@node-c/domain-iam 1.0.0-beta6 → 1.0.0-beta8

package/src/services/authenticationOAuth2/iam.authenticationOAuth2.service.ts

@@ -11,7 +11,6 @@ import {
   httpRequest
 } from '@node-c/core';
 
-import * as jwt from 'jsonwebtoken';
 import ld from 'lodash';
 
 import {
@@ -21,7 +20,7 @@ import {
   IAMAuthenticationOAuth2CompleteResult,
   IAMAuthenticationOAuth2GetPayloadsFromExternalTokensData,
   IAMAuthenticationOAuth2GetPayloadsFromExternalTokensResult,
-  IAMAuthenticationOAuth2GetUserCreateAccessTokenConfigResult,
+  IAMAuthenticationOAuth2GetUserAuthenticationConfigResult,
   IAMAuthenticationOAuth2InitiateData,
   IAMAuthenticationOAuth2InitiateOptions,
   IAMAuthenticationOAuth2InitiateResult,
@@ -32,44 +31,53 @@ import {
 import { Constants } from '../../common/definitions';
 import { IAMAuthenticationService } from '../authentication';
 
-/*
- * This method is meant to support the OAuth2.0 flow w/ a PKCE challenge. The default, non-PKCE flow is intentionally not supported, in preparation for the upcoming OAuth2.0 spec.
+// TODO: provider param name mapping, in case a specific provider has custom parameter names
+// TODO: validate access_token flow - endpont
+// TODO: refresh access_token flow - local (JWT), endpont
+// TODO: move the verifyToken method to the base authentication service.
+/**
+ * This service is meant to support the OAuth2.0 flow w/ a PKCE challenge. The default, non-PKCE flow is intentionally not supported, in preparation for the upcoming OAuth2.0 spec.
+ *
  * The default case assumes the user is found based on the decoded access token content after the complete method, but these settings can be overwritten in the config for the authService.
+ *
+ * This service is intended for use by the provider environment.
+ *
  * 1. IAMAuthenticationOAuth2Service.initiate
+ *
  * 2. (outside of this service) Save the challenge, verifier and state in the data, linking it to the provided user.
+ *
  * 3. (outside of this service) Send an authorization code request on the prvodied URL to the OAuth2.0 provider.
+ *
  * 4. (outside of this service) Receive a response with the state and an authorization code.
+ *
  * 5. (outside of this service) Find the previously saved data for the user based on the state and send it to this service, along with the repsonse data.
+ *
  * 6. IAMAuthenticationOAuth2Service.complete
+ *
  * 7. (outside this service) Generate a local access & refresh JWT pair with the same expiry time as the provider tokens.
+ *
  * 8. (outside this service) Save the provider's access token and (refersh or ID) tokens in the data along with the JWTs, linking them to the user.
- * *
- * TODO: provider param name mapping, in case a specific provider has custom parameter names
- * TODO: validate access_token flow - endpont
- * TODO: refresh access_token flow - local (JWT), endpont
  */
 export class IAMAuthenticationOAuth2Service<
   CompleteContext extends object,
   InitiateContext extends object
 > extends IAMAuthenticationService<CompleteContext, InitiateContext> {
-  constructor(
-    protected configProvider: ConfigProviderService,
-    protected logger: LoggerService,
-    protected moduleName: string,
-    // eslint-disable-next-line no-unused-vars
-    protected serviceName: string
-  ) {
-    super(configProvider, logger, moduleName);
+  constructor(configProvider: ConfigProviderService, logger: LoggerService, moduleName: string, serviceName: string) {
+    super(configProvider, logger, moduleName, serviceName);
     this.isLocal = false;
   }
 
