@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/shared/attest_client_auth.js

@@ -0,0 +1,111 @@
+import * as jose from 'jose';
+
+import { InvalidClientAuth, UseAttestationChallenge } from '../helpers/errors.js';
+import instance from '../helpers/weak_cache.js';
+import { CHALLENGE_OK_WINDOW } from '../helpers/challenge.js';
+import epochTime from '../helpers/epoch_time.js';
+
+export default async function attestationClientAuth(ctx) {
+  const {
+    configuration: {
+      clockTolerance,
+      features: { attestClientAuth },
+      attestSigningAlgValues,
+    },
+    AttestChallenges,
+  } = instance(ctx.oidc.provider);
+
+  const nextChallenge = AttestChallenges.nextChallenge();
+
+  const attestation = ctx.get('oauth-client-attestation');
+  let verifiedAttestation;
+  try {
+    verifiedAttestation = await jose.jwtVerify(
+      attestation,
+      async (header) => {
+        const payload = jose.decodeJwt(attestation);
+        if (typeof payload.iss !== 'string') {
+          throw new Error('iss must be a string');
+        }
+        const key = await attestClientAuth.getAttestationSignaturePublicKey(
+          ctx,
+          payload.iss,
+          header,
+          ctx.oidc.client,
+        );
+        return key;
+      },
+      {
+        algorithms: attestSigningAlgValues,
+        requiredClaims: ['iss', 'sub', 'exp', 'cnf'],
+        typ: 'oauth-client-attestation+jwt',
+        clockTolerance,
+        subject: ctx.oidc.client.clientId,
+      },
+    );
+    if (verifiedAttestation.key.type !== 'public') {
+      throw new Error('the resolved key must be a public key');
+    }
+    if (
+      typeof verifiedAttestation.payload.cnf?.jwk?.kty !== 'string'
+      || verifiedAttestation.payload.cnf?.jwk?.d !== undefined
+      || verifiedAttestation.payload.cnf?.jwk?.priv !== undefined
+      || verifiedAttestation.payload.cnf?.jwk?.k !== undefined
+    ) {
+      throw new Error('invalid cnf.jwk');
+    }
+  } catch (err) {
+    throw new InvalidClientAuth(`failed to validate oauth-client-attestation: ${err.message}`);
+  }
+
+  const pop = ctx.get('oauth-client-attestation-pop');
+  if (!pop) {
+    throw new InvalidClientAuth('oauth-client-attestation-pop missing');
+  }
+  let verifiedPoP;
+  try {
+    verifiedPoP = await jose.jwtVerify(
+      pop,
+      async (header) => jose.importJWK(verifiedAttestation.payload.cnf.jwk, header.alg),
+      {
+        algorithms: attestSigningAlgValues,
+        requiredClaims: ['iss', 'aud', 'jti'], // challenge is checked later
+        typ: 'oauth-client-attestation-pop+jwt',
+        clockTolerance,
+        issuer: ctx.oidc.client.clientId,
+        audience: ctx.oidc.issuer,
+      },
+    );
+    if (typeof verifiedPoP.payload.aud !== 'string') {
+      throw new Error('aud must be a string');
+    }
+  } catch (err) {
+    throw new InvalidClientAuth(`failed to validate oauth-client-attestation-pop: ${err.message}`);
+  }
+
+  await attestClientAuth.assertAttestationJwtAndPop(
+    ctx,
+    verifiedAttestation,
+    verifiedPoP,
+    ctx.oidc.client,
+  );
+
+  const unique = await ctx.oidc.provider.ReplayDetection.unique(
+    verifiedPoP.payload.iss,
+    verifiedPoP.payload.jti,
+    epochTime() + CHALLENGE_OK_WINDOW,
+  );
+
+  if (!unique) {
+    throw new InvalidClientAuth('oauth-client-attestation-pop tokens must only be used once');
+  }
+
+  if (typeof verifiedPoP.payload.challenge !== 'string' || !AttestChallenges.checkChallenge(verifiedPoP.payload.challenge)) {
+    ctx.set('oauth-client-attestation-challenge', nextChallenge);
+    throw new UseAttestationChallenge();
+  }
+
+  if (verifiedPoP.payload.challenge !== nextChallenge) {
+    ctx.set('oauth-client-attestation-challenge', nextChallenge);
+  }
+}

package/dist/node_modules/oidc-provider/lib/shared/authorization_error_handler.js

