@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/models/formats/jwt.js

@@ -0,0 +1,198 @@
+import * as crypto from 'node:crypto';
+
+import * as JWT from '../../helpers/jwt.js';
+import instance from '../../helpers/weak_cache.js';
+import nanoid from '../../helpers/nanoid.js';
+import als from '../../helpers/als.js';
+
+export default (provider, { opaque }) => {
+  async function getResourceServerConfig(token) {
+    const { keystore, configuration } = instance(provider);
+    const { clientDefaults: { id_token_signed_response_alg: defaultAlg } } = configuration;
+
+    let sign;
+    let encrypt;
+
+    {
+      let alg;
+      let key;
+      let kid;
+
+      if (token.resourceServer) {
+        if (token.resourceServer.jwt?.sign) {
+          ({ alg = defaultAlg, key, kid } = token.resourceServer.jwt.sign);
+        } else if (
+          !token.resourceServer.jwt
+          || (!token.resourceServer.jwt.sign && !token.resourceServer.jwt.encrypt)
+        ) {
+          alg = defaultAlg;
+        }
+      }
+
+      if (alg === 'none') {
+        throw new Error('JWT Access Tokens may not use JWS algorithm "none"');
+      } else if (alg) {
+        if (alg.startsWith('HS')) {
+          if (!key) {
+            throw new Error('missing jwt.sign.key Resource Server configuration');
+          }
+          if (!(key instanceof crypto.KeyObject || key instanceof CryptoKey)) {
+            key = crypto.createSecretKey(key);
+          }
+          if (key.type !== 'secret') {
+            throw new Error('jwt.sign.key Resource Server configuration must be a secret (symmetric) key');
+          }
+        } else {
+          [key] = keystore.selectForVerify({ alg, use: 'sig', kid });
+          if (!key) {
+            throw new Error('resolved Resource Server jwt configuration has no corresponding key in the provider\'s keystore');
+          }
+          kid = key.kid;
+          key = keystore.getKeyObject(key);
+        }
+        if (kid !== undefined && typeof kid !== 'string') {
+          throw new Error('jwt.sign.kid must be a string when provided');
+        }
+        sign = { alg, key, kid };
+      }
+    }
+
+    if (token.resourceServer?.jwt?.encrypt) {
+      const { alg, enc, kid } = token.resourceServer.jwt.encrypt;
+      let { key } = token.resourceServer.jwt.encrypt;
+
+      if (!alg) {
+        throw new Error('missing jwt.encrypt.alg Resource Server configuration');
+      }
+      if (!enc) {
+        throw new Error('missing jwt.encrypt.enc Resource Server configuration');
+      }
+      if (!key) {
+        throw new Error('missing jwt.encrypt.key Resource Server configuration');
+      }
+
+      if (!(key instanceof crypto.KeyObject || key instanceof CryptoKey) && /^(A|dir$)/.test(alg)) {
+        key = crypto.createSecretKey(key);
+      }
+
+      if (key.type === 'private') throw new Error('jwt.encrypt.key Resource Server configuration must be a secret (symmetric) or a public key');
+      if (key.type === 'public' && !sign) throw new Error('missing jwt.sign Resource Server configuration');
+
+      if (kid !== undefined && typeof kid !== 'string') {
+        throw new Error('jwt.encrypt.kid must be a string when provided');
+      }
+      encrypt = {
+        alg, enc, key, kid,
+      };
+    }
+
+    return { sign, encrypt };
+  }
+
+  return {
+    generateTokenId() {
+      return nanoid();
+    },
+    async getValueAndPayload() {
+      const { payload } = await opaque.getValueAndPayload.call(this);
+      const {
+        aud, jti, iat, exp, scope, clientId, 'x5t#S256': x5t, jkt, extra, rar,
+      } = payload;
+      let { accountId: sub } = payload;
+
+      if (sub) {
+        const { client } = this;
+        if (client?.clientId !== clientId) {
+          throw new TypeError('clientId and client mismatch');
+        }
+        if (client.subjectType === 'pairwise') {
+          const { pairwiseIdentifier } = instance(provider).configuration;