-  /*
+  // TODO: the custom param mapping will potentially be needed here.
+  /**
    * 6. IAMAuthenticationOAuth2Service.complete:
+   *
    * Incoming for the http redirect - state & code
+   *
    * 6.1. Send an access token request to the provider using the following params: grant_type=authorization_code, client_id, client_secret, redirect_uri, code, code_verifier.
+   *
    * 6.2. Receive the access and refresh tokens - expires_in, access_token, scope, refresh_token OR id_token (OIDC only).
+   *
    * 6.3. Return the access and (refresh or ID) tokens.
-   * TODO: the custom param mapping will potentially be needed here.
    */
   async complete(
     data: IAMAuthenticationOAuth2CompleteData,
@@ -78,17 +86,37 @@ export class IAMAuthenticationOAuth2Service<
   ): Promise<IAMAuthenticationOAuth2CompleteResult> {
     const { configProvider, logger, moduleName, serviceName } = this;
     const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
-    const { accessTokenGrantUrl, clientId, clientSecret, redirectUri } =
-      moduleConfig.authServiceSettings![serviceName].oauth2!;
+    const {
+      accessTokenGrantUrl,
+      allowedIncomingRedirectUris,
+      clientId,
+      clientSecret,
+      redirectUri: configRedirectUri
+    } = moduleConfig.authServiceSettings![serviceName].oauth2!;
+    const logsPrefix = `[${moduleName}][${serviceName}][complete]`;
     if (!accessTokenGrantUrl) {
-      logger.error(`[${moduleName}][${serviceName}]: Access token grant URL not configured.`);
+      logger.error(`${logsPrefix}: Access token grant URL not configured.`);
       throw new ApplicationError('Authentication failed.');
     }
-    if (!redirectUri) {
-      logger.error(`[${moduleName}][${serviceName}]: Redirect URI not configured.`);
-      throw new ApplicationError('Authentication failed.');
+    const { code, codeVerifier, redirectUri: incomingRedirectUri } = data;
+    let redirectUri: string | undefined;
+    if (incomingRedirectUri) {
+      if (!allowedIncomingRedirectUris) {
+        logger.error(`${logsPrefix}: Allowed incoming Redirect URIs not configured.`);
+        throw new ApplicationError('Authentication failed.');
+      }
+      if (!allowedIncomingRedirectUris.includes(incomingRedirectUri)) {
+        logger.error(`${logsPrefix}: Incoming redirect URI ${incomingRedirectUri} is not allowed.`);
+        throw new ApplicationError('Authentication failed.');
+      }
+      redirectUri = incomingRedirectUri;
+    } else {
+      if (!configRedirectUri) {
+        logger.error(`${logsPrefix}: Redirect URI not configured.`);
+        throw new ApplicationError('Authentication failed.');
+      }
+      redirectUri = configRedirectUri;
     }
-    const { code, codeVerifier } = data;
     const { data: providerResponseData, hasError } =
       await httpRequest<IAMAuthenticationOAuth2AccessTokenProviderResponseData>(accessTokenGrantUrl, {
         body: {
@@ -103,10 +131,7 @@ export class IAMAuthenticationOAuth2Service<
         method: HttpMethod.POST
       });
     if (hasError || !providerResponseData) {
-      logger.error(
-        `[${moduleName}][${serviceName}]: Auhorization grant attempt failed for code "${code}".`,
-        providerResponseData
-      );
+      logger.error(`${logsPrefix}: Auhorization grant attempt failed for code "${code}".`, providerResponseData);
       throw new ApplicationError('Authentication failed.');
     }
     return {
@@ -163,11 +188,11 @@ export class IAMAuthenticationOAuth2Service<
   }
 
