key: 'displayName', label: 'Display Name', description: 'Shown on the login button (e.g., \"Continue with Google\").', default: DEFAULT_CONFIG.displayName }),\n this.field({ type: 'text', key: 'icon', label: 'Icon', description: 'lucide-react icon name. Default: shield-check.', default: DEFAULT_CONFIG.icon }),\n this.field({ type: 'text', key: 'issuerUrl', label: 'Issuer URL', description: 'IdP base URL — discovery doc lives at <issuer>/.well-known/openid-configuration.', default: '' }),\n this.field({ type: 'text', key: 'clientId', label: 'Client ID', description: 'OAuth2 client ID issued by the IdP.', default: '' }),\n this.field({ type: 'text', key: 'clientSecret', label: 'Client Secret', description: 'OAuth2 client secret. Server-side only.', default: '' }),\n this.field({ type: 'text', key: 'redirectUri', label: 'Redirect URI', description: 'Public callback URL. Default: <origin>/addon/auth-oidc/callback. Must match the IdP-registered URI.', default: '' }),\n this.field({ type: 'text', key: 'scopes', label: 'Scopes', description: 'Space-separated OAuth scopes.', default: DEFAULT_CONFIG.scopes }),\n this.field({\n type: 'select',\n key: 'usernameClaim',\n label: 'Username Claim',\n description: 'Which OIDC claim to use as the local username.',\n default: DEFAULT_CONFIG.usernameClaim,\n options: [\n { value: 'preferred_username', label: 'preferred_username' },\n { value: 'email', label: 'email' },\n { value: 'sub', label: 'sub (user id)' },\n ],\n }),\n this.field({\n type: 'select',\n key: 'defaultRole',\n label: 'Default Role',\n description: 'Role assigned to first-time SSO users.',\n default: DEFAULT_CONFIG.defaultRole,\n options: [\n { value: 'viewer', label: 'Viewer' },\n { value: 'admin', label: 'Admin' },\n { value: 'super_admin', label: 'Super Admin' },\n ],\n }),\n ],\n }],\n })\n }\n\n // ─── OIDC discovery + URL building ─────────────────────────────────\n\n /**\n * Fetch + cache the IdP's discovery document. Refreshes every hour\n * (issuer config rarely changes; refresh window keeps us correct\n * without hammering on every login).\n */\n private async getDiscovery(): Promise<DiscoveryDocument> {\n if (this.discovery && Date.now() - this.discoveryFetchedAt < 60 * 60_000) {\n return this.discovery\n }\n const issuer = this.config.values.issuerUrl?.replace(/\\/+$/, '')\n if (!issuer) throw new Error('OIDC issuerUrl not configured')\n const url = `${issuer}/.well-known/openid-configuration`\n const res = await fetch(url)\n if (!res.ok) {\n throw new Error(`OIDC discovery failed: ${res.status} ${res.statusText}`)\n }\n const doc = (await res.json()) as DiscoveryDocument\n if (!doc.authorization_endpoint || !doc.token_endpoint) {\n throw new Error('OIDC discovery response missing required endpoints')\n }\n this.discovery = doc\n this.discoveryFetchedAt = Date.now()\n return doc\n }\n\n private buildRedirectUri(): string {\n const configured = this.config.values.redirectUri?.trim()\n if (configured) return configured\n // Fallback: server origin from env. In a multi-host deploy the\n // operator MUST set redirectUri explicitly.