@typekcz-nocobase-plugins/plugin-oidc-plus 1.0.2 → 1.0.4

package/src/locale/en-US.json

@@ -0,0 +1,40 @@
+{
+  "Enable": "Enable",
+  "Issuer": "Issuer",
+  "OIDC manager": "OIDC manager",
+  "OIDC Providers": "OIDC Providers",
+  "Provider name": "Name",
+  "Client id": "Client id",
+  "Client secret": "Client secret",
+  "Openid configuration": "Openid configuration",
+  "Authorization endpoint": "Authorization endpoint",
+  "Access token endpoint": "Access token endpoint",
+  "JWKS endpoint": "JWKS endpoint",
+  "Userinfo endpoint": "Userinfo endpoint",
+  "Redirect url": "Redirect url",
+  "Logout endpoint": "Logout endpoint",
+  "Id token sign alg": "Id token sign alg",
+  "Add provider": "Add",
+  "Edit provider": "Edit",
+  "Delete provider": "Delete",
+  "Sign in button name, which will be displayed on the sign in page": "Sign in button name, which will be displayed on the sign in page",
+  "Use this field to bind the user": "Use this field to bind the user",
+  "Sign up automatically when the user does not exist": "Sign up automatically when the user does not exist",
+  "Username must be 2-16 characters in length (excluding @.<>\"'/)": "Username must be 2-16 characters in length (excluding @.<>\"'/)",
+  "User not found": "User not found",
+  "Basic configuration": "Basic configuration",
+  "Field mapping": "Field mapping",
+  "Advanced configuration": "Advanced configuration",
+  "Usage": "Usage",
+  "Redirect URL": "Redirect URL",
+  "Check if NocoBase is running on HTTP protocol": "Check if NocoBase is running on HTTP protocol",
+  "The port number of the NocoBase service if it is not 80 or 443": "The port number of the NocoBase service if it is not 80 or 443",
+  "Pass parameters in the authorization code grant exchange": "Pass parameters in the authorization code grant exchange",
+  "Method to call the user info endpoint": "Method to call the user info endpoint",
+  "Where to put the access token when calling the user info endpoint": "Where to put the access token when calling the user info endpoint",
+  "Header": "Header",
+  "Body (Use with POST method)": "Body (Use with POST method)",
+  "Query parameters (Use with GET method)": "Query parameters (Use with GET method)",
+  "Parameter name": "Parameter name",
+  "The state token helps prevent CSRF attacks. It's recommended to leave it blank for automatic random generation.": "The state token helps prevent CSRF attacks. It's recommended to leave it blank for automatic random generation."
+}

package/src/locale/es-ES.json

@@ -0,0 +1,25 @@
+{
+  "Enable": "Activar",
+  "Issuer": "Emisor",
+  "Actions": "Acciones",
+  "Delete": "Borrar",
+  "Edit": "Editar",
+  "Button title": "Título del botón",
+  "OIDC manager": "Gestor OIDC",
+  "OIDC Providers": "Proveedores OIDC",
+  "Provider name": "Nombre",
+  "Client id": "Id de cliente",
+  "Client secret": "Secreto del cliente",
+  "Openid configuration": "Configuración Openid",
+  "Authorization endpoint": "Endpoint de autorización ",
+  "Access token endpoint": "Endpoint de token de acceso",
+  "JWKS endpoint": "Endpoint de JWKS",
+  "Userinfo endpoint": "Userinfo endpoint",
+  "Redirect url": "Redirect url",
+  "Logout endpoint": "Endpoint de cierre de sesión",
+  "Id token sign alg": "Id token sign alg",
+  "Add provider": "Añadir Proveedor",
+  "Edit provider": "Editar Proveedor",
+  "Delete provider": "Borrar Proveedor",
+  "Sign in button name, which will be displayed on the sign in page": "Nombre del botón de inicio de sesión, que se mostrará en la página de inicio de sesión"
+}

