@opengovsg/mockpass 3.0.3 → 3.1.0

package/README.md

@@ -17,14 +17,26 @@ A mock SingPass/CorpPass/MyInfo server for dev purposes
 
 Configure your application to point to the following endpoints:
 
-SingPass:
+SingPass (v1 - Singpass OIDC):
  - http://localhost:5156/singpass/authorize - OIDC login redirect with optional page
  - http://localhost:5156/singpass/token - receives OIDC authorization code and returns id_token
 
-CorpPass:
+SingPass (v2 - NDI OIDC):
+ - http://localhost:5156/singpass/v2/authorize - OIDC login redirect with optional page
+ - http://localhost:5156/singpass/v2/token - receives OIDC authorization code and returns id_token
+ - http://localhost:5156/singpass/v2/.well-known/openid-configuration - OpenID discovery endpoint
+ - http://localhost:5156/singpass/v2/.well-known/keys - JWKS endpoint which exposes the auth provider's signing keys
+
+CorpPass (v1 - Corppass OIDC):
  - http://localhost:5156/corppass/authorize - OIDC login redirect with optional page
  - http://localhost:5156/corppass/token - receives OIDC authorization code and returns id_token
 
+CorpPass (v2 - Corppass OIDC):
+ - http://localhost:5156/corppass/v2/authorize - OIDC login redirect with optional page
+ - http://localhost:5156/corppass/v2/token - receives OIDC authorization code and returns id_token
+ - http://localhost:5156/corppass/v2/.well-known/openid-configuration - OpenID discovery endpoint
+ - http://localhost:5156/corppass/v2/.well-known/keys - JWKS endpoint which exposes the auth provider's signing keys
+
 MyInfo:
  - http://localhost:5156/myinfo/v3/person-basic (exclusive to government systems)
  - http://localhost:5156/myinfo/v3/authorise
@@ -42,6 +54,11 @@ and with application certs at `static/certs/{key.pem|server.crt}`
 Alternatively, provide the paths to your app cert as env vars
 `SERVICE_PROVIDER_CERT_PATH` and `SERVICE_PROVIDER_PUB_KEY`
 
+If you are integrating with Singpass NDI OIDC and/or Corppass v2 OIDC, you should 
+provide your well-known key endpoints as env vars `SP_RP_JWKS_ENDPOINT` and/or
+`CP_RP_JWKS_ENDPOINT` respectively. Alternatively, provide your application with
+the `oidc-v2-rp-*.json` JWKS.
+
 ```
 $ npm install @opengovsg/mockpass
 

package/index.js

@@ -5,7 +5,12 @@ const morgan = require('morgan')
 const path = require('path')
 require('dotenv').config()
 
-const { configOIDC, configMyInfo, configSGID } = require('./lib/express')
+const {
+  configOIDC,
+  configOIDCv2,
+  configMyInfo,
+  configSGID,
+} = require('./lib/express')
 
 const PORT = process.env.MOCKPASS_PORT || process.env.PORT || 5156
 
@@ -44,6 +49,7 @@ const app = express()
 app.use(morgan('combined'))
 
 configOIDC(app, options)
+configOIDCv2(app, options)
 configSGID(app, options)
 
 configMyInfo.consent(app)

package/lib/express/index.js

@@ -1,5 +1,5 @@
 module.exports = {
-  configOIDC: require('./oidc'),
+  ...require('./oidc'),
   configMyInfo: require('./myinfo'),
   configSGID: require('./sgid'),
 }

package/lib/express/oidc/index.js

@@ -0,0 +1,4 @@
+module.exports = {
+  configOIDC: require('./spcp'),
+  configOIDCv2: require('./v2-ndi'),
+}

package/lib/express/{oidc.js → oidc/spcp.js}

@@ -5,55 +5,25 @@ const jose = require('node-jose')
 const path = require('path')
 const ExpiryMap = require('expiry-map')
 
-const assertions = require('../assertions')
-const { generateAuthCode, lookUpByAuthCode } = require('../auth-code')
