@node-c/domain-iam 1.0.0-beta7 → 1.0.0-beta8

package/src/services/{userManager/iam.userManager.service.ts → authenticationManager/iam.authenticationManager.service.ts}

@@ -5,8 +5,6 @@ import {
   ConfigProviderService,
   DataDefaultData,
   DataEntityService,
-  DataFindOneOptions,
-  DomainEntityService,
   DomainEntityServiceDefaultData,
   GenericObject,
   LoggerService,
@@ -17,17 +15,16 @@ import {
 import ld from 'lodash';
 
 import {
-  IAMUserManagerCreateAccessTokenOptions,
-  IAMUserManagerCreateAccessTokenReturnData,
-  IAMUserManagerExecuteStepData,
-  IAMUserManagerExecuteStepOptions,
-  IAMUserManagerExecuteStepResult,
-  IAMUserManagerGetUserWithPermissionsDataOptions,
-  IAMUserManagerUserTokenEnityFields,
-  IAMUserManagerUserTokenUserIdentifier,
-  IAMUserManagerUserWithPermissionsData
-} from './iam.userManager.definitions';
+  IAMAuthenticationManagerAuthenticateOptions,
+  IAMAuthenticationManagerAuthenticateReturnData,
+  IAMAuthenticationManagerExecuteStepData,
+  IAMAuthenticationManagerExecuteStepOptions,
+  IAMAuthenticationManagerExecuteStepResult,
+  IAMAuthenticationManagerUserTokenEnityFields,
+  IAMAuthenticationManagerUserTokenUserIdentifier
+} from './iam.authenticationManager.definitions';
 
+import { Constants } from '../../common/definitions';
 import {
   IAMAuthenticationCompleteData,
   IAMAuthenticationCompleteOptions,
@@ -41,13 +38,14 @@ import {
   IAMAuthenticationUserLocalService
 } from '../authenticationUserLocal';
 import { IAMTokenManagerService, TokenType } from '../tokenManager';
+import { IAMUserWithPermissionsData, IAMUsersService } from '../users';
 
 // TODO: create user (signup); this should include password hashing
 // TODO: update password (incl. hashing)
 // TODO: reset password
 // TODO: periodic checking of external access tokens and their revoking
-export class IAMUserManagerService<
-  User extends object,
+export class IAMAuthenticationManagerService<
+  User extends object = object,
   Data extends DomainEntityServiceDefaultData<Partial<User>> = DomainEntityServiceDefaultData<Partial<User>>,
   DataEntityServiceData extends DataDefaultData<Partial<User>> = DataDefaultData<Partial<User>>
 > {
@@ -60,28 +58,29 @@ export class IAMUserManagerService<
     // eslint-disable-next-line no-unused-vars
     protected configProvider: ConfigProviderService,
     // eslint-disable-next-line no-unused-vars
-    protected dataUsersAuthCacheService: DataEntityService<GenericObject>,
+    protected logger: LoggerService,
+    // eslint-disable-next-line no-unused-vars
+    protected moduleName: string,
+    // eslint-disable-next-line no-unused-vars
+    protected dataUsersAuthCacheService?: DataEntityService<GenericObject>,
     // eslint-disable-next-line no-unused-vars
-    protected domainUsersEntityService: DomainEntityService<
+    public domainUsersEntityService?: IAMUsersService<
       User,
       DataEntityService<User, DataEntityServiceData>,
       Data,
       Record<string, DataEntityService<Partial<User>, DataDefaultData<object>>> | undefined
     >,
     // eslint-disable-next-line no-unused-vars
-    protected logger: LoggerService,
-    // eslint-disable-next-line no-unused-vars
-    protected moduleName: string,
-    // eslint-disable-next-line no-unused-vars
-    protected tokenManager: IAMTokenManagerService<IAMUserManagerUserTokenEnityFields>
+    protected tokenManager?: IAMTokenManagerService<IAMAuthenticationManagerUserTokenEnityFields>
   ) {}
 