+          sub = await pairwiseIdentifier(als.getStore(), sub, client);
+        }
+      }
+
+      const tokenPayload = {
+        ...extra,
+        jti,
+        sub: sub || clientId,
+        iat,
+        exp,
+        authorization_details: rar,
+        scope: scope || undefined,
+        client_id: clientId,
+        iss: provider.issuer,
+        aud,
+        ...(x5t || jkt ? { cnf: {} } : undefined),
+      };
+
+      if (x5t) {
+        tokenPayload.cnf['x5t#S256'] = x5t;
+      }
+      if (jkt) {
+        tokenPayload.cnf.jkt = jkt;
+      }
+
+      const structuredToken = {
+        header: undefined,
+        payload: tokenPayload,
+      };
+
+      const customizer = instance(provider).configuration.formats.customizers.jwt;
+      if (customizer) {
+        await customizer(als.getStore(), this, structuredToken);
+      }
+
+      if (!structuredToken.payload.aud) {
+        throw new Error('JWT Access Tokens must contain an audience, for Access Tokens without audience (only usable at the userinfo_endpoint) use an opaque format');
+      }
+
+      const config = await getResourceServerConfig(this);
+
+      let signed;
+      if (config.sign) {
+        signed = await JWT.sign(structuredToken.payload, config.sign.key, config.sign.alg, {
+          typ: 'at+jwt',
+          fields: { kid: config.sign.kid, ...structuredToken.header },
+        });
+      }
+
+      if (config.sign && config.encrypt) {
+        const encrypted = await JWT.encrypt(signed, config.encrypt.key, {
+          fields: {
+            kid: config.encrypt.kid,
+            iss: provider.issuer,
+            aud: structuredToken.payload.aud,
+            cty: 'at+jwt',
+          },
+          enc: config.encrypt.enc,
+          alg: config.encrypt.alg,
+        });
+
+        return { value: encrypted };
+      }
+
+      if (config.sign) {
+        return { value: signed };
+      }
+
+      if (config.encrypt) {
+        const cleartext = JSON.stringify(structuredToken.payload);
+        const encrypted = await JWT.encrypt(cleartext, config.encrypt.key, {
+          fields: {
+            kid: config.encrypt.kid,
+            iss: provider.issuer,
+            aud: structuredToken.payload.aud,
+            typ: 'at+jwt',
+            ...structuredToken.header,
+          },
+          enc: config.encrypt.enc,
+          alg: config.encrypt.alg,
+        });
+
+        return { value: encrypted };
+      }
+
+      throw new Error('invalid Resource Server jwt configuration');
+    },
+  };
+};

package/dist/node_modules/oidc-provider/lib/models/formats/opaque.js

@@ -0,0 +1,58 @@
+import pickBy from '../../helpers/_/pick_by.js';
+import { assertPayload } from '../../helpers/jwt.js';
+import epochTime from '../../helpers/epoch_time.js';
+import instance from '../../helpers/weak_cache.js';
+import nanoid from '../../helpers/nanoid.js';
+import als from '../../helpers/als.js';
+
+const withExtra = new Set(['AccessToken', 'ClientCredentials']);
+const bitsPerSymbol = Math.log2(64);
+const tokenLength = (i) => Math.ceil(i / bitsPerSymbol);
+
+export default (provider) => ({
+  generateTokenId() {
+    let length;
+    if (this.kind !== 'PushedAuthorizationRequest') {
+      const { bitsOfOpaqueRandomness } = instance(provider).configuration.formats;
+      if (typeof bitsOfOpaqueRandomness === 'function') {
+        length = tokenLength(bitsOfOpaqueRandomness(als.getStore(), this));
+      } else {
+        length = tokenLength(bitsOfOpaqueRandomness);
+      }
+    }
+    return nanoid(length);
+  },
+  async getValueAndPayload() {
+    const { configuration } = instance(provider);
+    const now = epochTime();
+    const exp = this.exp || now + this.expiration;
+    const payload = {
+      iat: this.iat || epochTime(),
+      ...(exp ? { exp } : undefined),
+      ...pickBy(
+        this,
+        (val, key) => this.constructor.IN_PAYLOAD.includes(key) && typeof val !== 'undefined',