+const assertions = require('../../assertions')
+const { generateAuthCode, lookUpByAuthCode } = require('../../auth-code')
+const {
+  buildAssertURL,
+  idGenerator,
+  customProfileFromHeaders,
+} = require('./utils')
 
 const LOGIN_TEMPLATE = fs.readFileSync(
-  path.resolve(__dirname, '../../static/html/login-page.html'),
+  path.resolve(__dirname, '../../../static/html/login-page.html'),
   'utf8',
 )
 const REFRESH_TOKEN_TIMEOUT = 24 * 60 * 60 * 1000
 const profileStore = new ExpiryMap(REFRESH_TOKEN_TIMEOUT)
 
 const signingPem = fs.readFileSync(
-  path.resolve(__dirname, '../../static/certs/spcp-key.pem'),
+  path.resolve(__dirname, '../../../static/certs/spcp-key.pem'),
 )
 
-const buildAssertURL = (redirectURI, authCode, state) =>
-  `${redirectURI}?code=${encodeURIComponent(
-    authCode,
-  )}&state=${encodeURIComponent(state)}`
-
-const idGenerator = {
-  singPass: ({ nric }) =>
-    assertions.myinfo.v3.personas[nric] ? `${nric} [MyInfo]` : nric,
-  corpPass: ({ nric, uen }) => `${nric} / UEN: ${uen}`,
-}
-
-const customProfileFromHeaders = {
-  singPass: (req) => {
-    const customNricHeader = req.header('X-Custom-NRIC')
-    const customUuidHeader = req.header('X-Custom-UUID')
-    if (!customNricHeader || !customUuidHeader) {
-      return false
-    }
-    return { nric: customNricHeader, uuid: customUuidHeader }
-  },
-  corpPass: (req) => {
-    const customNricHeader = req.header('X-Custom-NRIC')
-    const customUuidHeader = req.header('X-Custom-UUID')
-    const customUenHeader = req.header('X-Custom-UEN')
-    if (!customNricHeader || !customUuidHeader || !customUenHeader) {
-      return false
-    }
-    return {
-      nric: customNricHeader,
-      uuid: customUuidHeader,
-      uen: customUenHeader,
-    }
-  },
-}
-
 function config(app, { showLoginPage, serviceProvider }) {
   for (const idp of ['singPass', 'corpPass']) {
     const profiles = assertions.oidc[idp]

package/lib/express/oidc/utils.js

@@ -0,0 +1,42 @@
+const assertions = require('../../assertions')
+
+const buildAssertURL = (redirectURI, authCode, state) =>
+  `${redirectURI}?code=${encodeURIComponent(
+    authCode,
+  )}&state=${encodeURIComponent(state)}`
+
+const idGenerator = {
+  singPass: ({ nric }) =>
+    assertions.myinfo.v3.personas[nric] ? `${nric} [MyInfo]` : nric,
+  corpPass: ({ nric, uen }) => `${nric} / UEN: ${uen}`,
+}
+
+const customProfileFromHeaders = {
+  singPass: (req) => {
+    const customNricHeader = req.header('X-Custom-NRIC')
+    const customUuidHeader = req.header('X-Custom-UUID')
+    if (!customNricHeader || !customUuidHeader) {
+      return false
+    }
+    return { nric: customNricHeader, uuid: customUuidHeader }
+  },
+  corpPass: (req) => {
+    const customNricHeader = req.header('X-Custom-NRIC')
+    const customUuidHeader = req.header('X-Custom-UUID')
+    const customUenHeader = req.header('X-Custom-UEN')
+    if (!customNricHeader || !customUuidHeader || !customUenHeader) {
+      return false
+    }
+    return {
+      nric: customNricHeader,
+      uuid: customUuidHeader,
+      uen: customUenHeader,
+    }
+  },
+}
+
+module.exports = {
+  buildAssertURL,
+  idGenerator,
+  customProfileFromHeaders,
+}

package/lib/express/oidc/v2-ndi.js

@@ -0,0 +1,332 @@
+// This file implements NDI OIDC for Singpass authentication and Corppass OIDC
+// for Corppass authentication.
