scimgateway 4.0.1 → 4.1.2

package/README.md

@@ -16,7 +16,8 @@ Validated through IdP's:
   
 Latest news:  
 
-- New major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be limited to specific baseEntities. New MongoDB plugin  
+- Supporting OAuth Client Credentials authentication
+- Major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be limited to specific baseEntities. New MongoDB plugin  
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure AD IP-range  
 - General LDAP plugin configured for Active Directory  
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
@@ -30,7 +31,7 @@ Latest news:
 
 ## Overview  
  
-With SCIM Gateway we could do user management by using REST based [SCIM](http://www.simplecloud.info/) 1.1 or 2.0 protocol. Gateway will translate incoming SCIM requests and expose CRUD functionality (create, read, update and delete user/group) towards destinations using endpoint specific protocols. In other words, none SCIM-endpoints will become SCIM-endpoints. Gateway do not require SCIM to be used, it's also an API Gateway that could be used for other things than user provisioning.  
+With SCIM Gateway we can manage users and groups by using REST based [SCIM](http://www.simplecloud.info/) 1.1 or 2.0 protocol. Gateway translates incoming SCIM requests and expose CRUD functionality (create, read, update and delete user/group) towards destinations using endpoint specific protocols. In other words, none SCIM-endpoints will become SCIM-endpoints. Gateway do not require SCIM to be used, it's also an API Gateway that could be used for other things than user provisioning.  
 
 SCIM Gateway is a standalone product, however this document shows how the gateway could be used by products like Symatec/Broadcom/CA Identity Manager.
 
@@ -184,7 +185,7 @@ When maintaining a set of modifications it useful to disable the postinstall ope
   
 	const loki = require('./lib/plugin-loki')
 	// const mongodb = require('./lib/plugin-mongodb')
-	// const restful = require('./lib/plugin-restful')
+	// const scim = require('./lib/plugin-scim')
 	// const forwardinc = require('./lib/plugin-forwardinc')
 	// const mssql = require('./lib/plugin-mssql')
 	// const saphana = require('./lib/plugin-saphana')  // prereq: npm install hdb
@@ -249,6 +250,14 @@ Below shows an example of config\plugin-saphana.json
               "readOnly": false,
               "baseEntities": []
             }
+          ],
+          "bearerOAuth": [
+            {
+              "client_id": null,
+              "client_secret": null,
+              "readOnly": false,
+              "baseEntities": []
+            }
           ]
         },
 	    "certificate": {
@@ -336,6 +345,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs`. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.   
 
+- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token  
+
 - **certificate** - If not using SSL/TLS certificate, set "key", "cert" and "ca" to **null**. When using SSL/TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
   
 		"certificate": {
@@ -1128,6 +1139,62 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.1.2  
+[Added] 
+
+- endpointMapper supporting one to many mappings using a comma separated list of attributes in the `mapTo`  
+
+    Configuration example:  
+
+        "map": {
+          "user": {
+            "PersonnelNumber": {
+              "mapTo": "id,userName",
+              "type": "string"
+            },
+            ...
+          }
+        }
+          
+
+### v4.1.1  
+[Added] 
+
+- plugin-ldap support userFilter/groupFilter configuration for restricting scope  
+
+    Configuration example:  
+
+        {
+          ...
+          "userFilter": "(memberOf=CN=grp1,OU=Groups,DC=test,DC=com)(!(memberOf=CN=Domain Admins,CN=Users,DC=test,DC=com))",
+          "groupFilter": "(!(cn=grp2))",
+          ...
+        }
+
+### v4.1.0  
+[Added] 
+
+- Supporting OAuth Client Credentials authentication
+
+    Configuration example:  
+
+        "bearerOAuth": [
+          {
+            "client_id": "my_client_id",
+            "client_secret": "my_client_secret",
+            "readOnly": false,
+            "baseEntities": []
+          }
+        ]
+
+
+    In example above, client using SCIM Gateway must have OAuth configuration:  
+
+        client_id = my_client_id
+        client_secret = my_client_secret
+        token request url = http(s)://<host>:<port>/oauth/token
+
+
 ### v4.0.1  
 [Added] 
 