+      ),
+    };
+
+    if (withExtra.has(this.kind)) {
+      // eslint-disable-next-line no-multi-assign
+      payload.extra = this.extra = await configuration.extraTokenClaims(als.getStore(), this);
+    }
+
+    return { value: this.jti, payload };
+  },
+  async verify(stored, { ignoreExpiration } = {}) {
+    // checks that legacy tokens aren't accepted as opaque when their jti is passed
+    if (('jwt' in stored) || ('jwt-ietf' in stored) || ('paseto' in stored)) throw new TypeError();
+    if (('format' in stored) && stored.format !== 'opaque') throw new TypeError();
+
+    const { configuration } = instance(provider);
+    assertPayload(stored, {
+      ignoreExpiration,
+      clockTolerance: configuration.clockTolerance,
+    });
+
+    return stored;
+  },
+});

package/dist/node_modules/oidc-provider/lib/models/grant.js

@@ -0,0 +1,243 @@
+/* eslint-disable no-unused-expressions */
+/* eslint-disable no-param-reassign */
+
+import { NON_REJECTABLE_CLAIMS } from '../consts/non_rejectable_claims.js';
+
+import apply from './mixins/apply.js';
+import hasFormat from './mixins/has_format.js';
+
+export default (provider) => class Grant extends apply([
+  hasFormat(provider, 'Grant', provider.BaseToken),
+]) {
+  static get IN_PAYLOAD() {
+    return [
+      'accountId',
+      'clientId',
+      'resources',
+      'openid',
+      'rejected',
+      'rar',
+      ...super.IN_PAYLOAD,
+    ];
+  }
+
+  clean() {
+    if (
+      this.openid
+      && (!this.openid.scope && (!this.openid.claims || this.openid.claims.length === 0))
+    ) {
+      delete this.openid;
+    }
+
+    if (this.resources) {
+      for (const [identifier, value] of Object.entries(this.resources)) {
+        if (!value) {
+          delete this.resources[identifier];
+        }
+      }
+      if (Object.keys(this.resources).length === 0) {
+        delete this.resources;
+      }
+    }
+  }
+
+  async save(...args) {
+    this.clean();
+    if (this.rejected) this.clean.call(this.rejected);
+
+    return super.save(...args);
+  }
+
+  getOIDCScope() {
+    if (this.openid?.scope) {
+      if (this.rejected) {
+        const rejected = this.getOIDCScope.call(this.rejected).split(' ');
+        const granted = new Set(this.openid.scope.split(' '));
+        for (const scope of rejected) {
+          if (scope !== 'openid') {
+            granted.delete(scope);
+          }
+        }
+        return [...granted].join(' ');
+      }
+      return this.openid.scope;
+    }
+    return '';
+  }
+
+  getRejectedOIDCScope() {
+    this.rejected ||= {};
+    return this.getOIDCScope.call(this.rejected);
+  }
+
+  getOIDCScopeFiltered(filter) {
+    if (Array.isArray(filter)) {
+      filter = new Set(filter);
+    } else if (!(filter instanceof Set)) {
+      throw new TypeError('"filter" must be an instance of Set');
+    }
+    const granted = this.getOIDCScope().split(' ');
+    return granted.filter(Set.prototype.has.bind(filter)).join(' ');
+  }
+
+  addOIDCScope(scope) {
+    if (scope instanceof Set) {
+      scope = [...scope].join(' ');
+    } else if (Array.isArray(scope)) {
+      scope = scope.join(' ');
+    } else if (typeof scope !== 'string') {
+      throw new TypeError('"scope" must be a string');
+    }
+    this.openid ||= {};
+    if (this.openid.scope) {
+      this.openid.scope = [...new Set([...this.openid.scope.split(' '), ...scope.split(' ')])].join(' ');
+    } else {
+      this.openid.scope = scope;
+    }
+  }
+
+  rejectOIDCScope(...args) {
+    this.rejected ||= {};
+    this.addOIDCScope.call(this.rejected, ...args);
+  }
+
+  getOIDCScopeEncountered() {
+    const granted = this.getOIDCScope().split(' ');
+    const rejected = this.getRejectedOIDCScope().split(' ');
+    return granted.concat(rejected).join(' ');
+  }
+
+  getResourceScope(resource) {
+    if (typeof resource !== 'string') {
+      throw new TypeError('"resource" must be a string');
+    }
