@owlmeans/server-oidc-provider 0.1.0

package/build/consts.d.ts

@@ -0,0 +1,3 @@
+export declare const DEFAULT_ALIAS = "oidc-provider";
+export declare const OIDC_ACCOUNT_SERVICE = "oidc-account-service";
+//# sourceMappingURL=consts.d.ts.map

package/build/consts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consts.d.ts","sourceRoot":"","sources":["../src/consts.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,aAAa,kBAAkB,CAAA;AAE5C,eAAO,MAAM,oBAAoB,yBAA0B,CAAA"}

package/build/consts.js

@@ -0,0 +1,3 @@
+export const DEFAULT_ALIAS = 'oidc-provider';
+export const OIDC_ACCOUNT_SERVICE = 'oidc-account-service';
+//# sourceMappingURL=consts.js.map

package/build/consts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consts.js","sourceRoot":"","sources":["../src/consts.ts"],"names":[],"mappings":"AACA,MAAM,CAAC,MAAM,aAAa,GAAG,eAAe,CAAA;AAE5C,MAAM,CAAC,MAAM,oBAAoB,GAAI,sBAAsB,CAAA"}

package/build/index.d.ts

@@ -0,0 +1,5 @@
+export type * from './types.js';
+export * from './service.js';
+export * from './consts.js';
+export * from './middleware.js';
+//# sourceMappingURL=index.d.ts.map

package/build/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,mBAAmB,YAAY,CAAA;AAC/B,cAAc,cAAc,CAAA;AAC5B,cAAc,aAAa,CAAA;AAC3B,cAAc,iBAAiB,CAAA"}

package/build/index.js

@@ -0,0 +1,4 @@
+export * from './service.js';
+export * from './consts.js';
+export * from './middleware.js';
+//# sourceMappingURL=index.js.map

package/build/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,cAAc,CAAA;AAC5B,cAAc,aAAa,CAAA;AAC3B,cAAc,iBAAiB,CAAA"}

package/build/middleware.d.ts

@@ -0,0 +1,3 @@
+import type { Middleware } from '@owlmeans/context';
+export declare const createOidcProviderMiddleware: (web?: string, oidc?: string) => Middleware;
+//# sourceMappingURL=middleware.d.ts.map

package/build/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAOnD,eAAO,MAAM,4BAA4B,SAAS,MAAM,8BAqBvD,CAAA"}

package/build/middleware.js

@@ -0,0 +1,24 @@
+import { assertContext, MiddlewareStage, MiddlewareType } from '@owlmeans/context';
+import { DEFAULT_ALIAS as WEB_ALIAS } from '@owlmeans/server-api';
+import { DEFAULT_ALIAS } from './consts.js';
+export const createOidcProviderMiddleware = (web = WEB_ALIAS, oidc = DEFAULT_ALIAS) => {
+    const middleware = {
+        type: MiddlewareType.Context,
+        stage: MiddlewareStage.Loading,
+        apply: async (ctx) => {
+            const context = assertContext(ctx);
+            const webService = context.service(web);
+            const oidcService = context.service(oidc);
+            const marker = `__oidcServiceAdded-${web}-${oidc}`;
+            if (!ctx.cfg.records?.find(record => record.id === marker)) {
+                await oidcService.update(webService);
+                if (ctx.cfg.records == null) {
+                    ctx.cfg.records = [];
+                }
+                ctx.cfg.records.push({ id: marker });
+            }
+        }
+    };
+    return middleware;
+};
+//# sourceMappingURL=middleware.js.map

package/build/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClF,OAAO,EAAE,aAAa,IAAI,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAEjE,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAG3C,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,MAAc,SAAS,EAAE,IAAI,GAAG,aAAa,EAAE,EAAE;IAC5F,MAAM,UAAU,GAAe;QAC7B,IAAI,EAAE,cAAc,CAAC,OAAO;QAC5B,KAAK,EAAE,eAAe,CAAC,OAAO;QAC9B,KAAK,EAAE,KAAK,EAAC,GAAG,EAAC,EAAE;YACjB,MAAM,OAAO,GAAG,aAAa,CAAkB,GAAyB,CAAY,CAAA;YACpF,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAY,GAAG,CAAC,CAAA;YAClD,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAsB,IAAI,CAAC,CAAA;YAE9D,MAAM,MAAM,GAAG,sBAAsB,GAAG,IAAI,IAAI,EAAE,CAAA;YAClD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,CAAC;gBAC3D,MAAM,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;gBACpC,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,EAAE,CAAC;oBAC5B,GAAG,CAAC,GAAG,CAAC,OAAO,GAAG,EAAE,CAAA;gBACtB,CAAC;gBACD,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;YACtC,CAAC;QACH,CAAC;KACF,CAAA;IAED,OAAO,UAAU,CAAA;AACnB,CAAC,CAAA"}

