@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/helpers/initialize_keystore.js

@@ -0,0 +1,310 @@
+import { strict as assert } from 'node:assert';
+import * as crypto from 'node:crypto';
+
+import { DEV_KEYSTORE } from '../consts/index.js';
+
+import * as attention from './attention.js';
+import instance from './weak_cache.js';
+import KeyStore, { ExternalSigningKey } from './keystore.js';
+
+const calculateKid = (jwk) => {
+  let components;
+
+  switch (jwk.kty) {
+    case 'RSA':
+      components = {
+        e: jwk.e, kty: 'RSA', n: jwk.n,
+      };
+      break;
+    case 'EC':
+      components = {
+        crv: jwk.crv, kty: 'EC', x: jwk.x, y: jwk.y,
+      };
+      break;
+    case 'OKP':
+      components = {
+        crv: jwk.crv, kty: 'OKP', x: jwk.x,
+      };
+      break;
+    case 'AKP':
+      components = {
+        alg: jwk.alg, kty: 'AKP', pub: jwk.pub,
+      };
+      break;
+    default:
+      return undefined;
+  }
+
+  return crypto.hash('sha256', JSON.stringify(components), 'base64url');
+};
+const KEY_TYPES = new Set(['RSA', 'EC', 'OKP', 'AKP']);
+
+const jwkSignatureAlgorithms = (jwk) => {
+  if (jwk.use !== 'sig' && jwk.use !== undefined) {
+    return [];
+  }
+
+  let available;
+
+  switch (jwk.kty) {
+    case 'RSA':
+      available = ['PS256', 'PS384', 'PS512', 'RS256', 'RS384', 'RS512'];
+      break;
+    case 'EC':
+      switch (jwk.crv) {
+        case 'P-256':
+          available = ['ES256'];
+          break;
+        case 'P-384':
+          available = ['ES384'];
+          break;
+        case 'P-521':
+          available = ['ES512'];
+          break;
+        default:
+      }
+      break;
+    case 'OKP':
+      switch (jwk.crv) {
+        case 'Ed25519':
+          available = ['EdDSA', 'Ed25519'];
+          break;
+        default:
+      }
+      break;
+    case 'AKP':
+      switch (jwk.alg) {
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87':
+          available = [jwk.alg];
+          break;
+        default:
+      }
+      break;
+    default:
+  }
+
+  if (jwk.alg) {
+    if (available && available.includes(jwk.alg)) {
+      return [jwk.alg];
+    }
+    return [];
+  }
+
+  return available || [];
+};
+
+const jwkEncryptionAlgorithms = (jwk) => {
+  if (jwk.use !== 'enc' && jwk.use !== undefined) {
+    return [];
+  }
+
+  let available;
+
+  switch (jwk.kty) {
+    case 'RSA':
+      available = ['RSA-OAEP', 'RSA-OAEP-256', 'RSA-OAEP-384', 'RSA-OAEP-512'];
+      break;
+    case 'EC':
+      switch (jwk.crv) {
+        case 'P-256':
+        case 'P-384':
+        case 'P-521':
+          available = ['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'];
+          break;
+        default:
+      }
+      break;
+    case 'OKP':
+      switch (jwk.crv) {
+        case 'X25519':
+          available = ['ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'];
+          break;
+        default:
+      }
+      break;
+    default:
+  }
+
+  if (jwk.alg) {
+    if (available && available.includes(jwk.alg)) {
+      return [jwk.alg];
+    }
+    return [];
+  }
+
+  return available || [];
+};
+
+function checkString(value, property, i) {
+  assert(typeof value === 'string' && value, `jwks.keys[${i}].${property} configuration must be a non-empty string`);
+}
+
+function isExternal(key) {
+  return key instanceof ExternalSigningKey;
+}
+
+function registerKey(input, i, keystore, kids) {
+  const { configuration, features } = instance(this);
+
+  let key;
+  if (isExternal(input)) {
+    assert(features.externalSigningSupport.enabled, 'features.externalSigningSupport must be enabled for ExternalSigningKey support');
+    key = input;
+  } else {
+    key = structuredClone(input);
+  }
+  assert(KEY_TYPES.has(key.kty), `only RSA, EC, OKP, or AKP keys should be part of jwks configuration (index ${i})`);
+  key.kid ??= calculateKid(key);
+  checkString(key.kid, 'kid', i);
+
+  assert(!kids.has(key.kid), 'jwks.keys configuration must not contain duplicate "kid" values');
+  kids.add(key.kid);
+
+  switch (key.kty) {
+    case 'AKP':
+      checkString(key.alg, 'alg', i);
+      checkString(key.pub, 'pub', i);
+      if (!(key instanceof ExternalSigningKey)) {
+        checkString(key.priv, 'priv', i);
+      }
+      break;
+    case 'OKP':
+      checkString(key.crv, 'crv', i);