\n const origin = process.env['CAMSTACK_PUBLIC_ORIGIN'] || 'https://localhost:4443'\n return `${origin.replace(/\\/+$/, '')}/addon/auth-oidc/callback`\n }\n\n private async buildLoginUrl(state: string): Promise<string> {\n const doc = await this.getDiscovery()\n\n // PKCE: random code_verifier, S256 hash → code_challenge.\n const codeVerifier = crypto.randomBytes(32).toString('base64url')\n const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url')\n\n this.pruneExpiredStates()\n this.pendingStates.set(state, { codeVerifier, createdAt: Date.now() })\n\n const params = new URLSearchParams({\n response_type: 'code',\n client_id: this.config.values.clientId,\n redirect_uri: this.buildRedirectUri(),\n scope: this.config.values.scopes || DEFAULT_CONFIG.scopes,\n state,\n code_challenge: codeChallenge,\n code_challenge_method: 'S256',\n })\n return `${doc.authorization_endpoint}?${params.toString()}`\n }\n\n private pruneExpiredStates(): void {\n const now = Date.now()\n for (const [k, v] of this.pendingStates.entries()) {\n if (now - v.createdAt > STATE_TTL_MS) this.pendingStates.delete(k)\n }\n }\n\n // ─── Callback / token exchange ─────────────────────────────────────\n\n private async handleCallback(code: string, state: string): Promise<{\n userId: string\n username: string\n email?: string\n displayName?: string\n roles: readonly string[]\n }> {\n const pending = this.pendingStates.get(state)\n if (!pending) {\n throw new Error('Unknown or expired OIDC state — login session timed out, please retry')\n }\n this.pendingStates.delete(state)\n\n const doc = await this.getDiscovery()\n const tokenRes = await fetch(doc.token_endpoint, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n Accept: 'application/json',\n },\n body: new URLSearchParams({\n grant_type: 'authorization_code',\n code,\n redirect_uri: this.buildRedirectUri(),\n client_id: this.config.values.clientId,\n client_secret: this.config.values.clientSecret,\n code_verifier: pending.codeVerifier,\n }),\n })\n if (!tokenRes.ok) {\n const text = await tokenRes.text().catch(() => '')\n throw new Error(`OIDC token exchange failed: ${tokenRes.status} ${tokenRes.statusText} — ${text.slice(0, 200)}`)\n }\n const tokens = (await tokenRes.json()) as OidcTokenResponse\n\n // Decode id_token claims (no signature verification — see header\n // doc comment). For now we trust the token because it arrived via\n // the back-channel from a verified state-bound exchange. PRODUCTION:\n // call `jose.jwtVerify(id_token, await jose.createRemoteJWKSet(jwks_uri))`.