scimgateway 5.4.2 → 5.4.4

package/README.md

@@ -16,6 +16,7 @@ Validated through IdP's:
 
 Latest news:  
  
+- External JWKS (JSON Web Key Set) is now supported by JWT Authentication. These are public and typically frequent rotated by modern identity providers
 - [Azure Relay](https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it) is now supported for secure and hassle-free outbound communication — with just one minute of configuration
 - [ETag](https://datatracker.ietf.org/doc/html/rfc7644#section-3.14) is now supported
 - [Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) is now supported
@@ -394,7 +395,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **log.loglevel.console** - off, debug, info, warn or error. Default off. Output to stdout and errors to stderr
 
-- **log.loglevel.push** - off, debug, info, warn or error. Default info. Push to stream used by remote real-time log subscription
+- **log.loglevel.push** - debug, info, warn or error. Default info. Push to stream used by remote real-time log subscription
 
 - **log.logDirectory** - custom defined log directory e.g. `/var/log/scimgateway` that will override default `<scimgateway path>/logs`. If not exist it will be created.
 
@@ -417,7 +418,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerJwtAzure** - Array of one or more JWT used by Azure SyncFabric. **tenantIdGUID** must be set to Entra ID Tenant ID.
 
-- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.
+- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret**, **publicKey** or **wellKnownUri** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. For JWKS (JSON Web Key Set), the **wellKnownUri** must be set to identity provider well-known URI which will be used for lookup the jwks_uri key.  **options.issuer** should normally be set for validation when using secret or publicKey. Other options may also be included according to jsonwebtoken npm package definition.
 
 - **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. `http://localhost:8880/oauth/token`
 
@@ -746,13 +747,18 @@ Please see code editor method HelperRest doRequest() IntelliSense for type and o
 ### Configuration notes - Remote real-time log subscription
 Using remote real-time log subscription we may implement custom logic like monitoring and centralized logging
 
-- using browser and url: https://host/logger  
-- curl -Ns https://host/logger -u gwread:password | sed 's/\xE2\x80\x8B//g'  
-- curl -Ns https://host/logger -H "Authorization: Bearer secret" | sed 's/\xE2\x80\x8B//g'  
-	(-s and sed to ignore keep-alive character)
+- browser and url: https://host/logger  
+- curl with -u or -H "Authorization: Bearer secret"
+	```
+	curl -Ns http://localhost:8880/logger -u gwadmin:password | awk '
+	/^data: / {sub(/^data: /,""); printf "%s", $0; last=1; next}
+	/^$/ {if (last) print ""; last=0}
+	'
+	```
 - custom client API (see example below)
 - not supported by Azure Relay
 