package/src/locale/fr-FR.json

@@ -0,0 +1,21 @@
+{
+  "Enable": "Activer",
+  "Issuer": "Issuer",
+  "OIDC manager": "OIDC manager",
+  "OIDC Providers": "OIDC Providers",
+  "Provider name": "Nom",
+  "Client id": "Client id",
+  "Client secret": "Client secret",
+  "Openid configuration": "Openid configuration",
+  "Authorization endpoint": "Authorization endpoint",
+  "Access token endpoint": "Access token endpoint",
+  "JWKS endpoint": "JWKS endpoint",
+  "Userinfo endpoint": "Userinfo endpoint",
+  "Redirect url": "Redirect url",
+  "Logout endpoint": "Logout endpoint",
+  "Id token sign alg": "Id token sign alg",
+  "Add provider": "Ajouter",
+  "Edit provider": "Modifier",
+  "Delete provider": "Supprimer",
+  "Sign in button name, which will be displayed on the sign in page": "Nom du bouton de connexion, qui sera affiché sur la page de connexion"
+}

package/src/locale/ko_KR.json

@@ -0,0 +1,28 @@
+{
+  "Enable": "활성화",
+  "Actions": "작업",
+  "Delete": "삭제",
+  "Edit": "편집",
+  "Copied": "복사됨",
+  "Field Map": "필드 매핑",
+  "id_token signed response algorithm": "id_token 서명 응답 알고리즘",
+  "Use this field to bind the user": "이 필드를 사용하여 사용자를 바인딩합니다",
+  "Sign up automatically when the user does not exist": "사용자가 존재하지 않을 때 자동으로 가입",
+  "Username must be 2-16 characters in length (excluding @.<>\"'/)": "사용자 이름은 2-16 자여야합니다 (@.<>\"'/ 제외)",
+  "User not found": "사용자를 찾을 수 없음",
+  "Basic configuration": "기본 설정",
+  "Field mapping": "필드 매핑",
+  "Advanced configuration": "고급 설정",
+  "Usage": "사용 방법",
+  "Redirect URL": "리디렉션 URL",
+  "Check if NocoBase is running on HTTP protocol": "NocoBase가 HTTP 프로토콜에서 실행 중인지 확인",
+  "The port number of the NocoBase service if it is not 80 or 443": "NocoBase 서비스의 포트 번호, 기본값은 443/80",
+  "Pass parameters in the authorization code grant exchange": "권한 부여 코드 교환 중에 매개 변수를 전달",
+  "Method to call the user info endpoint": "사용자 정보 엔드포인트를 호출하는 방법",
+  "Where to put the access token when calling the user info endpoint": "사용자 정보 엔드포인트를 호출할 때 access_token을 어디에 두어야 하는지",
+  "Header": "헤더 (기본값)",
+  "Body (Use with POST method)": "바디 (POST 방식과 함께 사용)",
+  "Query parameters (Use with GET method)": "쿼리 매개 변수 (GET 방식과 함께 사용)",
+  "Parameter name": "매개 변수 이름",
+  "The state token helps prevent CSRF attacks. It's recommended to leave it blank for automatic random generation.": "상태 토큰은 CSRF 공격을 방지하는 데 도움이 됩니다. 자동으로 무작위로 생성하려면 비워 두는 것이 좋습니다."
+  }

package/src/locale/pt-BR.json

@@ -0,0 +1,21 @@
+{
+  "Enable": "Habilitar",
+  "Issuer": "Emissor",
+  "OIDC manager": "Gerenciador OIDC",
+  "OIDC Providers": "Provedores OIDC",
+  "Provider name": "Nome do provedor",
+  "Client id": "ID do cliente",
+  "Client secret": "Segredo do cliente",
+  "Openid configuration": "Configuração OpenID",
+  "Authorization endpoint": "Endpoint de autorização",
+  "Access token endpoint": "Endpoint de token de acesso",
+  "JWKS endpoint": "Endpoint JWKS",
+  "Userinfo endpoint": "Endpoint de informações do usuário",
+  "Redirect url": "URL de redirecionamento",
+  "Logout endpoint": "Endpoint de logout",
+  "Id token sign alg": "Algoritmo de assinatura do token de ID",
+  "Add provider": "Adicionar",
+  "Edit provider": "Editar",
+  "Delete provider": "Excluir",
+  "Sign in button name, which will be displayed on the sign in page": "Nome do botão de login, que será exibido na página de login"
+}