@@ -0,0 +1,104 @@
+import debug from 'debug';
+
+import { InvalidRedirectUri } from '../helpers/errors.js';
+import instance from '../helpers/weak_cache.js';
+import errOut from '../helpers/err_out.js';
+import resolveResponseMode from '../helpers/resolve_response_mode.js';
+import oneRedirectUriClients from '../actions/authorization/one_redirect_uri_clients.js';
+
+const debugError = debug('oidc-provider:authentication:error');
+const serverError = debug('oidc-provider:server_error');
+const serverErrorTrace = debug('oidc-provider:server_error:trace');
+
+export default (provider) => {
+  const AD_ACTA_CHECKS = Object.entries({
+    redirect_uri: {
+      Err: InvalidRedirectUri,
+      method: 'redirectUriAllowed',
+      check: 'redirectUriCheckPerformed',
+      recovery: oneRedirectUriClients,
+    },
+  });
+
+  function getOutAndEmit(ctx, err, state) {
+    const out = { ...errOut(err, state), iss: ctx.oidc.provider.issuer };
+
+    if (err.expose) {
+      provider.emit('authorization.error', ctx, err);
+      debugError('%o', out);
+    } else {
+      provider.emit('server_error', ctx, err);
+      serverError('path=%s method=%s error=%o', ctx.path, ctx.method, err);
+      serverErrorTrace(err);
+    }
+
+    return out;
+  }
+
+  function safe(param) {
+    if (param && typeof param === 'string') {
+      return param;
+    }
+    return undefined;
+  }
+
+  return async function authorizationErrorHandler(ctx, next) {
+    try {
+      await next();
+    } catch (caught) {
+      let err = caught;
+      ctx.status = err.statusCode || 500;
+      const { oidc } = ctx;
+
+      const { params = (ctx.method === 'POST' ? oidc.body : ctx.query) || {} } = oidc;
+
+      if (!oidc.client && safe(params.client_id) && !ctx.oidc.noclient) {
+        try {
+          oidc.entity('Client', await provider.Client.find(safe(params.client_id)));
+        } catch (e) {}
+      }
+
+      for (const [param, {
+        Err, check, flag, method, recovery,
+      }] of AD_ACTA_CHECKS) {
+        if (
+          (!flag || instance(provider).configuration[flag])
+          && !(err instanceof Err) && oidc.client
+          && !oidc[check]
+        ) {
+          if (recovery && !safe(params[param])) {
+            recovery(ctx, () => {});
+          }
+
+          if (safe(params[param]) && !oidc.client[method](params[param])) {
+            getOutAndEmit(ctx, caught, safe(params.state));
+            err = new Err();
+            ctx.status = err.statusCode;
+            break;
+          }
+        }
+      }
+
+      const out = getOutAndEmit(ctx, err, safe(params.state));
+
+      // in case redirect_uri or client could not be verified no successful
+      // response should happen, render instead
+      if (
+        !safe(params.client_id)
+        || (safe(params.client_id) && !oidc.client)
+        || !safe(params.redirect_uri)
+        || !err.allow_redirect
+      ) {
+        const { renderError } = instance(provider).configuration;
+        await renderError(ctx, out, err);
+      } else {
+        let mode = safe(params.response_mode);
+        if (!instance(provider).responseModes.has(mode)) {
+          mode = resolveResponseMode(safe(params.response_type));
+        }
+        const handler = instance(provider).responseModes.get(mode);
+        await handler(ctx, safe(params.redirect_uri), out);
+      }
+    }
+  };
+};

