@flink-app/oidc-plugin 2.0.0-alpha.90 → 2.0.0-alpha.91

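--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @flink-app/oidc-plugin
 
+## 2.0.0-alpha.91
+
+### Minor Changes
+
+- 1bdbc82: feat(oidc-plugin): add per-provider `useUserInfoEndpoint` config flag (default `true`) to disable UserInfo calls for IdPs where the endpoint is unreliable or redundant with ID token claims
+
+### Patch Changes
+
+- @flink-app/flink@2.0.0-alpha.91
+- @flink-app/jwt-auth-plugin@2.0.0-alpha.91
+
 ## 2.0.0-alpha.90
 
 ### Patch Changes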
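--- a/package/README.md
+++ b/package/README.md
@@ -203,6 +203,26 @@ await app.start();
 }
 ```
 
+#### Disabling the UserInfo endpoint
+
+By default, the plugin calls the UserInfo endpoint after token exchange to
+enrich the profile with additional claims. Some IdPs either don't expose
+extra claims beyond the ID token or return unreliable 5xx errors from
+UserInfo. In those cases, set `useUserInfoEndpoint: false` on the provider
+config to skip the UserInfo call entirely and build profiles from ID token
+claims only:
+
+```typescript
+{
+issuer: "https://idp.acme.com",
+clientId: "your-client-id",
+clientSecret: "your-client-secret",
+callbackUrl: "https://myapp.com/oidc/acme/callback",
+discoveryUrl: "https://idp.acme.com/.well-known/openid-configuration",
+useUserInfoEndpoint: false, // skip UserInfo; use ID token claims only
+}
+```
+
 ### Callback Functions
 
 #### onAuthSuccess
@@ -619,6 +639,7 @@ interface OidcProviderConfigDB {
 authorizationEndpoint?: string;
 tokenEndpoint?: string;
 userinfoEndpoint?: string;
+useUserInfoEndpoint?: boolean; // default true
 jwksUri?: string;
 scope: string[];
 createdAt: Date;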
@@ -84,5 +84,14 @@ export interface OidcProviderConfig {
84
84
  * e.g., { "department": "custom:department", "role": "custom:role" }
85
85
  */
86
86
  claimMapping?: Record<string, string>;
87
+ /**
88
+ * Whether to fetch additional claims from the UserInfo endpoint.
89
+ * Default: true
90
+ *
91
+ * Set to `false` for IdPs whose UserInfo endpoint is unreliable or
92
+ * returns no additional data beyond what's already in the ID token.
93
+ * When disabled, profiles are built from ID token claims only.
94
+ */
95
+ useUserInfoEndpoint?: boolean;
87
96
  }
88
97
  //# sourceMappingURL=OidcProviderConfig.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"OidcProviderConfig.d.ts","sourceRoot":"","sources":["../src/OidcProviderConfig.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;OAMG;IACH,uBAAuB,CAAC,EAAE,qBAAqB,GAAG,oBAAoB,GAAG,MAAM,CAAC;IAEhF;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IAEH;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACzC"}
1
+ {"version":3,"file":"OidcProviderConfig.d.ts","sourceRoot":"","sources":["../src/OidcProviderConfig.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;OAMG;IACH,uBAAuB,CAAC,EAAE,qBAAqB,GAAG,oBAAoB,GAAG,MAAM,CAAC;IAEhF;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAEjB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IAEH;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEtC;;;;;;;OAOG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;CACjC"}
@@ -121,8 +121,8 @@ const CallbackOidc = async ({ ctx, req }) => {
121
121
  nonce: session.nonce,
122
122
  });
123
123
  log_1.oidcLog.debug(`Callback: token exchange successful`, `sub="${tokenSet.claims.sub}"`, `iss="${tokenSet.claims.iss}"`, `email="${tokenSet.claims.email || "(none)"}"`, `hasRefreshToken=${!!tokenSet.refreshToken}`, `expiresIn=${tokenSet.expiresIn ?? "(none)"}s`);
124
- // Build user profile from ID token and UserInfo
125
- const profile = await oidcProvider.buildProfile(tokenSet, true);
124
+ // Build user profile from ID token and (optionally) UserInfo
125
+ const profile = await oidcProvider.buildProfile(tokenSet, oidcProvider.config.useUserInfoEndpoint ?? true);
126
126
  log_1.oidcLog.debug(`Callback: profile built id="${profile.id}" email="${profile.email || "(none)"}" name="${profile.name || "(none)"}"`);
127
127
  // Call onAuthSuccess callback to create/link user and generate JWT token
128
128
  const authSuccessParams = {
@@ -14,7 +14,7 @@ import OidcTokenSet from "../schemas/OidcTokenSet";
14
14
  * - Claims mapping to profile
15
15
  */
16
16
  export declare class OidcProvider {
17
- private config;
17
+ readonly config: OidcProviderConfig;
18
18
  private issuer;
19
19
  private client;
20
20
  private initialized;
@@ -1 +1 @@
1
- {"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwD,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvG,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAKnD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAsEjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAoD/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAsBjE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IAgCjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}
1
+ {"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwD,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvG,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAKnD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,SAAgB,MAAM,EAAE,kBAAkB,CAAC;IAC3C,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAsEjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAoD/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAsBjE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IAgCjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}
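--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@flink-app/oidc-plugin",
-"version": "2.0.0-alpha.90",
+"version": "2.0.0-alpha.91",
 "description": "Flink plugin for OIDC authentication with generic IdP support",
 "author": "joel@frost.se",
 "license": "MIT",
@@ -11,10 +11,10 @@
 },
 "dependencies": {
 "openid-client": "^5.7.0",
-"@flink-app/jwt-auth-plugin": "2.0.0-alpha.90"
+"@flink-app/jwt-auth-plugin": "2.0.0-alpha.91"
 },
 "peerDependencies": {
-"@flink-app/flink": ">=2.0.0-alpha.90",
+"@flink-app/flink": ">=2.0.0-alpha.91",
 "mongodb": "^6.15.0"
 },
 "peerDependenciesMeta": {
@@ -27,9 +27,9 @@
 "@types/node": "22.13.10",
 "ts-node": "^10.9.2",
 "tsc-watch": "^4.2.9",
-"@flink-app/flink": "2.0.0-alpha.90",
-"@flink-app/jwt-auth-plugin": "2.0.0-alpha.90",
-"@flink-app/test-utils": "2.0.0-alpha.90"
+"@flink-app/jwt-auth-plugin": "2.0.0-alpha.91",
+"@flink-app/test-utils": "2.0.0-alpha.91",
+"@flink-app/flink": "2.0.0-alpha.91"
 },
 "scripts": {
 "test": "jasmine-ts --config=./spec/support/jasmine.json",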
@@ -96,4 +96,14 @@ export interface OidcProviderConfig {
96
96
  * e.g., { "department": "custom:department", "role": "custom:role" }
97
97
  */
98
98
  claimMapping?: Record<string, string>;
99
+
100
+ /**
101
+ * Whether to fetch additional claims from the UserInfo endpoint.
102
+ * Default: true
103
+ *
104
+ * Set to `false` for IdPs whose UserInfo endpoint is unreliable or
105
+ * returns no additional data beyond what's already in the ID token.
106
+ * When disabled, profiles are built from ID token claims only.
107
+ */
108
+ useUserInfoEndpoint?: boolean;
99
109
  }
@@ -158,8 +158,8 @@ const CallbackOidc: GetHandler<any, any, PathParams, CallbackRequest> = async ({
158
158
  `expiresIn=${tokenSet.expiresIn ?? "(none)"}s`
159
159
  );
160
160
 
161
- // Build user profile from ID token and UserInfo
162
- const profile = await oidcProvider.buildProfile(tokenSet, true);
161
+ // Build user profile from ID token and (optionally) UserInfo
162
+ const profile = await oidcProvider.buildProfile(tokenSet, oidcProvider.config.useUserInfoEndpoint ?? true);
163
163
  oidcLog.debug(`Callback: profile built id="${profile.id}" email="${profile.email || "(none)"}" name="${profile.name || "(none)"}"`);
164
164
 
165
165
  // Call onAuthSuccess callback to create/link user and generate JWT token
@@ -18,7 +18,7 @@ import { oidcLog } from "../log";
18
18
  * - Claims mapping to profile
19
19
  */
20
20
  export class OidcProvider {
21
- private config: OidcProviderConfig;
21
+ public readonly config: OidcProviderConfig;
22
22
  private issuer: Issuer<Client> | null = null;
23
23
  private client: Client | null = null;
24
24
  private initialized: boolean = false;