package/config/plugin-api.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-azure-ad.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-forwardinc.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-ldap.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {
@@ -86,6 +94,8 @@
         "ldap": {
           "userBase": "CN=Users,DC=test,DC=com",
           "groupBase": "OU=Groups,DC=test,DC=com",
+          "userFilter": null,
+          "groupFilter": null,
           "userNamingAttr": "CN",
           "groupNamingAttr": "CN",
           "userObjectClasses": [

package/config/plugin-loki.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-mongodb.json

@@ -53,6 +53,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-mssql.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-saphana.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-scim.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/lib/plugin-ldap.js

@@ -23,6 +23,13 @@
 //              "type": "string"
 //             }
 //
+// Additional user/group filtering for restricting scope may be configured in endpoint.entity.xxx.ldap e.g:
+// {
+//   ...
+//   "userFilter": "(memberOf=CN=grp1,OU=Groups,DC=test,DC=com)(!(memberOf=CN=Domain Admins,CN=Users,DC=test,DC=com))",
+//   "groupFilter": "(!(cn=grp2))",
+//   ...
+//  }
 //
 // Attributes according to map definition in the configuration file plugin-ldap.json:
 //
@@ -190,6 +197,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
             scope: scope,
             attributes: attrs
           }
+          if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
@@ -209,6 +217,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
       scope: scope,
       attributes: attrs
     }
+    if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
   }
   // end mandatory if-else logic
 
@@ -558,6 +567,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
             scope: scope,
             attributes: attrs
           }
+          if (config.entity[baseEntity].ldap.groupFilter) ldapOptions.filter += config.entity[baseEntity].ldap.groupFilter
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
@@ -578,6 +588,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
       scope: scope,
       attributes: attrs
     }
+    if (config.entity[baseEntity].ldap.groupFilter) ldapOptions.filter += config.entity[baseEntity].ldap.groupFilter
   }
   // mandatory if-else logic - end
 

package/lib/scimgateway.js

@@ -27,7 +27,6 @@ const utils = require('../lib/utils')
 const endpointMap = require('../lib/endpointMap')
 const countries = require('../lib/countries')
 const { createChecker } = require('is-in-subnet')
-// const { get } = require('superagent')
 
 /**
  * @constructor
@@ -54,6 +53,7 @@ const ScimGateway = function () {
   this.notValidAttributes = notValidAttributes // exposed to plugin-code
   let pwErrCount = 0
   let requestCounter = 0
+  const oAuthTokenExpire = 3600 // seconds
   let isMailLock = false
   let ipAllowListChecker
   let scimDef
@@ -74,6 +74,8 @@ const ScimGateway = function () {
   if (!config.auth.bearerToken) config.auth.bearerToken = []
   if (!config.auth.bearerJwt) config.auth.bearerJwt = []
   if (!config.auth.bearerJwtAzure) config.auth.bearerJwtAzure = []
+  if (!config.auth.bearerOAuth) config.auth.bearerOAuth = []
+  config.auth.oauthTokenStore = {} // oauth token store
   if (!config.certificate) config.certificate = {}
   if (!config.certificate.pfx) config.certificate.pfx = {}
   if (!config.emailOnError) config.emailOnError = {}
@@ -110,6 +112,7 @@ const ScimGateway = function () {
   let foundBearerToken = false
   let foundBearerJwtAzure = false
   let foundBearerJwt = false
+  let foundBearerOAuth = false
   let pwPfxPassword
 
   if (Array.isArray(config.auth.basic)) {
@@ -204,6 +207,20 @@ const ScimGateway = function () {
     if (!foundBearerJwt) config.auth.bearerJwt = []
   }
 