+
+const express = require('express')
+const fs = require('fs')
+const { render } = require('mustache')
+const jose = require('node-jose')
+const path = require('path')
+
+const assertions = require('../../assertions')
+const { generateAuthCode, lookUpByAuthCode } = require('../../auth-code')
+const {
+  buildAssertURL,
+  idGenerator,
+  customProfileFromHeaders,
+} = require('./utils')
+
+const LOGIN_TEMPLATE = fs.readFileSync(
+  path.resolve(__dirname, '../../../static/html/login-page.html'),
+  'utf8',
+)
+
+const aspPublic = fs.readFileSync(
+  path.resolve(__dirname, '../../../static/certs/oidc-v2-asp-public.json'),
+)
+
+const aspSecret = fs.readFileSync(
+  path.resolve(__dirname, '../../../static/certs/oidc-v2-asp-secret.json'),
+)
+
+const rpPublic = fs.readFileSync(
+  path.resolve(__dirname, '../../../static/certs/oidc-v2-rp-public.json'),
+)
+
+function config(app, { showLoginPage }) {
+  for (const idp of ['singPass', 'corpPass']) {
+    const profiles = assertions.oidc[idp]
+    const defaultProfile =
+      profiles.find((p) => p.nric === process.env.MOCKPASS_NRIC) || profiles[0]
+
+    app.get(`/${idp.toLowerCase()}/v2/authorize`, (req, res) => {
+      const {
+        scope,
+        response_type,
+        client_id,
+        redirect_uri: redirectURI,
+        state,
+        nonce,
+      } = req.query
+
+      if (scope !== 'openid') {
+        return res.status(400).send(`Unknown scope ${scope}`)
+      }
+      if (response_type !== 'code') {
+        return res.status(400).send(`Unknown response_type ${response_type}`)
+      }
+      if (!client_id) {
+        return res.status(400).send('Missing client_id')
+      }
+      if (!redirectURI) {
+        return res.status(400).send('Missing redirect_uri')
+      }
+      if (!nonce) {
+        return res.status(400).send('Missing nonce')
+      }
+      if (!state) {
+        return res.status(400).send('Missing state')
+      }
+
+      // Identical to OIDC v1
+      if (showLoginPage(req)) {
+        const values = profiles.map((profile) => {
+          const authCode = generateAuthCode({ profile, nonce })
+          const assertURL = buildAssertURL(redirectURI, authCode, state)
+          const id = idGenerator[idp](profile)
+          return { id, assertURL }
+        })
+        const response = render(LOGIN_TEMPLATE, {
+          values,
+          customProfileConfig: {
+            endpoint: `/${idp.toLowerCase()}/v2/authorize/custom-profile`,
+            showUuid: true,
+            showUen: idp === 'corpPass',
+            redirectURI,
+            state,
+            nonce,
+          },
+        })
+        res.send(response)
+      } else {
+        const profile = customProfileFromHeaders[idp](req) || defaultProfile
+        const authCode = generateAuthCode({ profile, nonce })
+        const assertURL = buildAssertURL(redirectURI, authCode, state)
+        console.warn(
+          `Redirecting login from ${req.query.client_id} to ${redirectURI}`,
+        )
+        res.redirect(assertURL)
+      }
+    })
+
+    app.get(`/${idp.toLowerCase()}/v2/authorize/custom-profile`, (req, res) => {
+      const { nric, uuid, uen, redirectURI, state, nonce } = req.query
+
+      const profile = { nric, uuid }
+      if (idp === 'corpPass') {
+        profile.name = `Name of ${nric}`
+        profile.isSingPassHolder = false
+        profile.uen = uen
+      }
+
+      const authCode = generateAuthCode({ profile, nonce })
+      const assertURL = buildAssertURL(redirectURI, authCode, state)
+      res.redirect(assertURL)
+    })
+
+    app.post(
+      `/${idp.toLowerCase()}/v2/token`,
+      express.urlencoded({ extended: false }),
+      async (req, res) => {
+        const {
+          client_id,
+          redirect_uri: redirectURI,
+          grant_type,
+          code: authCode,
+          client_assertion_type,
+          client_assertion: clientAssertion,
+        } = req.body
+
+        // Only SP requires client_id
+        if (idp === 'singPass' && !client_id) {
+          return res.status(400).send('Missing client_id')
+        }
+        if (!redirectURI) {
+          return res.status(400).send('Missing redirect_uri')
+        }
+        if (grant_type !== 'authorization_code') {