\n let claims: OidcClaims | null = null\n if (tokens.id_token) {\n claims = decodeJwtPayload(tokens.id_token) as OidcClaims | null\n }\n // Fallback: query userinfo_endpoint with the access token\n if (!claims && doc.userinfo_endpoint) {\n const ui = await fetch(doc.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${tokens.access_token}` },\n })\n if (ui.ok) claims = (await ui.json()) as OidcClaims\n }\n if (!claims?.sub) {\n throw new Error('OIDC callback: id_token missing required `sub` claim')\n }\n\n const usernameClaim = this.config.values.usernameClaim\n const username =\n (usernameClaim === 'preferred_username' && claims.preferred_username) ||\n (usernameClaim === 'email' && claims.email) ||\n claims.sub\n\n const userId = `oidc:${claims.sub}`\n return {\n userId,\n username: String(username),\n ...(claims.email ? { email: claims.email } : {}),\n ...(claims.name ? { displayName: claims.name } : {}),\n roles: [this.config.values.defaultRole],\n }\n }\n\n private validateLocalSessionToken(_token: string): null {\n // The local CamStack session token is minted by the host's auth\n // subsystem after `handleCallback` returns. Token verification\n // remains the responsibility of `local-auth` / the auth-manager;\n // this provider only mints AuthResult.\n return null\n }\n\n // ─── HTTP route handlers ───────────────────────────────────────────\n\n private async handleStart(_req: AddonHttpRequest, reply: AddonHttpReply): Promise<void> {\n const state = crypto.randomBytes(16).toString('base64url')\n try {\n const url = await this.buildLoginUrl(state)\n reply.code(302)\n reply.header('Location', url)\n reply.send('')\n } catch (err) {\n reply.code(500)\n reply.send({ error: 'OIDC start failed', message: errMsg(err) })\n }\n }\n\n private async handleCallbackRoute(req: AddonHttpRequest, reply: AddonHttpReply): Promise<void> {\n const query = req.query as Record<string, string | undefined>\n const code = query['code']\n const state = query['state']\n const errorParam = query['error']\n\n if (errorParam) {\n reply.code(400)\n reply.send({ error: 'OIDC error', detail: errorParam, description: query['error_description'] })\n return\n }\n if (!code || !state) {\n reply.code(400)\n reply.send({ error: 'Missing code or state' })\n return\n }\n\n try {\n const result = await this.handleCallback(code, state)\n // The host's auth subsystem owns local session minting. We\n // signal success by redirecting to a known admin endpoint with\n // the OIDC result encoded in the query — the server's auth\n // route handler picks it up, mints a JWT, and redirects to the\n // admin UI with `#token=...