+  if (Array.isArray(config.auth.bearerOAuth)) {
+    const arr = config.auth.bearerOAuth
+    for (let i = 0; i < arr.length; i++) {
+      try {
+        if (arr[i].client_secret) arr[i].client_secret = ScimGateway.prototype.getPassword(`scimgateway.auth.bearerOAuth[${i}].client_secret`, configFile)
+      } catch (err) {
+        logger.error(`${gwName}[${pluginName}] getPassword error: ${err.message}`)
+        throw err // above logger.error included because this unhanledExcepton will be handled by winston and may fail with an other internal winston error e.g. related to memoryUsage collection logic when running in unikernel
+      }
+      if (arr[i].client_secret && arr[i].client_id) foundBearerOAuth = true
+    }
+    if (!foundBearerOAuth) config.auth.bearerOAuth = []
+  }
+
   if (config.certificate.pfx.password) pwPfxPassword = ScimGateway.prototype.getPassword('scimgateway.certificate.pfx.password', configFile)
   if (config.emailOnError.smtp.password) config.emailOnError.smtp.password = ScimGateway.prototype.getPassword('scimgateway.emailOnError.smtp.password', configFile)
 
@@ -299,31 +316,25 @@ const ScimGateway = function () {
   }
 
   // start auth methods - used by auth
-  const unauth = (ctx) => {
-    return new Promise((resolve, reject) => {
-      if (ctx.url === '/ping' || ctx.url === '/favicon.ico') resolve(true) // ping - no auth
-      else resolve(false)
-    })
-  }
-
-  const basic = (baseEntity, method, authType, authToken) => {
+  const basic = (baseEntity, method, authType, authToken, url) => {
     return new Promise((resolve, reject) => { // basic auth
+      if (url === '/ping' || url.endsWith('/oauth/token') || url === '/favicon.ico') resolve(true) // no auth
       if (authType !== 'Basic') resolve(false)
       if (!foundBasic) resolve(false) // not configured
       const [userName, userPassword] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
       if (!userName || !userPassword) {
-        reject(new Error(`authentication failed for user ${userName}`))
+        return reject(new Error(`authentication failed for user ${userName}`))
       }
       const arr = config.auth.basic
       for (let i = 0; i < arr.length; i++) {
         if (arr[i].username === userName && arr[i].password === userPassword) { // authentication OK
           if (arr[i].baseEntities) {
             if (Array.isArray(arr[i].baseEntities) && arr[i].baseEntities.length > 0) {
-              if (!baseEntity) reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].username} according to basic configuration baseEntitites=${arr[i].baseEntities}`))
-              if (!arr[i].baseEntities.includes(baseEntity)) reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].username} according to basic configuration baseEntitites=${arr[i].baseEntities}`))
+              if (!baseEntity) return reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].username} according to basic configuration baseEntitites=${arr[i].baseEntities}`))
+              if (!arr[i].baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].username} according to basic configuration baseEntitites=${arr[i].baseEntities}`))
             }
           }
-          if (arr[i].readOnly === true && method !== 'GET') reject(new Error(`only allowing readOnly for user ${arr[i].username} according to basic configuration readOnly=true`))
+          if (arr[i].readOnly === true && method !== 'GET') return reject(new Error(`only allowing readOnly for user ${arr[i].username} according to basic configuration readOnly=true`))
           return resolve(true)
         }
       }
@@ -333,18 +344,18 @@ const ScimGateway = function () {
 
