npm - @owlmeans/server-oidc-provider - Versions diffs - 0.1.2 → 0.1.3 - Mend

@owlmeans/server-oidc-provider 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +33 -816
package/build/service.d.ts.map +1 -1
package/build/service.js +12 -17
package/build/service.js.map +1 -1
package/build/utils/config.js +1 -1
package/build/utils/config.js.map +1 -1
package/package.json +17 -13
package/src/service.ts +14 -19
package/src/utils/config.ts +1 -1
package/tests/config.spec.d.ts +2 -0
package/tests/config.spec.d.ts.map +1 -0
package/tests/config.spec.ts +41 -0
package/tests/tsconfig.json +12 -0
package/tsconfig.json +6 -5

package/README.md CHANGED Viewed

@@ -1,848 +1,65 @@
 # @owlmeans/server-oidc-provider
-Server-side OpenID Connect Provider implementation for OwlMeans applications. This package provides a complete OIDC identity provider service built on the industry-standard `oidc-provider` library, with seamless integration into the OwlMeans server ecosystem.
+Embedded OIDC identity provider — wraps the `oidc-provider` library as an OwlMeans service.
-## Overview
-The `@owlmeans/server-oidc-provider` package delivers a full-featured OIDC identity provider with:
+> Use this package only when your service IS the identity provider (Keycloak alternative). For consuming an external IdP, use [`@owlmeans/server-oidc-rp`](../server-oidc-rp).
-- **Complete OIDC Provider**: Full OpenID Connect 1.0 and OAuth 2.0 implementation
-- **Fastify Integration**: Seamless integration with OwlMeans server API framework
-- **Account Management**: Pluggable account service for user authentication
-- **Adapter Support**: Configurable storage adapters for sessions and tokens
-- **Client Management**: Dynamic client registration and configuration
-- **Interaction Flows**: Customizable authentication and consent flows
-- **Security Features**: JWT signing, HTTPS support, and secure cookie handling
-- **Proxy Support**: Works behind reverse proxies and load balancers
+## Overview
-This package is part of the OwlMeans OIDC ecosystem:
-- **@owlmeans/oidc**: Core OIDC types and utilities
-- **@owlmeans/server-oidc-provider**: Server-side OIDC provider *(this package)*
-- **@owlmeans/server-oidc-rp**: Server-side relying party
-- **@owlmeans/web-oidc-provider**: Web UI for OIDC provider
-- **@owlmeans/web-oidc-rp**: Web-based relying party
+- `createOidcProviderService(alias?)` — factory for the embedded provider service
+- `appendOidcProviderService(context, alias?)` — registers the service on a context
+- `createOidcProviderMiddleware(webAlias?, oidcAlias?)` — middleware mounting the OIDC endpoints (authorize, token, userinfo, jwks)
+- Hosts the interaction UI route alias `oidc:interaction`
 ## Installation
 ```bash
-npm install @owlmeans/server-oidc-provider oidc-provider fastify
+bun add @owlmeans/server-oidc-provider
 ```
-## Dependencies
-This package requires:
-- `oidc-provider`: Industry-standard OIDC provider implementation
-- `@owlmeans/server-api`: Server API framework with Fastify
-- `@owlmeans/server-context`: Server context management
-- `@owlmeans/oidc`: Core OIDC functionality
-- `@owlmeans/config`: Configuration management
-- `jose`: JWT operations
-- `fastify`: HTTP server framework (peer dependency)
-## Core Concepts
-### OIDC Provider Service
-The OIDC provider service manages the complete lifecycle of an OpenID Connect identity provider, including client management, user authentication, token issuance, and session management.
-### Account Service
-Pluggable account service interface that handles user authentication and account loading for the OIDC provider.
-### Adapter Service
+## Usage
-Configurable storage adapter service for persisting OIDC sessions, authorization codes, access tokens, and other provider data.
-### Interaction Flows
-Customizable authentication and consent flows that work with the OwlMeans client module system.
-## API Reference
-### Types
-#### `OidcProviderService`
-Main OIDC provider service interface.
+Register the service and mount the middleware:
 ```typescript
-interface OidcProviderService extends InitializedService {
-  oidc: Provider                                    // oidc-provider instance
-  update(api: ApiServer): Promise<void>            // Update provider with API server
-  instance(): Provider                             // Get provider instance
-  getInteraction(id: string): Promise<Interaction | null>  // Get interaction by ID
-}
-```
-#### `OidcConfig`
-Configuration interface for OIDC provider.
+import {
+  createOidcProviderService,
+  appendOidcProviderService,
+  createOidcProviderMiddleware
+} from '@owlmeans/server-oidc-provider'
-```typescript
-interface OidcConfig extends OidcSharedConfig {
-  authService?: string                             // Authentication service name
-  basePath?: string                               // Base path for OIDC endpoints
-  frontBase?: string                              // Frontend base URL
-  clients: ClientMetadata[]                       // OIDC client configurations
-  customConfiguration?: Configuration             // Custom oidc-provider config
-  behindProxy?: boolean                           // Behind reverse proxy flag
-  defaultKeys: {                                  // Default signing keys
-    RS256: {
-      pk: string                                  // Private key (PEM format)
-      pub?: string                                // Public key (PEM format)
-    }
-  }
-  accountService?: string                         // Account service name
-  adapterService?: string                         // Adapter service name
-}
-```
-#### `OidcAccountService`
-Interface for user account management.
-```typescript
-interface OidcAccountService extends InitializedService {
-  loadById<C extends Config, T extends Context<C>>(
-    ctx: T,
-    id: string
-  ): Promise<Account | undefined>
-}
+appendOidcProviderService<C, T>(context)
+context.registerMiddleware(createOidcProviderMiddleware())
 ```
-#### `OidcAdapterService`
+The provider exposes the standard OIDC endpoints under the configured base path; the interaction screen is mounted at the path defined by `INTERACTION_PATH` from `@owlmeans/oidc`.
-Interface for storage adapter management.
+## API
-```typescript
-interface OidcAdapterService extends InitializedService {
-  instance(name: string): Adapter
-}
-```
+### `createOidcProviderService(alias?): OidcProviderService`
-#### `Config`
+Creates the embedded OIDC provider service. `alias` defaults to `DEFAULT_ALIAS` (`'oidc-provider'`).
-Extended server configuration with OIDC settings.
+### `appendOidcProviderService<C, T>(context, alias?): T`
-```typescript
-interface Config extends ServerConfig, OidcConfigAppend {
-  debug: ServerConfig["debug"] & {
-    oidc?: boolean                                // General OIDC debugging
-    oidcServer?: boolean                          // Server-specific debugging