   // Default config - plain OAuth2 without OIDC
-  getUserCreateAccessTokenConfig(): IAMAuthenticationOAuth2GetUserCreateAccessTokenConfigResult {
+  getUserAuthenticationConfig(): IAMAuthenticationOAuth2GetUserAuthenticationConfigResult {
     const { configProvider, moduleName, serviceName } = this;
     const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
     const { steps } = moduleConfig.authServiceSettings![serviceName];
-    const defaultConfig: IAMAuthenticationOAuth2GetUserCreateAccessTokenConfigResult = {
+    const defaultConfig: IAMAuthenticationOAuth2GetUserAuthenticationConfigResult = {
       [AppConfigDomainIAMAuthenticationStep.Complete]: {
         cache: {
           settings: {
@@ -192,7 +217,10 @@ export class IAMAuthenticationOAuth2Service<
       [AppConfigDomainIAMAuthenticationStep.Initiate]: {
         cache: {
           populate: {
-            data: [{ cacheFieldName: 'codeVerifier', inputFieldName: 'result.codeVerifier' }]
+            data: [
+              { cacheFieldName: 'codeVerifier', inputFieldName: 'result.codeVerifier' },
+              { cacheFieldName: 'redirectUri', inputFieldName: 'result.redirectUri' }
+            ]
           },
           settings: {
             cacheFieldName: 'state',
@@ -207,15 +235,20 @@ export class IAMAuthenticationOAuth2Service<
     return ld.merge(defaultConfig, steps || {});
   }
 
-  /*
+  // TODO: the custom param mapping will potentially be needed here.
+  /**
    * OAuth2.0 flow w/ a PKCE challenge:
    * 1. IAMAuthenticationOAuth2Service.initiate
+   *
    * 1.1. Generate a PKCE code, code verifier for it and PKCE challenge based on them.
+   *
    * 1.2. Generate a unique random "state" and a unique random "nonce" (for OIDC only, optional).
+   *
    * 1.3. Generate an authorization code request URL. This URL contains the response_type=code, client_id, code_challenge, code_challenge_method, nonce, state, redirect_uri and scope. The code_challenge_method is usually S256.
+   *
    * 1.4. Return the code, verifier, challenge, nonce, state and the URL.
+   *
    * In this method, the only difference between the default OAuth2.0 flow and OIDC is that OIDC requires scope=oidc.
-   * TODO: the custom param mapping will potentially be needed here.
    */
   async initiate(
     data: IAMAuthenticationOAuth2InitiateData,
@@ -223,23 +256,42 @@ export class IAMAuthenticationOAuth2Service<
   ): Promise<IAMAuthenticationOAuth2InitiateResult> {
     const { configProvider, logger, moduleName, serviceName } = this;
     const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
-    const { authorizationUrl, clientId, codeChallengeMethod, defaultScope, redirectUri } =
-      moduleConfig.authServiceSettings![serviceName].oauth2!;
-    const { scope } = data;
+    const {
+      allowedIncomingRedirectUris,
+      authorizationUrl,
+      clientId,
+      codeChallengeMethod,
+      defaultScope,
+      redirectUri: configRedirectUri
+    } = moduleConfig.authServiceSettings![serviceName].oauth2!;
+    const { redirectUri: incomingRedirectUri, scope } = data;
     const { generateNonce, withPCKE } = options;
     const finalScope = scope || defaultScope;
+    const logsPrefix = `[${moduleName}][${serviceName}][initiate]`;
+    let redirectUri: string | undefined;
     if (!authorizationUrl) {
-      logger.error(`[${moduleName}][${serviceName}]: Authorization URL not configured.`);
+      logger.error(`${logsPrefix}: Authorization URL not configured.`);
       throw new ApplicationError('Authentication failed.');
     }
-    if (!redirectUri) {