   const bearerToken = (baseEntity, method, authType, authToken) => {
     return new Promise((resolve, reject) => { // bearer token
-      if (authType !== 'Bearer' || jwt.decode(authToken)) resolve(false) // bearer token auth not used
+      if (authType !== 'Bearer' || !authToken) resolve(false)
       if (!foundBearerToken || !authToken) resolve(false)
       const arr = config.auth.bearerToken
       for (let i = 0; i < arr.length; i++) {
         if (arr[i].token === authToken) { // authentication OK
           if (arr[i].baseEntities) {
             if (Array.isArray(arr[i].baseEntities) && arr[i].baseEntities.length > 0) {
-              if (!baseEntity) reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerToken according to bearerToken configuration baseEntitites=${arr[i].baseEntities}`))
-              if (!arr[i].baseEntities.includes(baseEntity)) reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerToken according to bearerToken configuration baseEntitites=${arr[i].baseEntities}`))
+              if (!baseEntity) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerToken according to bearerToken configuration baseEntitites=${arr[i].baseEntities}`))
+              if (!arr[i].baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerToken according to bearerToken configuration baseEntitites=${arr[i].baseEntities}`))
             }
           }
-          if (arr[i].readOnly === true && method !== 'GET') reject(new Error('only allowing readOnly for this bearerToken according to bearerToken configuration readOnly=true'))
+          if (arr[i].readOnly === true && method !== 'GET') return reject(new Error('only allowing readOnly for this bearerToken according to bearerToken configuration readOnly=true'))
           return resolve(true)
         }
       }
@@ -360,18 +371,18 @@ const ScimGateway = function () {
       if (!payload.iss) resolve(false)
       if (payload.iss.indexOf('https://sts.windows.net') !== 0) resolve(false)
       passport.authenticate('oauth-bearer', { session: false }, (err, user, info) => {
-        if (err) { reject(err) }
+        if (err) { return reject(err) }
         if (user) { // authenticated OK
           const arr = config.auth.bearerJwtAzure
           for (let i = 0; i < arr.length; i++) {
             if (arr[i].tenantIdGUID && payload.iss.includes(arr[i].tenantIdGUID)) {
               if (arr[i].baseEntities) {
                 if (Array.isArray(arr[i].baseEntities) && arr[i].baseEntities.length > 0) {
-                  if (!baseEntity) reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].tenantIdGUID} according to bearerJwtAzure configuration baseEntitites=${arr[i].baseEntities}`))
-                  if (!arr[i].baseEntities.includes(baseEntity)) reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].tenantIdGUID} according to bearerJwtAzure configuration baseEntitites=${arr[i].baseEntities}`))
+                  if (!baseEntity) return reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].tenantIdGUID} according to bearerJwtAzure configuration baseEntitites=${arr[i].baseEntities}`))
+                  if (!arr[i].baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].tenantIdGUID} according to bearerJwtAzure configuration baseEntitites=${arr[i].baseEntities}`))
                 }
               }
-              if (arr[i].readOnly === true && ctx.request.method !== 'GET') reject(new Error(`only allowing readOnly for user ${arr[i].tenantIdGUID} according to bearerJwtAzure configuration readOnly=true`))
+              if (arr[i].readOnly === true && ctx.request.method !== 'GET') return reject(new Error(`only allowing readOnly for user ${arr[i].tenantIdGUID} according to bearerJwtAzure configuration readOnly=true`))
             }
           }
           resolve(true)
@@ -414,6 +425,54 @@ const ScimGateway = function () {
     }
     throw new Error('JWT authentication failed')
   }
+
+  const bearerOAuth = (baseEntity, method, authType, authToken) => {
+    return new Promise((resolve, reject) => { // bearer token
+      if (authType !== 'Bearer' || !authToken) resolve(false)
+      if (!foundBearerOAuth || !authToken) resolve(false)
+      // config.auth.oauthTokenStore is autmatically generated by token create having syntax:
+      // { config.auth.oauthTokenStore: <token>: { expireDate: <timestamp>, readOnly: <copy-from-config>, baseEntities: [ <copy-from-config> ], isTokenRequested: true }}
+      const arr = config.auth.bearerOAuth
+      if (config.auth.oauthTokenStore[authToken]) { // authentication OK
+        const tokenObj = config.auth.oauthTokenStore[authToken]
+        if (Date.now() > tokenObj.expireDate) {
+          delete config.auth.oauthTokenStore[authToken]
+          const err = new Error('OAuth access token expired')
+          err.token_error = 'invalid_token'
+          err.token_error_description = 'The access token expired'
+          return reject(err)
+        }
+        if (tokenObj.baseEntities) {
+          if (Array.isArray(tokenObj.baseEntities) && tokenObj.baseEntities.length > 0) {
+            if (!baseEntity) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerOAuth according to bearerOAuth configuration baseEntitites=${tokenObj.baseEntities}`))
+            if (!tokenObj.baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerOAuth according to bearerOAuth configuration baseEntitites=${tokenObj.baseEntities}`))
+          }
+        }
+        if (tokenObj.readOnly === true && method !== 'GET') return reject(new Error('only allowing readOnly for this bearerOAuth according to bearerOAuth configuration readOnly=true'))
+        return resolve(true)
+      } else {
+        for (let i = 0; i < arr.length; i++) { // resolve if token memory store have been cleared becuase of a gateway restart
+          if (utils.getEncrypted(authToken, arr[i].client_secret) === 'token' && !arr[i].isTokenRequested) {
+            arr[i].isTokenRequested = true // flagged as true to not allow repeated resolvements becuase token will also be cleared when expired
+            const baseEntities = utils.copyObj(arr[i].baseEntities)
+            let expires
+            let readOnly = false
+            if (arr[i].readOnly && arr[i].readOnly === true) readOnly = true
+            if (arr[i].expires_in && !isNaN(arr[i].expires_in)) expires = arr[i].expires_in
+            else expires = oAuthTokenExpire
+            config.auth.oauthTokenStore[authToken] = {
+              expireDate: Date.now() + expires * 1000,
+              readOnly: readOnly,
+              baseEntities: baseEntities
+            }
+            return resolve(true)
+          }
+        }
+      }
+      reject(new Error('OAuth authentication failed'))
+    })
+  }
+
   // end auth methods - used by auth
 