package/src/locale/zh-CN.json

@@ -0,0 +1,28 @@
+{
+  "Enable": "启用",
+  "Actions": "操作",
+  "Delete": "删除",
+  "Edit": "编辑",
+  "Copied": "已复制",
+  "Field Map": "字段映射",
+  "id_token signed response algorithm": "id_token签名算法",
+  "Use this field to bind the user": "使用此字段绑定用户",
+  "Sign up automatically when the user does not exist": "用户不存在时自动注册",
+  "Username must be 2-16 characters in length (excluding @.<>\"'/)": "用户名必须为2-16个字符并且不包含@.<>\"'/）",
+  "User not found": "用户不存在",
+  "Basic configuration": "基础配置",
+  "Field mapping": "字段映射",
+  "Advanced configuration": "高级配置",
+  "Usage": "使用",
+  "Redirect URL": "回调 URL",
+  "Check if NocoBase is running on HTTP protocol": "NocoBase 应用为HTTP协议时勾选",
+  "The port number of the NocoBase service if it is not 80 or 443": "NocoBase 应用端口，默认 443/80",
+  "Pass parameters in the authorization code grant exchange": "使用 code 交换 token 时需要传递的参数",
+  "Method to call the user info endpoint": "访问获取用户信息的 API 的 HTTP 方法",
+  "Where to put the access token when calling the user info endpoint": "访问获取用户信息的 API 时 access_token 的传递方式",
+  "Header": "请求头 (Header, 默认)",
+  "Body (Use with POST method)": "请求体（Body, 配合 POST 方法使用）",
+  "Query parameters (Use with GET method)": "请求 URL 参数（Query, 配合 GET 方法使用）",
+  "Parameter name": "参数名",
+  "The state token helps prevent CSRF attacks. It's recommended to leave it blank for automatic random generation.": "state token 用于防止 CSRF 攻击，建议留空使用自动生成的随机值。"
+}