+
 We may configure read-only user/secret for log collection purpose    
 
 	"auth": {
@@ -792,67 +798,57 @@ Example using debug loglevel:
 Example code implementing remote real-time log subscription and custom message handling  
 
 ```
-// startup: bun <scriptname.ts>
-// update url (ws or wss) and the auth according to environment used
-const url = 'ws://localhost:8880/logger'
-const auth = 'Basic ' + btoa('gwadmin' + ':' + 'password') // const auth = 'Bearer ' + 'secret'
-
-const tls: any = {}
-if (url.startsWith('wss:')) {
-  tls.ca = [Bun.file('/path/to/self-signed-cert.pem')], // only needed for self-signed certs
-  tls.rejectUnauthorized = false
-}
-
-// messageHandler implements message handling and custom logic
-// could also use JSON.parse(message) and granular filtering on log "level"
+//
+// usage: bun <scriptname.ts>
+// update url and the auth according to environment used
+//
+const username = "gwadmin"
+const password = "password"
+const url = "http://localhost:8880/logger"
+
+const headers = new Headers({
+  Authorization: "Basic " + btoa(`${username}:${password}`),
+  Accept: "text/event-stream"
+})
+
+// message handling and custom logic
+// we could also do JSON.parse(message) and granular filtering on log "level"
 const messageHandler = async (message: string) => {
   console.log(message)
 }
 
-const startWebSocket = async () => {
-  try {
-    const ws = new WebSocket(url, {
-      headers: {
-      Authorization: auth,
-      },
-      tls,
-    })
-
-    // message is received
-    ws.addEventListener("message", event => {
-      messageHandler(event.data)
-    })
-
-    // socket opened
-    ws.addEventListener("open", event => {
+async function startup() {
+  while (true) {
+    try {
+      const resp = await fetch(url, { headers });
+      if (!resp.ok || !resp.body) {
+        console.error(`❌ Response error: ${resp.status} ${resp.statusText}`)
+        await Bun.sleep(10_000)
+        continue
+      }
       console.log('✅ Now awaiting log events...\n')
-    })
-
-    // socket closed
-    ws.addEventListener("close", event => {
-      let addInfo = ''
-      if (event.code === 1002) addInfo = ' => most likely authentication failure?'
-      console.warn(`⚠️ Connection closed (${event.code}): ${event.reason || 'no reason'}${addInfo}`)
-      retry()
-    })
-
-    // error handler
-    ws.addEventListener("error", event => {
-      // console.error('❌ WebSocket error:', event.message)
-    })
-
-  } catch (err: any) {
-    console.error('❌ Unexpected error:', err)
-  }
-}
 
-const retry = async () => {
-    console.log('🔁 Retry in 10 seconds...')
-    await Bun.sleep(10 * 1000)
-    startWebSocket()
+      const reader = resp.body.pipeThrough(new TextDecoderStream()).getReader()
+
+      while (true) {
+        const { value, done } = await reader.read()
+        if (done) break
+        if (!value.startsWith('data: ')) continue
+        const i = value.indexOf("\n\n")
+        if (i < 1) continue
+        const msg = value.slice(6, i)
+        messageHandler(msg)
+      }
+      console.error("⚠️ Connection closed");
+      await Bun.sleep(10_000)
+    } catch (err: any) {
+      console.error("❌ Connection error:", err?.message || err)
+      await Bun.sleep(10_000)
+    }
+  }
 }
 
-startWebSocket()
+startup()
 ```
 
 ### Configuration notes - Azure Relay
@@ -1471,7 +1467,39 @@ In code editor (e.g., Visual Studio Code), method details and documentation are
 MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 
-## Change log  
+## Change log
+
+### v5.4.4
+
+[Improved]
+
+- External JWKS (JSON Web Key Set) is now supported by JWT Authentication. These are public and typically frequent rotated by modern identity providers
+
+	JKWS is enabled by setting scimgateway.auth.bearerJwt[].wellKnownUri to the identity provider's well-known URI
+
+	Keycloak example:
+
+		auth: {
+		  "bearerJwt": [
+		    {
+		      "wellKnownUri": "https://keycloak.example.com/realms/example-realm/.well-known/openid-configuration",
+		      "options": {
+		        ...
+		      },
+		      ...
+		     }
+		  ]
+		}
+
+### v5.4.3
+
+[Fixed]
+
+- helper-rest, fixed an issue introduced in v5.3.8 that caused problems using OAuth
+
+[Improved]
+
+- Remote real-time logger
 
 ### v5.4.2
 

package/bun.lock

@@ -17,6 +17,7 @@
         "hyco-https": "^1.4.5",
         "is-in-subnet": "^4.0.1",
         "jsonwebtoken": "^9.0.2",
+        "jwk-to-pem": "^2.0.7",
         "ldapjs": "^3.0.7",
         "lokijs": "^1.5.12",
         "mongodb": "^6.16.0",
@@ -31,6 +32,7 @@
         "@types/bun": "latest",
         "@types/dot-object": "^2.1.6",
         "@types/jsonwebtoken": "^9.0.9",
+        "@types/jwk-to-pem": "^2.0.3",
         "@types/node": "latest",
         "@types/nodemailer": "^6.4.17",
         "@types/passport": "^1.0.17",
@@ -163,6 +165,8 @@
 
     "@types/jsonwebtoken": ["@types/jsonwebtoken@9.0.10", "", { "dependencies": { "@types/ms": "*", "@types/node": "*" } }, "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA=="],
 
+    "@types/jwk-to-pem": ["@types/jwk-to-pem@2.0.3", "", {}, "sha512-I/WFyFgk5GrNbkpmt14auGO3yFK1Wt4jXzkLuI+fDBNtO5ZI2rbymyGd6bKzfSBEuyRdM64ZUwxU1+eDcPSOEQ=="],
+
     "@types/ldapjs": ["@types/ldapjs@3.0.6", "", { "dependencies": { "@types/node": "*" } }, "sha512-E2Tn1ltJDYBsidOT9QG4engaQeQzRQ9aYNxVmjCkD33F7cIeLPgrRDXAYs0O35mK2YDU20c/+ZkNjeAPRGLM0Q=="],
 