package/build/service.d.ts

@@ -0,0 +1,4 @@
+import type { Config, Context, OidcProviderService } from './types.js';
+export declare const createOidcProviderService: (alias?: string) => OidcProviderService;
+export declare const appendOidcProviderService: <C extends Config, T extends Context<C>>(ctx: T, alias?: string) => T;
+//# sourceMappingURL=service.d.ts.map

package/build/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,OAAO,EAA0C,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAS9G,eAAO,MAAM,yBAAyB,WAAW,MAAM,KAAmB,mBA+EzE,CAAA;AAED,eAAO,MAAM,yBAAyB,GAAI,CAAC,SAAS,MAAM,EAAE,CAAC,SAAS,OAAO,CAAC,CAAC,CAAC,OACzE,CAAC,UAAS,MAAM,KACpB,CAOF,CAAA"}

package/build/service.js

@@ -0,0 +1,78 @@
+import { assertContext, createService } from '@owlmeans/context';
+import { DEFAULT_ALIAS, OIDC_ACCOUNT_SERVICE } from './consts.js';
+import { DEFAULT_PATH, INTERACTION } from '@owlmeans/oidc';
+import Provider from 'oidc-provider';
+import { SEP } from '@owlmeans/route';
+import { makeSecurityHelper } from '@owlmeans/config';
+import { combineConfig } from './utils/config.js';
+let _initializedOidc = undefined;
+export const createOidcProviderService = (alias = DEFAULT_ALIAS) => {
+    const service = createService(alias, {
+        update: async (api) => {
+            const context = assertContext(service.ctx, alias);
+            const cfg = context.cfg.oidc;
+            const serviceRoute = context.cfg.services[cfg.authService ?? context.cfg.service];
+            const helper = makeSecurityHelper(context);
+            const url = helper.makeUrl(serviceRoute, cfg.basePath ?? DEFAULT_PATH, { base: true });
+            const unsecure = context.cfg.security?.unsecure === false ? false : !url.startsWith('https');
+            const oidc = new Provider(url, {
+                ...await combineConfig(context, unsecure),
+                adapter: cfg.adapterService != null
+                    ? name => context.service(cfg.adapterService).instance(name)
+                    : undefined,
+                findAccount: async (_, id, _token) => {
+                    const accountSrv = context.service(cfg.accountService ?? OIDC_ACCOUNT_SERVICE);
+                    return accountSrv.loadById(context, id);
+                },
+                interactions: {
+                    url: async (_, interaction) => {
+                        const module = context.module(INTERACTION);
+                        const [uri] = await module.call({ params: { uid: interaction.uid } });
+                        return uri;
+                    }
+                }
+            });
+            oidc.proxy = cfg.behindProxy ?? unsecure;
+            const base = SEP + (cfg.basePath ?? DEFAULT_PATH);
+            await api.server.use(base, oidc.callback());
+            oidc.use(async (ctx, next) => {
+                await next();
+                const csp = ctx.response.headers['content-security-policy'];
+                if (csp != null) {
+                    // @TODO Make it a little bit nicer - preferably using helmet :)
+                    ctx.response.set('Content-Security-Policy', csp.replace(/form-action 'self'/, 'form-action *'));
+                }
+            });
+            if (context.cfg.debug?.all || context.cfg.debug?.oidc) {
+                oidc.use(async (_, next) => {
+                    await next();
+                });
+                oidc.on('grant.error', (_, error) => {
+                    console.warn('GRANT ERROR .......: ');
+                    console.info(oidc.issuer, _.request.toJSON(), _.body);
+                    console.error('!!!! GRANT ERROR: ', error);
+                });
+                oidc.on('server_error', (ctx, error) => {
+                    console.warn('SERVER ERROR .......: ', Object.getOwnPropertyNames(ctx.oidc));
+                    console.info(ctx.oidc.grant);
+                    console.error('!!!! SERVER ERROR: ', error);
+                });
+            }
+            _initializedOidc = service.oidc = oidc;
+        },
+        instance: () => {
+            return service.oidc ?? (service.oidc = _initializedOidc);
+        },
+        getInteraction: async (id) => {
+            return await service.instance().Interaction.find(id) ?? null;
+        }
+    });
+    return service;
+};
+export const appendOidcProviderService = (ctx, alias = DEFAULT_ALIAS) => {
+    const service = createOidcProviderService(alias);
+    const context = ctx;
+    context.registerService(service);
+    return context;
+};
+//# sourceMappingURL=service.js.map