package/src/server/__tests__/oidc.test.ts

@@ -0,0 +1,283 @@
+import { Database } from '@nocobase/database';
+import { MockServer, createMockServer } from '@nocobase/test';
+import { vi } from 'vitest';
+import { authType } from '../../constants';
+import { OIDCAuth } from '../oidc-auth';
+import { AppSupervisor } from '@nocobase/server';
+
+describe('oidc', () => {
+  let app: MockServer;
+  let db: Database;
+  let agent;
+  let authenticator;
+
+  beforeAll(async () => {
+    app = await createMockServer({
+      plugins: ['users', 'auth', 'oidc'],
+    });
+    db = app.db;
+    agent = app.agent();
+
+    const authenticatorRepo = db.getRepository('authenticators');
+    authenticator = await authenticatorRepo.create({
+      values: {
+        name: 'oidc-auth',
+        authType: authType,
+        enabled: 1,
+        options: {
+          oidc: {
+            issuer: '',
+            clientId: '',
+            clientSecret: '',
+          },
+        },
+      },
+    });
+  });
+
+  afterAll(async () => {
+    await app.destroy();
+  });
+
+  afterEach(async () => {
+    vi.restoreAllMocks();
+    await db.getRepository('users').destroy({
+      truncate: true,
+    });
+  });
+
+  it('should get auth url', async () => {
+    agent = app.agent();
+    vi.spyOn(OIDCAuth.prototype, 'createOIDCClient').mockResolvedValue({
+      authorizationUrl: ({ state }) => state,
+    } as any);
+    const res = await agent.set('X-Authenticator', 'oidc-auth').resource('oidc').getAuthUrl();
+    expect(res.body.data).toBeDefined();
+    const search = new URLSearchParams(decodeURIComponent(res.body.data));
+    expect(search.get('token')).toBeDefined();
+    expect(search.get('name')).toBe('oidc-auth');
+    expect(res.headers['set-cookie']).toBeDefined();
+    const token = res.headers['set-cookie'][0].split(';')[0].split('=')[1];
+    expect(token).toBe(search.get('token'));
+  });
+
+  it('should not sign in without auto signup', async () => {
+    await authenticator.update({
+      options: {
+        public: {
+          autoSignup: false,
+        },
+      },
+    });
+    agent = app.agent();
+    vi.spyOn(OIDCAuth.prototype, 'createOIDCClient').mockResolvedValue({
+      callback: (uri, { code }) => ({
+        access_token: 'access_token',
+      }),
+      userinfo: () => ({
+        sub: 'user1',
+      }),
+    } as any);
+
+    const res = await agent
+      .set('X-Authenticator', 'oidc-auth')
+      .set('Cookie', ['nocobase_oidc=token'])
+      .get('/auth:signIn?state=token%3Dtoken&name=oidc-auth');
+
+    expect(res.statusCode).toBe(401);
+  });
+
+  it('should sign in with auto signup', async () => {
+    await authenticator.update({
+      options: {
+        public: {
+          autoSignup: true,
+        },
+      },
+    });
+    agent = app.agent();
+    vi.spyOn(OIDCAuth.prototype, 'createOIDCClient').mockResolvedValue({
+      callback: (uri, { code }) => ({
+        access_token: 'access_token',
+      }),
+      userinfo: () => ({
+        sub: 'user1',
+      }),
+    } as any);
+
+    const res = await agent
+      .set('X-Authenticator', 'oidc-auth')
+      .set('Cookie', ['nocobase_oidc=token'])
+      .get('/auth:signIn?state=token%3Dtoken&name=oidc-auth');
+    expect(res.statusCode).toBe(200);
+    expect(res.body.data.user).toBeDefined();
+    expect(res.body.data.user.nickname).toBe('user1');
+  });
+
+  it('should sign in with existed email', async () => {
+    await authenticator.update({
+      options: {
+        oidc: {
+          userBindField: 'email',
+        },
+        public: {
+          autoSignup: false,
+        },
+      },
+    });
+    const user = await db.getRepository('users').create({
+      values: {
+        nickname: 'has-email',
+        email: 'test@nocobase.com',
+      },
+    });
+    agent = app.agent();
+    vi.spyOn(OIDCAuth.prototype, 'createOIDCClient').mockResolvedValue({
+      callback: (uri, { code }) => ({
+        access_token: 'access_token',
+      }),
+      userinfo: () => ({
