@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/actions/end_session.js

@@ -0,0 +1,222 @@
+import * as crypto from 'node:crypto';
+
+import { InvalidClient, InvalidRequest, OIDCProviderError } from '../helpers/errors.js';
+import * as JWT from '../helpers/jwt.js';
+import redirectUri from '../helpers/redirect_uri.js';
+import instance from '../helpers/weak_cache.js';
+import rejectDupes from '../shared/reject_dupes.js';
+import bodyParser from '../shared/conditional_body.js';
+import paramsMiddleware from '../shared/assemble_params.js';
+import sessionMiddleware from '../shared/session.js';
+import revoke from '../helpers/revoke.js';
+import noCache from '../shared/no_cache.js';
+import formPost from '../response_modes/form_post.js';
+
+const parseBody = bodyParser.bind(undefined, 'application/x-www-form-urlencoded');
+
+export const init = [
+  noCache,
+  sessionMiddleware,
+  parseBody,
+  paramsMiddleware.bind(undefined, new Set(['id_token_hint', 'post_logout_redirect_uri', 'state', 'ui_locales', 'client_id', 'logout_hint'])),
+  rejectDupes.bind(undefined, {}),
+
+  async function endSessionChecks(ctx, next) {
+    const { params } = ctx.oidc;
+
+    let client;
+    if (params.id_token_hint) {
+      try {
+        const idTokenHint = JWT.decode(params.id_token_hint);
+        ctx.oidc.entity('IdTokenHint', idTokenHint);
+      } catch (err) {
+        throw new InvalidRequest('could not decode id_token_hint', undefined, err.message);
+      }
+      const { payload: { aud: clientId } } = ctx.oidc.entities.IdTokenHint;
+
+      if (params.client_id && params.client_id !== clientId) {
+        throw new InvalidRequest('client_id does not match the provided id_token_hint');
+      }
+      client = await ctx.oidc.provider.Client.find(clientId);
+      if (!client) {
+        throw new InvalidClient('unrecognized id_token_hint audience', 'client not found');
+      }
+      try {
+        await ctx.oidc.provider.IdToken.validate(params.id_token_hint, client);
+      } catch (err) {
+        if (err instanceof OIDCProviderError) {
+          throw err;
+        }
+
+        throw new InvalidRequest('could not validate id_token_hint', undefined, err.message);
+      }
+      ctx.oidc.entity('Client', client);
+    } else if (params.client_id) {
+      client = await ctx.oidc.provider.Client.find(params.client_id);
+      if (!client) {
+        throw new InvalidClient('client is invalid', 'client not found');
+      }
+      ctx.oidc.entity('Client', client);
+    }
+
+    if (client && params.post_logout_redirect_uri !== undefined) {
+      if (!client.postLogoutRedirectUriAllowed(params.post_logout_redirect_uri)) {
+        throw new InvalidRequest('post_logout_redirect_uri not registered');
+      }
+    } else if (params.post_logout_redirect_uri !== undefined) {
+      params.post_logout_redirect_uri = undefined;
+    }
+
+    await next();
+  },
+
+  async function renderLogout(ctx) {
+    // TODO: generic xsrf middleware to remove this
+    const secret = crypto.randomBytes(24).toString('hex');
+
+    ctx.oidc.session.state = {
+      secret,
+      clientId: ctx.oidc.client ? ctx.oidc.client.clientId : undefined,
+      state: ctx.oidc.params.state,
+      postLogoutRedirectUri: ctx.oidc.params.post_logout_redirect_uri,
+    };
+
+    const action = ctx.oidc.urlFor('end_session_confirm');
+
+    if (ctx.oidc.session.accountId) {
+      ctx.type = 'html';
+      ctx.status = 200;
+
+      const formHtml = `<form id="op.logoutForm" method="post" action="${action}"><input type="hidden" name="xsrf" value="${secret}"/></form>`;
+      await instance(ctx.oidc.provider).features.rpInitiatedLogout.logoutSource(ctx, formHtml);
+    } else {
+      formPost(ctx, action, {
+        xsrf: secret,
+        logout: 'yes',
+      });
+    }
+  },
+];
+
+export const confirm = [
+  noCache,
+  sessionMiddleware,
+  parseBody,
+  paramsMiddleware.bind(undefined, new Set(['xsrf', 'logout'])),
+  rejectDupes.bind(undefined, {}),