   const auth = async (ctx, next) => { // authentication/authorization
@@ -425,7 +484,13 @@ const ScimGateway = function () {
       if (!['Users', 'Groups', 'Schemas', 'ServiceProviderConfigs', 'scim'].includes(entity)) baseEntity = entity
     }
     try { // authenticate
-      const arrResolve = await Promise.all([unauth(ctx), basic(baseEntity, ctx.request.method, authType, authToken), bearerToken(baseEntity, ctx.request.method, authType, authToken), bearerJwtAzure(baseEntity, ctx, next, authType, authToken), bearerJwt(baseEntity, ctx.request.method, authType, authToken)]).catch((err) => { throw (err) })
+      const arrResolve = await Promise.all([
+        basic(baseEntity, ctx.request.method, authType, authToken, ctx.url),
+        bearerToken(baseEntity, ctx.request.method, authType, authToken),
+        bearerJwtAzure(baseEntity, ctx, next, authType, authToken),
+        bearerJwt(baseEntity, ctx.request.method, authType, authToken),
+        bearerOAuth(baseEntity, ctx.request.method, authType, authToken)])
+        .catch((err) => { throw (err) })
       for (const i in arrResolve) {
         if (arrResolve[i]) {
           ctx.set('Content-Type', 'application/scim+json; charset=utf-8') // IE don't support JSON content to be shown in browser, pre IE/Edge versions did not support 'application/scim+json'
@@ -440,23 +505,37 @@ const ScimGateway = function () {
         logger.debug(`${gwName}[${pluginName}] request authToken = ${authToken}`)
         logger.debug(`${gwName}[${pluginName}] request jwt.decode(authToken) = ${JSON.stringify(jwt.decode(authToken))}`)
       }
-      ctx.set('WWW-Authenticate', 'Basic realm=""')
+      if (authType === 'Bearer') ctx.set('WWW-Authenticate', 'Bearer realm=""')
+      else ctx.set('WWW-Authenticate', 'Basic realm=""')
+      ctx.set('Content-Type', 'application/json; charset=utf-8')
       ctx.status = 401
-      ctx.body = 'Access denied'
+      ctx.body = { error: 'Access denied' }
       if (ctx.url !== '/favicon.ico') logger.error(`${gwName}[${pluginName}] ${err.message}`)
     } catch (err) {
-      ctx.set('WWW-Authenticate', 'Basic realm=""')
+      const body = {}
+      if (authType === 'Bearer') {
+        let str = 'realm=""'
+        if (err.token_error) {
+          str += `, error="${err.token_error}"`
+          body.error = err.token_error
+        }
+        if (err.token_error_description) {
+          str += `, error_description="${err.token_error_description}"`
+          body.error_description = err.token_error_description
+        }
+        ctx.set('WWW-Authenticate', `Bearer ${str}`)
+      } else ctx.set('WWW-Authenticate', 'Basic realm=""')
+      ctx.set('Content-Type', 'application/json; charset=utf-8')
+      ctx.status = 401
+      if (Object.keys(body).length > 0) ctx.body = body
+      else ctx.body = { error: 'Access denied' }
       if (pwErrCount < 3) {
         pwErrCount += 1
-        ctx.status = 401
-        ctx.body = 'Access denied'
         logger.error(`${gwName}[${pluginName}] ${ctx.url} ${err.message}`)
       } else { // delay brute force attempts
         logger.error(`${gwName}[${pluginName}] ${ctx.url} ${err.message} => delaying response with 2 minutes to prevent brute force`)
         return new Promise((resolve) => {
           setTimeout(() => {
-            ctx.status = 401
-            ctx.body = 'Access denied'
             resolve(ctx)
           }, 1000 * 60 * 2)
         })
@@ -468,9 +547,8 @@ const ScimGateway = function () {
     return new Promise((resolve) => {
       if (ctx.request.length) { // body is included - invalid content-type gives empty body (koa-bodyparser)
         const contentType = ctx.request.type.toLowerCase()
-        if (contentType === 'application/json' || contentType === 'application/scim+json') {
-          return resolve(next())
-        }
+        if (contentType === 'application/json' || contentType === 'application/scim+json') return resolve(next())
+        if (ctx.url.endsWith('/oauth/token')) return resolve(next())
         ctx.status = 415
         ctx.body = 'Content-Type header must be \'application/json\' or \'application/scim+json\''
         return resolve(ctx)
@@ -499,8 +577,9 @@ const ScimGateway = function () {
   // There is no return value, if there were it would be ignored
   app.use(logResult)
   app.use(bodyParser({ // parsed body store in ctx.request.body
-    enableTypes: ['json'],
-    extendTypes: { json: ['application/scim+json', 'text/plain'] }
+    enableTypes: ['json', 'form'],
+    extendTypes: { json: ['application/scim+json', 'text/plain'] },
+    formTypes: { form: ['application/x-www-form-urlencoded'] }
   }))
   app.use(ipAllowList)
   app.use(auth) // authentication before routes
@@ -542,6 +621,103 @@ const ScimGateway = function () {
     ctx.body = tx
   })
 