+        sub: 'user1',
+        email: 'test@nocobase.com',
+      }),
+    } as any);
+
+    const res = await agent
+      .set('X-Authenticator', 'oidc-auth')
+      .set('Cookie', ['nocobase_oidc=token'])
+      .get('/auth:signIn?state=token%3Dtoken&name=oidc-auth');
+
+    expect(res.body.data.user).toBeDefined();
+    expect(res.body.data.user.id).toBe(user.id);
+  });
+
+  it('should sign in with existed username', async () => {
+    await authenticator.update({
+      options: {
+        oidc: {
+          userBindField: 'username',
+        },
+        public: {
+          autoSignup: false,
+        },
+      },
+    });
+
+    const user = await db.getRepository('users').create({
+      values: {
+        nickname: 'has-username',
+        username: 'username',
+      },
+    });
+    agent = app.agent();
+    vi.spyOn(OIDCAuth.prototype, 'createOIDCClient').mockResolvedValue({
+      callback: (uri, { code }) => ({
+        access_token: 'access_token',
+      }),
+      userinfo: () => ({
+        username: 'username',
+        sub: 'username',
+      }),
+    } as any);
+
+    const res = await agent
+      .set('X-Authenticator', 'oidc-auth')
+      .set('Cookie', ['nocobase_oidc=token'])
+      .get('/auth:signIn?state=token%3Dtoken&name=oidc-auth');
+
+    expect(res.body.data.user).toBeDefined();
+    expect(res.body.data.user.id).toBe(user.id);
+  });
+
+  it('oidc:redirect', async () => {
+    vi.spyOn(OIDCAuth.prototype, 'signIn').mockResolvedValue({
+      user: {} as any,
+      token: 'test-token',
+    });
+    const res = await agent.get(`/oidc:redirect?state=${encodeURIComponent('name=oidc-auth&app=main')}`);
+    expect(res.statusCode).toBe(302);
+    expect(res.headers.location).toBe(`/admin?authenticator=oidc-auth&token=test-token`);
+  });
+
+  it('oidc:redirect, sub app', async () => {
+    vi.spyOn(OIDCAuth.prototype, 'signIn').mockResolvedValue({
+      user: {} as any,
+      token: 'test-token',
+    });
+    vi.spyOn(AppSupervisor, 'getInstance').mockReturnValue({
+      runningMode: 'multiple',
+    } as any);
+    const res = await agent.get(`/oidc:redirect?state=${encodeURIComponent('name=oidc-auth&app=sub')}`);
+    expect(res.statusCode).toBe(302);
+    expect(res.headers.location).toBe(`/apps/sub/admin?authenticator=oidc-auth&token=test-token`);
+  });
+
+  it('oidc:redirect, error', async () => {
+    vi.spyOn(OIDCAuth.prototype, 'signIn').mockRejectedValue(new Error('test error'));
+    const res = await agent.get(`/oidc:redirect?state=${encodeURIComponent('name=oidc-auth&app=main')}`);
+    expect(res.statusCode).toBe(302);
+    expect(res.headers.location).toBe(`/signin?redirect=/admin&authenticator=oidc-auth&error=test%20error`);
+  });
+});
+
+test('field mapping', () => {
+  const auth = new OIDCAuth({
+    authenticator: null,
+    ctx: {
+      db: {
+        getCollection: () => ({}),
+      } as any,
+    } as any,
+    options: {
+      oidc: {
+        fieldMap: [
+          {
+            source: 'username',
+            target: 'nickname',
+          },
+        ],
+      },
+    },
+  });
+  const userInfo = auth.mapField({
+    sub: 1,
+    username: 'user1',
+  });
+  expect(userInfo).toEqual({
+    sub: 1,
+    username: 'user1',
+    nickname: 'user1',
+  });
+});
+
+test('getExchangeBody', () => {
+  const auth = new OIDCAuth({
+    ctx: {
+      db: {
+        getCollection: () => ({}),
+      },
+    },
+    options: {
+      oidc: {
+        clientId: 'test_client_id',
+        clientSecret: 'test_client_secret',
+        exchangeBodyKeys: [
+          {
+            paramName: 'client_id',
+            optionsKey: 'clientId',
+            enabled: true,
+          },
+          {
+            paramName: 'client_secret',
+            optionsKey: 'clientSecret',
+            enabled: false,
+          },
+        ],
+      },
+    },
+  } as any);
+  const body = auth.getExchangeBody();
+  expect(body).toMatchObject({
+    client_id: 'test_client_id',
+  });
+});