-    oidcData?: boolean                           // Data operation debugging
-  }
-}
-```
+Registers the provider service on the context.
-### Factory Functions
-#### `createOidcProviderService(alias?: string): OidcProviderService`
-Creates an OIDC provider service instance.
-**Parameters:**
-- `alias`: Service alias (default: 'oidc-provider')
-**Returns:** OidcProviderService instance
-**Features:**
-- Automatic provider configuration based on context settings
-- Integration with account and adapter services
-- Fastify middleware integration
-- JWT key management
-- Client configuration management
-**Example:**
-```typescript
-import { createOidcProviderService } from '@owlmeans/server-oidc-provider'
-const oidcProvider = createOidcProviderService('main-oidc')
-```
+### `createOidcProviderMiddleware(webAlias?, oidcAlias?)`
-#### `createOidcProviderMiddleware(web?: string, oidc?: string): Middleware`
-Creates middleware to integrate OIDC provider with API server.
-**Parameters:**
-- `web`: API server service alias (default: 'api-server')
-- `oidc`: OIDC provider service alias (default: 'oidc-provider')
-**Returns:** Context middleware
-**Example:**
-```typescript
-import { createOidcProviderMiddleware } from '@owlmeans/server-oidc-provider'
-const oidcMiddleware = createOidcProviderMiddleware('api', 'oidc')
-context.registerMiddleware(oidcMiddleware)
-```
-### Service Methods
-#### `update(api: ApiServer): Promise<void>`
-Updates the OIDC provider with the API server, registering all OIDC endpoints.
-**Parameters:**
-- `api`: API server instance to integrate with
-**Process:**
-1. Configures oidc-provider instance with context settings
-2. Sets up account and adapter services
-3. Configures interaction flows
-4. Registers OIDC endpoints with Fastify server
-**Example:**
-```typescript
-const oidcService = context.service<OidcProviderService>('oidc-provider')
-const apiServer = context.service<ApiServer>('api')
-await oidcService.update(apiServer)
-```
-#### `instance(): Provider`
-Gets the underlying oidc-provider instance for direct access.
-**Returns:** oidc-provider Provider instance
-**Example:**
-```typescript
-const provider = oidcService.instance()
-// Access oidc-provider methods directly
-const client = await provider.Client.find('client-id')
-const interaction = await provider.interactionDetails(req, res)
-```
-#### `getInteraction(id: string): Promise<Interaction | null>`
-Retrieves an interaction by its unique identifier.
-**Parameters:**
-- `id`: Interaction identifier
-**Returns:** Promise resolving to Interaction object or null
-**Example:**
-```typescript
-const interaction = await oidcService.getInteraction('interaction-uuid')
-if (interaction) {
-  console.log('Interaction details:', interaction.params)
-}
-```
+Returns middleware that mounts the OIDC authorize/token/userinfo/jwks endpoints onto the web app.
 ### Constants
-```typescript
-const DEFAULT_ALIAS = 'oidc-provider'              // Default service alias
-const OIDC_ACCOUNT_SERVICE = 'oidc-account-service' // Default account service name
-```
-## Usage Examples
-### Basic OIDC Provider Setup
-```typescript
-import { createOidcProviderService, createOidcProviderMiddleware } from '@owlmeans/server-oidc-provider'
-import { makeServerContext } from '@owlmeans/server-context'
-import { createApiServer } from '@owlmeans/server-api'
-// Create server configuration with OIDC settings
-const config = {
-  service: 'auth-server',
-  oidc: {
-    basePath: 'oidc',
-    clients: [
-      {
-        client_id: 'my-web-app',
-        client_secret: 'secure-client-secret',
-        redirect_uris: ['https://myapp.com/callback'],
-        response_types: ['code'],
-        grant_types: ['authorization_code', 'refresh_token'],
-        scope: 'openid profile email'
-      }
-    ],
-    defaultKeys: {
-      RS256: {
-        pk: `-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC...
------END PRIVATE KEY-----`,
-        pub: `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtfGqPGwp...
------END PUBLIC KEY-----`
-      }
-    }
-  }
-}
-// Create context and services
-const context = makeServerContext(config)
-const apiServer = createApiServer('api')
-const oidcProvider = createOidcProviderService('oidc')
+- `DEFAULT_ALIAS` — `'oidc-provider'`
+- `OIDC_ACCOUNT_SERVICE` — `'oidc-account-service'` — alias for the user account adapter
-// Register services and middleware
-context.registerService(apiServer)
-context.registerService(oidcProvider)
-context.registerMiddleware(createOidcProviderMiddleware('api', 'oidc'))
-// Initialize and start
-await context.configure().init()
-await apiServer.listen()
-// OIDC endpoints now available at /oidc/*
-```
-### Custom Account Service Implementation
-```typescript
-import { createService } from '@owlmeans/context'
-import type { OidcAccountService } from '@owlmeans/server-oidc-provider'
-// Implement account service
-const accountService: OidcAccountService = createService('oidc-account-service', {
-  loadById: async (ctx, id) => {
-    // Load user account from your database
-    const user = await getUserById(id)
-    if (!user) {
-      return undefined
-    }
-    // Return oidc-provider Account object
-    return {
-      accountId: user.id,
-      // Standard claims
-      claims: async (use, scope, claims, rejected) => {
-        const standardClaims = {
-          sub: user.id,
-          email: user.email,
-          email_verified: user.emailVerified,
-          name: user.fullName,
-          given_name: user.firstName,
-          family_name: user.lastName,
-          picture: user.avatar
-        }
-        // Filter claims based on scope and requested claims
-        const result = {}
-        if (scope.includes('email')) {
-          result.email = standardClaims.email
-          result.email_verified = standardClaims.email_verified
-        }
-        if (scope.includes('profile')) {
-          result.name = standardClaims.name
-          result.given_name = standardClaims.given_name
-          result.family_name = standardClaims.family_name
-          result.picture = standardClaims.picture
-        }
-        return result
-      }
-    }
-  }
-})
-// Register account service
-context.registerService(accountService)
-```
-### Custom Storage Adapter
-```typescript
-import { createService } from '@owlmeans/context'
-import type { OidcAdapterService } from '@owlmeans/server-oidc-provider'
-// Implement Redis-based adapter service
-const adapterService: OidcAdapterService = createService('oidc-adapter-service', {
-  instance: (name) => {
-    // Return adapter for specific model (Session, AccessToken, etc.)
-    return {
-      async upsert(id, payload, expiresIn) {
-        const key = `oidc:${name}:${id}`
-        await redis.setex(key, expiresIn, JSON.stringify(payload))
-      },
-      async find(id) {
-        const key = `oidc:${name}:${id}`