+
+  async function checkLogoutToken(ctx, next) {
+    if (!ctx.oidc.session.state) {
+      throw new InvalidRequest('could not find logout details');
+    }
+    if (ctx.oidc.session.state.secret !== ctx.oidc.params.xsrf) {
+      throw new InvalidRequest('xsrf token invalid');
+    }
+    await next();
+  },
+
+  async function endSession(ctx) {
+    const { oidc: { session, params } } = ctx;
+    const { state } = session;
+
+    const {
+      features: { backchannelLogout },
+      cookies: { long: opts },
+    } = instance(ctx.oidc.provider).configuration;
+
+    if (backchannelLogout.enabled) {
+      const clientIds = Object.keys(session.authorizations || {});
+
+      const back = [];
+
+      for (const clientId of clientIds) {
+        if (params.logout || clientId === state.clientId) {
+          const client = await ctx.oidc.provider.Client.find(clientId);
+          if (client) {
+            const sid = session.sidFor(client.clientId);
+            if (client.backchannelLogoutUri) {
+              const { accountId } = session;
+              back.push(client.backchannelLogout(accountId, sid)
+                .then(() => {
+                  ctx.oidc.provider.emit('backchannel.success', ctx, client, accountId, sid);
+                }, (err) => {
+                  ctx.oidc.provider.emit('backchannel.error', ctx, err, client, accountId, sid);
+                }));
+            }
+          }
+        }
+      }
+
+      await Promise.all(back);
+    }
+
+    if (state.clientId) {
+      ctx.oidc.entity('Client', await ctx.oidc.provider.Client.find(state.clientId));
+    }
+
+    if (params.logout) {
+      if (session.authorizations) {
+        await Promise.all(
+          Object.entries(session.authorizations).map(async ([clientId, { grantId }]) => {
+            // Drop the grants without offline_access
+            // Note: tokens that don't get dropped due to offline_access having being added
+            // later will still not work, as such they will be orphaned until their TTL hits
+            if (grantId && !session.authorizationFor(clientId).persistsLogout) {
+              await revoke(ctx, grantId);
+            }
+          }),
+        );
+      }
+
+      await session.destroy();
+
+      ctx.cookies.set(
+        ctx.oidc.provider.cookieName('session'),
+        null,
+        opts,
+      );
+    } else if (state.clientId) {
+      const grantId = session.grantIdFor(state.clientId);
+      if (grantId && !session.authorizationFor(state.clientId).persistsLogout) {
+        await revoke(ctx, grantId);
+        ctx.oidc.provider.emit('grant.revoked', ctx, grantId);
+      }
+      session.state = undefined;
+      if (session.authorizations) {
+        delete session.authorizations[state.clientId];
+      }
+      session.resetIdentifier();
+    }
+
+    const usePostLogoutUri = state.postLogoutRedirectUri;
+    const forwardClientId = !usePostLogoutUri && !params.logout && state.clientId;
+    const uri = redirectUri(
+      usePostLogoutUri ? state.postLogoutRedirectUri : ctx.oidc.urlFor('end_session_success'),
+      {
+        ...(usePostLogoutUri && state.state != null
+          ? { state: state.state } : undefined), // != intended
+        ...(forwardClientId ? { client_id: state.clientId } : undefined),
+      },
+    );
+
+    ctx.oidc.provider.emit('end_session.success', ctx);
+
+    ctx.status = 303;
+    ctx.redirect(uri);
+  },
+];
+
+export const success = [
+  noCache,
+  paramsMiddleware.bind(undefined, new Set(['client_id'])),
+  async function postLogoutSuccess(ctx) {
+    if (ctx.oidc.params.client_id) {
+      const client = await ctx.oidc.provider.Client.find(ctx.oidc.params.client_id);
+      if (!client) {
+        throw new InvalidClient('client is invalid', 'client not found');
+      }
+      ctx.oidc.entity('Client', client);
+    }
+    await instance(ctx.oidc.provider).features.rpInitiatedLogout.postLogoutSuccessSource(ctx);
+  },
+];