-      logger.error(`[${moduleName}][${serviceName}]: Redirect URI not configured.`);
-      throw new ApplicationError('Authentication failed.');
+    if (incomingRedirectUri) {
+      if (!allowedIncomingRedirectUris) {
+        logger.error(`${logsPrefix}: Allowed incoming Redirect URIs not configured.`);
+        throw new ApplicationError('Authentication failed.');
+      }
+      if (!allowedIncomingRedirectUris.includes(incomingRedirectUri)) {
+        logger.error(`${logsPrefix}: Incoming redirect URI ${incomingRedirectUri} is not allowed.`);
+        throw new ApplicationError('Authentication failed.');
+      }
+      redirectUri = incomingRedirectUri;
+    } else {
+      if (!configRedirectUri) {
+        logger.error(`${logsPrefix}: Redirect URI not configured.`);
+        throw new ApplicationError('Authentication failed.');
+      }
+      redirectUri = configRedirectUri;
     }
     if (!finalScope) {
-      logger.error(
-        `[${moduleName}][${serviceName}]: Either a scope in thwe input, or a configured default scope, is required..`
-      );
+      logger.error(`${logsPrefix}: Either a scope in thwe input, or a configured default scope, is required..`);
       throw new ApplicationError('Authentication failed.');
     }
     const state = this.generateUrlEncodedString(16);
@@ -269,6 +321,7 @@ export class IAMAuthenticationOAuth2Service<
       mfaUsed: true,
       mfaValid: true,
       nonce,
+      redirectUri,
       state,
       valid: true
     };
@@ -308,45 +361,4 @@ export class IAMAuthenticationOAuth2Service<
       `[${moduleName}][${serviceName}]:  In method "verifyExternalAccessToken": verification via external endpoint not configured.`
     );
   }
-
-  protected async verifyToken<DecodedTokenContent = unknown>(
-    token: string,
-    options?: { audiences?: string[]; issuer?: string; secret?: string }
-  ): Promise<{ content?: DecodedTokenContent; error?: unknown }> {
-    const { audiences, issuer, secret } = options || {};
-    let returnData: { content?: DecodedTokenContent; error?: unknown } = {};
-    if (secret) {
-      returnData = await new Promise<{ content?: DecodedTokenContent; error?: unknown }>(resolve => {
-        jwt.verify(token, secret, (err, decoded) => {
-          if (err) {
-            resolve({ content: decoded as DecodedTokenContent, error: err });
-          }
-          resolve({ content: decoded as DecodedTokenContent });
-        });
-      });
-    } else {
-      const tokenContent = jwt.decode(token) as DecodedTokenContent & { aud?: string; exp?: number; iss?: string };
-      if (tokenContent.exp) {
-        // tokenContent.exp < new Date().valueOf()
-        let currentTimeStamp = `${new Date().valueOf()}`;
-        let expString = `${tokenContent.exp}`;
-        if (expString.length < currentTimeStamp.length) {
-          currentTimeStamp = currentTimeStamp.substring(0, expString.length);
-        } else if (expString.length > currentTimeStamp.length) {
-          expString = expString.substring(0, currentTimeStamp.length);
-        }
-        if (parseInt(expString, 10) < parseInt(currentTimeStamp, 10)) {
-          returnData.error = Constants.TOKEN_EXPIRED_ERROR;
-        }
-      }
-      if (tokenContent.aud && audiences && !audiences.includes(tokenContent.aud)) {
-        returnData.error = Constants.TOKEN_MISMATCHED_AUDIENCES_ERROR;
-      }
-      if (tokenContent.iss && issuer && issuer !== tokenContent.iss) {
-        returnData.error = Constants.TOKEN_MISMATCHED_ISSUER_ERROR;
-      }
-      returnData.content = tokenContent;
-    }
-    return returnData;
-  }
 }