-        const data = await redis.get(key)
-        return data ? JSON.parse(data) : undefined
-      },
-      async findByUserCode(userCode) {
-        // Implement user code lookup for device flow
-        const keys = await redis.keys(`oidc:${name}:*`)
-        for (const key of keys) {
-          const data = await redis.get(key)
-          const payload = JSON.parse(data)
-          if (payload.userCode === userCode) {
-            return payload
-          }
-        }
-        return undefined
-      },
-      async findByUid(uid) {
-        // Implement UID-based lookup
-        const keys = await redis.keys(`oidc:${name}:*`)
-        for (const key of keys) {
-          const data = await redis.get(key)
-          const payload = JSON.parse(data)
-          if (payload.uid === uid) {
-            return payload
-          }
-        }
-        return undefined
-      },
-      async destroy(id) {
-        const key = `oidc:${name}:${id}`
-        await redis.del(key)
-      },
-      async revokeByGrantId(grantId) {
-        const keys = await redis.keys(`oidc:${name}:*`)
-        for (const key of keys) {
-          const data = await redis.get(key)
-          const payload = JSON.parse(data)
-          if (payload.grantId === grantId) {
-            await redis.del(key)
-          }
-        }
-      },
-      async consume(id) {
-        const key = `oidc:${name}:${id}`
-        const data = await redis.get(key)
-        if (data) {
-          const payload = JSON.parse(data)
-          payload.consumed = Math.floor(Date.now() / 1000)
-          await redis.setex(key, payload.exp - Math.floor(Date.now() / 1000), JSON.stringify(payload))
-        }
-      }
-    }
-  }
-})
-// Register adapter service
-context.registerService(adapterService)
-```
-### Advanced OIDC Configuration
-```typescript
-const advancedConfig = {
-  oidc: {
-    basePath: 'auth',
-    behindProxy: true,
-    accountService: 'custom-account-service',
-    adapterService: 'redis-adapter-service',
-    clients: [
-      // Web application
-      {
-        client_id: 'web-app',
-        client_secret: 'web-app-secret',
-        redirect_uris: [
-          'https://app.example.com/callback',
-          'https://staging.app.example.com/callback'
-        ],
-        post_logout_redirect_uris: [
-          'https://app.example.com/logout'
-        ],
-        response_types: ['code'],
-        grant_types: ['authorization_code', 'refresh_token'],
-        scope: 'openid profile email offline_access',
-        token_endpoint_auth_method: 'client_secret_basic'
-      },
-      // Mobile application (public client)
-      {
-        client_id: 'mobile-app',
-        redirect_uris: ['com.example.app://callback'],
-        response_types: ['code'],
-        grant_types: ['authorization_code', 'refresh_token'],
-        scope: 'openid profile email offline_access',
-        token_endpoint_auth_method: 'none', // Public client
-        require_auth_time: true
-      },
-      // SPA (Single Page Application)
-      {
-        client_id: 'spa-app',
-        redirect_uris: ['https://spa.example.com/callback'],
-        response_types: ['code'],
-        grant_types: ['authorization_code'],
-        scope: 'openid profile email',
-        token_endpoint_auth_method: 'none',
-        require_auth_time: false
-      }
-    ],
-    // Custom oidc-provider configuration
-    customConfiguration: {
-      features: {
-        devInteractions: { enabled: false },
-        deviceFlow: { enabled: true },
-        revocation: { enabled: true },
-        introspection: { enabled: true },
-        userinfo: { enabled: true }
-      },
-      ttl: {
-        AccessToken: 60 * 60,           // 1 hour
-        AuthorizationCode: 10 * 60,     // 10 minutes
-        IdToken: 60 * 60,               // 1 hour
-        DeviceCode: 10 * 60,            // 10 minutes
-        RefreshToken: 14 * 24 * 60 * 60 // 14 days
-      },
-      claims: {
-        openid: ['sub'],
-        email: ['email', 'email_verified'],
-        profile: ['name', 'family_name', 'given_name', 'picture']
-      },
-      scopes: ['openid', 'email', 'profile', 'offline_access']
-    }
-  }
-}
-```
-### Interaction Flow Integration
-```typescript
-import { modules } from '@owlmeans/oidc'
-import { module, handleRequest } from '@owlmeans/module'
-import { route, frontend } from '@owlmeans/route'
-// Register OIDC interaction modules
-context.registerModules(modules)
-// Custom login interaction handler
-const loginModule = module(
-  route('oidc-login', '/oidc/interaction/:uid/login', frontend()),
-  {
-    handle: handleRequest(async (req, ctx) => {
-      const { uid } = req.params
-      const oidcService = ctx.service<OidcProviderService>('oidc-provider')
-      // Get interaction details
-      const interaction = await oidcService.getInteraction(uid)
-      if (!interaction) {
-        throw new Error('Interaction not found')
-      }
-      // Return login form data
-      return {
-        interaction: {
-          uid: interaction.uid,
-          params: interaction.params,
-          prompt: interaction.prompt
-        },
-        client: interaction.params.client_id
-      }
-    })
-  }
-)
-context.registerModule(loginModule)
-```
-### Multi-Tenant OIDC Setup
-```typescript
-// Multi-tenant configuration with entity-specific clients
-const multiTenantConfig = {
-  oidc: {
-    clients: [
-      // Tenant A
-      {
-        client_id: 'tenant-a-web',
-        client_secret: 'tenant-a-secret',
-        redirect_uris: ['https://tenant-a.example.com/callback'],
-        response_types: ['code'],
-        grant_types: ['authorization_code', 'refresh_token'],
-        scope: 'openid profile email'
-      },
-      // Tenant B
-      {
-        client_id: 'tenant-b-web',
-        client_secret: 'tenant-b-secret',
-        redirect_uris: ['https://tenant-b.example.com/callback'],
-        response_types: ['code'],
-        grant_types: ['authorization_code', 'refresh_token'],
-        scope: 'openid profile email'
-      }
-    ],
-    // Tenant-aware account service
-    accountService: 'multi-tenant-account-service'
-  }
-}
-// Multi-tenant account service
-const multiTenantAccountService = createService('multi-tenant-account-service', {
-  loadById: async (ctx, id) => {
-    // Extract tenant from ID or use other tenant identification
-    const [tenantId, userId] = id.split(':')
-    const user = await getUserByIdAndTenant(userId, tenantId)
-    if (!user) {
-      return undefined
-    }
-    return {
-      accountId: id,
-      claims: async (use, scope) => {
-        return {
-          sub: id,
-          email: user.email,
-          name: user.name,
-          tenant: tenantId  // Custom claim
-        }
-      }
-    }
-  }
-})
-```
-### Development and Testing Configuration
-```typescript
-// Development configuration with debugging
-const devConfig = {
-  debug: {