package/build/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAChE,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AACjE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAE1D,OAAO,QAAQ,MAAM,eAAe,CAAA;AAGpC,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AACrC,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEjD,IAAI,gBAAgB,GAAyB,SAAS,CAAA;AACtD,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,QAAgB,aAAa,EAAuB,EAAE;IAC9F,MAAM,OAAO,GAAwB,aAAa,CAAsB,KAAK,EAAE;QAC7E,MAAM,EAAE,KAAK,EAAC,GAAG,EAAC,EAAE;YAClB,MAAM,OAAO,GAAG,aAAa,CAAkB,OAAO,CAAC,GAAc,EAAE,KAAK,CAAC,CAAA;YAC7E,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAA;YAE5B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAe,CAAA;YAC/F,MAAM,MAAM,GAAG,kBAAkB,CAAkB,OAAO,CAAC,CAAA;YAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,QAAQ,IAAI,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;YACtF,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;YAE5F,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,GAAG,EAAE;gBAC7B,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC;gBAEzC,OAAO,EAAE,GAAG,CAAC,cAAc,IAAI,IAAI;oBACjC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAqB,GAAG,CAAC,cAAe,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACjF,CAAC,CAAC,SAAS;gBAEb,WAAW,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE;oBACnC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAChC,GAAG,CAAC,cAAc,IAAI,oBAAoB,CAC3C,CAAA;oBAED,OAAO,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;gBACzC,CAAC;gBAED,YAAY,EAAE;oBACZ,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE;wBAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAe,WAAW,CAAC,CAAA;wBACxD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,MAAM,CAAC,IAAI,CAAS,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;wBAC7E,OAAO,GAAG,CAAA;oBACZ,CAAC;iBACF;aACF,CAAC,CAAA;YAEF,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,WAAW,IAAI,QAAQ,CAAA;YACxC,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,IAAI,YAAY,CAAC,CAAA;YAEjD,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAA;YAC3C,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;gBAC3B,MAAM,IAAI,EAAE,CAAA;gBACZ,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAA;gBAC3D,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;oBAChB,gEAAgE;oBAEhE,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,yBAAyB,EAAE,GAAG,CAAC,OAAO,CAAC,oBAAoB,EAAE,eAAe,CAAC,CAAC,CAAA;gBACjG,CAAC;YACH,CAAC,CAAC,CAAA;YACF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;gBACtD,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;oBACzB,MAAM,IAAI,EAAE,CAAA;gBACd,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE;oBAClC,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;oBACrC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAA;oBACrD,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAA;gBAC5C,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,EAAE,CAAC,cAAc,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;oBACrC,OAAO,CAAC,IAAI,CAAC,wBAAwB,EAAE,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;oBAC5E,OAAO,CAAC,IAAI,CAAE,GAAG,CAAC,IAAY,CAAC,KAAK,CAAC,CAAA;oBACrC,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAA;gBAC7C,CAAC,CAAC,CAAA;YACJ,CAAC;YAED,gBAAgB,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAA;QACxC,CAAC;QAED,QAAQ,EAAE,GAAG,EAAE;YACb,OAAO,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,GAAG,gBAAiB,CAAC,CAAA;QAC3D,CAAC;QAED,cAAc,EAAE,KAAK,EAAC,EAAE,EAAC,EAAE;YACzB,OAAO,MAAM,OAAO,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,IAAI,CAAA;QAC9D,CAAC;KACF,CAAC,CAAA;IAEF,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACvC,GAAM,EAAE,QAAgB,aAAa,EAClC,EAAE;IACL,MAAM,OAAO,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAA;IAChD,MAAM,OAAO,GAAG,GAAQ,CAAA;IAExB,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;IAEhC,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA"}