+          return res.status(400).send(`Unknown grant_type ${grant_type}`)
+        }
+        if (!authCode) {
+          return res.status(400).send('Missing code')
+        }
+        if (
+          client_assertion_type !==
+          'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
+        ) {
+          return res
+            .status(400)
+            .send(`Unknown client_assertion_type ${client_assertion_type}`)
+        }
+        if (!clientAssertion) {
+          return res.status(400).send('Missing client_assertion')
+        }
+
+        // Step 0: Get the RP keyset
+        const rpJwksEndpoint =
+          idp === 'singPass'
+            ? process.env.SP_RP_JWKS_ENDPOINT
+            : process.env.CP_RP_JWKS_ENDPOINT
+
+        let rpKeysetString
+
+        if (rpJwksEndpoint) {
+          try {
+            rpKeysetString = await fetch(rpJwksEndpoint, {
+              method: 'GET',
+            }).then((response) => response.text())
+          } catch (e) {
+            return res
+              .status(400)
+              .send(
+                `Failed to fetch RP JWKS from specified endpoint: ${e.message}`,
+              )
+          }
+        } else {
+          // If the endpoint is not defined, default to the sample keyset we provided.
+          rpKeysetString = rpPublic
+        }
+
+        let rpKeysetJson
+        try {
+          rpKeysetJson = JSON.parse(rpKeysetString)
+        } catch (e) {
+          return res.status(400).send(`Unable to parse RP keyset: ${e.message}`)
+        }
+
+        const rpKeyset = await jose.JWK.asKeyStore(rpKeysetJson)
+
+        // Step 0.5: Verify client assertion with RP signing key
+        let clientAssertionVerified
+        try {
+          clientAssertionVerified = await jose.JWS.createVerify(
+            rpKeyset,
+          ).verify(clientAssertion)
+        } catch (e) {
+          return res
+            .status(400)
+            .send(`Unable to verify client_assertion: ${e.message}`)
+        }
+
+        let clientAssertionClaims
+        try {
+          clientAssertionClaims = JSON.parse(clientAssertionVerified.payload)
+        } catch (e) {
+          return res
+            .status(400)
+            .send(`Unable to parse client_assertion: ${e.message}`)
+        }
+
+        if (idp === 'singPass') {
+          if (clientAssertionClaims['sub'] !== client_id) {
+            return res
+              .status(400)
+              .send('Incorrect sub in client_assertion claims')
+          }
+        } else {
+          // Since client_id is not given for corpPass, sub claim is required in
+          // order to get aud for id_token.
+          if (!clientAssertionClaims['sub']) {
+            return res
+              .status(400)
+              .send('Missing sub in client_assertion claims')
+          }
+        }
+
+        // According to OIDC spec, asp must check the aud claim.
+        const iss = `${req.protocol}://${req.get(
+          'host',
+        )}/${idp.toLowerCase()}/v2`
+
+        if (clientAssertionClaims['aud'] !== iss) {
+          return res
+            .status(400)
+            .send('Incorrect aud in client_assertion claims')
+        }
+
+        // Step 1: Obtain profile for which the auth code requested data for
+        const { profile, nonce } = lookUpByAuthCode(authCode)
+
+        // Step 2: Get ID token
+        const aud = clientAssertionClaims['sub']
+        console.warn(
+          `Received auth code ${authCode} from ${aud} and ${redirectURI}`,
+        )
+
+        const { idTokenClaims, accessToken } = await assertions.oidc.create[
+          idp
+        ](profile, iss, aud, nonce)
+
+        // Step 3: Sign ID token with ASP signing key
+        const signingKey = await jose.JWK.asKeyStore(
+          JSON.parse(aspSecret),
+        ).then((keystore) => keystore.get({ use: 'sig' }))
+
+        const signedIdToken = await jose.JWS.createSign(
+          { format: 'compact' },
+          signingKey,
+        )
+          .update(JSON.stringify(idTokenClaims))
+          .final()
+
+        // Step 4: Encrypt ID token with RP encryption key
+        // We're using the first encryption key we find, although NDI actually
+        // has its own selection criteria.