-    oidc: true,
-    oidcServer: true,
-    oidcData: true
-  },
-  oidc: {
-    customConfiguration: {
-      features: {
-        devInteractions: { enabled: true }, // Enable dev interactions
-      },
-      // More permissive settings for development
-      conformIdTokenClaims: false,
-      // Custom cookies for development
-      cookies: {
-        keys: ['dev-cookie-secret'],
-        secure: false, // Allow non-HTTPS in development
-        sameSite: 'lax'
-      }
-    }
-  }
-}
-```
-## Advanced Features
-### Custom Claims and Scopes
-```typescript
-const customConfig = {
-  oidc: {
-    customConfiguration: {
-      // Define custom scopes
-      scopes: ['openid', 'email', 'profile', 'admin', 'api:read', 'api:write'],
-      // Map scopes to claims
-      claims: {
-        openid: ['sub'],
-        email: ['email', 'email_verified'],
-        profile: ['name', 'family_name', 'given_name', 'picture', 'locale'],
-        admin: ['role', 'permissions'],
-        'api:read': ['api_access'],
-        'api:write': ['api_access', 'write_permissions']
-      },
-      // Custom claim mapping
-      extraParams: ['tenant_id', 'organization'],
-      // Custom token format
-      formats: {
-        AccessToken: 'jwt',
-        ClientCredentials: 'jwt'
-      }
-    }
-  }
-}
-```
-### Dynamic Client Registration
-```typescript
-const dynamicClientConfig = {
-  oidc: {
-    customConfiguration: {
-      features: {
-        registration: { enabled: true },
-        registrationManagement: { enabled: true }
-      },
-      // Client validation
-      clientDefaults: {
-        grant_types: ['authorization_code'],
-        response_types: ['code'],
-        token_endpoint_auth_method: 'client_secret_basic'
-      }
-    }
-  }
-}
-// Handle dynamic client registration
-const clientRegistrationModule = module(
-  route('client-registration', '/oidc/reg', backend('POST')),
-  {
-    handle: handleRequest(async (req, ctx) => {
-      const oidcService = ctx.service<OidcProviderService>('oidc-provider')
-      const provider = oidcService.instance()
-      // Custom client validation logic
-      const clientMetadata = req.body
-      // Register client with oidc-provider
-      const client = await provider.Client.create(clientMetadata)
-      return {
-        client_id: client.clientId,
-        client_secret: client.clientSecret,
-        registration_access_token: client.registrationAccessToken
-      }
-    })
-  }
-)
-```
-### Integration with External Identity Providers
-```typescript
-// Federation with external IdPs
-const federatedConfig = {
-  oidc: {
-    customConfiguration: {
-      // Custom interaction handling for federation
-      interactions: {
-        url: async (ctx, interaction) => {
-          // Custom logic to determine if user should be redirected to external IdP
-          if (interaction.params.federated_idp) {
-            return `/oidc/federate/${interaction.params.federated_idp}/${interaction.uid}`
-          }
-          return `/oidc/interaction/${interaction.uid}`
-        }
-      }
-    }
-  }
-}
-```
-## Security Considerations
-### Key Management
-- Use strong RSA keys (2048-bit minimum) for JWT signing
-- Rotate signing keys periodically
-- Store private keys securely using environment variables or secret management
-- Use different keys for different environments
-### HTTPS and Proxy Configuration
-- Always use HTTPS in production
-- Configure `behindProxy` correctly when behind reverse proxies
-- Use secure cookie settings in production
-- Implement proper CORS policies
-### Client Security
-- Use strong client secrets for confidential clients
-- Validate redirect URIs strictly
-- Implement proper logout handling
-- Use appropriate token lifetimes
-### Session Management
-- Use secure session storage
-- Implement proper session cleanup
-- Monitor for session hijacking attempts
-- Use appropriate session timeouts
-## Best Practices
-1. **Configuration**: Use environment-specific configurations
-2. **Account Service**: Implement robust user authentication
-3. **Adapter Service**: Use persistent storage for production
-4. **Client Management**: Validate client configurations thoroughly
-5. **Security**: Follow OIDC security best practices
-6. **Monitoring**: Implement logging and monitoring
-7. **Testing**: Test all authentication flows thoroughly
-## Error Handling
-```typescript
-try {
-  const oidcService = createOidcProviderService()
-  await oidcService.update(apiServer)
-} catch (error) {
-  console.error('OIDC Provider setup failed:', error)
-  // Handle specific configuration errors
-  if (error.message.includes('missing key')) {
-    console.error('JWT signing key not configured')
-  }
-  if (error.message.includes('client')) {
-    console.error('Client configuration invalid')
-  }
-}
-```
-## Integration with OwlMeans Ecosystem
-### Server API Integration
-```typescript
-import { createApiServer } from '@owlmeans/server-api'
-// OIDC provider integrates seamlessly with server API
-const apiServer = createApiServer('api')
-const oidcProvider = createOidcProviderService('oidc')
-context.registerService(apiServer)
-context.registerService(oidcProvider)
-```
-### Authentication Integration
-```typescript
-import { makeAuthService } from '@owlmeans/server-auth'
-// Use OIDC tokens for API authentication
-const authService = makeAuthService('auth')
-// Configure auth service to validate OIDC tokens
-```
-### Context Integration
-```typescript
-import { makeServerContext } from '@owlmeans/server-context'
-// Full integration with server context management
-const context = makeServerContext(configWithOidc)
-```
-## Performance Considerations
+### Types
-- **Adapter Choice**: Use Redis or other fast storage for sessions
-- **Token Formats**: Consider JWT vs opaque tokens based on use case
-- **Caching**: Implement appropriate caching for user accounts
-- **Database Optimization**: Optimize account and client lookups
-- **Connection Pooling**: Use connection pooling for database operations
+`OidcProviderService` and provider config types are exported from the root entry.
 ## Related Packages
-- [`@owlmeans/oidc`](../oidc) - Core OIDC types and utilities
-- [`@owlmeans/server-api`](../server-api) - Server API framework
-- [`@owlmeans/server-context`](../server-context) - Server context management
-- [`@owlmeans/server-oidc-rp`](../server-oidc-rp) - Server-side relying party
-- [`@owlmeans/web-oidc-provider`](../web-oidc-provider) - Web UI for OIDC provider
+- [`@owlmeans/oidc`](../oidc) — shared protocol constants and module declarations
+- [`@owlmeans/server-oidc-rp`](../server-oidc-rp) — relying-party counterpart for consuming external IdPs
+- [`@owlmeans/server-api`](../server-api) — the underlying server API the middleware mounts onto
+- [`@owlmeans/web-oidc-provider`](../web-oidc-provider) — browser UI for the provider's interaction screens