package/src/services/authenticationOAuth2Consumer/iam.authenticationOAuth2Consumer.definitions.ts

@@ -0,0 +1,56 @@
+import {
+  IAMAuthenticationRefreshExternalAccessTokenData,
+  IAMAuthenticationRefreshExternalAccessTokenResult
+} from '../authentication';
+import {
+  IAMAuthenticationConsumerCompleteResult,
+  IAMAuthenticationConsumerGetUserAuthenticationConfigResult,
+  IAMAuthenticationConsumerInitiateResult,
+  IAMAuthenticationConsumerRefreshExternalAccessTokenResult
+} from '../authenticationConsumer';
+
+import {
+  IAMAuthenticationOAuth2CompleteData,
+  IAMAuthenticationOAuth2CompleteOptions,
+  IAMAuthenticationOAuth2CompleteResult,
+  IAMAuthenticationOAuth2InitiateData,
+  IAMAuthenticationOAuth2InitiateOptions,
+  IAMAuthenticationOAuth2InitiateResult,
+  IAMAuthenticationOAuth2VerifyExternalAccessTokenData,
+  IAMAuthenticationOAuth2VerifyExternalAccessTokenResult
+} from '../authenticationOAuth2';
+
+export type IAMAuthenticationOAuth2ConsumerCompleteData = IAMAuthenticationOAuth2CompleteData;
+
+export type IAMAuthenticationOAuth2ConsumerCompleteOptions<Context extends object> =
+  IAMAuthenticationOAuth2CompleteOptions<Context>;
+
+export type IAMAuthenticationOAuth2ConsumerCompleteResult = IAMAuthenticationOAuth2CompleteResult &
+  IAMAuthenticationConsumerCompleteResult & {
+    idToken?: string;
+    refreshToken?: string;
+  };
+
+export type IAMAuthenticationOAuth2ConsumerGetUserAuthenticationConfigResult =
+  IAMAuthenticationConsumerGetUserAuthenticationConfigResult;
+
+export interface IAMAuthenticationOAuth2ConsumerInitiateData extends IAMAuthenticationOAuth2InitiateData {
+  scope: string;
+}
+
+export type IAMAuthenticationOAuth2ConsumerInitiateOptions<Context extends object> =
+  IAMAuthenticationOAuth2InitiateOptions<Context>;
+
+export type IAMAuthenticationOAuth2ConsumerInitiateResult = IAMAuthenticationOAuth2InitiateResult &
+  IAMAuthenticationConsumerInitiateResult;
+
+export type IAMAuthenticationOAuth2ConsumerRefreshExternalAccessTokenData =
+  IAMAuthenticationRefreshExternalAccessTokenData;
+export type IAMAuthenticationOAuth2ConsumerRefreshExternalAccessTokenResult =
+  IAMAuthenticationRefreshExternalAccessTokenResult & IAMAuthenticationConsumerRefreshExternalAccessTokenResult;
+
+export type IAMAuthenticationOAuth2ConsumerVerifyExternalAccessTokenData =
+  IAMAuthenticationOAuth2VerifyExternalAccessTokenData;
+
+export type IAMAuthenticationOAuth2ConsumerVerifyExternalAccessTokenResult =
+  IAMAuthenticationOAuth2VerifyExternalAccessTokenResult;

package/src/services/authenticationOAuth2Consumer/iam.authenticationOAuth2Consumer.service.ts