package/src/server/actions/getAuthUrl.ts

@@ -0,0 +1,25 @@
+import { Context, Next } from '@nocobase/actions';
+import { OIDCAuth } from '../oidc-auth';
+import { nanoid } from 'nanoid';
+import { cookieName } from '../../constants';
+
+export const getAuthUrl = async (ctx: Context, next: Next) => {
+  const redirect = ctx.action.params.values?.redirect || '';
+  const app = ctx.app.name;
+  const auth = ctx.auth as OIDCAuth;
+  const client = await auth.createOIDCClient();
+  const { scope, stateToken } = auth.getOptions();
+  const token = stateToken || nanoid(15);
+  ctx.cookies.set(cookieName, token, {
+    httpOnly: true,
+    domain: ctx.hostname,
+  });
+  ctx.body = client.authorizationUrl({
+    response_type: 'code',
+    scope: scope || 'openid email profile',
+    redirect_uri: `${auth.getRedirectUri()}`,
+    state: encodeURIComponent(`token=${token}&name=${ctx.headers['x-authenticator']}&app=${app}&redirect=${redirect}`),
+  });
+
+  return next();
+};

package/src/server/actions/redirect.ts

@@ -0,0 +1,32 @@
+import { Context, Next } from '@nocobase/actions';
+import { AppSupervisor } from '@nocobase/server';
+import { OIDCAuth } from '../oidc-auth';
+
+export const redirect = async (ctx: Context, next: Next) => {
+  const {
+    params: { state },
+  } = ctx.action;
+  const search = new URLSearchParams(decodeURIComponent(state));
+  const authenticator = search.get('name');
+  const appName = search.get('app');
+  const redirect = search.get('redirect') || '/admin';
+  let prefix = process.env.APP_PUBLIC_PATH || '';
+  if (appName && appName !== 'main') {
+    const appSupervisor = AppSupervisor.getInstance();
+    if (appSupervisor?.runningMode !== 'single') {
+      prefix += `apps/${appName}`;
+    }
+  }
+  const auth = (await ctx.app.authManager.get(authenticator, ctx)) as OIDCAuth;
+  if (prefix.endsWith('/')) {
+    prefix = prefix.slice(0, -1);
+  }
+  try {
+    const { token } = await auth.signIn();
+    ctx.redirect(`${prefix}${redirect}?authenticator=${authenticator}&token=${token}`);
+  } catch (error) {
+    ctx.logger.error('OIDC auth error', { error });
+    ctx.redirect(`${prefix}/signin?redirect=${redirect}&authenticator=${authenticator}&error=${error.message}`);
+  }
+  await next();
+};

package/src/server/index.ts

@@ -0,0 +1 @@
+export { default } from './plugin';