package/dist/node_modules/oidc-provider/lib/actions/grants/authorization_code.js

@@ -0,0 +1,144 @@
+import { InvalidGrant } from '../../helpers/errors.js';
+import presence from '../../helpers/validate_presence.js';
+import instance from '../../helpers/weak_cache.js';
+import checkPKCE from '../../helpers/pkce.js';
+import revoke from '../../helpers/revoke.js';
+import dpopValidate from '../../helpers/validate_dpop.js';
+import checkRar from '../../shared/check_rar.js';
+import { checkAttestBinding } from '../../helpers/check_attest_binding.js';
+import {
+  checkMtlsCert,
+  checkDpopRequired,
+  validateGrant,
+  validateAccount,
+  checkAccountMismatch,
+  createAccessToken,
+  applyMtlsBinding,
+  applyDpopBinding,
+  resolveAndApplyResource,
+  createRefreshToken,
+  issueIdToken,
+  buildTokenResponse,
+} from '../../helpers/grant_common.js';
+
+const gty = 'authorization_code';
+
+export const handler = async function authorizationCodeHandler(ctx) {
+  const {
+    findAccount,
+    issueRefreshToken,
+    allowOmittingSingleRegisteredRedirectUri,
+    conformIdTokenClaims,
+    features: {
+      userinfo,
+      mTLS: { getCertificate },
+      resourceIndicators,
+      richAuthorizationRequests,
+      dPoP: { allowReplay },
+    },
+  } = instance(ctx.oidc.provider).configuration;
+
+  if (allowOmittingSingleRegisteredRedirectUri && ctx.oidc.params.redirect_uri === undefined) {
+    // It is permitted to omit the redirect_uri if only ONE is registered on the client
+    const { 0: uri, length } = ctx.oidc.client.redirectUris;
+    if (uri && length === 1) {
+      ctx.oidc.params.redirect_uri = uri;
+    }
+  }
+
+  presence(ctx, 'code', 'redirect_uri');
+
+  const dPoP = await dpopValidate(ctx);
+
+  const code = await ctx.oidc.provider.AuthorizationCode.find(ctx.oidc.params.code, {
+    ignoreExpiration: true,
+  });
+
+  if (!code) {
+    throw new InvalidGrant('authorization code not found');
+  }
+
+  if (code.clientId !== ctx.oidc.client.clientId) {
+    throw new InvalidGrant('client mismatch');
+  }
+
+  if (code.isExpired) {
+    throw new InvalidGrant('authorization code is expired');
+  }
+
+  const grant = await validateGrant(ctx, code.grantId);
+
+  checkPKCE(ctx.oidc.params.code_verifier, code.codeChallenge, code.codeChallengeMethod);
+
+  const cert = checkMtlsCert(ctx, getCertificate);
+  checkDpopRequired(ctx, dPoP);
+
+  if (code.redirectUri !== ctx.oidc.params.redirect_uri) {
+    throw new InvalidGrant('authorization code redirect_uri mismatch');
+  }
+
+  if (ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth' && code.attestationJkt) {
+    await checkAttestBinding(ctx, code);
+  }
+
+  if (code.consumed) {
+    await revoke(ctx, code.grantId);
+    throw new InvalidGrant('authorization code already consumed');
+  }
+
+  await code.consume();
+
+  ctx.oidc.entity('AuthorizationCode', code);
+  ctx.oidc.entity('Grant', grant);
+
+  const account = await validateAccount(ctx, findAccount, code, 'authorization code');
+  checkAccountMismatch(code, grant);
+
+  ctx.oidc.entity('Account', account);
+
+  const { RefreshToken } = ctx.oidc.provider;
+
+  const at = createAccessToken(
+    ctx,
+    ctx.oidc.provider.AccessToken,
+    { ...code, accountId: account.accountId },
+    gty,
+  );
+  applyMtlsBinding(at, cert);
+
+  if (code.dpopJkt && !dPoP) {
+    throw new InvalidGrant('missing DPoP proof JWT');
+  }
+
+  await applyDpopBinding(ctx, dPoP, at, allowReplay);
+
+  if (dPoP && code.dpopJkt && code.dpopJkt !== dPoP.thumbprint) {
+    throw new InvalidGrant('DPoP proof key thumbprint does not match dpop_jkt');
+  }
+
+  await checkRar(ctx, () => {});
+  await resolveAndApplyResource(ctx, code, at, grant, { userinfo, resourceIndicators });
+
+  if (richAuthorizationRequests.enabled && at.resourceServer) {
+    at.rar = await richAuthorizationRequests.rarForCodeResponse(ctx, at.resourceServer);
+  }
+
+  ctx.oidc.entity('AccessToken', at);
+  const accessToken = await at.save();
+
+  const refreshToken = await createRefreshToken(ctx, code, at, gty, {
+    issueRefreshToken, RefreshToken,
+  });
+
+  const idToken = await issueIdToken(ctx, code, at, grant, {
+    conformIdTokenClaims, userinfo,
+  });
+
+  ctx.body = buildTokenResponse(at, accessToken, {
+    idToken, refreshToken, source: code, rar: at.rar,
+  });
+};
+
+export const parameters = new Set(['code', 'code_verifier', 'redirect_uri']);
+
+export const grantType = gty;