@@ -0,0 +1,93 @@
+import {
+  AppConfigDomainIAM,
+  AppConfigDomainIAMAuthenticationStep,
+  ConfigProviderService,
+  LoggerService
+} from '@node-c/core';
+
+import ld from 'lodash';
+
+import {
+  IAMAuthenticationOAuth2ConsumerCompleteData,
+  IAMAuthenticationOAuth2ConsumerCompleteOptions,
+  IAMAuthenticationOAuth2ConsumerCompleteResult,
+  IAMAuthenticationOAuth2ConsumerGetUserAuthenticationConfigResult,
+  IAMAuthenticationOAuth2ConsumerInitiateData,
+  IAMAuthenticationOAuth2ConsumerInitiateOptions,
+  IAMAuthenticationOAuth2ConsumerInitiateResult,
+  IAMAuthenticationOAuth2ConsumerRefreshExternalAccessTokenData,
+  IAMAuthenticationOAuth2ConsumerRefreshExternalAccessTokenResult,
+  IAMAuthenticationOAuth2ConsumerVerifyExternalAccessTokenData,
+  IAMAuthenticationOAuth2ConsumerVerifyExternalAccessTokenResult
+} from './iam.authenticationOAuth2Consumer.definitions';
+
+import { IAMAuthenticationConsumerService } from '../authenticationConsumer';
+import { IAMAuthenticationOAuth2Service } from '../authenticationOAuth2';
+
+/**
+ * A service for integrating OAuth2 via other Node-C Apps as a consumer.
+ *
+ * This service is intended for use by the consumer environment.
+ */
+export class IAMAuthenticationOAuth2ConsumerService<
+  CompleteContext extends object,
+  InitiateContext extends object
+> extends IAMAuthenticationConsumerService<CompleteContext, InitiateContext> {
+  constructor(configProvider: ConfigProviderService, logger: LoggerService, moduleName: string, serviceName: string) {
+    super(configProvider, logger, moduleName, serviceName);
+  }
+
+  async complete(
+    data: IAMAuthenticationOAuth2ConsumerCompleteData,
+    options: IAMAuthenticationOAuth2ConsumerCompleteOptions<CompleteContext>
+  ): Promise<IAMAuthenticationOAuth2ConsumerCompleteResult> {
+    return super.complete(data, options) as Promise<IAMAuthenticationOAuth2ConsumerCompleteResult>;
+  }
+
+  getUserAuthenticationConfig(): IAMAuthenticationOAuth2ConsumerGetUserAuthenticationConfigResult {
+    const configFromParent = super.getUserAuthenticationConfig();
+    const { configProvider, moduleName, serviceName } = this;
+    const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
+    const { steps } = moduleConfig.authServiceSettings![serviceName];
+    return ld.merge(
+      configFromParent,
+      {
+        [AppConfigDomainIAMAuthenticationStep.Initiate]: {
+          stepResultPublicFields: ['authorizationCodeRequestURL']
+        }
+      },
+      steps || {}
+    );
+  }
+
+  async initiate(
+    data: IAMAuthenticationOAuth2ConsumerInitiateData,
+    options: IAMAuthenticationOAuth2ConsumerInitiateOptions<InitiateContext>
+  ): Promise<IAMAuthenticationOAuth2ConsumerInitiateResult> {
+    const { configProvider, moduleName, serviceName } = this;
+    const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
+    const { redirectUri } = moduleConfig.authServiceSettings![serviceName].oauth2!;
+    return super.initiate(
+      {
+        ...data,
+        ...(redirectUri ? { redirectUri } : {})
+      },
+      options
+    ) as Promise<IAMAuthenticationOAuth2ConsumerInitiateResult>;
+  }
+
+  async refreshExternalAccessToken(
+    data: IAMAuthenticationOAuth2ConsumerRefreshExternalAccessTokenData
+  ): Promise<IAMAuthenticationOAuth2ConsumerRefreshExternalAccessTokenResult> {
+    return super.refreshExternalAccessToken(
+      data
+    ) as Promise<IAMAuthenticationOAuth2ConsumerRefreshExternalAccessTokenResult>;
+  }
+
+  // verifyExternalAccessToken from the OAuth2 service
+  async verifyExternalAccessToken(
+    data: IAMAuthenticationOAuth2ConsumerVerifyExternalAccessTokenData
+  ): Promise<IAMAuthenticationOAuth2ConsumerVerifyExternalAccessTokenResult> {
+    return IAMAuthenticationOAuth2Service.prototype.verifyExternalAccessToken.call(this, data);
+  }
+}

package/src/services/authenticationOAuth2Consumer/index.ts

@@ -0,0 +1,2 @@
+export * from './iam.authenticationOAuth2Consumer.definitions';
+export * from './iam.authenticationOAuth2Consumer.service';

package/src/services/authenticationPassthrough/iam.authenticationPassthrough.definitions.ts