package/src/server/oidc-auth.ts

@@ -0,0 +1,169 @@
+import { AuthConfig, BaseAuth } from '@nocobase/auth';
+import { AuthModel } from '@nocobase/plugin-auth';
+import { Issuer } from 'openid-client';
+import { cookieName, logoutCookieName } from '../constants';
+
+export class OIDCAuth extends BaseAuth {
+  constructor(config: AuthConfig) {
+    const { ctx } = config;
+    super({
+      ...config,
+      userCollection: ctx.db.getCollection('users'),
+    });
+  }
+
+  getRedirectUri() {
+    const ctx = this.ctx;
+    const { http, port } = this.getOptions();
+    const protocol = http ? 'http' : 'https';
+    const host = port ? `${ctx.hostname}${port ? `:${port}` : ''}` : ctx.host;
+    return `${protocol}://${host}${process.env.API_BASE_PATH}oidc:redirect`;
+  }
+
+  getOptions() {
+    return this.options?.oidc || {};
+  }
+
+  getExchangeBody() {
+    const options = this.getOptions();
+    const { exchangeBodyKeys } = options;
+    if (!exchangeBodyKeys) {
+      return {};
+    }
+    const body = {};
+    exchangeBodyKeys
+      .filter((item: { enabled: boolean }) => item.enabled)
+      .forEach((item: { paramName: string; optionsKey: string }) => {
+        const name = item.paramName || item.optionsKey;
+        body[name] = options[item.optionsKey];
+      });
+    return body;
+  }
+
+  mapField(userInfo: { [source: string]: any }) {
+    const { fieldMap } = this.getOptions();
+    if (!fieldMap) {
+      return userInfo;
+    }
+    fieldMap.forEach((item: { source: string; target: string }) => {
+      const { source, target } = item;
+      if (userInfo[source]) {
+        userInfo[target] = userInfo[source];
+      }
+    });
+    return userInfo;
+  }
+
+  async createOIDCClient() {
+    const { issuer, clientId, clientSecret, idTokenSignedResponseAlg } = this.getOptions();
+    const oidc = await Issuer.discover(issuer);
+    return new oidc.Client({
+      client_id: clientId,
+      client_secret: clientSecret,
+      id_token_signed_response_alg: idTokenSignedResponseAlg || 'RS256',
+    });
+  }
+
+  async validate() {
+    const ctx = this.ctx;
+    const { params: values } = ctx.action;
+    const { userInfoMethod = 'GET', accessTokenVia = 'header', stateToken } = this.getOptions();
+    const token = stateToken || ctx.cookies.get(cookieName);
+    const search = new URLSearchParams(decodeURIComponent(values.state));
+    if (search.get('token') !== token) {
+      ctx.logger.error('nocobase_oidc state mismatch', { method: 'validate' });
+      return null;
+    }
+    const client = await this.createOIDCClient();
+    const tokens = await client.callback(
+      this.getRedirectUri(),
+      {
+        code: values.code,
+        iss: values.iss,
+      },
+      {},
+      { exchangeBody: this.getExchangeBody() },
+    );
+    const userInfo: { [key: string]: any } = await client.userinfo(tokens, {
+      method: userInfoMethod,
+      via: accessTokenVia !== 'query' ? accessTokenVia : 'header',
+      params:
+        accessTokenVia === 'query'
+          ? {
+              access_token: tokens.access_token,
+            }
+          : {},
+    });
+    const mappedUserInfo = this.mapField(userInfo);
+    const { nickname, username, name, sub, email, phone, ...rest } = mappedUserInfo;
+    const authenticator = this.authenticator as AuthModel;
+    const userFields = {
+      username: username ?? null,
+      nickname: nickname || name || username || sub,
+      email: email ?? null,
+      phone: phone ?? null,
+      ...rest,
+    };
+    let user = await authenticator.findUser(sub);
+    if (user) {
+      // Update user fields
+      this.userRepository.update({
+        filter: {
+          id: user.id,
+        },
+        values: userFields,
+      });
+      return user;
+    }
+    // Bind existed user
+    const { userBindField = 'email' } = this.getOptions();
+    if (userBindField === 'email' && email) {
+      user = await this.userRepository.findOne({
+        filter: { email },
+      });
+    } else if (userBindField === 'username' && username) {
+      user = await this.userRepository.findOne({
+        filter: { username },
+      });
+    }
+    if (user) {
+      // Update user fields
+      this.userRepository.update({
+        filter: {
+          id: user.id,
+        },
+        values: userFields,
+      });
+      await authenticator.addUser(user.id, {
+        through: {
+          uuid: sub,
+        },
+      });
+      return user;
+    }
+    // Create new user
+    const { autoSignup } = this.options?.public || {};
+    if (!autoSignup) {
+      throw new Error('User not found');
+    }
+    if (username && !this.validateUsername(username)) {
+      throw new Error('Username must be 2-16 characters in length (excluding @.<>"\'/)');
+    }
+    return await authenticator.newUser(sub, userFields);
+  }
+
+  async signOut(): Promise<any> {
+    const { issuer, clientId, logout } = this.getOptions();
+    const oidc = await Issuer.discover(issuer);
+    if (logout && oidc.metadata.end_session_endpoint) {
+      const logoutUrl = new URL(oidc.metadata.end_session_endpoint);
+      logoutUrl.searchParams.set('client_id', clientId);
+      //logoutUrl.searchParams.set('id_token_hint', ???);
+      this.ctx.cookies.set(logoutCookieName, logoutUrl.toString(), {
+        httpOnly: false,
+        domain: this.ctx.hostname,
+      });
+    }
+    return super.signOut();
+  }
+}