+        const encryptionKey = rpKeyset.get({ use: 'enc' })
+
+        const idToken = await jose.JWE.createEncrypt(
+          { format: 'compact', fields: { cty: 'JWT' } },
+          encryptionKey,
+        )
+          .update(signedIdToken)
+          .final()
+
+        // Step 5: Send token
+        res.status(200).send({
+          access_token: accessToken,
+          token_type: 'Bearer',
+          id_token: idToken,
+          ...(idp === 'corpPass'
+            ? { scope: 'openid', expires_in: 10 * 60 }
+            : {}),
+        })
+      },
+    )
+
+    app.get(
+      `/${idp.toLowerCase()}/v2/.well-known/openid-configuration`,
+      (req, res) => {
+        const baseUrl = `${req.protocol}://${req.get(
+          'host',
+        )}/${idp.toLowerCase()}/v2`
+
+        // Note: does not support backchannel auth
+        const data = {
+          issuer: baseUrl,
+          authorization_endpoint: `${baseUrl}/authorize`,
+          jwks_uri: `${baseUrl}/.well-known/keys`,
+          response_types_supported: ['code'],
+          scopes_supported: ['openid'],
+          subject_types_supported: ['public'],
+          claims_supported: ['nonce', 'aud', 'iss', 'sub', 'exp', 'iat'],
+          grant_types_supported: ['authorization_code'],
+          token_endpoint: `${baseUrl}/token`,
+          token_endpoint_auth_methods_supported: ['private_key_jwt'],
+          token_endpoint_auth_signing_alg_values_supported: ['ES512'], // omits ES256 and ES384 (allowed in SP)
+          id_token_signing_alg_values_supported: ['ES256'],
+          id_token_encryption_alg_values_supported: ['ECDH-ES+A256KW'], // omits ECDH-ES+A192KW, ECDH-ES+A128KW and RSA-OAEP-256 (allowed in SP)
+          id_token_encryption_enc_values_supported: ['A256CBC-HS512'],
+        }
+
+        if (idp === 'corpPass') {
+          data['claims_supported'].push([
+            'userInfo',
+            'entityInfo',
+            'rt_hash',
+            'at_hash',
+            'amr',
+          ])
+          // Omit authorization-info_endpoint for CP
+        }
+
+        res.status(200).send(data)
+      },
+    )
+
+    app.get(`/${idp.toLowerCase()}/v2/.well-known/keys`, (req, res) => {
+      res.status(200).send(JSON.parse(aspPublic))
+    })
+  }
+  return app
+}
+
+module.exports = config

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opengovsg/mockpass",
-  "version": "3.0.3",
+  "version": "3.1.0",
   "description": "A mock SingPass/CorpPass server for dev purposes",
   "main": "index.js",
   "bin": {
@@ -41,7 +41,7 @@
     "dotenv": "^16.0.0",
     "expiry-map": "^2.0.0",
     "express": "^4.16.3",
-    "jsonwebtoken": "^8.4.0",
+    "jsonwebtoken": "^9.0.0",
     "lodash": "^4.17.11",
     "morgan": "^1.9.1",