package/dist/node_modules/oidc-provider/lib/actions/grants/ciba.js

@@ -0,0 +1,127 @@
+import { AuthorizationPending, ExpiredToken, InvalidGrant } from '../../helpers/errors.js';
+import presence from '../../helpers/validate_presence.js';
+import instance from '../../helpers/weak_cache.js';
+import revoke from '../../helpers/revoke.js';
+import dpopValidate from '../../helpers/validate_dpop.js';
+import { checkAttestBinding } from '../../helpers/check_attest_binding.js';
+import checkRar from '../../shared/check_rar.js';
+import {
+  throwIfAsyncGrantError,
+  checkMtlsCert,
+  checkDpopRequired,
+  validateGrant,
+  validateAccount,
+  checkAccountMismatch,
+  createAccessToken,
+  applyMtlsBinding,
+  applyDpopBinding,
+  resolveAndApplyResource,
+  createRefreshToken,
+  issueIdToken,
+  buildTokenResponse,
+} from '../../helpers/grant_common.js';
+
+export const gty = 'ciba';
+
+export const handler = async function cibaHandler(ctx) {
+  presence(ctx, 'auth_req_id');
+
+  const {
+    findAccount,
+    issueRefreshToken,
+    conformIdTokenClaims,
+    features: {
+      userinfo,
+      mTLS: { getCertificate },
+      dPoP: { allowReplay },
+      resourceIndicators,
+      richAuthorizationRequests,
+    },
+  } = instance(ctx.oidc.provider).configuration;
+
+  const dPoP = await dpopValidate(ctx);
+
+  const request = await ctx.oidc.provider.BackchannelAuthenticationRequest.find(
+    ctx.oidc.params.auth_req_id,
+    { ignoreExpiration: true },
+  );
+
+  if (!request) {
+    throw new InvalidGrant('backchannel authentication request not found');
+  }
+
+  if (request.clientId !== ctx.oidc.client.clientId) {
+    throw new InvalidGrant('client mismatch');
+  }
+
+  const cert = checkMtlsCert(ctx, getCertificate);
+  checkDpopRequired(ctx, dPoP);
+
+  if (request.isExpired) {
+    throw new ExpiredToken('backchannel authentication request is expired');
+  }
+
+  if (!request.grantId && !request.error) {
+    throw new AuthorizationPending();
+  }
+
+  if (ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth') {
+    await checkAttestBinding(ctx, request);
+  }
+
+  if (request.consumed) {
+    await revoke(ctx, request.grantId);
+    throw new InvalidGrant('backchannel authentication request already consumed');
+  }
+
+  await request.consume();
+
+  throwIfAsyncGrantError(request);
+
+  const grant = await validateGrant(ctx, request.grantId);
+
+  ctx.oidc.entity('BackchannelAuthenticationRequest', request);
+  ctx.oidc.entity('Grant', grant);
+
+  const account = await validateAccount(ctx, findAccount, request, 'backchannel authentication request');
+  checkAccountMismatch(request, grant);
+
+  ctx.oidc.entity('Account', account);
+
+  const { RefreshToken } = ctx.oidc.provider;
+
+  const at = createAccessToken(
+    ctx,
+    ctx.oidc.provider.AccessToken,
+    { ...request, accountId: account.accountId },
+    gty,
+  );
+  applyMtlsBinding(at, cert);
+  await applyDpopBinding(ctx, dPoP, at, allowReplay);
+
+  await checkRar(ctx, () => {});
+  await resolveAndApplyResource(ctx, request, at, grant, { userinfo, resourceIndicators });
+
+  if (richAuthorizationRequests.enabled && at.resourceServer) {
+    at.rar = await richAuthorizationRequests.rarForBackchannelResponse(ctx, at.resourceServer);
+  }
+
+  ctx.oidc.entity('AccessToken', at);
+  const accessToken = await at.save();
+
+  const refreshToken = await createRefreshToken(ctx, request, at, gty, {
+    issueRefreshToken, RefreshToken,
+  });
+
+  const idToken = await issueIdToken(ctx, request, at, grant, {
+    conformIdTokenClaims, userinfo,
+  });
+
+  ctx.body = buildTokenResponse(at, accessToken, {
+    idToken, refreshToken, source: request, rar: at.rar,
+  });
+};
+
+export const parameters = new Set(['auth_req_id']);
+
+export const grantType = 'urn:openid:params:grant-type:ciba';