     "@types/lokijs": ["@types/lokijs@1.5.14", "", {}, "sha512-4Fic47BX3Qxr8pd12KT6/T1XWU8dOlJBIp1jGoMbaDbiEvdv50rAii+B3z1b/J2pvMywcVP+DBPGP5/lgLOKGA=="],
@@ -235,6 +239,8 @@
 
     "argparse": ["argparse@2.0.1", "", {}, "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="],
 
+    "asn1.js": ["asn1.js@5.4.1", "", { "dependencies": { "bn.js": "^4.0.0", "inherits": "^2.0.1", "minimalistic-assert": "^1.0.0", "safer-buffer": "^2.1.0" } }, "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA=="],
+
     "assert-plus": ["assert-plus@1.0.0", "", {}, "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw=="],
 
     "async": ["async@3.2.6", "", {}, "sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA=="],
@@ -253,10 +259,14 @@
 
     "bl": ["bl@6.1.0", "", { "dependencies": { "@types/readable-stream": "^4.0.0", "buffer": "^6.0.3", "inherits": "^2.0.4", "readable-stream": "^4.2.0" } }, "sha512-ClDyJGQkc8ZtzdAAbAwBmhMSpwN/sC9HA8jxdYm6nVUbCfZbe2mgza4qh7AuEYyEPB/c4Kznf9s66bnsKMQDjw=="],
 
+    "bn.js": ["bn.js@4.12.2", "", {}, "sha512-n4DSx829VRTRByMRGdjQ9iqsN0Bh4OolPsFnaZBLcbi8iXcB+kJ9s7EnRt4wILZNV3kPLHkRVfOc/HvhC3ovDw=="],
+
     "brace-expansion": ["brace-expansion@1.1.12", "", { "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg=="],
 
     "braces": ["braces@3.0.3", "", { "dependencies": { "fill-range": "^7.1.1" } }, "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA=="],
 
+    "brorand": ["brorand@1.1.0", "", {}, "sha512-cKV8tMCEpQs4hK/ik71d6LrPOnpkpGBR0wzxqr68g2m/LB2GxVYQroAjMJZRVM1Y4BCjCKc3vAamxSzOY2RP+w=="],
+
     "bson": ["bson@6.10.4", "", {}, "sha512-WIsKqkSC0ABoBJuT1LEX+2HEvNmNKKgnTAyd0fL8qzK4SH2i9NXg+t08YtdZp/V9IZ33cxe3iV4yM0qg8lMQng=="],
 
     "buffer": ["buffer@6.0.3", "", { "dependencies": { "base64-js": "^1.3.1", "ieee754": "^1.2.1" } }, "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA=="],
@@ -315,6 +325,8 @@
 
     "ecdsa-sig-formatter": ["ecdsa-sig-formatter@1.0.11", "", { "dependencies": { "safe-buffer": "^5.0.1" } }, "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ=="],
 
+    "elliptic": ["elliptic@6.6.1", "", { "dependencies": { "bn.js": "^4.11.9", "brorand": "^1.1.0", "hash.js": "^1.0.0", "hmac-drbg": "^1.0.1", "inherits": "^2.0.4", "minimalistic-assert": "^1.0.1", "minimalistic-crypto-utils": "^1.0.1" } }, "sha512-RaddvvMatK2LJHqFJ+YA4WysVN5Ita9E35botqIYspQ4TkRAlCicdzKOjlyv/1Za5RyTNn7di//eEV0uTAfe3g=="],
+
     "es-define-property": ["es-define-property@1.0.1", "", {}, "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g=="],
 
     "es-errors": ["es-errors@1.3.0", "", {}, "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw=="],
@@ -399,8 +411,12 @@
 
     "has-tostringtag": ["has-tostringtag@1.0.2", "", { "dependencies": { "has-symbols": "^1.0.3" } }, "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw=="],
 
+    "hash.js": ["hash.js@1.1.7", "", { "dependencies": { "inherits": "^2.0.3", "minimalistic-assert": "^1.0.1" } }, "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA=="],
+
     "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
 
+    "hmac-drbg": ["hmac-drbg@1.0.1", "", { "dependencies": { "hash.js": "^1.0.3", "minimalistic-assert": "^1.0.0", "minimalistic-crypto-utils": "^1.0.1" } }, "sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg=="],
+
     "http-proxy-agent": ["http-proxy-agent@7.0.2", "", { "dependencies": { "agent-base": "^7.1.0", "debug": "^4.3.4" } }, "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig=="],
 