package/build/types.d.ts

@@ -0,0 +1,46 @@
+import type { InitializedService } from '@owlmeans/context';
+import type { OidcSharedConfig } from '@owlmeans/oidc';
+import type { ApiServer, ApiServerAppend } from '@owlmeans/server-api';
+import type { ServerConfig, ServerContext } from '@owlmeans/server-context';
+import type { Account, Adapter, ClientMetadata, Configuration, Interaction, Provider } from 'oidc-provider';
+export interface OidcProviderService extends InitializedService {
+    oidc: Provider;
+    update: (api: ApiServer) => Promise<void>;
+    instance: () => Provider;
+    getInteraction: (id: string) => Promise<Interaction | null>;
+}
+export interface OidcConfigAppend<Extra extends OidcSharedConfig = OidcSharedConfig> {
+    oidc: OidcConfig & Extra;
+}
+export interface OidcConfig extends OidcSharedConfig {
+    authService?: string;
+    basePath?: string;
+    frontBase?: string;
+    clients: ClientMetadata[];
+    customConfiguration?: Configuration;
+    behindProxy?: boolean;
+    defaultKeys: {
+        RS256: {
+            pk: string;
+            pub?: string;
+        };
+    };
+    accountService?: string;
+    adapterService?: string;
+}
+export interface OidcAccountService extends InitializedService {
+    loadById: <C extends Config, T extends Context<C>>(ctx: T, id: string) => Promise<Account | undefined>;
+}
+export interface OidcAdapterService extends InitializedService {
+    instance: (name: string) => Adapter;
+}
+export interface Config extends ServerConfig, OidcConfigAppend {
+    debug: ServerConfig["debug"] & {
+        oidc?: boolean;
+        oidcServer?: boolean;
+        oidcData?: boolean;
+    };
+}
+export interface Context<C extends Config = Config> extends ServerContext<C>, ApiServerAppend {
+}
+//# sourceMappingURL=types.d.ts.map

package/build/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAA;AAC3D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AACtE,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AAC3E,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AAE3G,MAAM,WAAW,mBAAoB,SAAQ,kBAAkB;IAC7D,IAAI,EAAE,QAAQ,CAAA;IAEd,MAAM,EAAE,CAAC,GAAG,EAAE,SAAS,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;IAEzC,QAAQ,EAAE,MAAM,QAAQ,CAAA;IAExB,cAAc,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;CAC5D;AAED,MAAM,WAAW,gBAAgB,CAAC,KAAK,SAAS,gBAAgB,GAAG,gBAAgB;IACjF,IAAI,EAAE,UAAU,GAAG,KAAK,CAAA;CACzB;AAED,MAAM,WAAW,UAAW,SAAQ,gBAAgB;IAClD,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,cAAc,EAAE,CAAA;IACzB,mBAAmB,CAAC,EAAE,aAAa,CAAA;IACnC,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,WAAW,EAAE;QACX,KAAK,EAAE;YACL,EAAE,EAAE,MAAM,CAAA;YACV,GAAG,CAAC,EAAE,MAAM,CAAA;SACb,CAAA;KACF,CAAA;IACD,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAED,MAAM,WAAW,kBAAmB,SAAQ,kBAAkB;IAC5D,QAAQ,EAAE,CAAC,CAAC,SAAS,MAAM,EAAE,CAAC,SAAS,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,GAAG,SAAS,CAAC,CAAA;CACvG;AAED,MAAM,WAAW,kBAAmB,SAAQ,kBAAkB;IAC5D,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAA;CACpC;AAED,MAAM,WAAW,MAAO,SAAQ,YAAY,EAAE,gBAAgB;IAC5D,KAAK,EAAE,YAAY,CAAC,OAAO,CAAC,GAAG;QAC7B,IAAI,CAAC,EAAE,OAAO,CAAA;QACd,UAAU,CAAC,EAAE,OAAO,CAAA;QACpB,QAAQ,CAAC,EAAE,OAAO,CAAA;KACnB,CAAA;CACF;AAED,MAAM,WAAW,OAAO,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,CAAE,SAAQ,aAAa,CAAC,CAAC,CAAC,EACxE,eAAe;CAAI"}

package/build/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/build/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/build/utils/client.d.ts