package/build/service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,OAAO,EAA0C,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAS9G,eAAO,MAAM,yBAAyB,GAAI,QAAO,MAAsB,KAAG,~~mBA6FzE~~,CAAA;AAED,eAAO,MAAM,yBAAyB,GAAI,CAAC,SAAS,MAAM,EAAE,CAAC,SAAS,OAAO,CAAC,CAAC,CAAC,EAC9E,KAAK,CAAC,EAAE,QAAO,MAAsB,KACpC,CAOF,CAAA"}
1	+ {"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,OAAO,EAA0C,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAS9G,eAAO,MAAM,yBAAyB,GAAI,QAAO,MAAsB,KAAG,mBAwFzE,CAAA;AAED,eAAO,MAAM,yBAAyB,GAAI,CAAC,SAAS,MAAM,EAAE,CAAC,SAAS,OAAO,CAAC,CAAC,CAAC,EAC9E,KAAK,CAAC,EAAE,QAAO,MAAsB,KACpC,CAOF,CAAA"}

package/build/service.js CHANGED Viewed

@@ -26,7 +26,7 @@ export const createOidcProviderService = (alias = DEFAULT_ALIAS) => {
                 },
                 interactions: {
                     url: async (_, interaction) => {
-                        const module = context.module(INTERACTION);
+                        const module = context.entrypoint(INTERACTION);
                         const [uri] = await module.call({ params: { uid: interaction.uid } });
                         return uri;
                     }
@@ -35,18 +35,22 @@ export const createOidcProviderService = (alias = DEFAULT_ALIAS) => {
             oidc.proxy = cfg.behindProxy ?? unsecure;
             const base = SEP + (cfg.basePath ?? DEFAULT_PATH);
             api.server.use(base, oidc.callback());
-            oidc.use(async (ctx, next) => {
-                await next();
-                const csp = ctx.response.headers['content-security-policy'];
-                if (csp != null) {
-                    // @TODO Make it a little bit nicer - preferably using helmet :)
-                    ctx.response.set('Content-Security-Policy', csp.replace(/form-action 'self'/, 'form-action *'));
+            // oidc-provider v9: provider.use() middleware no longer runs post-response after a matched
+            // route. CSP rewrite is handled at the Fastify layer via an onSend hook instead.
+            api.server.addHook('onSend', async (request, reply, payload) => {
+                if (!request.url.startsWith(base)) {
+                    return payload;
                 }
+                const csp = reply.getHeader('content-security-policy');
+                if (typeof csp === 'string' && csp.includes("form-action 'self'")) {
+                    reply.header('Content-Security-Policy', csp.replace(/form-action 'self'/, 'form-action *'));
+                }
+                return payload;
             });
             if (context.cfg.debug?.all || context.cfg.debug?.oidc) {
                 oidc.on('grant.error', (_, error) => {
                     console.warn('GRANT ERROR .......: ');
-                    console.info(oidc.issuer, _.request.toJSON(), _.body);
+                    console.info(oidc.issuer);
                     console.error('!!!! GRANT ERROR: ', error);
                 });
                 oidc.on('server_error', (ctx, error) => {
@@ -59,15 +63,6 @@ export const createOidcProviderService = (alias = DEFAULT_ALIAS) => {
                     console.info(ctx.oidc.grant);
                     console.error('!!!! USER INFO ERROR: ', error);
                 });
-                oidc.use(async (_, next) => {
-                    console.log('OIDC REQ .......: ');
-                    console.log(_.request.toJSON());
-                    await next();
-                    console.log(_.oidc);
-                    console.log('OIDC RES .......: ');
-                    console.log(_.response.toJSON());
-                    console.log('OIDC RESPONSE BODY .......: ', _.response.body);
-                });
             }
             _initializedOidc = service.oidc = oidc;
         },