`.\n const params = new URLSearchParams({\n userId: result.userId,\n username: result.username,\n ...(result.email ? { email: result.email } : {}),\n ...(result.displayName ? { displayName: result.displayName } : {}),\n roles: result.roles.join(','),\n provider: 'auth-oidc',\n })\n reply.code(302)\n reply.header('Location', `/api/auth/sso/finish?${params.toString()}`)\n reply.send('')\n } catch (err) {\n reply.code(500)\n reply.send({ error: 'OIDC callback failed', message: errMsg(err) })\n }\n }\n}\n\nexport default AuthOidcAddon\n\n/**\n * Decode a JWT's payload as JSON without verifying its signature.\n *\n * **NOT SAFE for general token validation** — only used here because\n * the id_token arrives via the back-channel token exchange against a\n * state-bound code, which gives us implicit transport-level trust. A\n * production-grade implementation must use `jose.jwtVerify` against\n * the issuer's published JWKS.\n */\nfunction decodeJwtPayload(jwt: string): unknown {\n const parts = jwt.split('.')\n if (parts.length !== 3) return null\n try {\n const payload = parts[1]!\n const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4)\n const buf = Buffer.from(padded, 'base64url')\n return JSON.parse(buf.toString('utf-8'))\n } catch {\n return null\n }\n}\n"],"names":[],"mappings":";;AAuFA,MAAM,iBAA6B;AAAA,EACjC,aAAa;AAAA,EACb,MAAM;AAAA,EACN,WAAW;AAAA,EACX,UAAU;AAAA,EACV,cAAc;AAAA,EACd,aAAa;AAAA,EACb,QAAQ;AAAA,EACR,eAAe;AAAA,EACf,aAAa;AACf;AAgCA,MAAM,eAAe,IAAI;AAElB,MAAM,sBAAsB,UAAsB;AAAA,EAC/C,YAAsC;AAAA,EACtC,qBAAqB;AAAA,EACZ,oCAAoB,IAAA;AAAA;AAAA;AAAA;AAAA,EAK5B;AAAA,EACA,OAAO;AAAA,EACP;AAAA,EACA,kBAAkB;AAAA,EAClB,oBAAoB;AAAA,EAE7B,cAAc;AACZ,UAAM,EAAE,GAAG,gBAAgB;AAC3B,SAAK,cAAc,eAAe;AAClC,SAAK,OAAO,eAAe;AAAA,EAC7B;AAAA,EAEA,MAAgB,eAAgD;AAG9D,WAAO,OAAO,MAAM;AAAA,MAClB,aAAa,KAAK,OAAO,OAAO,eAAe,eAAe;AAAA,MAC9D,MAAM,KAAK,OAAO,OAAO,QAAQ,eAAe;AAAA,IAAA,CACjD;AAED,UAAM,eAA8B;AAAA,MAClC,qBAAqB,YAAY;AAAA;AAAA,MACjC,eAAe,OAAO,EAAE,YAAY,KAAK,0BAA0B,KAAK;AAAA,MACxE,aAAa,OAAO,EAAE,YAAY,KAAK,cAAc,KAAK;AAAA,MAC1D,gBAAgB,OAAO,WAAW;AAChC,cAAM,OAAO,OAAO,MAAM;AAC1B,cAAM,QAAQ,OAAO,OAAO;AAC5B,YAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,gBAAM,IAAI,MAAM,wCAAwC;AAAA,QAC1D;AACA,eAAO,KAAK,eAAe,MAAM,KAAK;AAAA,MACxC;AAAA,IAAA;AAGF,UAAM,SAA4B;AAAA,MAChC;AAAA,QACE,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,SAAS,OAAO,KAAK,UAAU,KAAK,YAAY,KAAK,KAAK;AAAA,MAAA;AAAA,MAE5D;AAAA,QACE,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,SAAS,OAAO,KAAK,UAAU,KAAK,oBAAoB,KAAK,KAAK;AAAA,MAAA;AAAA,IACpE;AAEF,UAAM,gBAAqC;AAAA,MACzC,IAAI;AAAA,MACJ,WAAW,MAAM;AAAA,IAAA;AAGnB,SAAK,IAAI,OAAO,KAAK,kCAAkC;AAAA