+      checkString(key.x, 'x', i);
+      if (!(key instanceof ExternalSigningKey)) {
+        checkString(key.d, 'd', i);
+      }
+      break;
+    case 'EC':
+      checkString(key.crv, 'crv', i);
+      checkString(key.x, 'x', i);
+      checkString(key.y, 'y', i);
+      if (!(key instanceof ExternalSigningKey)) {
+        checkString(key.d, 'd', i);
+      }
+      break;
+    case 'RSA':
+      checkString(key.e, 'e', i);
+      checkString(key.n, 'n', i);
+      if (!(key instanceof ExternalSigningKey)) {
+        checkString(key.d, 'd', i);
+        checkString(key.p, 'p', i);
+        checkString(key.q, 'q', i);
+        checkString(key.dp, 'dp', i);
+        checkString(key.dq, 'dq', i);
+        checkString(key.qi, 'qi', i);
+      }
+      break;
+    default:
+      throw new Error('unreachable');
+  }
+
+  if (key instanceof ExternalSigningKey) {
+    assert(key.use === 'sig', `jwks.keys[${i}] configuration "use" must be "sig"`);
+  }
+
+  if (key.key_ops !== undefined) {
+    assert(Array.isArray(key.key_ops) && key.key_ops.length && key.key_ops.every((x) => typeof x === 'string' && x), `jwks.keys[${i}].key_ops configuration must be an array of strings`);
+  }
+
+  if (key.x5c !== undefined) {
+    assert(Array.isArray(key.x5c) && key.x5c.length && key.x5c.every((x) => typeof x === 'string' && x), `jwks.keys[${i}].x5c configuration must be an array of strings`);
+  }
+
+  let encryptionAlgs;
+  if (features.encryption.enabled) {
+    encryptionAlgs = jwkEncryptionAlgorithms(key);
+
+    [
+      // 'idTokenEncryptionAlgValues',
+      'requestObjectEncryptionAlgValues',
+      // 'userinfoEncryptionAlgValues',
+    ].forEach((prop) => {
+      configuration[prop] = [...new Set([...configuration[prop], ...encryptionAlgs])]
+        .filter((v) => configuration.enabledJWA[prop].includes(v));
+    });
+  }
+
+  const signingAlgs = jwkSignatureAlgorithms(key);
+  [
+    'idTokenSigningAlgValues',
+    // 'requestObjectSigningAlgValues' uses client's keystore
+    // 'tokenEndpointAuthSigningAlgValues' uses client's keystore
+    'userinfoSigningAlgValues',
+    'introspectionSigningAlgValues',
+    'authorizationSigningAlgValues',
+  ].forEach((prop) => {
+    configuration[prop] = [...new Set([...configuration[prop], ...signingAlgs])]
+      .filter((v) => configuration.enabledJWA[prop].includes(v));
+  });
+
+  const combined = signingAlgs.concat(encryptionAlgs).filter(Boolean);
+
+  /* eslint-disable no-param-reassign */
+  if (combined.length === 1 && key.alg !== combined[0]) {
+    [key.alg] = combined;
+  }
+
+  if (isExternal(key) && combined.length > 1) {
+    checkString(key.alg, 'alg', i);
+  }
+
+  if (encryptionAlgs?.length && !signingAlgs.length && key.use !== 'enc') {
+    key.use = 'enc';
+  } else if (signingAlgs.length && !encryptionAlgs?.length && key.use !== 'sig') {
+    key.use = 'sig';
+  }
+
+  if (!Array.isArray(key.x5c) || !key.x5c.length) {
+    delete key.x5c;
+  }
+
+  assert(combined.length, `jwks.keys[${i}] is of no use given the other configuration, remove it`);
+  keystore.add(key);
+  /* eslint-enable */
+}
+
+export default function initialize(jwks) {
+  if (jwks === undefined) {
+    // eslint-disable-next-line no-param-reassign
+    jwks = structuredClone(DEV_KEYSTORE);
+    /* eslint-disable no-multi-str */
+    attention.warn('a quick start development-only signing keys are used, you are expected to \
+provide your own in the configuration "jwks" property');
+    /* eslint-enable */
+  }
+
+  const keystore = new KeyStore();
+  const kids = new Set();
+
+  try {
+    if (!Array.isArray(jwks.keys)) {
+      throw new Error();
+    }
+    // eslint-disable-next-line no-plusplus
+    for (let i = 0; i < jwks.keys.length; i++) {
+      registerKey.call(this, jwks.keys[i], i, keystore, kids);
+    }
+  } catch (err) {
+    throw new Error(err.message || 'keystore must be a JSON Web Key Set formatted object', { cause: err });
+  }
+
+  instance(this).keystore = keystore;
+  const keys = [...keystore].map((key) => ({
+    kty: key.kty,
+    use: key.use,
+    key_ops: key.key_ops ? [...key.key_ops] : undefined,
+    kid: key.kid,
+    alg: key.alg,
+    crv: key.crv,
+    e: key.e,
+    n: key.n,
+    x: key.x,
+    x5c: key.x5c ? [...key.x5c] : undefined,
+    y: key.y,
+    pub: key.pub,
+  }));
+  instance(this).jwks = { keys };
+}