     "https": ["https@1.0.0", "", {}, "sha512-4EC57ddXrkaF0x83Oj8sM6SLQHAWXw90Skqu2M4AEWENZ3F02dFJE/GARA8igO79tcgYqGrD7ae4f5L3um2lgg=="],
@@ -463,6 +479,8 @@
 
     "jwa": ["jwa@1.4.2", "", { "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } }, "sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw=="],
 
+    "jwk-to-pem": ["jwk-to-pem@2.0.7", "", { "dependencies": { "asn1.js": "^5.3.0", "elliptic": "^6.6.1", "safe-buffer": "^5.0.1" } }, "sha512-cSVphrmWr6reVchuKQZdfSs4U9c5Y4hwZggPoz6cbVnTpAVgGRpEuQng86IyqLeGZlhTh+c4MAreB6KbdQDKHQ=="],
+
     "jws": ["jws@3.2.2", "", { "dependencies": { "jwa": "^1.4.1", "safe-buffer": "^5.0.1" } }, "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA=="],
 
     "keyv": ["keyv@4.5.4", "", { "dependencies": { "json-buffer": "3.0.1" } }, "sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw=="],
@@ -507,6 +525,10 @@
 
     "micromatch": ["micromatch@4.0.8", "", { "dependencies": { "braces": "^3.0.3", "picomatch": "^2.3.1" } }, "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA=="],
 
+    "minimalistic-assert": ["minimalistic-assert@1.0.1", "", {}, "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="],
+
+    "minimalistic-crypto-utils": ["minimalistic-crypto-utils@1.0.1", "", {}, "sha512-JIYlbt6g8i5jKfJ3xz7rF0LXmv2TkDxBLUkiBeZ7bAx4GnnNMr8xFpGnOxn6GhTEHx3SjRrZEoU+j04prX1ktg=="],
+
     "minimatch": ["minimatch@3.1.2", "", { "dependencies": { "brace-expansion": "^1.1.7" } }, "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw=="],
 
     "minimist": ["minimist@1.2.8", "", {}, "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA=="],

package/config/plugin-api.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-entra-id.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-ldap.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-loki.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-mongodb.json

@@ -50,6 +50,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-mssql.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-saphana.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-scim.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/config/plugin-soap.json

@@ -44,6 +44,7 @@
         {
           "secret": null,
           "publicKey": null,
+          "wellKnownUri": null,
           "options": {
             "issuer": null
           },

package/lib/helper-rest.ts

@@ -578,7 +578,7 @@ export class HelperRest {
         options.headers['Authorization'] = 'Basic ' + Buffer.from(`${o.auth?.options?.username}:${o.auth?.options?.password}`).toString('base64')
         delete o.auth
       }
-      options = utils.extendObj(o?.connection?.options, options)
+      options = utils.extendObj(options, o)
     }
 
     const cli: any = {}

package/lib/scimgateway.ts

@@ -21,6 +21,7 @@ import dot from 'dot-object'
 import nodemailer from 'nodemailer'
 import fs from 'node:fs'
 import path from 'node:path'
+import jwkToPem from 'jwk-to-pem'
 import * as jwt from 'jsonwebtoken'
 import * as utils from './utils.ts'
 import * as utilsScim from './utils-scim.ts'
@@ -37,7 +38,6 @@ export class ScimGateway {
   private getMemberOf: any
   private getAppRoles: any
   private pub: any
-  private Nonce = new utils.TimerMapCache(2000)
   // @ts-expect-error: has no initializer
   private helperRest: HelperRest
   /** pluginName is the name of plugin e.g., plugin-loki */
@@ -670,37 +670,78 @@ export class ScimGateway {
       })
     }
 