,MACrD,MAAM;AAAA,QACJ,aAAa,KAAK;AAAA,QAClB,WAAW,KAAK,OAAO,OAAO,aAAa;AAAA,MAAA;AAAA,IAC7C,CACD;AAED,WAAO;AAAA,MACL,EAAE,YAAY,wBAAwB,UAAU,aAAA;AAAA,MAChD,EAAE,YAAY,uBAAuB,UAAU,cAAA;AAAA,IAAuB;AAAA,EAE1E;AAAA,EAEU,uBAAuB;AAC/B,WAAO,KAAK,OAAO;AAAA,MACjB,UAAU,CAAC;AAAA,QACT,IAAI;AAAA,QACJ,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,QACT,QAAQ;AAAA,UACN,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,eAAe,OAAO,gBAAgB,aAAa,6DAA6D,SAAS,eAAe,aAAa;AAAA,UACrL,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,QAAQ,OAAO,QAAQ,aAAa,kDAAkD,SAAS,eAAe,MAAM;AAAA,UACpJ,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,aAAa,OAAO,cAAc,aAAa,oFAAoF,SAAS,IAAI;AAAA,UAChL,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,YAAY,OAAO,aAAa,aAAa,uCAAuC,SAAS,IAAI;AAAA,UACjI,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,gBAAgB,OAAO,iBAAiB,aAAa,2CAA2C,SAAS,IAAI;AAAA,UAC7I,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,eAAe,OAAO,gBAAgB,aAAa,uGAAuG,SAAS,IAAI;AAAA,UACvM,KAAK,MAAM,EAAE,MAAM,QAAQ,KAAK,UAAU,OAAO,UAAU,aAAa,iCAAiC,SAAS,eAAe,QAAQ;AAAA,UACzI,KAAK,MAAM;AAAA,YACT,MAAM;AAAA,YACN,KAAK;AAAA,YACL,OAAO;AAAA,YACP,aAAa;AAAA,YACb,SAAS,eAAe;AAAA,YACxB,SAAS;AAAA,cACP,EAAE,OAAO,sBAAsB,OAAO,qBAAA;AAAA,cACtC,EAAE,OAAO,SAAS,OAAO,QAAA;AAAA,cACzB,EAAE,OAAO,OAAO,OAAO,gBAAA;AAAA,YAAgB;AAAA,UACzC,CACD;AAAA,UACD,KAAK,MAAM;AAAA,YACT,MAAM;AAAA,YACN,KAAK;AAAA,YACL,OAAO;AAAA,YACP,aAAa;AAAA,YACb,SAAS,eAAe;AAAA,YACxB,SAAS;AAAA,cACP,EAAE,OAAO,UAAU,OAAO,SAAA;AAAA,cAC1B,EAAE,OAAO,SAAS,OAAO,QAAA;AAAA,cACzB,EAAE,OAAO,eAAe,OAAO,cAAA;AAAA,YAAc;AAAA,UAC/C,CACD;AAAA,QAAA;AAAA,MACH,CACD;AAAA,IAAA,CACF;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,eAA2C;AACvD,QAAI,KAAK,aAAa,KAAK,IAAA,IAAQ,KAAK,qBAAqB,KAAK,KAAQ;AACxE,aAAO,KAAK;AAAA,IACd;AACA,UAAM,SAAS,KAAK,OAAO,OAAO,WAAW,QAAQ,QAAQ,EAAE;AAC/D,QAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,+BAA+B;AAC5D,UAAM,MAAM,GAAG,MAAM;AACrB,UAAM,MAAM,MAAM,MAAM,GAAG;AAC3B,QAAI,CAAC,IAAI,IAAI;AACX,YAAM,IAAI,MAAM,0BAA0B,IAAI,MAAM,IAAI,IAAI,UAAU,EAAE;AAAA,IAC1E;AACA,UAAM,MAAO,MAAM,IAAI,KAAA;AACvB,QAAI,CAAC,IAAI,0BAA0B,CAAC,IAAI,gBAAgB;AACtD,YAAM,IAAI,MAAM,oDAAoD;AAAA,IACtE;AACA,SAAK,YAAY;AACjB,SAAK,qBAAqB,KAAK,IAAA;AAC/B,WAAO;AAAA,EACT;AAAA,EAEQ,mBAA2B;AACjC,UAAM,aAAa,KAAK,OAAO,OAAO,aAAa,KAAA;AACnD,QAAI,WAAY,QAAO;AAGvB,UAAM,SAAS,QAAQ,IAAI,wBAAwB,KAAK;AACxD,WAAO,GAAG,OAAO,QAAQ,QAAQ,EAAE,CAAC;AAAA,EACtC;AAAA,EAEA,MAAc,cAAc,OAAgC;AAC1D,UAAM,MAAM,MAAM,KAAK,aAAA;AAGvB,UAAM,eAAe,OAAO,YAAY,EAAE,EAAE,SAAS,WAAW;AAChE,UAAM,gBAAgB,OAAO,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AAEzF,SAAK,mBAAA;AACL,SAAK,cAAc,IAAI,OAAO,EAAE,cAAc,WAAW,KAAK,IAAA,GAAO;AAErE,UAAM,SAAS,IAAI,gBAAgB;AAAA,MACjC,eAAe;AAAA,MACf,WAAW,KAAK,OAAO,OAAO;AAAA,MAC9B,cAAc,KAAK,iBAAA;AAAA,MACnB