+  // oauth token request
+  router.post(['/(|scim/)oauth/token', '/:baseEntity/(|scim/)oauth/token'], async (ctx) => {
+    logger.debug(`${gwName}[${pluginName}] [oauth] token request`)
+    if (!foundBearerOAuth) {
+      logger.error(`${gwName}[${pluginName}] [oauth] token request, but plugin is missing config.auth.bearerOAuth configuration`)
+      ctx.status = 500
+      return
+    }
+
+    const jsonBody = ctx.request.body
+    const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic'
+    if (authType === 'Basic') { // id and secret may be in authorization header if not already included in body
+      const [id, secret] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
+      if (jsonBody.grant_type && id && secret) {
+        if (jsonBody.grant_type === 'client_credentials' || jsonBody.grant_type === 'refresh_token') { // don't use refresh_token but allowing as type
+          jsonBody.client_id = id
+          jsonBody.client_secret = secret
+        }
+      }
+    }
+
+    let expires
+    let token
+    let readOnly = false
+    let baseEntities
+    let err
+    let errDescr
+    if (!jsonBody.grant_type || (jsonBody.grant_type !== 'client_credentials' && jsonBody.grant_type !== 'refresh_token')) {
+      err = 'invalid_request'
+      errDescr = 'request type must be Client Credentials (grant_type=client_credentials)'
+    }
+
+    if (!err) {
+      const arr = config.auth.bearerOAuth
+      for (let i = 0; i < arr.length; i++) {
+        if (!arr[i].client_id || !arr[i].client_secret) continue
+        if (arr[i].client_id === jsonBody.client_id && arr[i].client_secret === jsonBody.client_secret) { // authentication OK
+          token = utils.getEncrypted('token', jsonBody.client_secret) // client_secret as seed
+          baseEntities = utils.copyObj(arr[i].baseEntities)
+          if (arr[i].readOnly && arr[i].readOnly === true) readOnly = true
+          if (arr[i].expires_in && !isNaN(arr[i].expires_in)) expires = arr[i].expires_in
+          else expires = oAuthTokenExpire
+          arr[i].isTokenRequested = true
+          break
+        }
+      }
+      if (!token) {
+        err = 'invalid_client'
+        errDescr = 'incorrect or missing client_id/client_secret'
+        if (pwErrCount < 3) {
+          pwErrCount += 1
+        } else { // delay brute force attempts
+          logger.error(`${gwName}[${pluginName}] [oauth] ${ctx.url} ${errDescr} => delaying response with 2 minutes to prevent brute force`)
+          return new Promise((resolve) => {
+            setTimeout(() => {
+              resolve(ctx)
+            }, 1000 * 60 * 2)
+          })
+        }
+      }
+    }
+
+    if (err) {
+      logger.error(`${gwName}[${pluginName}] [oauth] token request client_id: ${jsonBody ? jsonBody.client_id : ''} error: ${errDescr}`)
+      ctx.status = 400
+      ctx.body = {
+        error: err,
+        error_description: errDescr
+      }
+      return
+    }
+
+    const dtNow = Date.now()
+    for (const i in config.auth.oauthTokenStore) { // cleanup any expired tokens
+      const tokenObj = config.auth.oauthTokenStore[i]
+      if (dtNow > tokenObj.expireDate) {
+        delete config.auth.oauthTokenStore[i]
+      }
+    }
+
+    config.auth.oauthTokenStore[token] = { // update token store
+      expireDate: dtNow + expires * 1000, // 1 hour