package/dist/node_modules/oidc-provider/lib/shared/check_rar.js

@@ -0,0 +1,75 @@
+import { InvalidAuthorizationDetails, InvalidRequest } from '../helpers/errors.js';
+import instance from '../helpers/weak_cache.js';
+import isPlainObject from '../helpers/_/is_plain_object.js';
+
+export default async function checkRar(ctx, next) {
+  const { params, client } = ctx.oidc;
+
+  if (params.authorization_details !== undefined) {
+    const { richAuthorizationRequests } = instance(ctx.oidc.provider).features;
+
+    if (richAuthorizationRequests.enabled) {
+      if (
+        params.response_type?.split(' ').includes('code') === false
+        || params.response_type?.split(' ').includes('token')
+        || params.response_type === 'none'
+      ) {
+        throw new InvalidRequest('authorization_details parameter is not supported for this response_type');
+      }
+
+      let details;
+
+      try {
+        details = JSON.parse(params.authorization_details);
+      } catch (err) {
+        throw new InvalidRequest('could not parse the authorization_details parameter JSON');
+      }
+
+      if (!Array.isArray(details)) {
+        throw new InvalidRequest('authorization_details parameter should be a JSON array');
+      }
+
+      if (!details.length) {
+        params.authorization_details = undefined;
+        return next();
+      }
+
+      let i = 0;
+      for (const detail of details) {
+        if (!isPlainObject(detail)) {
+          throw new InvalidRequest('authorization_details parameter members should be a JSON object');
+        }
+
+        if (typeof detail.type !== 'string' || !detail.type.length) {
+          throw new InvalidAuthorizationDetails(`authorization_details parameter members' type attribute must be a non-empty string (authorization details index ${i})`);
+        }
+
+        const config = richAuthorizationRequests.types[detail.type];
+        if (!config) {
+          throw new InvalidAuthorizationDetails(`unsupported authorization details type value (authorization details index ${i})`);
+        }
+
+        if (client.authorizationDetailsTypes?.includes(detail.type) === false) {
+          throw new InvalidAuthorizationDetails(`authorization details type '${detail.type}' is not allowed for this client`);
+        }
+
+        // check common data fields
+        for (const field of ['locations', 'actions', 'datatypes', 'privileges']) {
+          if (field in detail && (!Array.isArray(detail[field]) || detail[field].some((value) => typeof value !== 'string' || !value.length))) {
+            throw new InvalidAuthorizationDetails(`'${field}' must be an array of non-empty strings (authorization details index ${i})`);
+          }
+        }
+        if ('identifier' in detail && (typeof detail.identifier !== 'string' || !detail.identifier.length)) {
+          throw new InvalidAuthorizationDetails(`'identifier' must be a non-empty string (authorization details index ${i})`);
+        }
+
+        await config.validate(ctx, detail, client);
+
+        // eslint-disable-next-line no-plusplus
+        i++;
+      }
+    }
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/shared/check_resource.js

@@ -0,0 +1,77 @@
+/* eslint-disable no-underscore-dangle */
+import instance from '../helpers/weak_cache.js';
+import { InvalidTarget } from '../helpers/errors.js';
+
+const filterStatics = (ctx) => {
+  if (ctx.oidc.params.scope && !ctx.oidc.params.resource) {
+    ctx.oidc.params.scope = [...ctx.oidc.requestParamOIDCScopes].join(' ');
+  }
+};
+
+function emptyResource(params) {
+  return !params.resource || (Array.isArray(params.resource) && !params.resource.length);
+}
+
+export default async function checkResource(ctx, next) {
+  const {
+    oidc: {
+      params,
+      provider,
+      client,
+      resourceServers,
+    },
+  } = ctx;
+
+  const {
+    defaultResource,
+    enabled,
+    getResourceServerInfo,
+  } = instance(provider).features.resourceIndicators;
+
+  if (!enabled) {
+    filterStatics(ctx);
+    return next();
+  }
+
+  if (params.resource === undefined) {
+    params.resource = await defaultResource(ctx, client);
+
+    if (params.authorization_details && emptyResource(params)) {
+      throw new InvalidTarget('resource indicator must be provided or defaulted to when Rich Authorization Requests are used');
+    }
+  }
+
+  if (params.scope && emptyResource(params)) {
+    filterStatics(ctx);
+    return next();
+  }
+
+  let { resource } = params;
+
+  if (params.resource === undefined) {
+    return next();
+  }
+
+  if (!Array.isArray(params.resource)) {
+    resource = [resource];
+  }
+
+  for (const identifier of resource) {
+    const href = URL.parse(identifier)?.href;
+
+    if (!href) {
+      throw new InvalidTarget('resource indicator must be an absolute URI');
+    }
+
+    // NOTE: we don't check for new URL() => search of hash because of an edge case
+    // new URL('https://example.com?#') => search and hash are empty, seems like an inconsistent validation
+    if (href.includes('#')) {
+      throw new InvalidTarget('resource indicator must not contain a fragment component');
+    }
+
+    const resourceServer = await getResourceServerInfo(ctx, identifier, client);
+    resourceServers[identifier] = new ctx.oidc.provider.ResourceServer(identifier, resourceServer);
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/shared/client_auth.js