,OAAO,KAAK,OAAO,OAAO,UAAU,eAAe;AAAA,MACnD;AAAA,MACA,gBAAgB;AAAA,MAChB,uBAAuB;AAAA,IAAA,CACxB;AACD,WAAO,GAAG,IAAI,sBAAsB,IAAI,OAAO,UAAU;AAAA,EAC3D;AAAA,EAEQ,qBAA2B;AACjC,UAAM,MAAM,KAAK,IAAA;AACjB,eAAW,CAAC,GAAG,CAAC,KAAK,KAAK,cAAc,WAAW;AACjD,UAAI,MAAM,EAAE,YAAY,aAAc,MAAK,cAAc,OAAO,CAAC;AAAA,IACnE;AAAA,EACF;AAAA;AAAA,EAIA,MAAc,eAAe,MAAc,OAMxC;AACD,UAAM,UAAU,KAAK,cAAc,IAAI,KAAK;AAC5C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AACA,SAAK,cAAc,OAAO,KAAK;AAE/B,UAAM,MAAM,MAAM,KAAK,aAAA;AACvB,UAAM,WAAW,MAAM,MAAM,IAAI,gBAAgB;AAAA,MAC/C,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,QAAQ;AAAA,MAAA;AAAA,MAEV,MAAM,IAAI,gBAAgB;AAAA,QACxB,YAAY;AAAA,QACZ;AAAA,QACA,cAAc,KAAK,iBAAA;AAAA,QACnB,WAAW,KAAK,OAAO,OAAO;AAAA,QAC9B,eAAe,KAAK,OAAO,OAAO;AAAA,QAClC,eAAe,QAAQ;AAAA,MAAA,CACxB;AAAA,IAAA,CACF;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,OAAO,MAAM,SAAS,OAAO,MAAM,MAAM,EAAE;AACjD,YAAM,IAAI,MAAM,+BAA+B,SAAS,MAAM,IAAI,SAAS,UAAU,MAAM,KAAK,MAAM,GAAG,GAAG,CAAC,EAAE;AAAA,IACjH;AACA,UAAM,SAAU,MAAM,SAAS,KAAA;AAM/B,QAAI,SAA4B;AAChC,QAAI,OAAO,UAAU;AACnB,eAAS,iBAAiB,OAAO,QAAQ;AAAA,IAC3C;AAEA,QAAI,CAAC,UAAU,IAAI,mBAAmB;AACpC,YAAM,KAAK,MAAM,MAAM,IAAI,mBAAmB;AAAA,QAC5C,SAAS,EAAE,eAAe,UAAU,OAAO,YAAY,GAAA;AAAA,MAAG,CAC3D;AACD,UAAI,GAAG,GAAI,UAAU,MAAM,GAAG,KAAA;AAAA,IAChC;AACA,QAAI,CAAC,QAAQ,KAAK;AAChB,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACxE;AAEA,UAAM,gBAAgB,KAAK,OAAO,OAAO;AACzC,UAAM,WACH,kBAAkB,wBAAwB,OAAO,sBACjD,kBAAkB,WAAW,OAAO,SACrC,OAAO;AAET,UAAM,SAAS,QAAQ,OAAO,GAAG;AACjC,WAAO;AAAA,MACL;AAAA,MACA,UAAU,OAAO,QAAQ;AAAA,MACzB,GAAI,OAAO,QAAQ,EAAE,OAAO,OAAO,MAAA,IAAU,CAAA;AAAA,MAC7C,GAAI,OAAO,OAAO,EAAE,aAAa,OAAO,KAAA,IAAS,CAAA;AAAA,MACjD,OAAO,CAAC,KAAK,OAAO,OAAO,WAAW;AAAA,IAAA;AAAA,EAE1C;AAAA,EAEQ,0BAA0B,QAAsB;AAKtD,WAAO;AAAA,EACT;AAAA;AAAA,EAIA,MAAc,YAAY,MAAwB,OAAsC;AACtF,UAAM,QAAQ,OAAO,YAAY,EAAE,EAAE,SAAS,WAAW;AACzD,QAAI;AACF,YAAM,MAAM,MAAM,KAAK,cAAc,KAAK;AAC1C,YAAM,KAAK,GAAG;AACd,YAAM,OAAO,YAAY,GAAG;AAC5B,YAAM,KAAK,EAAE;AAAA,IACf,SAAS,KAAK;AACZ,YAAM,KAAK,GAAG;AACd,YAAM,KAAK,EAAE,OAAO,qBAAqB,SAAS,OAAO,GAAG,GAAG;AAAA,IACjE;AAAA,EACF;AAAA,EAEA,MAAc,oBAAoB,KAAuB,OAAsC;AAC7F,UAAM,QAAQ,IAAI;AAClB,UAAM,OAAO,MAAM,MAAM;AACzB,UAAM,QAAQ,MAAM,OAAO;AAC3B,UAAM,aAAa,MAAM,OAAO;AAEhC,QAAI,YAAY;AACd,YAAM,KAAK,GAAG;AACd,YAAM,KAAK,EAAE,OAAO,cAAc,QAAQ,YAAY,aAAa,MAAM,mBAAmB,GAAG;AAC/F;AAAA,IACF;AACA,QAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,YAAM,KAAK,GAAG;AACd,YAAM,KAAK,EAAE,OAAO,wBAAA,CAAyB;AAC7C;AAAA,IACF;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,eAAe,MAAM,KAAK;AAMpD,YAAM,SAAS,IAAI,gBAAgB;AAAA,QACjC,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,GAAI,OAAO,QAAQ,EAAE,OAAO,OAAO,MAAA,IAAU,CAAA;AAAA,QAC7C,GAAI,OAAO,cAAc,EAAE,aAAa,OAAO,YAAA,IAAgB,CAAA;AAAA,QAC/D,OAAO,OAAO,MAAM,KAAK,GAAG;AAAA,QAC5B,UAAU;AAAA,MAAA,CACX;AACD,YAAM,KAAK,GAAG;AACd,YAAM,OAAO,YAAY,wBAAwB,OAAO,SAAA,CAAU,EAAE;AACpE,YAAM,KAAK,EAAE;AAAA,IACf,SAAS,KAAK;AACZ,YAAM,KAAK,GAAG;AACd,YAAM,KAAK,EAAE,OAAO,wBAAwB,SAAS,OAAO,GAAG,GAAG;AAAA,IACpE;AAAA,EACF;AACF;AAaA,SAAS,iBAAiB,KAAsB;AAC9C,QAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,MAAI,MAAM,WAAW,EAAG,QAAO;AAC/B,MAAI;AACF,UAAM,UAAU,MAAM,CAAC;AACvB,UAAM,SAAS,UAAU,IAAI,QAAQ,IAAK,QAAQ,SAAS,KAAM,CAAC;AAClE,UAAM,MAAM,OAAO,KAAK,QAAQ,WAAW;AAC3C,WAAO,KAAK,MAAM,IAAI,SAAS,OAAO,CAAC;AAAA,EACzC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperties(exports, { __esModule: { value: true }, [Symbol.toStringTag]: { value: "Module" } });
+const authOidc_addon = require("./auth-oidc.addon.js");
+exports.AuthOidcAddon = authOidc_addon.AuthOidcAddon;
+exports.default = authOidc_addon.AuthOidcAddon;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;;"}

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,6 @@
+import { AuthOidcAddon, AuthOidcAddon as AuthOidcAddon2 } from "./auth-oidc.addon.mjs";
+export {
+  AuthOidcAddon,
+  AuthOidcAddon2 as default
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.mjs","sources":[],"sourcesContent":[],"names":[],"mappings":";"}

package/package.json ADDED Viewed

@@ -0,0 +1,70 @@
+{
+  "name": "@camstack/addon-auth-oidc",
+  "version": "0.1.0",
+  "description": "OpenID Connect (OIDC) authentication provider for CamStack — Google, Microsoft, Okta, Keycloak, and any standards-compliant OIDC IdP.",
+  "keywords": [
+    "camstack",
+    "addon",
+    "camstack-addon",
+    "auth",
+    "oidc",
+    "sso"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/camstack/server"
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "camstack": {
+    "displayName": "OIDC Authentication",
+    "addons": [
+      {
+        "id": "auth-oidc",
+        "name": "OpenID Connect",
+        "description": "Standards-compliant OIDC authentication. Configure issuer URL + client credentials to enable SSO via Google, Microsoft, Okta, Keycloak, etc.",
+        "entry": "./dist/auth-oidc.addon.js",
+        "execution": {
+          "placement": "hub-only"
+        },
+        "capabilities": [
+          {
+            "name": "auth-provider"
+          },
+          {
+            "name": "addon-routes"
+          }
+        ]
+      }
+    ]
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "vite build",
+    "typecheck": "tsc --noEmit",
+    "publish": "npm publish --access public"
+  },
+  "peerDependencies": {
+    "@camstack/types": "^0.1.0"
+  },
+  "dependencies": {
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@camstack/types": "*",
+    "tsup": "^8.0.0",
+    "typescript": "~5.9.0"
+  }
+}