package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/check.js

@@ -0,0 +1,21 @@
+/* eslint-disable no-param-reassign */
+
+class Check {
+  constructor(reason, description, error, check = () => {}, details = () => {}) {
+    if (typeof error === 'function') {
+      details = check;
+      check = error;
+      error = undefined;
+    }
+    this.reason = reason;
+    this.description = description;
+    this.error = error;
+    this.details = details;
+    this.check = check;
+  }
+}
+
+Check.REQUEST_PROMPT = true;
+Check.NO_NEED_TO_PROMPT = false;
+
+export default Check;

package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/index.js

@@ -0,0 +1,43 @@
+import Check from './check.js';
+import Prompt from './prompt.js';
+import login from './prompts/login.js';
+import consent from './prompts/consent.js';
+
+const base = () => {
+  const DEFAULT = [];
+
+  DEFAULT.get = function getPrompt(name) {
+    if (typeof name !== 'string') {
+      throw new TypeError('name must be a string');
+    }
+    return this.find((p) => p.name === name);
+  };
+
+  DEFAULT.remove = function removePrompt(name) {
+    if (typeof name !== 'string') {
+      throw new TypeError('name must be a string');
+    }
+    const i = this.findIndex((p) => p.name === name);
+    this.splice(i, 1);
+  };
+
+  DEFAULT.clear = function clearAll() {
+    while (this.length) {
+      this.splice(0, 1);
+    }
+  };
+
+  DEFAULT.add = function addPrompt(prompt, i = this.length) {
+    if (!(prompt instanceof Prompt)) {
+      throw new TypeError('argument must be an instance of Prompt');
+    }
+    this.splice(i, 0, prompt);
+  };
+
+  DEFAULT.add(login());
+  DEFAULT.add(consent());
+
+  return DEFAULT;
+};
+
+export { Check, Prompt, base };

package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompt.js

@@ -0,0 +1,95 @@
+/* eslint-disable no-param-reassign */
+
+import Check from './check.js';
+
+class Prompt {
+  // eslint-disable-next-line default-param-last
+  constructor({ name, requestable = false } = {}, details, ...checks) {
+    if (typeof requestable !== 'boolean') {
+      throw new Error('requestable argument must be provided as Boolean');
+    }
+
+    if (details instanceof Check) {
+      checks.unshift(details);
+      details = () => {};
+    }
+
+    if (typeof details === 'undefined') {
+      details = () => {};
+    }
+
+    let error;
+    switch (name) {
+      case 'none':
+        throw new Error('prompt none is special, cannot be registered like this');
+      case 'login':
+      case 'consent':
+        error = `${name}_required`;
+        break;
+      case 'select_account':
+        error = 'account_selection_required';
+        break;
+      default:
+        error = 'interaction_required';
+    }
+
+    checks.forEach((check) => {
+      if (check.error === undefined) {
+        check.error = error;
+      }
+    });
+
+    if (requestable) {
+      checks.unshift(new Check(`${name}_prompt`, `${name} prompt was not resolved`, error, (ctx) => {
+        const { oidc } = ctx;
+        if (oidc.prompts.has(name) && oidc.promptPending(name)) {
+          return true;
+        }
+
+        return false;
+      }));
+    }
+
+    this.name = name;
+    this.requestable = requestable;
+    this.details = details;
+    this.checks = checks;
+
+    Object.defineProperties(this.checks, {
+      get: {
+        value(reason) {
+          if (typeof reason !== 'string') {
+            throw new TypeError('reason must be a string');
+          }
+          return this.find((p) => p.reason === reason);
+        },
+      },
+      remove: {
+        value(reason) {
+          if (typeof reason !== 'string') {
+            throw new TypeError('reason must be a string');
+          }
+          const i = this.findIndex((p) => p.reason === reason);
+          this.splice(i, 1);
+        },
+      },
+      clear: {
+        value() {
+          while (this.length) {
+            this.splice(0, 1);
+          }
+        },
+      },
+      add: {
+        value(check, i = this.length) {
+          if (!(check instanceof Check)) {
+            throw new TypeError('argument must be an instance of Check');
+          }
+          this.splice(i, 0, check);
+        },
+      },
+    });
+  }
+}
+
+export default Prompt;