package/build/service.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"service.js","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAChE,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AACjE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAE1D,OAAO,QAAQ,MAAM,eAAe,CAAA;AAGpC,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AACrC,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEjD,IAAI,gBAAgB,GAAyB,SAAS,CAAA;AACtD,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,QAAgB,aAAa,EAAuB,EAAE;IAC9F,MAAM,OAAO,GAAwB,aAAa,CAAsB,KAAK,EAAE;QAC7E,MAAM,EAAE,KAAK,EAAC,GAAG,EAAC,EAAE;YAClB,MAAM,OAAO,GAAG,aAAa,CAAkB,OAAO,CAAC,GAAc,EAAE,KAAK,CAAC,CAAA;YAC7E,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAA;YAE5B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAe,CAAA;YAC/F,MAAM,MAAM,GAAG,kBAAkB,CAAkB,OAAO,CAAC,CAAA;YAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,QAAQ,IAAI,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;YACtF,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;YAE5F,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,GAAG,EAAE;gBAC7B,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC;gBAEzC,OAAO,EAAE,GAAG,CAAC,cAAc,IAAI,IAAI;oBACjC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAqB,GAAG,CAAC,cAAe,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACjF,CAAC,CAAC,SAAS;gBAEb,WAAW,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE;oBACnC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAChC,GAAG,CAAC,cAAc,IAAI,oBAAoB,CAC3C,CAAA;oBAED,OAAO,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;gBACzC,CAAC;gBAED,YAAY,EAAE;oBACZ,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE;wBAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,~~MAAM~~,~~CAAe~~,WAAW,CAAC,CAAA;~~wBACxD~~,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,MAAM,CAAC,IAAI,CAAS,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;wBAC7E,OAAO,GAAG,CAAA;oBACZ,CAAC;iBACF;aACF,CAAC,CAAA;YAEF,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,WAAW,IAAI,QAAQ,CAAA;YACxC,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,IAAI,YAAY,CAAC,CAAA;YAEjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAA;~~YACrC~~,~~IAAI~~,~~CAAC~~,GAAG,CAAC,KAAK,EAAE,~~GAAG~~,EAAE,~~IAAI~~,EAAE,EAAE;~~gBAC3B~~,~~MAAM~~,IAAI,EAAE,CAAA;~~gBACZ~~,MAAM,GAAG,GAAG,~~GAAG~~,CAAC,~~QAAQ~~,CAAC,~~OAAO,CAAC,~~yBAAyB,CAAC,CAAA;~~gBAC3D~~,IAAI,GAAG,~~IAAI~~,IAAI,~~EAAE~~,CAAC~~;oBAChB~~,~~gEAAgE;oBAEhE~~,~~GAAG~~,CAAC,~~QAAQ~~,CAAC,~~GAAG~~,CAAC,yBAAyB,EAAE,GAAG,CAAC,OAAO,CAAC,oBAAoB,EAAE,eAAe,CAAC,CAAC,CAAA;~~gBACjG~~,CAAC;~~YACH~~,CAAC,CAAC,CAAA;~~YACF~~,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;gBAEtD,IAAI,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE;oBAClC,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;oBACrC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,~~EAAE,~~CAAC,~~CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,~~CAAA;~~oBACrD~~,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAA;gBAC5C,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,EAAE,CAAC,cAAc,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;oBACrC,OAAO,CAAC,IAAI,CAAC,wBAAwB,EAAE,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;oBAC5E,OAAO,CAAC,IAAI,CAAE,GAAG,CAAC,IAAY,CAAC,KAAK,CAAC,CAAA;oBACrC,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAA;gBAC7C,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,EAAE,CAAC,gBAAgB,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;oBACvC,OAAO,CAAC,IAAI,CAAC,2BAA2B,EAAE,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;oBAC/E,OAAO,CAAC,IAAI,CAAE,GAAG,CAAC,IAAY,CAAC,KAAK,CAAC,CAAA;oBACrC,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAA;gBAChD,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;oBACzB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;oBACjC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;oBAC/B,MAAM,IAAI,EAAE,CAAA;oBACZ,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;oBACnB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAA;oBACjC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;oBAChC,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;gBAC9D,CAAC,CAAC,CAAA;YAEJ,CAAC;YAED,gBAAgB,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAA;QACxC,CAAC;QAED,QAAQ,EAAE,GAAG,EAAE;YACb,OAAO,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,GAAG,gBAAiB,CAAC,CAAA;QAC3D,CAAC;QAED,cAAc,EAAE,KAAK,EAAC,EAAE,EAAC,EAAE;YACzB,OAAO,MAAM,OAAO,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,IAAI,CAAA;QAC9D,CAAC;KACF,CAAC,CAAA;IAEF,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACvC,GAAM,EAAE,QAAgB,aAAa,EAClC,EAAE;IACL,MAAM,OAAO,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAA;IAChD,MAAM,OAAO,GAAG,GAAQ,CAAA;IAExB,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;IAEhC,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA"}
1	+ {"version":3,"file":"service.js","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAChE,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AACjE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAE1D,OAAO,QAAQ,MAAM,eAAe,CAAA;AAGpC,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AACrC,OAAO,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEjD,IAAI,gBAAgB,GAAyB,SAAS,CAAA;AACtD,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,QAAgB,aAAa,EAAuB,EAAE;IAC9F,MAAM,OAAO,GAAwB,aAAa,CAAsB,KAAK,EAAE;QAC7E,MAAM,EAAE,KAAK,EAAC,GAAG,EAAC,EAAE;YAClB,MAAM,OAAO,GAAG,aAAa,CAAkB,OAAO,CAAC,GAAc,EAAE,KAAK,CAAC,CAAA;YAC7E,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAA;YAE5B,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAe,CAAA;YAC/F,MAAM,MAAM,GAAG,kBAAkB,CAAkB,OAAO,CAAC,CAAA;YAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,GAAG,CAAC,QAAQ,IAAI,YAAY,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;YACtF,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;YAE5F,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,GAAG,EAAE;gBAC7B,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC;gBAEzC,OAAO,EAAE,GAAG,CAAC,cAAc,IAAI,IAAI;oBACjC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAqB,GAAG,CAAC,cAAe,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACjF,CAAC,CAAC,SAAS;gBAEb,WAAW,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE;oBACnC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAChC,GAAG,CAAC,cAAc,IAAI,oBAAoB,CAC3C,CAAA;oBAED,OAAO,UAAU,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;gBACzC,CAAC;gBAED,YAAY,EAAE;oBACZ,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE;wBAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAmB,WAAW,CAAC,CAAA;wBAChE,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,MAAM,CAAC,IAAI,CAAS,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;wBAC7E,OAAO,GAAG,CAAA;oBACZ,CAAC;iBACF;aACF,CAAC,CAAA;YAEF,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,WAAW,IAAI,QAAQ,CAAA;YACxC,MAAM,IAAI,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,IAAI,YAAY,CAAC,CAAA;YAEjD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAA;YAErC,2FAA2F;YAC3F,iFAAiF;YACjF,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;gBAC7D,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBAClC,OAAO,OAAO,CAAA;gBAChB,CAAC;gBACD,MAAM,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAA;gBACtD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;oBAClE,KAAK,CAAC,MAAM,CAAC,yBAAyB,EAAE,GAAG,CAAC,OAAO,CAAC,oBAAoB,EAAE,eAAe,CAAC,CAAC,CAAA;gBAC7F,CAAC;gBACD,OAAO,OAAO,CAAA;YAChB,CAAC,CAAC,CAAA;YAEF,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;gBAEtD,IAAI,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE;oBAClC,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;oBACrC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;oBACzB,OAAO,CAAC,KAAK,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAA;gBAC5C,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,EAAE,CAAC,cAAc,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;oBACrC,OAAO,CAAC,IAAI,CAAC,wBAAwB,EAAE,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;oBAC5E,OAAO,CAAC,IAAI,CAAE,GAAG,CAAC,IAAY,CAAC,KAAK,CAAC,CAAA;oBACrC,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAA;gBAC7C,CAAC,CAAC,CAAA;gBAEF,IAAI,CAAC,EAAE,CAAC,gBAAgB,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE;oBACvC,OAAO,CAAC,IAAI,CAAC,2BAA2B,EAAE,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;oBAC/E,OAAO,CAAC,IAAI,CAAE,GAAG,CAAC,IAAY,CAAC,KAAK,CAAC,CAAA;oBACrC,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAA;gBAChD,CAAC,CAAC,CAAA;YAEJ,CAAC;YAED,gBAAgB,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAA;QACxC,CAAC;QAED,QAAQ,EAAE,GAAG,EAAE;YACb,OAAO,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,GAAG,gBAAiB,CAAC,CAAA;QAC3D,CAAC;QAED,cAAc,EAAE,KAAK,EAAC,EAAE,EAAC,EAAE;YACzB,OAAO,MAAM,OAAO,CAAC,QAAQ,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,IAAI,CAAA;QAC9D,CAAC;KACF,CAAC,CAAA;IAEF,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,yBAAyB,GAAG,CACvC,GAAM,EAAE,QAAgB,aAAa,EAClC,EAAE;IACL,MAAM,OAAO,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAA;IAChD,MAAM,OAAO,GAAG,GAAQ,CAAA;IAExB,OAAO,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;IAEhC,OAAO,OAAO,CAAA;AAChB,CAAC,CAAA"}