@@ -0,0 +1,4 @@
+import type { ClientMetadata } from 'oidc-provider';
+import type { Context } from '../types.js';
+export declare const updateClient: (context: Context, client: ClientMetadata) => ClientMetadata;
+//# sourceMappingURL=client.d.ts.map

package/build/utils/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/utils/client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AACnD,OAAO,KAAK,EAAU,OAAO,EAAE,MAAM,aAAa,CAAA;AAKlD,eAAO,MAAM,YAAY,YAAa,OAAO,UAAU,cAAc,KAAG,cAoBvE,CAAA"}

package/build/utils/client.js

@@ -0,0 +1,31 @@
+import { randomBytes } from '@noble/hashes/utils';
+import { hex } from '@scure/base';
+import { makeSecurityHelper } from '@owlmeans/config';
+import { SEP } from '@owlmeans/route';
+export const updateClient = (context, client) => {
+    if (client.client_secret == null) {
+        if (!context.cfg.debug.all && !context.cfg.debug.oidc) {
+            throw new SyntaxError('Client secret is required');
+        }
+        client.client_secret = hex.encode(randomBytes(32));
+        console.info('\n');
+        console.info('~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~');
+        console.warn('IT IS EXCEPTIONALY UNSECURE, BUT WE GENEREATED A CLIENT SECRET FOR YOU', client.client_secret);
+        console.info('~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~');
+        console.info('\n');
+    }
+    const helper = makeSecurityHelper(context);
+    const updateUri = makeUriUpdater(context, helper);
+    client.redirect_uris = client.redirect_uris?.map(updateUri) ?? [];
+    client.post_logout_redirect_uris = client.post_logout_redirect_uris?.map(updateUri) ?? [];
+    return client;
+};
+const makeUriUpdater = (context, helper) => (uri) => {
+    if (uri.startsWith('{{')) {
+        const [host, ...parts] = uri.split(SEP);
+        const service = context.cfg.services[host.slice(2, -2)];
+        return helper.makeUrl(service, parts.join(SEP));
+    }
+    return uri;
+};
+//# sourceMappingURL=client.js.map

package/build/utils/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/utils/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAA;AACjD,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAA;AAGjC,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AAErD,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAErC,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,OAAgB,EAAE,MAAsB,EAAkB,EAAE;IACvF,IAAI,MAAM,CAAC,aAAa,IAAI,IAAI,EAAE,CAAC;QACjC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACtD,MAAM,IAAI,WAAW,CAAC,2BAA2B,CAAC,CAAA;QACpD,CAAC;QACD,MAAM,CAAC,aAAa,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAA;QAElD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAClB,OAAO,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAA;QACtD,OAAO,CAAC,IAAI,CAAC,wEAAwE,EAAE,MAAM,CAAC,aAAa,CAAC,CAAA;QAC5G,OAAO,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAA;QACtD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACpB,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAkB,OAAO,CAAC,CAAA;IAC3D,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IACjD,MAAM,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAA;IACjE,MAAM,CAAC,yBAAyB,GAAG,MAAM,CAAC,yBAAyB,EAAE,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAA;IAEzF,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAED,MAAM,cAAc,GAAG,CAAC,OAAgB,EAAE,MAAsB,EAAE,EAAE,CAAC,CAAC,GAAW,EAAU,EAAE;IAC3F,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,EAAE,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAEvC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;QACvD,OAAO,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IACjD,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC,CAAA"}

package/build/utils/config.d.ts

@@ -0,0 +1,4 @@
+import type { Context } from '../types.js';
+import type { Configuration } from 'oidc-provider';
+export declare const combineConfig: (context: Context, _unsecure: boolean) => Promise<Configuration>;
+//# sourceMappingURL=config.d.ts.map

package/build/utils/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/utils/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAIlD,eAAO,MAAM,aAAa,YAAmB,OAAO,aAAa,OAAO,KAAG,OAAO,CAAC,aAAa,CAqC/F,CAAA"}