-    const jwtVerify = async (baseEntity: string, method: string, el: Record<string, any>, authToken: string) => { // used by bearerJwt
-      return await new Promise((resolve) => {
-        jwt.verify(authToken, (el.secret) ? el.secret : el.publicKeyContent, el.options, (err) => {
-          if (err != null) resolve(false)
-          else {
-            if (el.baseEntities) {
-              if (Array.isArray(el.baseEntities) && el.baseEntities.length > 0) {
-                if (!baseEntity) return resolve(false)
-                if (!el.baseEntities.includes(baseEntity)) return resolve(false)
-              }
-            }
-            if (el.readOnly === true && method !== 'GET') return resolve(false)
-            resolve(true) // authorization OK
+    const getJwksPemKey = async (kid: string, wellKnownUri: string): Promise<Array<any>> => { // retrieves "JSON Web Key Set" from well-known jwks_uri and returns the public key that corresponds with the access token kid value
+      if (!this.helperRest) this.helperRest = this.newHelperRest()
+      let res
+      try { // get issuer and jwks_uri from well-knonw uri
+        res = await this.helperRest.doRequest('undefined', 'GET', wellKnownUri)
+      } catch (err: any) {
+        logger.error(`${gwName}[${pluginName}] JWKS wellKnownUri=${wellKnownUri} error: ${err.message}`)
+        return []
+      }
+      if (!res?.body) return []
+      const issuer = res.body.issuer
+      const jwks_uri = res.body.jwks_uri
+      if (!issuer || !jwks_uri) {
+        logger.error(`${gwName}[${pluginName}] JWKS wellKnownUri=${wellKnownUri} error: found issuer=${issuer} and jwks_uri=${jwks_uri} - both should be found`)
+        return []
+      }
+      // JWKS
+      try { // get jwks that correspods with kid from jwks_uri
+        res = await this.helperRest.doRequest('undefined', 'GET', jwks_uri)
+      } catch (err: any) {
+        logger.error(`${gwName}[${pluginName}] JWKS jwks_uri=${jwks_uri} error: ${err.message}`)
+        return []
+      }
+      if (!res || !Array.isArray(res?.body?.keys)) return []
+      const keys = res.body.keys.filter((k: any) => k.kid === kid)
+      if (keys.length !== 1) return []
+      try {
+        return [jwkToPem(keys[0]), issuer, keys[0].alg]
+      } catch (err: any) {
+        return []
+      }
+    }
+
+    const jwtVerify = async (baseEntity: string, method: string, el: Record<string, any>, authToken: string, kid?: string): Promise<boolean> => { // used by bearerJwt
+      try {
+        jwt.verify(authToken, (el.secret) ? el.secret : el.publicKeyContent, el.options)
+        if (Array.isArray(el?.baseEntities) && el.baseEntities.length > 0) {
+          if (!el.baseEntities.includes(baseEntity)) return false
+        }
+        if (el.readOnly === true && method !== 'GET') return false
+        return true // authorization OK
+      } catch (err: any) {
+        if (!el.wellKnownUri) throw new Error(`JWT error: ${err.message}`)
+        // using wellKnownUri - JWKS and external public certificate - try once again we might have an updated certificate (key)
+        if (!kid) throw new Error(`JWKS error: missing kid`)
+        const [pemKey, issuer, alg] = await getJwksPemKey(kid, el.wellKnownUri)
+        if (!pemKey) throw new Error('JWKS error: no external public certificate found')
+        el.publicKeyContent = pemKey
+        if (!el.options) el.options = {}
+        if (issuer) el.options.issuer = issuer
+        if (alg) el.options.algorithms = [alg]
+        try {
+          jwt.verify(authToken, el.publicKeyContent, el.options)
+          if (Array.isArray(el?.baseEntities) && el.baseEntities.length > 0) {
+            if (!el.baseEntities.includes(baseEntity)) return false
           }
-        })
-      })
+          if (el.readOnly === true && method !== 'GET') return false
+          return true // authorization OK
+        } catch (err: any) {
+          throw new Error(`JWKS error: ${err.message}`)
+        }
+      }
     }
 
     const bearerJwt = async (baseEntity: string, method: string, authType: string, authToken: string): Promise<boolean> => {
       if (authType !== 'Bearer' || !found.BearerJwt) return false // no standard jwt bearer token
       const jtoken: any = jwt.decode(authToken, { complete: true })
-      if (jtoken == null) return false
+      if (!jtoken) return false
       if (jtoken?.payload['iss'] && jtoken?.payload['iss'].indexOf('https://sts.windows.net') === 0) return false // azure - handled by bearerJwtAzure
-      const promises: any = []
       const arr = this.config.scimgateway.auth.bearerJwt
       for (let i = 0; i < arr.length; i++) {
-        promises.push(jwtVerify(baseEntity, method, arr[i], authToken))
-      }
-      const arrResolve = await Promise.all(promises).catch((err) => { throw (err) })
-      for (const i in arrResolve) {
-        if (arrResolve[i]) return true
+        if (await jwtVerify(baseEntity, method, arr[i], authToken, jtoken?.header?.kid) === true) return true
       }
       throw new Error('JWT authentication failed')
     }
@@ -786,7 +827,7 @@ export class ScimGateway {
         ])
           .catch((err) => { throw (err) })
         for (const i in arrResolve) {
-          if (arrResolve[i]) return true // auth OK - continue with routes
+          if (arrResolve[i] === true) return true // auth OK - continue with routes
         }
         // all false - invalid auth method or missing pluging config
         let err: Error
@@ -827,7 +868,6 @@ export class ScimGateway {
         }
         return false
       }
-      return false
     }
 