+  // TODO: fix expiry vs TTL
   // TODO: clear the cache from the previous steps
   // TODO: make the issuing of local tokens work with purgeOldFromStore = false
-  async createAccessToken<AuthData = unknown>(
-    options: IAMUserManagerCreateAccessTokenOptions<AuthData>
-  ): Promise<IAMUserManagerCreateAccessTokenReturnData<User>> {
-    const { configProvider, logger, moduleName } = this;
+  async authenticate<AuthData = unknown>(
+    options: IAMAuthenticationManagerAuthenticateOptions<AuthData>
+  ): Promise<IAMAuthenticationManagerAuthenticateReturnData<User>> {
+    const { configProvider, logger, moduleName, tokenManager } = this;
     const moduleConfig = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
     const { accessTokenExpiryTimeInMinutes, defaultUserIdentifierField, refreshTokenExpiryTimeInHours } = moduleConfig;
     const {
@@ -89,16 +88,16 @@ export class IAMUserManagerService<
       rememberUser
     } = options;
     logger.info(
-      `[Domain.${moduleName}.UserManager]: Login attempt started${options.step ? ` for step ${options.step}` : ''}.`
+      `[Domain.${moduleName}.AuthenticationManager][${authType}]: Login attempt started${options.step ? ` for step ${options.step}` : ''}.`
     );
-    // 1. Make sure the auth service actually exists - local, oauth2, etc.
+    // 1. Make sure the authentication service actually exists - local, oauth2, etc.
     const authService = this.authServices[authType] as IAMAuthenticationService<object, object>;
     if (!authService) {
-      logger.info(`[Domain.${moduleName}.UserManager]: No authService ${authType} found.`);
+      logger.info(`[Domain.${moduleName}.AuthenticationManager][${authType}]: No authService ${authType} found.`);
       throw new ApplicationError('Authentication failed.');
     }
     // 2. Get the user-specific configuration from the authService.
-    const authServiceBehaviorConfig = authService.getUserCreateAccessTokenConfig();
+    const authServiceBehaviorConfig = authService.getUserAuthenticationConfig();
     let externalAccessToken: string | undefined;
     let externalRefreshToken: string | undefined;
     let issueTokens = false;
@@ -126,17 +125,27 @@ export class IAMUserManagerService<
     // 4. Run the final step, if this is the first step no mfa has been used.
     if (step === AppConfigDomainIAMAuthenticationStep.Initiate && !stepResult.mfaUsed) {
       issueTokens = true;
-      step = AppConfigDomainIAMAuthenticationStep.Complete;
-      stepConfig = authServiceBehaviorConfig[step];
-      const finalStepData = await this.executeStep(options, {
-        authService,
-        name: step,
-        stepConfig: ld.omit(stepConfig, 'cache')
-      });
-      stepResult = finalStepData.stepResult;
-      user = user ?? finalStepData.user;
-      userFilterField = finalStepData.userFilterField;
-      userFilterValue = finalStepData.userFilterValue;
+      // check whether skipping the complete step if mfaUsed is allowed and run the complete step if it isn't
+      if (!('skipCompleteStepAllowedOnNoMFA' in stepConfig && stepConfig.skipCompleteStepAllowedOnNoMFA)) {
+        step = AppConfigDomainIAMAuthenticationStep.Complete;
+        stepConfig = authServiceBehaviorConfig[step];
+        const finalStepData = await this.executeStep(options, {
+          authService,
+          name: step,
+          stepConfig: ld.omit(stepConfig, 'cache')
+        });
+        stepResult = ld.merge(ld.omit(stepResult, ['mfaUsed', 'mfaValid', 'valid']), finalStepData.stepResult);
+        user = user ?? finalStepData.user;
+        userFilterField = finalStepData.userFilterField;
+        userFilterValue = finalStepData.userFilterValue;
+      } else {
+        if ('userFilterField' in stepResult) {
+          userFilterField = stepResult.userFilterField as string;
+        }
+        if ('userFilterValue' in stepResult) {
+          userFilterValue = stepResult.userFilterValue as string;
+        }
+      }
     }
     // 5. Process the external access, refresh and, optionally, id tokens that are returned by the step execution.
     const actualStepResult = stepResult as
@@ -152,7 +161,7 @@ export class IAMUserManagerService<