package/build/utils/config.js

@@ -0,0 +1,39 @@
+import { updateClient } from './client.js';
+import * as jose from 'jose';
+export const combineConfig = async (context, _unsecure) => {
+    const cfg = context.cfg.oidc;
+    const configuration = {
+        ...cfg.customConfiguration,
+        clients: [
+            ...cfg.clients,
+            ...(cfg.customConfiguration?.clients ?? [])
+        ].map(client => updateClient(context, client)),
+        claims: {
+            email: ['email', 'email_verified', ...cfg.customConfiguration?.claims?.email ?? []],
+            profile: [
+                'username', 'family_name', 'given_name', 'locale', 'name', 'nickname', 'preferred_username',
+                ...cfg.customConfiguration?.claims?.profile ?? []
+            ],
+            ...cfg.customConfiguration?.claims,
+        },
+        scopes: ['openid', 'profile', 'offline_access', ...cfg.customConfiguration?.scopes ?? []],
+        features: {
+            ...cfg.customConfiguration?.features,
+            devInteractions: { enabled: false }
+            // devInteractions: {
+            //   enabled: (
+            //     (context.cfg.debug.all && context.cfg.debug.oidc !== false)
+            //     || context.cfg.debug.oidc
+            //   ) && unsecure,
+            //   ...cfg.customConfiguration?.features?.devInteractions,
+            // },
+        },
+        jwks: {
+            keys: [
+                await jose.exportJWK(await jose.importPKCS8(cfg.defaultKeys.RS256.pk, 'RS256'))
+            ]
+        }
+    };
+    return configuration;
+};
+//# sourceMappingURL=config.js.map

package/build/utils/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/utils/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,EAAE,OAAgB,EAAE,SAAkB,EAA0B,EAAE;IAClG,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAA;IAE5B,MAAM,aAAa,GAAkB;QACnC,GAAG,GAAG,CAAC,mBAAmB;QAC1B,OAAO,EAAE;YACP,GAAG,GAAG,CAAC,OAAO;YACd,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,IAAI,EAAE,CAAC;SAC5C,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC9C,MAAM,EAAE;YACN,KAAK,EAAE,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC;YACnF,OAAO,EAAE;gBACP,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,oBAAoB;gBAC3F,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,EAAE,OAAO,IAAI,EAAE;aAClD;YACD,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM;SACnC;QACD,MAAM,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,IAAI,EAAE,CAAC;QACzF,QAAQ,EAAE;YACR,GAAG,GAAG,CAAC,mBAAmB,EAAE,QAAQ;YACpC,eAAe,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;YACnC,qBAAqB;YACrB,eAAe;YACf,kEAAkE;YAClE,gCAAgC;YAChC,mBAAmB;YACnB,2DAA2D;YAC3D,KAAK;SACN;QACD,IAAI,EAAE;YACJ,IAAI,EAAE;gBACJ,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;aAChF;SACF;KACF,CAAA;IAED,OAAO,aAAa,CAAA;AACtB,CAAC,CAAA"}

package/build/utils/index.d.ts

@@ -0,0 +1,3 @@
+export * from './config.js';
+export * from './client.js';
+//# sourceMappingURL=index.d.ts.map

package/build/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AACA,cAAc,aAAa,CAAA;AAC3B,cAAc,aAAa,CAAA"}

package/build/utils/index.js

@@ -0,0 +1,3 @@
+export * from './config.js';
+export * from './client.js';
+//# sourceMappingURL=index.js.map

package/build/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AACA,cAAc,aAAa,CAAA;AAC3B,cAAc,aAAa,CAAA"}

package/package.json

@@ -0,0 +1,49 @@
+{
+  "name": "@owlmeans/server-oidc-provider",
+  "version": "0.1.0",
+  "type": "module",
+  "scripts": {
+    "build": "tsc -b",
+    "dev": "sleep 306 && nodemon -e ts,tsx,json --watch src --exec \"tsc -p ./tsconfig.json\"",
+    "watch": "tsc -b -w --preserveWatchOutput --pretty"
+  },
+  "main": "build/index.js",
+  "module": "build/index.js",
+  "types": "build/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./build/index.js",
+      "require": "./build/index.js",
+      "default": "./build/index.js",
+      "module": "./build/index.js",
+      "types": "./build/index.d.ts"
+    }
+  },
+  "devDependencies": {
+    "@types/node": "^22.7.8",
+    "@types/oidc-provider": "^8.5.2",
+    "nodemon": "^3.1.7",
+    "npm-check": "^6.0.1",
+    "typescript": "^5.6.3"
+  },
+  "peerDependencies": {
+    "fastify": "*"
+  },
+  "dependencies": {
+    "@noble/hashes": "^1.5.0",
+    "@owlmeans/client-module": "^0.1.0",
+    "@owlmeans/config": "^0.1.0",
+    "@owlmeans/context": "^0.1.0",
+    "@owlmeans/oidc": "^0.1.0",
+    "@owlmeans/route": "^0.1.0",
+    "@owlmeans/server-api": "^0.1.0",
+    "@owlmeans/server-context": "^0.1.0",
+    "@scure/base": "^1.1.9",
+    "jose": "5.9.6",
+    "oidc-provider": "8.5.2"
+  },
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/consts.ts