package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompts/consent.js

@@ -0,0 +1,105 @@
+/* eslint-disable no-unused-expressions */
+/* eslint-disable camelcase */
+
+import Prompt from '../prompt.js';
+import Check from '../check.js';
+
+const missingOIDCScope = Symbol();
+const missingOIDCClaims = Symbol();
+const missingResourceScopes = Symbol();
+
+export default () => new Prompt(
+  { name: 'consent', requestable: true },
+
+  new Check('native_client_prompt', 'native clients require End-User interaction', 'interaction_required', (ctx) => {
+    const { oidc } = ctx;
+    if (
+      oidc.client.applicationType === 'native'
+      && oidc.params.response_type !== 'none'
+      && (!oidc.result?.consent)
+    ) {
+      return Check.REQUEST_PROMPT;
+    }
+
+    return Check.NO_NEED_TO_PROMPT;
+  }),
+
+  new Check('op_scopes_missing', 'requested scopes not granted', (ctx) => {
+    const { oidc } = ctx;
+    const encounteredScopes = new Set(oidc.grant.getOIDCScopeEncountered().split(' '));
+
+    let missing;
+    for (const scope of oidc.requestParamOIDCScopes) {
+      if (!encounteredScopes.has(scope)) {
+        missing ||= [];
+        missing.push(scope);
+      }
+    }
+
+    if (missing?.length) {
+      ctx.oidc[missingOIDCScope] = missing;
+      return Check.REQUEST_PROMPT;
+    }
+
+    return Check.NO_NEED_TO_PROMPT;
+  }, ({ oidc }) => ({ missingOIDCScope: oidc[missingOIDCScope] })),
+
+  new Check('op_claims_missing', 'requested claims not granted', (ctx) => {
+    const { oidc } = ctx;
+    const encounteredClaims = new Set(oidc.grant.getOIDCClaimsEncountered());
+
+    let missing;
+    for (const claim of oidc.requestParamClaims) {
+      if (!encounteredClaims.has(claim) && !['sub', 'sid', 'auth_time', 'acr', 'amr', 'iss'].includes(claim)) {
+        missing ||= [];
+        missing.push(claim);
+      }
+    }
+
+    if (missing?.length) {
+      ctx.oidc[missingOIDCClaims] = missing;
+      return Check.REQUEST_PROMPT;
+    }
+
+    return Check.NO_NEED_TO_PROMPT;
+  }, ({ oidc }) => ({ missingOIDCClaims: oidc[missingOIDCClaims] })),
+
+  // checks resource server scopes
+  new Check('rs_scopes_missing', 'requested scopes not granted', (ctx) => {
+    const { oidc } = ctx;
+
+    let missing;
+
+    for (const [indicator, resourceServer] of Object.entries(ctx.oidc.resourceServers)) {
+      const encounteredScopes = new Set(oidc.grant.getResourceScopeEncountered(indicator).split(' '));
+      const requestedScopes = ctx.oidc.requestParamScopes;
+      const availableScopes = resourceServer.scopes;
+
+      for (const scope of requestedScopes) {
+        if (availableScopes.has(scope) && !encounteredScopes.has(scope)) {
+          missing ||= {};
+          missing[indicator] ||= [];
+          missing[indicator].push(scope);
+        }
+      }
+    }
+
+    if (missing && Object.keys(missing).length) {
+      ctx.oidc[missingResourceScopes] = missing;
+      return Check.REQUEST_PROMPT;
+    }
+
+    return Check.NO_NEED_TO_PROMPT;
+  }, ({ oidc }) => ({ missingResourceScopes: oidc[missingResourceScopes] })),
+
+  // checks authorization_details
+  new Check('rar_prompt', 'authorization_details were requested', (ctx) => {
+    const { oidc } = ctx;
+
+    if (oidc.params.authorization_details && !oidc.result?.consent) {
+      return Check.REQUEST_PROMPT;
+    }
+
+    return Check.NO_NEED_TO_PROMPT;
+  }, ({ oidc }) => ({ rar: JSON.parse(oidc.params.authorization_details) })),
+);