       // Make sure we have an accessToken in the response and set the access and refresh tokens in variables for later use.
       if (!actualStepResult.accessToken) {
         logger.info(
-          `[Domain.${moduleName}.UserManager]: Login attempt failed for ${userFilterField} ${userFilterValue} - no accessToken returned from the authService and useReturnedTokens is set to true.`
+          `[Domain.${moduleName}.AuthenticationManager][${authType}]: Login attempt failed for ${userFilterField} ${userFilterValue} - no accessToken returned from the authService and useReturnedTokens is set to true.`
         );
         throw new ApplicationError('Authentication failed.');
       }
@@ -163,39 +172,61 @@ export class IAMUserManagerService<
     }
     // 6. Token management. In this case, we will definitely have the user, or will be force to create it.
     if (issueTokens) {
+      if (!tokenManager) {
+        throw new ApplicationError(`[${moduleName}][AuthenticationManager] tokenManager not configured.`);
+      }
       if (!user) {
         logger.info(
-          `[Domain.${moduleName}.UserManager]: Login attempt failed at step ${step} - user is required when issueTokens is set to true.`
+          `[Domain.${moduleName}.AuthenticationManager][${authType}]: Login attempt failed at step ${step} - user is required when issueTokens is set to true.`
         );
         throw new ApplicationError('Authentication failed.');
       }
+      const useExternalTokenAsLocal = 'useReturnedTokensAsLocal' in stepConfig && stepConfig.useReturnedTokensAsLocal;
+      const userIdentifierValue = user[defaultUserIdentifierField as keyof User];
       let refreshToken: string | undefined;
+      let refreshTokenExpiresIn: number | undefined;
+      let refreshTokenTTL: number | undefined;
       // 6.1. Create a local refresh token and save it. The payload contains the external refresh token, if it exists.
-      const userIdentifierValue = user[defaultUserIdentifierField as keyof User];
       if (externalRefreshToken || !externalAccessToken) {
+        let externalTokenData: GenericObject = {};
+        if (
+          externalRefreshToken &&
+          'refreshTokenExpiresIn' in actualStepResult &&
+          actualStepResult.refreshTokenExpiresIn
+        ) {
+          externalTokenData = {
+            externalToken: externalRefreshToken,
+            externalTokenAuthService: authType as IAMAuthenticationType
+          };
+          refreshTokenExpiresIn = actualStepResult.refreshTokenExpiresIn;
+        } else if (!rememberUser) {
+          refreshTokenExpiresIn =
+            (refreshTokenExpiryTimeInHours
+              ? refreshTokenExpiryTimeInHours
+              : Constants.DEFAULT_REFRESH_TOKEN_EXPIRY_TIME_IN_HOURS) * 60;
+        }
+        if (refreshTokenExpiresIn) {
+          refreshTokenTTL =
+            refreshTokenExpiresIn *
+            (moduleConfig.refreshTokenExpiryStorageTTLMultiplier ||
+              Constants.DEFAULT_REFRESH_TOKEN_STORAGE_TTL_MULTIPLIER);
+        }
         const {
           result: { token: localRefreshToken }
-        } = await this.tokenManager.create(
+        } = await tokenManager.create(
           {
             type: TokenType.Refresh,
-            [IAMUserManagerUserTokenUserIdentifier.FieldName]: userIdentifierValue,
-            ...(externalRefreshToken
-              ? {
-                  externalToken: externalRefreshToken,
-                  externalTokenAuthService: authType as IAMAuthenticationType
-                }
-              : {})
+            [IAMAuthenticationManagerUserTokenUserIdentifier.FieldName]: userIdentifierValue,
+            ...externalTokenData
           },
           {
-            expiresInMinutes:
-              (externalRefreshToken &&
-                'refreshTokenExpiresIn' in actualStepResult &&
-                actualStepResult.refreshTokenExpiresIn) ||
-              (rememberUser || !refreshTokenExpiryTimeInHours ? undefined : refreshTokenExpiryTimeInHours * 60),
-            identifierDataField: IAMUserManagerUserTokenUserIdentifier.FieldName,
+            expiresInMinutes: refreshTokenExpiresIn,