+      readOnly: readOnly,
+      baseEntities: baseEntities
+    }
+
+    const tx = {
+      access_token: token,
+      token_type: 'Bearer',
+      expires_in: expires,
+      refresh_token: token // ignored by scimgateway, but maybe used by client
+    }
+
+    ctx.set('Cache-Control', 'no-store')
+    ctx.body = tx
+  })
+
   router.get(['/(|scim/)Schemas/:id', '/:baseEntity/(|scim/)Schemas/:id'], async (ctx) => { // e.g /Schemas/Users | Groups | ServiceProviderConfigs
     let schemaName = ctx.params.id
     if (schemaName.substr(schemaName.length - 1) === 's') schemaName = schemaName.substr(0, schemaName.length - 1)
@@ -1818,7 +1994,7 @@ ScimGateway.prototype.endpointMapper = function endpointMapper (direction, parse
             }
           }
           for (const key2 in mapObj) {
-            if (mapObj[key2].mapTo.toLowerCase() === key.toLowerCase()) {
+            if (mapObj[key2].mapTo.split(',').map(item => item.trim().toLowerCase()).includes(key.toLowerCase())) {
               found = true
               if (mapObj[key2].type === 'array' && arrIndex && arrIndex >= 0) {
                 dotNewObj[`${key2}.${arrIndex}`] = dotObj[keyOrg] // servicePlan.0.value => servicePlan.0 and groups[0].value => memberOf.0
@@ -1831,16 +2007,19 @@ ScimGateway.prototype.endpointMapper = function endpointMapper (direction, parse
         }
       } else { // string (get)
         const resArr = []
-        let strArr
-        if (Array.isArray(str)) strArr = str
-        else strArr = str.split(',').map(item => item.trim())
+        let strArr = []
+        if (Array.isArray(str)) {
+          for (let i = 0; i < str.length; i++) {
+            strArr = strArr.concat(str[i].split(',').map(item => item.trim())) // supports "id,userName" e.g. {"mapTo": "id,userName"}
+          }
+        } else strArr = str.split(',').map(item => item.trim())
         for (let i = 0; i < strArr.length; i++) {
           const attr = strArr[i]
           let found = false
           for (const key in mapObj) {
-            if (mapObj[key].mapTo === attr) {
+            if (mapObj[key].mapTo && mapObj[key].mapTo.split(',').map(item => item.trim()).includes(attr)) { // supports { "mapTo": "userName,id" }
               found = true
-              resArr.push(key)
+              if (!resArr.includes(key)) resArr.push(key)
               break
             } else if (attr === 'roles' && mapObj[key].mapTo === 'roles.value') { // allow get using attribute roles - convert to correct roles.value
               found = true
@@ -1922,7 +2101,10 @@ ScimGateway.prototype.endpointMapper = function endpointMapper (direction, parse
               mapTo = mapTo.replace('.', '##') // only first occurence
               noneCore = true
             }
-            dotNewObj[mapTo] = dotObj[key] // {"active": {"mapTo": "accountEnabled"} => str.replace("accountEnabled", "active")
+            const arrMapTo = mapTo.split(',').map(item => item.trim()) // supports {"mapTo": "id,userName"}
+            for (let i = 0; i < arrMapTo.length; i++) {
+              dotNewObj[arrMapTo[i]] = dotObj[key] // {"active": {"mapTo": "accountEnabled"} => str.replace("accountEnabled", "active")
+            }
           }
           let mapTo = mapObj[key].mapTo
           if (mapTo.startsWith('urn:')) {