+    if (this.resources?.[resource]) {
+      if (this.rejected) {
+        const rejected = this.getResourceScope.call(this.rejected, resource).split(' ');
+        const granted = new Set(this.resources[resource].split(' '));
+        for (const scope of rejected) {
+          granted.delete(scope);
+        }
+        return [...granted].join(' ');
+      }
+      return this.resources[resource];
+    }
+    return '';
+  }
+
+  getRejectedResourceScope(...args) {
+    this.rejected ||= {};
+    return this.getResourceScope.call(this.rejected, ...args);
+  }
+
+  getResourceScopeFiltered(resource, filter) {
+    if (typeof resource !== 'string') {
+      throw new TypeError('"resource" must be a string');
+    }
+    if (Array.isArray(filter)) {
+      filter = new Set(filter);
+    } else if (!(filter instanceof Set)) {
+      throw new TypeError('"filter" must be an instance of Set');
+    }
+    const granted = this.getResourceScope(resource).split(' ');
+    return granted.filter(Set.prototype.has.bind(filter)).join(' ');
+  }
+
+  addResourceScope(resource, scope) {
+    if (typeof resource !== 'string') {
+      throw new TypeError('"resource" must be a string');
+    }
+    if (scope instanceof Set) {
+      scope = [...scope].join(' ');
+    } else if (Array.isArray(scope)) {
+      scope = scope.join(' ');
+    } else if (typeof scope !== 'string') {
+      throw new TypeError('"scope" must be a string');
+    }
+    this.resources ||= {};
+    if (this.resources[resource]) {
+      this.resources[resource] = [...new Set([...this.resources[resource].split(' '), ...scope.split(' ')])].join(' ');
+    } else {
+      this.resources[resource] = scope;
+    }
+  }
+
+  rejectResourceScope(...args) {
+    this.rejected ||= {};
+    this.addResourceScope.call(this.rejected, ...args);
+  }
+
+  getResourceScopeEncountered(resource) {
+    if (typeof resource !== 'string') {
+      throw new TypeError('"resource" must be a string');
+    }
+    const granted = this.getResourceScope(resource).split(' ');
+    const rejected = this.getRejectedResourceScope(resource).split(' ');
+    return granted.concat(rejected).join(' ');
+  }
+
+  getOIDCClaims() {
+    if (this.openid?.claims) {
+      if (this.rejected) {
+        const rejected = this.getOIDCClaims.call(this.rejected);
+        const granted = new Set(this.openid.claims);
+        for (const claim of rejected) {
+          if (!NON_REJECTABLE_CLAIMS.has(claim)) {
+            granted.delete(claim);
+          }
+        }
+        return [...granted];
+      }
+      return this.openid.claims;
+    }
+    return [];
+  }
+
+  getRejectedOIDCClaims() {
+    this.rejected ||= {};
+    return this.getOIDCClaims.call(this.rejected);
+  }
+
+  getOIDCClaimsFiltered(filter) {
+    if (Array.isArray(filter)) {
+      filter = new Set(filter);
+    } else if (!(filter instanceof Set)) {
+      throw new TypeError('"filter" must be an instance of Set');
+    }
+    const granted = this.getOIDCClaims();
+    return granted.filter(Set.prototype.has.bind(filter));
+  }
+
+  addOIDCClaims(claims) {
+    if (claims instanceof Set) {
+      claims = [...claims];
+    } else if (!Array.isArray(claims)) {
+      throw new TypeError('"claims" must be an array');
+    }
+    if (claims.some((claim) => typeof claim !== 'string')) {
+      throw new TypeError('"claims" must be an array of strings');
+    }
+    this.openid ||= {};
+    if (this.openid.claims) {
+      this.openid.claims = [...new Set([...this.openid.claims, ...claims])];
+    } else {
+      this.openid.claims = claims;
+    }
+  }
+
+  rejectOIDCClaims(...args) {
+    this.rejected ||= {};
+    this.addOIDCClaims.call(this.rejected, ...args);
+  }
+
+  getOIDCClaimsEncountered() {
+    const granted = this.getOIDCClaims();
+    const rejected = this.getRejectedOIDCClaims();
+    return granted.concat(rejected);
+  }
+
+  addRar(detail) {
+    this.rar ||= [];
+    this.rar.push(detail);
+  }
+};