+            identifierDataField: IAMAuthenticationManagerUserTokenUserIdentifier.FieldName,
             persist: true,
             purgeOldFromData: true,
-            tokenContentOnlyFields: ['externalToken']
+            tokenContentOnlyFields: ['externalToken'],
+            ttl: refreshTokenTTL,
+            useExternalTokenAsLocal
           }
         );
         refreshToken = localRefreshToken;
@@ -203,14 +234,19 @@ export class IAMUserManagerService<
       // 6.2. Create a local access token and save it. The payload contains the external access token, if it exists.
       const accessTokenExpiresIn =
         (externalAccessToken && 'accessTokenExpiresIn' in actualStepResult && actualStepResult.accessTokenExpiresIn) ||
-        accessTokenExpiryTimeInMinutes;
+        accessTokenExpiryTimeInMinutes ||
+        Constants.DEFAULT_ACCESS_TOKEN_EXPIRY_TIME_IN_HOURS;
+      const accessTokenTTL =
+        refreshTokenExpiresIn ||
+        accessTokenExpiresIn *
+          (moduleConfig.accessTokenExpiryStorageTTLMultiplier || Constants.DEFAULT_ACCESS_TOKEN_STORAGE_TTL_MULTIPLIER);
       const {
         result: { token: accessToken }
-      } = await this.tokenManager.create(
+      } = await tokenManager.create(
         {
           refreshToken,
           type: TokenType.Access,
-          [IAMUserManagerUserTokenUserIdentifier.FieldName]: userIdentifierValue,
+          [IAMAuthenticationManagerUserTokenUserIdentifier.FieldName]: userIdentifierValue,
           ...(externalAccessToken
             ? {
                 externalToken: externalAccessToken,
@@ -220,42 +256,46 @@ export class IAMUserManagerService<
         },
         {
           expiresInMinutes: accessTokenExpiresIn,
-          identifierDataField: IAMUserManagerUserTokenUserIdentifier.FieldName,
+          identifierDataField: IAMAuthenticationManagerUserTokenUserIdentifier.FieldName,
           persist: true,
           purgeOldFromData: true,
-          tokenContentOnlyFields: ['externalToken', 'refreshToken']
+          tokenContentOnlyFields: ['externalToken', 'refreshToken'],
+          ttl: accessTokenTTL,
+          useExternalTokenAsLocal
         }
       );
       // 6.3. Create an idToken. The payload contains the user with permissions data
       const {
         result: { token: idToken }
-      } = await this.tokenManager.create(
+      } = await tokenManager.create(
         {
           accessToken,
           type: TokenType.Id,
           user,
-          [IAMUserManagerUserTokenUserIdentifier.FieldName]: userIdentifierValue
+          [IAMAuthenticationManagerUserTokenUserIdentifier.FieldName]: userIdentifierValue
         },
         {
           expiresInMinutes: accessTokenExpiresIn,
-          identifierDataField: IAMUserManagerUserTokenUserIdentifier.FieldName,
+          identifierDataField: IAMAuthenticationManagerUserTokenUserIdentifier.FieldName,
           persist: true,
           purgeOldFromData: true,
-          tokenContentOnlyFields: ['accessToken', 'user']
+          tokenContentOnlyFields: ['accessToken', 'user'],
+          ttl: accessTokenTTL
         }
       );
       logger.info(
-        `[Domain.${moduleName}.UserManager]: Login attempt successful for ${userFilterField} ${userFilterValue}.`
+        `[Domain.${moduleName}.AuthenticationManager][${authType}]: Login attempt successful for ${userFilterField} ${userFilterValue}.`
       );
       return { accessToken, idToken, refreshToken, user };
     }
-    const returnData: IAMUserManagerCreateAccessTokenReturnData<User> = { nextStepsRequired: true };
+    const returnData: IAMAuthenticationManagerAuthenticateReturnData<User> = { nextStepsRequired: true };
     if (stepConfig.stepResultPublicFields?.length) {
       stepConfig.stepResultPublicFields.forEach(fieldName => {
         setNested(
           returnData,
           fieldName,
-          getNested(stepResult, fieldName, { removeNestedFieldEscapeSign: true }).unifiedValue
+          getNested(stepResult, fieldName, { removeNestedFieldEscapeSign: true }).unifiedValue,
+          { removeNestedFieldEscapeSign: true }
         );
       });
     }
@@ -263,28 +303,29 @@ export class IAMUserManagerService<
   }
 