@@ -0,0 +1,32 @@
+import {
+  IAMAuthenticationCompleteData,
+  IAMAuthenticationCompleteOptions,
+  IAMAuthenticationCompleteResult,
+  IAMAuthenticationGetUserAuthenticationConfigResult,
+  IAMAuthenticationInitiateData,
+  IAMAuthenticationInitiateOptions,
+  IAMAuthenticationInitiateResult
+} from '../authentication';
+
+export type IAMAuthenticationPassthroughCompleteData = IAMAuthenticationCompleteData & {
+  externalAccessToken?: string;
+  externalAccessTokenExpiresIn?: number;
+  externalIdToken?: string;
+  externalRefreshToken?: string;
+  externalRefreshTokenExpiresIn?: number;
+};
+
+export type IAMAuthenticationPassthroughCompleteOptions<Context extends object> =
+  IAMAuthenticationCompleteOptions<Context>;
+
+export type IAMAuthenticationPassthroughCompleteResult = IAMAuthenticationCompleteResult;
+
+export type IAMAuthenticationPassthroughGetUserAuthenticationConfigResult =
+  IAMAuthenticationGetUserAuthenticationConfigResult;
+
+export type IAMAuthenticationPassthroughInitiateData = IAMAuthenticationInitiateData;
+
+export type IAMAuthenticationPassthroughInitiateOptions<Context extends object> =
+  IAMAuthenticationInitiateOptions<Context>;
+
+export type IAMAuthenticationPassthroughInitiateResult = IAMAuthenticationInitiateResult;

package/src/services/authenticationPassthrough/iam.authenticationPassthrough.service.ts

@@ -0,0 +1,100 @@
+import {
+  AppConfigDomainIAM,
+  AppConfigDomainIAMAuthenticationStep,
+  ConfigProviderService,
+  LoggerService
+} from '@node-c/core';
+
+import ld from 'lodash';
+
+import {
+  IAMAuthenticationPassthroughCompleteData,
+  IAMAuthenticationPassthroughCompleteOptions,
+  IAMAuthenticationPassthroughCompleteResult,
+  IAMAuthenticationPassthroughGetUserAuthenticationConfigResult,
+  IAMAuthenticationPassthroughInitiateData,
+  IAMAuthenticationPassthroughInitiateOptions,
+  IAMAuthenticationPassthroughInitiateResult
+} from './iam.authenticationPassthrough.definitions';
+
+import { IAMAuthenticationService } from '../authentication';
+/**
+ * A service for skipping authentication in order to use the rest of the AuthenticationManager.authenticate functionality (passthrough).
+ *
+ * This service is intended for use by the provider environment.
+ */
+export class IAMAuthenticationPassthroughService<
+  CompleteContext extends object,
+  InitiateContext extends object
+> extends IAMAuthenticationService<CompleteContext, InitiateContext> {
+  constructor(configProvider: ConfigProviderService, logger: LoggerService, moduleName: string, serviceName: string) {
+    super(configProvider, logger, moduleName, serviceName);
+    this.isLocal = true;
+  }
+
+  async complete(
+    data: IAMAuthenticationPassthroughCompleteData,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _options: IAMAuthenticationPassthroughCompleteOptions<CompleteContext>
+  ): Promise<IAMAuthenticationPassthroughCompleteResult> {
+    const returnData: IAMAuthenticationPassthroughCompleteResult = { mfaUsed: false, valid: true };
+    if (data.externalAccessToken) {
+      returnData.accessToken = data.externalAccessToken;
+      if (data.externalAccessTokenExpiresIn) {
+        returnData.accessTokenExpiresIn = data.externalAccessTokenExpiresIn;
+      }
+    }
+    if (data.externalIdToken) {
+      returnData.idToken = data.externalIdToken;
+    }
+    if (data.externalRefreshToken) {
+      returnData.refreshToken = data.externalRefreshToken;
+      if (data.externalRefreshTokenExpiresIn) {
+        returnData.refreshTokenExpiresIn = data.externalRefreshTokenExpiresIn;
+      }
+    }
+    return returnData;
+  }
+
+  /**
+   * This config is intended for use by the provider environment.
+   *
+   * User data from: provider
+   *
+   * Internal tokens from: provider
+   *
+   * External tokens from: consumer (optional)
+   *
+   * Authentication happens in: consumer
+   */
+  getUserAuthenticationConfig(): IAMAuthenticationPassthroughGetUserAuthenticationConfigResult {
+    const { configProvider, moduleName, serviceName } = this;
+    const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
+    const { steps } = moduleConfig.authServiceSettings![serviceName];
+    const defaultConfig: IAMAuthenticationPassthroughGetUserAuthenticationConfigResult = {
+      // this step accepts the external access tokens (if any) from the authData in the step input
+      // and issues local tokens using that data
+      [AppConfigDomainIAMAuthenticationStep.Complete]: {
+        findUser: true,
+        findUserBeforeAuth: true,
+        validWithoutUser: false
+      },
+      // this step simply does nothing
+      [AppConfigDomainIAMAuthenticationStep.Initiate]: {
+        findUser: false,
+        findUserBeforeAuth: false,
+        validWithoutUser: true
+      }
+    };
+    return ld.merge(defaultConfig, steps || {});
+  }
+
+  async initiate(
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _data: IAMAuthenticationPassthroughInitiateData,
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    _options: IAMAuthenticationPassthroughInitiateOptions<InitiateContext>
+  ): Promise<IAMAuthenticationPassthroughInitiateResult> {
+    return { mfaUsed: false, valid: true };
+  }
+}