@@ -0,0 +1,263 @@
+import { InvalidRequest, InvalidClientAuth } from '../helpers/errors.js';
+import appendWWWAuthenticate from '../helpers/append_www_authenticate.js';
+import * as JWT from '../helpers/jwt.js';
+import instance from '../helpers/weak_cache.js';
+import certificateThumbprint from '../helpers/certificate_thumbprint.js';
+import { noVSCHAR } from '../consts/client_attributes.js';
+
+import rejectDupes from './reject_dupes.js';
+import jwtClientAuth from './jwt_client_auth.js';
+import attestClientAuth from './attest_client_auth.js';
+
+const assertionType = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
+
+// see https://tools.ietf.org/html/rfc6749#appendix-B
+function decodeAuthToken(token) {
+  const authToken = decodeURIComponent(token.replace(/\+/g, '%20'));
+  if (noVSCHAR.test(authToken)) {
+    throw new Error('invalid character found');
+  }
+  return authToken;
+}
+
+export default function clientAuthentication(provider) {
+  const authParams = new Set(['client_id']);
+  const { configuration, features } = instance(provider);
+
+  configuration.clientAuthMethods.forEach((method) => {
+    switch (method) {
+      case 'client_secret_post':
+        authParams.add('client_secret');
+        break;
+      case 'client_secret_jwt':
+      case 'private_key_jwt':
+        authParams.add('client_assertion');
+        authParams.add('client_assertion_type');
+        break;
+      default:
+    }
+  });
+
+  authParams.forEach(Set.prototype.add.bind(instance(provider).grantTypeParams.get(undefined)));
+
+  return {
+    params: authParams,
+    middleware: [
+      rejectDupes.bind(undefined, { only: authParams }),
+      async function setWWWAuthenticateHeader(ctx, next) {
+        try {
+          await next();
+        } catch (err) {
+          if (err.statusCode === 401 && ctx.headers.authorization !== undefined) {
+            appendWWWAuthenticate(ctx, 'Basic', {
+              realm: provider.issuer,
+              error: err.message,
+              error_description: err.error_description,
+            });
+          }
+          throw err;
+        }
+      },
+      async function authenticateClient(ctx, next) {
+        let methods;
+        let clientId;
+        let clientSecret;
+
+        const setClientId = (value) => {
+          if (clientId !== undefined && value !== clientId) {
+            throw new InvalidRequest('client_id mismatch');
+          }
+          clientId = value;
+        };
+
+        const { length } = [
+          ctx.headers.authorization,
+          ctx.headers['oauth-client-attestation'],
+          ctx.oidc.params.client_assertion,
+          ctx.oidc.params.client_secret,
+        ].filter(Boolean);
+
+        if (length > 1) {
+          throw new InvalidRequest('client authentication must only be provided using one mechanism');
+        }
+
+        if (ctx.oidc.params.client_id !== undefined) {
+          setClientId(ctx.oidc.params.client_id);
+        }
+
+        if (ctx.oidc.params.client_secret) {
+          clientSecret = ctx.oidc.params.client_secret;
+          methods = ['client_secret_basic', 'client_secret_post'];
+        } else if (ctx.headers.authorization !== undefined) {
+          const parts = ctx.headers.authorization.split(' ');
+          if (parts.length !== 2 || parts[0].toLowerCase() !== 'basic') {
+            throw new InvalidRequest('invalid authorization header value format');
+          }
+
+          const basic = Buffer.from(parts[1], 'base64').toString('utf8');
+          const i = basic.indexOf(':');
+
+          if (i === -1) {
+            throw new InvalidRequest('invalid authorization header value format');
+          }
+
+          let basicClientId;
+          try {
+            basicClientId = decodeAuthToken(basic.slice(0, i));
+            clientSecret = decodeAuthToken(basic.slice(i + 1));
+          } catch (err) {
+            throw new InvalidRequest('client_id and client_secret in the authorization header are not properly encoded');
+          }
+
+          setClientId(basicClientId);
+
+          if (!clientSecret) {
+            throw new InvalidRequest('client_secret must be provided in the Authorization header');
+          }
+
+          methods = ['client_secret_basic', 'client_secret_post'];
+        } else if (ctx.headers['oauth-client-attestation'] !== undefined) {
+          let sub;
+          try {
+            ({ payload: { sub } } = JWT.decode(ctx.headers['oauth-client-attestation']));
+          } catch (err) {
+            throw new InvalidRequest('invalid OAuth-Client-Attestation format');
+          }
+
+          if (!sub) {
+            throw new InvalidClientAuth('sub (JWT subject) must be provided in the OAuth-Client-Attestation JWT');
+          }
+
+          setClientId(sub);