package/build/utils/config.js CHANGED Viewed

@@ -30,7 +30,7 @@ export const combineConfig = async (context, _unsecure) => {
         },
         jwks: {
             keys: [
-                await jose.exportJWK(await jose.importPKCS8(cfg.defaultKeys.RS256.pk, 'RS256'))
+                await jose.exportJWK(await jose.importPKCS8(cfg.defaultKeys.RS256.pk, 'RS256', { extractable: true }))
             ]
         }
     };

package/build/utils/config.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/utils/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,EAAE,OAAgB,EAAE,SAAkB,EAA0B,EAAE;IAClG,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAA;IAE5B,MAAM,aAAa,GAAkB;QACnC,GAAG,GAAG,CAAC,mBAAmB;QAC1B,OAAO,EAAE;YACP,GAAG,GAAG,CAAC,OAAO;YACd,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,IAAI,EAAE,CAAC;SAC5C,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC9C,MAAM,EAAE;YACN,KAAK,EAAE,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC;YACnF,OAAO,EAAE;gBACP,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,oBAAoB;gBAC3F,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,EAAE,OAAO,IAAI,EAAE;aAClD;YACD,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM;SACnC;QACD,MAAM,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,IAAI,EAAE,CAAC;QACzF,QAAQ,EAAE;YACR,GAAG,GAAG,CAAC,mBAAmB,EAAE,QAAQ;YACpC,eAAe,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;YACnC,qBAAqB;YACrB,eAAe;YACf,kEAAkE;YAClE,gCAAgC;YAChC,mBAAmB;YACnB,2DAA2D;YAC3D,KAAK;SACN;QACD,IAAI,EAAE;YACJ,IAAI,EAAE;gBACJ,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;~~aAChF~~;SACF;KACF,CAAA;IAED,OAAO,aAAa,CAAA;AACtB,CAAC,CAAA"}
1	+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/utils/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,EAAE,OAAgB,EAAE,SAAkB,EAA0B,EAAE;IAClG,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAA;IAE5B,MAAM,aAAa,GAAkB;QACnC,GAAG,GAAG,CAAC,mBAAmB;QAC1B,OAAO,EAAE;YACP,GAAG,GAAG,CAAC,OAAO;YACd,GAAG,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,IAAI,EAAE,CAAC;SAC5C,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC9C,MAAM,EAAE;YACN,KAAK,EAAE,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC;YACnF,OAAO,EAAE;gBACP,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,oBAAoB;gBAC3F,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,EAAE,OAAO,IAAI,EAAE;aAClD;YACD,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM;SACnC;QACD,MAAM,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,GAAG,CAAC,mBAAmB,EAAE,MAAM,IAAI,EAAE,CAAC;QACzF,QAAQ,EAAE;YACR,GAAG,GAAG,CAAC,mBAAmB,EAAE,QAAQ;YACpC,eAAe,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;YACnC,qBAAqB;YACrB,eAAe;YACf,kEAAkE;YAClE,gCAAgC;YAChC,mBAAmB;YACnB,2DAA2D;YAC3D,KAAK;SACN;QACD,IAAI,EAAE;YACJ,IAAI,EAAE;gBACJ,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;aACvG;SACF;KACF,CAAA;IAED,OAAO,aAAa,CAAA;AACtB,CAAC,CAAA"}

package/package.json CHANGED Viewed

@@ -1,12 +1,13 @@
 {
   "name": "@owlmeans/server-oidc-provider",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "license": "MIT",
   "type": "module",
   "scripts": {
     "build": "tsc -b",
     "dev": "sleep 306 && nodemon -e ts,tsx,json --watch src --exec \"tsc -p ./tsconfig.json\"",
-    "watch": "tsc -b -w --preserveWatchOutput --pretty"
+    "watch": "tsc -b -w --preserveWatchOutput --pretty",
+    "test": "bun test ./tests"
   },
   "main": "build/index.js",
   "module": "build/index.js",
@@ -21,27 +22,30 @@
     }
   },
   "devDependencies": {
+    "@owlmeans/dep-config": "workspace:*",
+    "@owlmeans/context": "^0.1.3",
+    "@types/bun": "^1.3.0",
     "@types/node": "^24.10.1",
-    "@types/oidc-provider": "^8.5.2",
+    "@types/oidc-provider": "9.5.0",
     "nodemon": "^3.1.11",
     "npm-check": "^6.0.1",
-    "typescript": "^5.8.3"
+    "typescript": "^6.0.2"
   },
   "peerDependencies": {
     "fastify": "*"
   },
   "dependencies": {
     "@noble/hashes": "^1.5.0",
-    "@owlmeans/client-module": "^0.1.2",
-    "@owlmeans/config": "^0.1.2",
-    "@owlmeans/context": "^0.1.2",
-    "@owlmeans/oidc": "^0.1.2",
-    "@owlmeans/route": "^0.1.2",
-    "@owlmeans/server-api": "^0.1.2",
-    "@owlmeans/server-context": "^0.1.2",
+    "@owlmeans/client-entrypoint": "^0.1.3",
+    "@owlmeans/config": "^0.1.3",
+    "@owlmeans/context": "^0.1.3",
+    "@owlmeans/oidc": "^0.1.3",
+    "@owlmeans/route": "^0.1.3",
+    "@owlmeans/server-api": "^0.1.3",
+    "@owlmeans/server-context": "^0.1.3",
     "@scure/base": "^1.1.9",
-    "jose": "5.9.6",
-    "oidc-provider": "8.5.2"
+    "jose": "6.2.3",
+    "oidc-provider": "9.8.4"
   },
   "publishConfig": {
     "access": "public"