     const ipAllowList = (ipAddr: string): boolean => {
@@ -878,23 +918,24 @@ export class ScimGateway {
     const getHandlerLoggerSSE = async (ctx: Context) => {
       const levelInt = logger.levelToInt(this.config?.scimgateway?.log?.loglevel?.push || 'info')
       const encoder = new TextEncoder()
+      logger.info(`${gwName}[${pluginName}] remote logger connected from ip address ${ctx.ip}`, { baseEntity: ctx?.routeObj?.baseEntity })
 
       return new Response(
         new ReadableStream({
           start(controller) {
-            controller.enqueue(encoder.encode(`\u200B`))
+            controller.enqueue(encoder.encode(`: keep-alive\n\n`))
 
             const sub = async (msgObj: Record<string, any>) => {
               if (logger.levelToInt(msgObj.level) < levelInt) return
               if (ctx?.routeObj?.baseEntity !== 'undefined') { // if using baseEntity e.g. <host>/company1/logger, only include corresponding baseEntity logentries
                 if (ctx?.routeObj?.baseEntity !== msgObj.baseEntity) return
               }
-              controller.enqueue(encoder.encode(`${JSON.stringify(msgObj)}\n`))
+              controller.enqueue(encoder.encode(`data: ${JSON.stringify(msgObj)}\n\n`))
             }
             logger.subscribe(sub)
 
             const keepAliveInterval = setInterval(() => {
-              controller.enqueue(encoder.encode(`\u200B`)) // invisible keep-alive
+              controller.enqueue(encoder.encode(`: keep-alive\n\n`))
             }, 10000)
 
             const cleanup = () => {
@@ -2705,15 +2746,39 @@ export class ScimGateway {
       const isPublisherEnabled = this.config.scimgateway.stream.publisher.enabled
       const isChainingEnabled = this.config.scimgateway.chainingBaseUrl
 