package/lib/utils.js

@@ -336,3 +336,40 @@ module.exports.sortByKey = (key, order = 'ascending') => {
     )
   }
 }
+
+// getEncrypted returns encrypted or cleartext secret
+// same as getPassword method, but seed passed as argument and not using json configuration file
+// if pw is cleartext, return encrypted secret
+// if pw is encrypted, return cleartext secret
+module.exports.getEncrypted = function (pw, seed) {
+  if (!pw || !seed) return undefined
+  const ivLength = 16
+  if (seed.length < ivLength) {
+    const addStr = 'aB1cD2eF3gH4iJ5kL7'
+    const diff = ivLength - seed.length
+    if (diff > 0) seed += addStr.substring(0, diff)
+  }
+  if (pw) {
+    try { // decrypt
+      const pwencr = Buffer.from(pw, 'base64').toString('utf8')
+      const textParts = pwencr.split(':')
+      const iv = Buffer.from(textParts.shift(), 'hex')
+      const encryptedText = Buffer.from(textParts.join(':'), 'hex')
+      const decipher = crypto.createDecipheriv('aes-128-cbc', Buffer.from(seed.substr(-ivLength)), iv)
+      let pwclear = decipher.update(encryptedText)
+      pwclear = Buffer.concat([pwclear, decipher.final()])
+      pwclear = pwclear.toString()
+      return pwclear
+    } catch (err) { // password considered as cleartext and needs to be encrypted
+      const pwclear = pw
+      const iv = crypto.randomBytes(ivLength)
+      const cipher = crypto.createCipheriv('aes-128-cbc', Buffer.from(seed.substr(-ivLength), 'utf8'), iv)
+      let encrypted = cipher.update(pwclear)
+      encrypted = Buffer.concat([encrypted, cipher.final()])
+      let pwencr = iv.toString('hex') + ':' + encrypted.toString('hex')
+      pwencr = Buffer.from(pwencr).toString('base64')
+      return pwencr
+    }
+  }
+  return undefined
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.0.1",
+  "version": "4.1.2",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",