@@ -0,0 +1,4 @@
+
+export const DEFAULT_ALIAS = 'oidc-provider'
+
+export const OIDC_ACCOUNT_SERVICE  = 'oidc-account-service'

package/src/index.ts

@@ -0,0 +1,5 @@
+
+export type * from './types.js'
+export * from './service.js'
+export * from './consts.js'
+export * from './middleware.js'

package/src/middleware.ts

@@ -0,0 +1,29 @@
+import type { Middleware } from '@owlmeans/context'
+import { assertContext, MiddlewareStage, MiddlewareType } from '@owlmeans/context'
+import { DEFAULT_ALIAS as WEB_ALIAS } from '@owlmeans/server-api'
+import type { ApiServer } from '@owlmeans/server-api'
+import { DEFAULT_ALIAS } from './consts.js'
+import type { Config, Context, OidcProviderService } from './types.js'
+
+export const createOidcProviderMiddleware = (web: string = WEB_ALIAS, oidc = DEFAULT_ALIAS) => {
+  const middleware: Middleware = {
+    type: MiddlewareType.Context,
+    stage: MiddlewareStage.Loading,
+    apply: async ctx => {
+      const context = assertContext<Config, Context>(ctx as unknown as Context) as Context
+      const webService = context.service<ApiServer>(web)
+      const oidcService = context.service<OidcProviderService>(oidc)
+
+      const marker = `__oidcServiceAdded-${web}-${oidc}`
+      if (!ctx.cfg.records?.find(record => record.id === marker)) {
+        await oidcService.update(webService)
+        if (ctx.cfg.records == null) {
+          ctx.cfg.records = []
+        }
+        ctx.cfg.records.push({ id: marker })
+      }
+    }
+  }
+
+  return middleware
+}