+          methods = ['attest_jwt_client_auth'];
+        } else if (ctx.oidc.params.client_assertion !== undefined) {
+          let sub;
+          try {
+            ({ payload: { sub } } = JWT.decode(ctx.oidc.params.client_assertion));
+          } catch (err) {
+            throw new InvalidRequest('invalid client_assertion format');
+          }
+
+          if (!sub) {
+            throw new InvalidClientAuth('sub (JWT subject) must be provided in the client_assertion JWT');
+          }
+
+          if (ctx.oidc.params.client_assertion_type === undefined) {
+            throw new InvalidRequest('client_assertion_type must be provided');
+          }
+
+          if (ctx.oidc.params.client_assertion_type !== assertionType) {
+            throw new InvalidRequest(`client_assertion_type must have value ${assertionType}`);
+          }
+
+          setClientId(sub);
+          methods = ['client_secret_jwt', 'private_key_jwt'];
+        } else {
+          methods = ['none', 'tls_client_auth', 'self_signed_tls_client_auth'];
+        }
+
+        if (!clientId) {
+          throw new InvalidRequest('no client authentication mechanism provided');
+        }
+
+        const client = await provider.Client.find(clientId);
+
+        if (!client) {
+          throw new InvalidClientAuth('client not found');
+        }
+
+        ctx.oidc.entity('Client', client);
+
+        if (methods?.includes(ctx.oidc.client.clientAuthMethod) !== true) {
+          throw new InvalidClientAuth('the provided authentication mechanism does not match the registered client authentication method');
+        }
+
+        switch (ctx.oidc.client.clientAuthMethod) { // eslint-disable-line default-case
+          case 'none':
+            break;
+
+          case 'client_secret_basic':
+          case 'client_secret_post': {
+            ctx.oidc.client.checkClientSecretExpiration('could not authenticate the client - its client secret is expired');
+            const matches = await ctx.oidc.client.compareClientSecret(clientSecret);
+            if (!matches) {
+              throw new InvalidClientAuth('invalid secret provided');
+            }
+
+            break;
+          }
+
+          case 'client_secret_jwt':
+            ctx.oidc.client.checkClientSecretExpiration('could not authenticate the client - its client secret used for the client_assertion is expired');
+            await jwtClientAuth(ctx, ctx.oidc.client.symmetricKeyStore, (alg) => alg.startsWith('HS'));
+
+            break;
+
+          case 'private_key_jwt':
+            await jwtClientAuth(ctx, ctx.oidc.client.asymmetricKeyStore, (alg) => !alg.startsWith('HS'));
+
+            break;
+
+          case 'tls_client_auth': {
+            const {
+              getCertificate, certificateAuthorized, certificateSubjectMatches,
+            } = features.mTLS;
+
+            const cert = getCertificate(ctx);
+
+            if (!cert) {
+              throw new InvalidClientAuth('client certificate was not provided');
+            }
+
+            if (!certificateAuthorized(ctx)) {
+              throw new InvalidClientAuth('client certificate was not verified');
+            }
+
+            for (const [prop, key] of Object.entries({
+              tlsClientAuthSubjectDn: 'tls_client_auth_subject_dn',
+              tlsClientAuthSanDns: 'tls_client_auth_san_dns',
+              tlsClientAuthSanIp: 'tls_client_auth_san_ip',
+              tlsClientAuthSanEmail: 'tls_client_auth_san_email',
+              tlsClientAuthSanUri: 'tls_client_auth_san_uri',
+            })) {
+              const value = ctx.oidc.client[prop];
+              if (value) {
+                if (!certificateSubjectMatches(ctx, key, value)) {
+                  throw new InvalidClientAuth('certificate subject value does not match the registered one');
+                }
+                break;
+              }
+            }
+
+            break;
+          }
+          case 'self_signed_tls_client_auth': {
+            const { getCertificate } = features.mTLS;
+            const cert = getCertificate(ctx);
+
+            if (!cert) {
+              throw new InvalidClientAuth('client certificate was not provided');
+            }
+
+            await ctx.oidc.client.asymmetricKeyStore.refresh();
+            const expected = certificateThumbprint(cert);
+            const match = [...ctx.oidc.client.asymmetricKeyStore].find(({ 'x5t#S256': actual }) => actual === expected);
+
+            if (!match) {
+              throw new InvalidClientAuth('unregistered client certificate provided');
+            }
+
+            break;
+          }
+          case 'attest_jwt_client_auth': {
+            await attestClientAuth(ctx);
+
+            break;
+          }
+        }
+
+        await next();
+      },
+    ],
+  };
+}