package/dist/node_modules/oidc-provider/lib/actions/grants/client_credentials.js

@@ -0,0 +1,79 @@
+import instance from '../../helpers/weak_cache.js';
+import {
+  InvalidTarget, InvalidScope, InvalidRequest,
+} from '../../helpers/errors.js';
+import dpopValidate from '../../helpers/validate_dpop.js';
+import checkResource from '../../shared/check_resource.js';
+import {
+  checkMtlsCert,
+  applyDpopBinding,
+  checkDpopRequired,
+} from '../../helpers/grant_common.js';
+
+export const handler = async function clientCredentialsHandler(ctx) {
+  const { client } = ctx.oidc;
+  const { ClientCredentials } = ctx.oidc.provider;
+  const {
+    features: {
+      mTLS: { getCertificate },
+      dPoP: { allowReplay },
+    },
+    scopes: statics,
+  } = instance(ctx.oidc.provider).configuration;
+
+  const dPoP = await dpopValidate(ctx);
+
+  if (ctx.oidc.params.authorization_details) {
+    throw new InvalidRequest('authorization_details is unsupported for this grant_type');
+  }
+
+  await checkResource(ctx, () => {});
+
+  const scopes = [...new Set(ctx.oidc.params.scope?.split(' '))];
+
+  if (client.scope) {
+    const allowList = new Set(client.scope.split(' '));
+
+    for (const scope of scopes.filter(Set.prototype.has.bind(statics))) {
+      if (!allowList.has(scope)) {
+        throw new InvalidScope('requested scope is not allowed', scope);
+      }
+    }
+  }
+
+  const token = new ClientCredentials({
+    client,
+    scope: scopes.join(' ') || undefined,
+  });
+
+  const { 0: resourceServer, length } = Object.values(ctx.oidc.resourceServers);
+  if (resourceServer) {
+    if (length !== 1) {
+      throw new InvalidTarget('only a single resource indicator value is supported for this grant type');
+    }
+    token.resourceServer = resourceServer;
+    token.scope = scopes.filter(Set.prototype.has.bind(new Set(resourceServer.scope.split(' ')))).join(' ') || undefined;
+  }
+
+  const cert = checkMtlsCert(ctx, getCertificate);
+  if (cert) {
+    token.setThumbprint('x5t', cert);
+  }
+
+  await applyDpopBinding(ctx, dPoP, token, allowReplay);
+  checkDpopRequired(ctx, dPoP);
+
+  ctx.oidc.entity('ClientCredentials', token);
+  const value = await token.save();
+
+  ctx.body = {
+    access_token: value,
+    expires_in: token.expiration,
+    token_type: token.tokenType,
+    scope: token.scope || undefined,
+  };
+};
+
+export const parameters = new Set(['scope']);
+
+export const grantType = 'client_credentials';