   private async executeStep<AuthData>(
-    data: IAMUserManagerExecuteStepData<AuthData>,
-    options: IAMUserManagerExecuteStepOptions<User>
-  ): Promise<IAMUserManagerExecuteStepResult<User>> {
-    const { configProvider, domainUsersEntityService, logger, moduleName } = this;
+    data: IAMAuthenticationManagerExecuteStepData<AuthData>,
+    options: IAMAuthenticationManagerExecuteStepOptions<User>
+  ): Promise<IAMAuthenticationManagerExecuteStepResult<User>> {
+    const { configProvider, dataUsersAuthCacheService, domainUsersEntityService, logger, moduleName } = this;
     const { defaultUserIdentifierField } = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
     const {
-      // eslint-disable-next-line no-unused-vars, @typescript-eslint/no-unused-vars
-      auth: { type: _authType, ...authData },
+      auth: { type: authType, ...authData },
       filters: userFilters,
       mainFilterField
     } = data;
     const { authService, stepConfig, name: stepName } = options;
     const { cache: cacheSettings, findUser, findUserBeforeAuth, validWithoutUser } = stepConfig;
     const hasFilters = userFilters && Object.keys(userFilters).length;
+    const logPrefix = `[Domain.${moduleName}.AuthenticationManager][executeStep][${authType}][${stepName}]`;
     const stepInputData: { data: unknown; options?: unknown } = { data: ld.cloneDeep(authData) };
-    let user: IAMUserManagerUserWithPermissionsData<User, unknown> | null = null;
+    let runFindUserInExternalTokenPayloads = false;
+    let user: IAMUserWithPermissionsData<User, unknown> | null = null;
     let userFilterField: string | undefined;
     let userFilterValue: unknown | undefined;
     // 1. Find the user based on the provided filters, if enabled.
     if (findUser && findUserBeforeAuth) {
       if (!hasFilters) {
-        logger.info(`[Domain.${moduleName}.UserManager]: No filters provided for findUserBeforeToken=true.`);
+        logger.info(`${logPrefix}[Part 1]: No filters provided for findUserBeforeToken=true.`);
         throw new ApplicationError('Authentication failed.');
       }
       userFilterField = mainFilterField;
@@ -292,22 +333,33 @@ export class IAMUserManagerService<
       user = await this.getUserForStepExecution({ filters: userFilters, mainFilterField: userFilterField });
       if (!user) {
         logger.info(
-          `[Domain.${moduleName}.UserManager]: Login attempt failed for ${userFilterField} ${userFilterValue} - user not found.`
+          `${logPrefix}[Part 1]: Login attempt failed for ${userFilterField} ${userFilterValue} - user not found.`
         );
         throw new ApplicationError('Authentication failed.');
       }
     }
-    stepInputData.options = {
-      context: user || ({} as IAMUserManagerUserWithPermissionsData<User, unknown>),
-      contextIdentifierField: defaultUserIdentifierField
-    };
-    // 2. Restore the cache, if configured
+    if (user) {
+      stepInputData.options = {
+        context: user,
+        contextIdentifierField: defaultUserIdentifierField
+      };
+    } else if (userFilters) {
+      stepInputData.options = {
+        context: userFilters,
+        contextIdentifierField: mainFilterField
+      };
+    }
+    // 2. Restore the cache, if configured.
     if (cacheSettings && 'use' in cacheSettings && cacheSettings.use) {
+      if (!dataUsersAuthCacheService) {
+        logger.info(`${logPrefix}[Part 2]: dataUsersAuthCacheService not configured.`);
+        throw new ApplicationError('Authentication failed.');
+      }
       const cacheInput: { data: unknown; options: unknown } = {
         data: stepInputData.data,
         options: stepInputData.options
       };
-      const cacheResult = await this.dataUsersAuthCacheService.findOne({
+      const cacheResult = await dataUsersAuthCacheService.findOne({
         filters: {
           [cacheSettings.settings.cacheFieldName]: getNested(cacheInput, cacheSettings.settings.inputFieldName)
             .unifiedValue
@@ -336,11 +388,14 @@ export class IAMUserManagerService<
       stepInputData.options as IAMAuthenticationCompleteOptions<User>
     );
     // 4. Process the step result
-    if (!stepResult.valid || (stepResult.mfaUsed && !stepResult.mfaValid)) {
-      logger.info(`[Domain.${moduleName}.UserManager]: Bad step result:`, stepResult);
+    if (
+      (!stepResult.valid && !(stepResult as unknown as { nextStepsRequired: boolean }).nextStepsRequired) ||
+      (stepResult.mfaUsed && !stepResult.mfaValid)
+    ) {
+      logger.info(`${logPrefix}[Part 4]: Bad step result:`, stepResult);
       throw new ApplicationError('Authentication failed.');
     }
-    // 5. If the step returns tokens and decoding is enabled, decode the reutrned tokens for payloads
+    // 5. If the step returns tokens and decoding is enabled, decode the reutrned tokens for payloads.
     if ('decodeReturnedTokens' in stepConfig && stepConfig.decodeReturnedTokens) {
       const tokensForDecoding: Record<string, string> = {};
       const tokenKeys = ['accessToken', 'idToken', 'refreshToken'];
@@ -354,7 +409,7 @@ export class IAMUserManagerService<
       const externalTokenPayloads = await authService.getPayloadsFromExternalTokens(tokensForDecoding);
       stepResult = { ...stepResult, ...externalTokenPayloads };
     }
-    // 6. Find the user based on either the provided filters, or on the stepResult data, if enabled
+    // 6. Find the user based on either the provided filters, or on the stepResult data, if enabled.
     if (findUser && !findUserBeforeAuth) {
       if ('findUserInAuthResultBy' in stepConfig && stepConfig.findUserInAuthResultBy) {
         const { userFieldName, resultFieldName } = stepConfig.findUserInAuthResultBy;