     "mustache": "^4.2.0",

package/static/certs/oidc-v2-asp-public.json

@@ -0,0 +1,12 @@
+{
+  "keys": [
+    {
+      "kty": "EC",
+      "use": "sig",
+      "crv": "P-521",
+      "kid": "sig-1655709297",
+      "x": "AWuSHLkeP89DOkPaTs6MUDTFX1oL_Nr2rsJxCUyWL9x4LDEwtGXxWmw5-KhJSKauwJL2fAiNribZa2E0EZ-A4DzL",
+      "y": "AHoghl5OGyp7Vejt2sqYW7z2G_gTGBDR9q-ylLjnERpKd7-kHybLEutkwp5tmkhhlOysCcXE7vpTcnwxeQPa3zN0"
+    }     
+  ]
+}

package/static/certs/oidc-v2-asp-secret.json

@@ -0,0 +1,13 @@
+{
+  "keys": [
+    {
+      "kty": "EC",
+      "d": "ATdzXBC0WOU74xmdFfeVWfm2ybggXGeWGCMpYlpqzhW5cdrTrlj7UbTmKYlPJe70F5UD-wG2TK6tUoNiVpfEKmky",
+      "use": "sig",
+      "crv": "P-521",
+      "kid": "sig-1655709297",
+      "x": "AWuSHLkeP89DOkPaTs6MUDTFX1oL_Nr2rsJxCUyWL9x4LDEwtGXxWmw5-KhJSKauwJL2fAiNribZa2E0EZ-A4DzL",
+      "y": "AHoghl5OGyp7Vejt2sqYW7z2G_gTGBDR9q-ylLjnERpKd7-kHybLEutkwp5tmkhhlOysCcXE7vpTcnwxeQPa3zN0"
+    }
+  ]
+}

package/static/certs/oidc-v2-rp-public.json

@@ -0,0 +1,22 @@
+{
+  "keys": [
+    {
+      "kty": "EC",
+      "use": "sig",
+      "crv": "P-521",
+      "kid": "sig-2022-06-04T09:22:28Z",
+      "x": "AAj_CAKL9NmP6agPCMto6_LiYQqko3o3ZWTtBg75bA__Z8yKEv_CwHzaibkVLnJ9XKWxCQeyEk9ROLhJoJuZxnsI",
+      "y": "AZeoe0v-EwqD3oo1V5lxUAmC80qHt-ybqOsl1mYKPgE_ctGcD4hj8tVhmD0Of6ARuKVTxNWej-X82hEW_7Aa-XpR",
+      "alg": "ES512"
+    },
+    {
+      "kty": "EC",
+      "use": "enc",
+      "crv": "P-521",
+      "kid": "enc-2022-06-04T13:46:15Z",
+      "x": "AB-16HyJwnlSZbQtqhFskADqFrm6rgX9XeaV8FgynX61750GCRbYjoueDosSNt-qzK5QNHskdQw0QZ700YF2JIlb",
+      "y": "AZwYlSBSdV-CxGRMz6ovTvWxKJ6e44gaZHf-YfbJV7w9VdAJb3OuzbHNGRuzNDjEa8eH-paLDaAB84ezrEm1SRHq",
+      "alg": "ECDH-ES+A256KW"
+    }        
+  ]
+}

package/static/certs/oidc-v2-rp-secret.json

@@ -0,0 +1,24 @@
+{
+  "keys": [
+    {
+      "kty": "EC",
+      "d": "AFOzlND2sq43ykty-VZXw-IEIOyHkBsNXUU77o5yEYcktpoMe9Dl3jsaXwzRK6wtDJH_uoz4IG1Uj4J_WyH5O3GS",
+      "use": "sig",
+      "crv": "P-521",
+      "kid": "sig-2022-06-04T09:22:28Z",
+      "x": "AAj_CAKL9NmP6agPCMto6_LiYQqko3o3ZWTtBg75bA__Z8yKEv_CwHzaibkVLnJ9XKWxCQeyEk9ROLhJoJuZxnsI",
+      "y": "AZeoe0v-EwqD3oo1V5lxUAmC80qHt-ybqOsl1mYKPgE_ctGcD4hj8tVhmD0Of6ARuKVTxNWej-X82hEW_7Aa-XpR",
+      "alg": "ES512"
+    },
+    {
+      "kty": "EC",
+      "d": "AP7xECOnlKW-FuLpe1h3ULZoqFzScFrbyAEQTFFG49j5HRHl0k13-6_6nWnwJ9Y8sTrGOWH4GszmDBBZGGvESJQr",
+      "use": "enc",
+      "crv": "P-521",
+      "kid": "enc-2022-06-04T13:46:15Z",
+      "x": "AB-16HyJwnlSZbQtqhFskADqFrm6rgX9XeaV8FgynX61750GCRbYjoueDosSNt-qzK5QNHskdQw0QZ700YF2JIlb",
+      "y": "AZwYlSBSdV-CxGRMz6ovTvWxKJ6e44gaZHf-YfbJV7w9VdAJb3OuzbHNGRuzNDjEa8eH-paLDaAB84ezrEm1SRHq",
+      "alg": "ECDH-ES+A256KW"
+    }
+  ]
+}