package/dist/node_modules/oidc-provider/lib/shared/conditional_body.js

@@ -0,0 +1,9 @@
+import bodyParser from './selective_body.js';
+
+export default async function parseBodyIfPost(cty, ctx, next) {
+  if (ctx.method === 'POST') {
+    await bodyParser(cty, ctx, next);
+  } else {
+    await next();
+  }
+}

package/dist/node_modules/oidc-provider/lib/shared/cors.js

@@ -0,0 +1,49 @@
+import cors from '@koa/cors';
+
+import { InvalidRequest } from '../helpers/errors.js';
+import instance from '../helpers/weak_cache.js';
+
+function checkClientCORS(ctx, client) {
+  const origin = ctx.get('Origin');
+  const { clientBasedCORS } = instance(ctx.oidc.provider).configuration;
+
+  const allowed = clientBasedCORS(ctx, origin, client);
+
+  if (typeof allowed !== 'boolean') {
+    throw new Error('clientBasedCORS helper must be a synchronous function returning a Boolean');
+  }
+
+  if (!allowed) {
+    ctx.remove('Access-Control-Allow-Origin');
+    throw new InvalidRequest(`origin ${origin} not allowed for client: ${client.clientId}`);
+  }
+}
+
+export default ({ clientBased = false, ...options }) => {
+  const builtin = cors({
+    keepHeadersOnError: false,
+    origin(ctx) {
+      return ctx.get('Origin') || '*';
+    },
+    ...options,
+  });
+
+  return async (ctx, next) => {
+    const headers = Object.keys(ctx.response.headers);
+
+    // ignore built in CORS handling since the developer wants to do it their way
+    if (headers.find((x) => x.toLowerCase().startsWith('access-control-'))) {
+      return next();
+    }
+
+    ctx.vary('Origin');
+    // preflights or generally available (e.g. discovery) -> CORS is allowed
+    if (ctx.method === 'OPTIONS' || !clientBased || !ctx.get('Origin')) {
+      return builtin(ctx, next);
+    }
+
+    ctx.oidc.once('assign.client', checkClientCORS);
+
+    return builtin(ctx, next);
+  };
+};