package/dist/node_modules/oidc-provider/lib/actions/grants/device_code.js

@@ -0,0 +1,125 @@
+import {
+  AuthorizationPending, ExpiredToken, InvalidGrant, InvalidRequest,
+} from '../../helpers/errors.js';
+import presence from '../../helpers/validate_presence.js';
+import instance from '../../helpers/weak_cache.js';
+import revoke from '../../helpers/revoke.js';
+import dpopValidate from '../../helpers/validate_dpop.js';
+import { checkAttestBinding } from '../../helpers/check_attest_binding.js';
+import {
+  throwIfAsyncGrantError,
+  checkMtlsCert,
+  checkDpopRequired,
+  validateGrant,
+  validateAccount,
+  checkAccountMismatch,
+  createAccessToken,
+  applyMtlsBinding,
+  applyDpopBinding,
+  resolveAndApplyResource,
+  createRefreshToken,
+  issueIdToken,
+  buildTokenResponse,
+} from '../../helpers/grant_common.js';
+
+export const gty = 'device_code';
+
+export const handler = async function deviceCodeHandler(ctx) {
+  presence(ctx, 'device_code');
+
+  if (ctx.oidc.params.authorization_details) {
+    throw new InvalidRequest('authorization_details is unsupported for this grant_type');
+  }
+
+  const {
+    findAccount,
+    issueRefreshToken,
+    conformIdTokenClaims,
+    features: {
+      userinfo,
+      mTLS: { getCertificate },
+      dPoP: { allowReplay },
+      resourceIndicators,
+    },
+  } = instance(ctx.oidc.provider).configuration;
+
+  const dPoP = await dpopValidate(ctx);
+
+  const code = await ctx.oidc.provider.DeviceCode.find(ctx.oidc.params.device_code, {
+    ignoreExpiration: true,
+  });
+
+  if (!code) {
+    throw new InvalidGrant('device code not found');
+  }
+
+  if (code.clientId !== ctx.oidc.client.clientId) {
+    throw new InvalidGrant('client mismatch');
+  }
+
+  if (ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth') {
+    await checkAttestBinding(ctx, code);
+  }
+
+  const cert = checkMtlsCert(ctx, getCertificate);
+  checkDpopRequired(ctx, dPoP);
+
+  if (code.isExpired) {
+    throw new ExpiredToken('device code is expired');
+  }
+
+  if (!code.accountId && !code.error) {
+    throw new AuthorizationPending();
+  }
+
+  if (code.consumed) {
+    await revoke(ctx, code.grantId);
+    throw new InvalidGrant('device code already consumed');
+  }
+
+  await code.consume();
+
+  throwIfAsyncGrantError(code);
+
+  const grant = await validateGrant(ctx, code.grantId);
+
+  ctx.oidc.entity('DeviceCode', code);
+  ctx.oidc.entity('Grant', grant);
+
+  const account = await validateAccount(ctx, findAccount, code, 'device code');
+  checkAccountMismatch(code, grant);
+
+  ctx.oidc.entity('Account', account);
+
+  const { RefreshToken } = ctx.oidc.provider;
+
+  const at = createAccessToken(
+    ctx,
+    ctx.oidc.provider.AccessToken,
+    { ...code, accountId: account.accountId },
+    gty,
+  );
+  applyMtlsBinding(at, cert);
+  await applyDpopBinding(ctx, dPoP, at, allowReplay);
+
+  await resolveAndApplyResource(ctx, code, at, grant, { userinfo, resourceIndicators });
+
+  ctx.oidc.entity('AccessToken', at);
+  const accessToken = await at.save();
+
+  const refreshToken = await createRefreshToken(ctx, code, at, gty, {
+    issueRefreshToken, RefreshToken,
+  });
+
+  const idToken = await issueIdToken(ctx, code, at, grant, {
+    conformIdTokenClaims, userinfo,
+  });
+
+  ctx.body = buildTokenResponse(at, accessToken, {
+    idToken, refreshToken, source: code,
+  });
+};
+
+export const parameters = new Set(['device_code']);
+
+export const grantType = 'urn:ietf:params:oauth:grant-type:device_code';

package/dist/node_modules/oidc-provider/lib/actions/grants/index.js

@@ -0,0 +1,7 @@
+/* eslint-disable camelcase, import/export */
+
+export * as authorization_code from './authorization_code.js';
+export * as client_credentials from './client_credentials.js';
+export * as refresh_token from './refresh_token.js';
+export * as device_code from './device_code.js';
+export * as ciba from './ciba.js';