package/src/services/authenticationPassthrough/index.ts

@@ -0,0 +1,2 @@
+export * from './iam.authenticationPassthrough.definitions';
+export * from './iam.authenticationPassthrough.service';

package/src/services/authenticationPassthroughConsumer/iam.authenticationPassthroughConsumer.definitions.ts

@@ -0,0 +1,52 @@
+import {
+  IAMAuthenticationRefreshExternalAccessTokenData,
+  IAMAuthenticationRefreshExternalAccessTokenResult
+} from '../authentication';
+
+import {
+  IAMAuthenticationConsumerCompleteResult,
+  IAMAuthenticationConsumerGetUserAuthenticationConfigResult,
+  IAMAuthenticationConsumerInitiateResult
+} from '../authenticationConsumer';
+
+import {
+  IAMAuthenticationPassthroughCompleteData,
+  IAMAuthenticationPassthroughCompleteOptions,
+  IAMAuthenticationPassthroughCompleteResult,
+  IAMAuthenticationPassthroughGetUserAuthenticationConfigResult,
+  IAMAuthenticationPassthroughInitiateData,
+  IAMAuthenticationPassthroughInitiateOptions,
+  IAMAuthenticationPassthroughInitiateResult
+} from '../authenticationPassthrough';
+
+export type IAMAuthenticationPassthroughConsumerCompleteData = IAMAuthenticationPassthroughCompleteData & {
+  externalAccessToken?: string;
+  externalAccessTokenExpiresIn?: number;
+  externalIdToken?: string;
+  externalRefreshToken?: string;
+  externalRefreshTokenExpiresIn?: number;
+};
+
+export type IAMAuthenticationPassthroughConsumerCompleteOptions<Context extends object> =
+  IAMAuthenticationPassthroughCompleteOptions<Context>;
+
+export type IAMAuthenticationPassthroughConsumerCompleteResult = IAMAuthenticationPassthroughCompleteResult &
+  IAMAuthenticationConsumerCompleteResult;
+
+export type IAMAuthenticationPassthroughConsumerGetUserAuthenticationConfigResult =
+  IAMAuthenticationPassthroughGetUserAuthenticationConfigResult &
+    IAMAuthenticationConsumerGetUserAuthenticationConfigResult;
+
+export type IAMAuthenticationPassthroughConsumerInitiateData = IAMAuthenticationPassthroughInitiateData;
+
+export type IAMAuthenticationPassthroughConsumerInitiateOptions<Context extends object> =
+  IAMAuthenticationPassthroughInitiateOptions<Context>;
+
+export type IAMAuthenticationPassthroughConsumerInitiateResult = IAMAuthenticationPassthroughInitiateResult &
+  IAMAuthenticationConsumerInitiateResult;
+
+export type IAMAuthenticationPassthroughConsumerRefreshExternalAccessTokenData =
+  IAMAuthenticationRefreshExternalAccessTokenData;
+
+export type IAMAuthenticationPassthroughConsumerRefreshExternalAccessTokenResult =
+  IAMAuthenticationRefreshExternalAccessTokenResult;