package/src/service.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import { DEFAULT_PATH, INTERACTION } from '@owlmeans/oidc'
 import type { Config, Context, OidcAccountService, OidcAdapterService, OidcProviderService } from './types.js'
 import Provider from 'oidc-provider'
 import type { BasicRoute } from '@owlmeans/route'
-import type { ClientModule } from '@owlmeans/client-module'
+import type { ClientEntrypoint } from '@owlmeans/client-entrypoint'
 import { SEP } from '@owlmeans/route'
 import { makeSecurityHelper } from '@owlmeans/config'
 import { combineConfig } from './utils/config.js'
@@ -38,7 +38,7 @@ export const createOidcProviderService = (alias: string = DEFAULT_ALIAS): OidcPr
         interactions: {
           url: async (_, interaction) => {
-            const module = context.module<ClientModule>(INTERACTION)
+            const module = context.entrypoint<ClientEntrypoint>(INTERACTION)
             const [uri] = await module.call<string>({ params: { uid: interaction.uid } })
             return uri
           }
@@ -49,20 +49,25 @@ export const createOidcProviderService = (alias: string = DEFAULT_ALIAS): OidcPr
       const base = SEP + (cfg.basePath ?? DEFAULT_PATH)
       api.server.use(base, oidc.callback())
-      oidc.use(async (ctx, next) => {
-        await next()
-        const csp = ctx.response.headers['content-security-policy']
-        if (csp != null) {
-          // @TODO Make it a little bit nicer - preferably using helmet :)
-          ctx.response.set('Content-Security-Policy', csp.replace(/form-action 'self'/, 'form-action *'))
+      // oidc-provider v9: provider.use() middleware no longer runs post-response after a matched
+      // route. CSP rewrite is handled at the Fastify layer via an onSend hook instead.
+      api.server.addHook('onSend', async (request, reply, payload) => {
+        if (!request.url.startsWith(base)) {
+          return payload
         }
+        const csp = reply.getHeader('content-security-policy')
+        if (typeof csp === 'string' && csp.includes("form-action 'self'")) {
+          reply.header('Content-Security-Policy', csp.replace(/form-action 'self'/, 'form-action *'))
+        }
+        return payload
       })
       if (context.cfg.debug?.all || context.cfg.debug?.oidc) {
         oidc.on('grant.error', (_, error) => {
           console.warn('GRANT ERROR .......: ')
-          console.info(oidc.issuer, _.request.toJSON(), _.body)
+          console.info(oidc.issuer)
           console.error('!!!! GRANT ERROR: ', error)
         })
@@ -78,16 +83,6 @@ export const createOidcProviderService = (alias: string = DEFAULT_ALIAS): OidcPr
           console.error('!!!! USER INFO ERROR: ', error)
         })
-        oidc.use(async (_, next) => {
-          console.log('OIDC REQ .......: ')
-          console.log(_.request.toJSON())
-          await next()
-          console.log(_.oidc)
-          console.log('OIDC RES .......: ')
-          console.log(_.response.toJSON())
-          console.log('OIDC RESPONSE BODY .......: ', _.response.body)
-        })
       }
       _initializedOidc = service.oidc = oidc

package/src/utils/config.ts CHANGED Viewed

@@ -34,7 +34,7 @@ export const combineConfig = async (context: Context, _unsecure: boolean): Promi
     },
     jwks: {
       keys: [
-        await jose.exportJWK(await jose.importPKCS8(cfg.defaultKeys.RS256.pk, 'RS256'))
+        await jose.exportJWK(await jose.importPKCS8(cfg.defaultKeys.RS256.pk, 'RS256', { extractable: true }))
       ]
     }
   }

package/tests/config.spec.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=config.spec.d.ts.map

package/tests/config.spec.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"config.spec.d.ts","sourceRoot":"","sources":["config.spec.ts"],"names":[],"mappings":""}

package/tests/config.spec.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import { describe, it, expect } from 'bun:test'
+import { generateKeyPairSync } from 'node:crypto'
+import { AppType, Layer, makeBasicContext } from '@owlmeans/context'
+import type { BasicContext } from '@owlmeans/context'
+import { combineConfig } from '../src/utils/config.js'
+import type { Config } from '../src/types.js'
+const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
+const TEST_PKCS8_PEM = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString()
+const makeTestContext = () => {
+  const cfg: Config = {
+    ready: false,
+    service: 'server-oidc-provider-tests',
+    layer: Layer.Service,
+    type: AppType.Backend,
+    services: {},
+    debug: { all: false },
+    oidc: {
+      clients: [],
+      defaultKeys: {
+        RS256: { pk: TEST_PKCS8_PEM },
+      },
+    },
+  } as unknown as Config
+  return makeBasicContext(cfg) as BasicContext<Config>
+}
+describe('combineConfig (jose v6 extractable key)', () => {
+  it('produces a JWKS with an RS256 key', async () => {
+    const context = makeTestContext()
+    const config = await combineConfig(context as any, true)
+    expect(config.jwks).toBeDefined()
+    expect(Array.isArray(config.jwks?.keys)).toBe(true)
+    const keys = config.jwks?.keys ?? []
+    expect(keys.length).toBeGreaterThan(0)
+    expect(keys[0].kty).toBe('RSA')
+  })
+})

package/tests/tsconfig.json ADDED Viewed

@@ -0,0 +1,12 @@
+{
+  "extends": [
+    "@owlmeans/dep-config/tsconfig.base.json",
+    "@owlmeans/dep-config/tsconfig.node.json"
+  ],
+  "compilerOptions": {
+    "types": ["bun"],
+    "rootDir": "../",
+    "noEmit": true
+  },
+  "include": ["./**/*", "../src/**/*"]
+}

package/tsconfig.json CHANGED Viewed

@@ -1,15 +1,16 @@
 {
   "extends": [
-    "../tsconfig.default.json",
+    "@owlmeans/dep-config/tsconfig.base.json",
+    "@owlmeans/dep-config/tsconfig.node.json"
   ],
   "compilerOptions": {
-    "rootDir": "./src/", /* Specify the root folder within your source files. */
-    "outDir": "./build/", /* Specify an output folder for all emitted files. */
-    "moduleResolution": "Bundler",
+    "rootDir": "./src/",
+    "outDir": "./build/"
   },
   "exclude": [
     "./dist/**/*",
     "./build/**/*",
+    "./tests/**/*",
     "./*.ts"
   ]
-}
+}