@@ -371,6 +426,8 @@ export class IAMUserManagerService<
             mainFilterField: userFieldName
           });
         }
+      } else if ('findUserInExternalTokenPayloads' in stepConfig && stepConfig.findUserInExternalTokenPayloads) {
+        runFindUserInExternalTokenPayloads = true;
       } else if (hasFilters) {
         userFilterField = mainFilterField;
         userFilterValue = userFilters[userFilterField];
@@ -381,13 +438,18 @@ export class IAMUserManagerService<
       }
     }
     // 7. Create a user using the data from the tokens returned by the step execution, if enabled and there is no user found.
-    if (!user && 'createUser' in stepConfig && stepConfig.createUser) {
+    const createUser = 'createUser' in stepConfig && stepConfig.createUser;
+    if (!user && (createUser || runFindUserInExternalTokenPayloads)) {
       const userData = await authService.getUserDataFromExternalTokenPayloads(
         stepResult as IAMAuthenticationGetUserDataFromExternalTokenPayloadsData
       );
-      if (userData) {
+      if (createUser && userData) {
+        if (!domainUsersEntityService) {
+          logger.info(`${logPrefix}[Part 7]: domainUsersEntityService not configured.`);
+          throw new ApplicationError('Authentication failed.');
+        }
         const { result: createdUser } = await domainUsersEntityService.create(userData as unknown as Data['Create']);
-        user = await this.getUserWithPermissionsData(
+        user = await domainUsersEntityService.getUserWithPermissionsData(
           {
             filters: {
               [defaultUserIdentifierField]: createdUser[defaultUserIdentifierField as keyof typeof createdUser]
@@ -395,11 +457,13 @@ export class IAMUserManagerService<
           },
           { keepPassword: false }
         );
+      } else if (runFindUserInExternalTokenPayloads) {
+        user = userData as unknown as IAMUserWithPermissionsData<User, unknown>;
       }
     }
     if (validWithoutUser !== true && !user) {
       logger.info(
-        `[Domain.${moduleName}.UserManager]: Login attempt failed ${userFilterField && userFilterValue ? `for ${userFilterField} ${userFilterValue} ` : ''}- user not found.`
+        `${logPrefix}[Part 7]: Login attempt failed ${userFilterField && userFilterValue ? `for ${userFilterField} ${userFilterValue} ` : ''}- user not found.`
       );
       throw new ApplicationError('Authentication failed.');
     }
@@ -407,7 +471,11 @@ export class IAMUserManagerService<
       delete user.password;
     }
     // 8. Populate the cache, if configured
-    if (stepResult.mfaUsed && cacheSettings && 'populate' in cacheSettings && cacheSettings.populate) {
+    if (cacheSettings && 'populate' in cacheSettings && cacheSettings.populate) {
+      if (!dataUsersAuthCacheService) {
+        logger.info(`${logPrefix}[Part 7]: dataUsersAuthCacheService not configured.`);
+        throw new ApplicationError('Authentication failed.');
+      }
       const cacheInput: GenericObject = {
         data: stepInputData.data,
         options: stepInputData.options,
@@ -431,7 +499,7 @@ export class IAMUserManagerService<
         }
         cacheData[inputName] = cacheInput[inputName];
       }
-      await this.dataUsersAuthCacheService.create({
+      await dataUsersAuthCacheService.create({
         ...cacheData,
         [cacheSettings.settings.cacheFieldName]: getNested(cacheInput, cacheSettings.settings.inputFieldName)
           .unifiedValue
@@ -443,14 +511,20 @@ export class IAMUserManagerService<
   protected async getUserForStepExecution(options: {
     filters: GenericObject;
     mainFilterField: string;
-  }): Promise<IAMUserManagerUserWithPermissionsData<User, unknown> | null> {
-    const { configProvider, moduleName } = this;
+  }): Promise<IAMUserWithPermissionsData<User, unknown> | null> {
+    const { configProvider, domainUsersEntityService, moduleName } = this;
+    if (!domainUsersEntityService) {
+      throw new ApplicationError(`[${moduleName}][AuthenticationManager] domainUsersEntityService not configured.`);
+    }
     const { defaultUserIdentifierField } = configProvider.config.domain[moduleName] as AppConfigDomainIAM;
     const { mainFilterField } = options;
     let filters: GenericObject = options.filters;
-    let user: IAMUserManagerUserWithPermissionsData<User, unknown> | null = null;
+    let user: IAMUserWithPermissionsData<User, unknown> | null = null;
     if (mainFilterField !== defaultUserIdentifierField) {
-      const mainFilterFieldResult = await this.domainUsersEntityService.findOne({ filters });
+      // Allow search by an extended range of filters, directly in the database.
+      // This is needed because getUserWithPermissionsData will usually query the cache, where a
+      // prmary key filter is mandatory.
+      const mainFilterFieldResult = await domainUsersEntityService.findOne({ filters });
       if (!mainFilterFieldResult.result) {
         return null;
       }
@@ -461,18 +535,7 @@ export class IAMUserManagerService<
     } else {
       filters = options.filters;
     }
-    user = await this.getUserWithPermissionsData({ filters }, { keepPassword: true });
+    user = await domainUsersEntityService.getUserWithPermissionsData({ filters }, { keepPassword: true });
     return user;
   }
-
-  async getUserWithPermissionsData(
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    _options: DataFindOneOptions,
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    _privateOptions?: IAMUserManagerGetUserWithPermissionsDataOptions
-  ): Promise<IAMUserManagerUserWithPermissionsData<User, unknown> | null> {
-    throw new ApplicationError(
-      `Method ${this.moduleName}.IAMUserManagerService.getUserWithPermissionsData not implemented.`
-    );
-  }
 }