package/src/service.ts

@@ -0,0 +1,103 @@
+import { assertContext, createService } from '@owlmeans/context'
+import { DEFAULT_ALIAS, OIDC_ACCOUNT_SERVICE } from './consts.js'
+import { DEFAULT_PATH, INTERACTION } from '@owlmeans/oidc'
+import type { Config, Context, OidcAccountService, OidcAdapterService, OidcProviderService } from './types.js'
+import Provider from 'oidc-provider'
+import type { BasicRoute } from '@owlmeans/route'
+import type { ClientModule } from '@owlmeans/client-module'
+import { SEP } from '@owlmeans/route'
+import { makeSecurityHelper } from '@owlmeans/config'
+import { combineConfig } from './utils/config.js'
+
+let _initializedOidc: Provider | undefined = undefined
+export const createOidcProviderService = (alias: string = DEFAULT_ALIAS): OidcProviderService => {
+  const service: OidcProviderService = createService<OidcProviderService>(alias, {
+    update: async api => {
+      const context = assertContext<Config, Context>(service.ctx as Context, alias)
+      const cfg = context.cfg.oidc
+
+      const serviceRoute = context.cfg.services[cfg.authService ?? context.cfg.service] as BasicRoute
+      const helper = makeSecurityHelper<Config, Context>(context)
+      const url = helper.makeUrl(serviceRoute, cfg.basePath ?? DEFAULT_PATH, { base: true })
+      const unsecure = context.cfg.security?.unsecure === false ? false : !url.startsWith('https')
+
+      const oidc = new Provider(url, {
+        ...await combineConfig(context, unsecure),
+
+        adapter: cfg.adapterService != null
+          ? name => context.service<OidcAdapterService>(cfg.adapterService!).instance(name)
+          : undefined,
+
+        findAccount: async (_, id, _token) => {
+          const accountSrv = context.service<OidcAccountService>(
+            cfg.accountService ?? OIDC_ACCOUNT_SERVICE
+          )
+
+          return accountSrv.loadById(context, id)
+        },
+
+        interactions: {
+          url: async (_, interaction) => {
+            const module = context.module<ClientModule>(INTERACTION)
+            const [uri] = await module.call<string>({ params: { uid: interaction.uid } })
+            return uri
+          }
+        }
+      })
+
+      oidc.proxy = cfg.behindProxy ?? unsecure
+      const base = SEP + (cfg.basePath ?? DEFAULT_PATH)
+
+      await api.server.use(base, oidc.callback())
+      oidc.use(async (ctx, next) => {
+        await next()
+        const csp = ctx.response.headers['content-security-policy']
+        if (csp != null) {
+          // @TODO Make it a little bit nicer - preferably using helmet :)
+
+          ctx.response.set('Content-Security-Policy', csp.replace(/form-action 'self'/, 'form-action *'))
+        }
+      })
+      if (context.cfg.debug?.all || context.cfg.debug?.oidc) {
+        oidc.use(async (_, next) => {
+          await next()
+        })
+
+        oidc.on('grant.error', (_, error) => {
+          console.warn('GRANT ERROR .......: ')
+          console.info(oidc.issuer, _.request.toJSON(), _.body)
+          console.error('!!!! GRANT ERROR: ', error)
+        })
+
+        oidc.on('server_error', (ctx, error) => {
+          console.warn('SERVER ERROR .......: ', Object.getOwnPropertyNames(ctx.oidc))
+          console.info((ctx.oidc as any).grant)
+          console.error('!!!! SERVER ERROR: ', error)
+        })
+      }
+
+      _initializedOidc = service.oidc = oidc
+    },
+
+    instance: () => {
+      return service.oidc ?? (service.oidc = _initializedOidc!)
+    },
+
+    getInteraction: async id => {
+      return await service.instance().Interaction.find(id) ?? null
+    }
+  })
+
+  return service
+}
+
+export const appendOidcProviderService = <C extends Config, T extends Context<C>>(
+  ctx: T, alias: string = DEFAULT_ALIAS
+): T => {
+  const service = createOidcProviderService(alias)
+  const context = ctx as T
+
+  context.registerService(service)
+
+  return context
+}

package/src/types.ts

@@ -0,0 +1,55 @@
+import type { InitializedService } from '@owlmeans/context'
+import type { OidcSharedConfig } from '@owlmeans/oidc'
+import type { ApiServer, ApiServerAppend } from '@owlmeans/server-api'
+import type { ServerConfig, ServerContext } from '@owlmeans/server-context'
+import type { Account, Adapter, ClientMetadata, Configuration, Interaction, Provider } from 'oidc-provider'
+
+export interface OidcProviderService extends InitializedService {
+  oidc: Provider
+
+  update: (api: ApiServer) => Promise<void>
+
+  instance: () => Provider
+
+  getInteraction: (id: string) => Promise<Interaction | null>
+}
+
+export interface OidcConfigAppend<Extra extends OidcSharedConfig = OidcSharedConfig> {
+  oidc: OidcConfig & Extra
+}
+
+export interface OidcConfig extends OidcSharedConfig {
+  authService?: string
+  basePath?: string
+  frontBase?: string
+  clients: ClientMetadata[]
+  customConfiguration?: Configuration
+  behindProxy?: boolean
+  defaultKeys: {
+    RS256: {
+      pk: string
+      pub?: string
+    }
+  }
+  accountService?: string
+  adapterService?: string
+}
+
+export interface OidcAccountService extends InitializedService {
+  loadById: <C extends Config, T extends Context<C>>(ctx: T, id: string) => Promise<Account | undefined>
+}
+
+export interface OidcAdapterService extends InitializedService {
+  instance: (name: string) => Adapter
+}
+
+export interface Config extends ServerConfig, OidcConfigAppend { 
+  debug: ServerConfig["debug"] & {
+    oidc?: boolean
+    oidcServer?: boolean
+    oidcData?: boolean
+  }
+}
+
+export interface Context<C extends Config = Config> extends ServerContext<C>
+  , ApiServerAppend { }