package/src/services/authenticationManager/index.ts

@@ -0,0 +1,2 @@
+export * from './iam.authenticationManager.definitions';
+export * from './iam.authenticationManager.service';

package/src/services/authenticationOAuth2/iam.authenticationOAuth2.definitions.ts

@@ -4,7 +4,7 @@ import {
   IAMAuthenticationCompleteResult,
   IAMAuthenticationGetPayloadsFromExternalTokensData,
   IAMAuthenticationGetPayloadsFromExternalTokensResult,
-  IAMAuthenticationGetUserCreateAccessTokenConfigResult,
+  IAMAuthenticationGetUserAuthenticationConfigResult,
   IAMAuthenticationInitiateData,
   IAMAuthenticationInitiateOptions,
   IAMAuthenticationInitiateResult,
@@ -24,6 +24,7 @@ export interface IAMAuthenticationOAuth2AccessTokenProviderResponseData {
 export interface IAMAuthenticationOAuth2CompleteData extends IAMAuthenticationCompleteData {
   code: string;
   codeVerifier: string;
+  redirectUri?: string;
   state: string;
 }
 
@@ -40,10 +41,11 @@ export type IAMAuthenticationOAuth2GetPayloadsFromExternalTokensData =
 export type IAMAuthenticationOAuth2GetPayloadsFromExternalTokensResult =
   IAMAuthenticationGetPayloadsFromExternalTokensResult;
 
-export type IAMAuthenticationOAuth2GetUserCreateAccessTokenConfigResult =
-  IAMAuthenticationGetUserCreateAccessTokenConfigResult;
+export type IAMAuthenticationOAuth2GetUserAuthenticationConfigResult =
+  IAMAuthenticationGetUserAuthenticationConfigResult;
 
 export interface IAMAuthenticationOAuth2InitiateData extends IAMAuthenticationInitiateData {
+  redirectUri?: string;
   scope?: string;
 }
 
@@ -60,6 +62,7 @@ export interface IAMAuthenticationOAuth2InitiateResult extends IAMAuthentication
   codeVerifier?: string;
   nonce?: string;
   state: string;
+  redirectUri: string;
 }
 
 export type IAMAuthenticationOAuth2VerifyExternalAccessTokenData = Pick<