-      const wssInit = `
+      const sseInit = `
       <!DOCTYPE html>
       <html>
       <head>
         <style>
+          html, body {
+            height: 100%;
+            margin: 0;
+            padding: 0;
+          }
+          body {
+            display: flex;
+            flex-direction: column;
+            height: 100vh;
+            margin-left: 8px;
+          }
           .header-flex {
             display: flex;
             align-items: center;
             gap: 16px;
+            flex-shrink: 0;
+            margin-top: 2px;
+            margin-bottom: 2px;
+          }
+          #log {
+            flex: 1 1 auto;
+            width: 100%;
+            overflow: auto;
+            white-space: pre;
+            margin: 0;
+            min-height: 0;
+            height: auto;
+            box-sizing: border-box;
           }
           #stopBtn {
             padding: 4px 18px;
@@ -2728,42 +2793,41 @@ export class ScimGateway {
       </head>
       <body>
         <div class="header-flex">
-          <h3 style="margin:0;">SCIM Gateway remote logger</h3>
+          <h3>SCIM Gateway remote logger</h3>
           <button id="stopBtn" type="button">Stop</button>
         </div>
         <pre id="log"></pre>
         <script>
           const stopBtn = document.getElementById('stopBtn')
           const logElem = document.getElementById('log')
-          let ws = new WebSocket('{{protocol}}//' + location.host + location.pathname)
-          ws.onmessage = function(event) {
-            event.data.split('\\n').forEach(function(line) {
-              if (!line.trim()) return
-              const htmlLine = line.replace(
-                /(level":"\\s*)(debug|info|warn|error)/i,
-                function(match, p1, p2) {
-                  let color = ''
-                  switch (p2.toLowerCase()) {
-                    case 'debug': color = '#888'; break
-                    case 'info':  color = 'blue'; break
-                    case 'warn':  color = 'orange'; break
-                    case 'error': color = 'red'; break
-                    default: color = 'black'
-                  }
-                  return p1 + '<span style="color:' + color + ';font-weight:bold">' + p2 + '</span>'
+          let es = new EventSource(location.pathname)
+
+          es.onmessage = function(event) {
+            if (!event.data.trim()) return
+            const htmlLine = event.data.replace(
+              /(level":"\s*)(debug|info|warn|error)/i,
+              function(match, p1, p2) {
+                let color = ''
+                switch (p2.toLowerCase()) {
+                  case 'debug': color = '#888'; break
+                  case 'info':  color = 'blue'; break
+                  case 'warn':  color = 'orange'; break
+                  case 'error': color = 'red'; break
+                  default: color = 'black'
                 }
-              );
-              logElem.innerHTML += htmlLine + '<br>'
-            })
+                return p1 + '<span style="color:' + color + ';font-weight:bold">' + p2 + '</span>'
+              }
+            )
+            logElem.innerHTML += htmlLine + '<br>'
+            logElem.scrollTop = logElem.scrollHeight
           }
+
           stopBtn.onclick = function() {
-            if (ws) {
-              ws.close()
-              ws = null
+            if (es) {
+              es.close()
+              es = null
               stopBtn.textContent = 'Start'
-              stopBtn.onclick = function() {
-                location.reload()
-              }
+              stopBtn.onclick = function() { location.reload() }
             }
           }
         </script>
@@ -2807,29 +2871,18 @@ export class ScimGateway {
             await getHandlerServiceProviderConfig(ctx)
             return await onAfterHandle(ctx)
           case 'GET logger': // no onAfterHandle
-            if (req.headers.get('upgrade')?.toLowerCase() === 'websocket') { // browser step 2, and other Bun ws(s) clients
-              logger.info(`${gwName}[${pluginName}] remote logger connected from ip address ${ctx.ip}`, { baseEntity: ctx?.routeObj?.baseEntity })
-              return server.upgrade(req, { // after upgrade, the server will handle the WebSocket connection configured in Bun.serve()
-                data: { // passed to WebSocket server Bun open handler
-                  headers: req.headers,
-                  url: req.url,
-                  baseEntity: ctx?.routeObj?.baseEntity,
-                  ip: ctx.ip,
-                  nonce: this.Nonce.createItem(crypto.randomUUID()),
-                },
-              })
-            }
-            if (req.headers.has('sec-fetch-dest') && typeof Bun !== 'undefined') { // client is browser and not supporting WebSocket on Node.js
-              const url = new URL(ctx.origin)
-              const protocol = (url.protocol === 'https:' ? 'wss:' : 'ws:')
-              const js = wssInit.replace('{{protocol}}', protocol)
-              return new Response(js, { // browser step 1 => force WebSocket by sending javascript
-                status: 200,
-                headers: {
-                  'Content-Type': 'text/html; charset=utf-8',
-                },
-              })
-            } else return await getHandlerLoggerSSE(ctx) // using SSE for none WebSocket/wss e.g. curl -Ns http://localhost:8880/logger -u gwadmin:password | sed 's/\xE2\x80\x8B//g'
+            if (req.headers.has('sec-fetch-dest')) { // client is browser
+              if (ctx.request.headers.get('accept')?.includes('text/event-stream')) {
+                return await getHandlerLoggerSSE(ctx)
+              } else {
+                return new Response(sseInit, {
+                  status: 200,
+                  headers: {
+                    'Content-Type': 'text/html; charset=utf-8',
+                  },
+                })
+              }
+            } else return await getHandlerLoggerSSE(ctx)
           case 'PATCH users':
           case 'PATCH groups':
             await patchHandler(ctx)
@@ -2884,49 +2937,9 @@ export class ScimGateway {
             const reqWithRaw = req as Request & { raw: IncomingMessage }
             return await route(reqWithRaw, srv.requestIP(req)?.address || '')
           },
-          websocket: {
-            open: (ws) => {
-              const data = ws.data as { headers: Headers, url: string, baseEntity: string, ip: string, nonce: string } || {}
-              let isAuthorized = false // client is already authenticated by initial http/https upgrade to websocket, anyhow passing data to be validated
-              if (data?.nonce && this.Nonce.isItemValid(data.nonce)) {
-                if (data.headers.has('authorization')) {
-                  if (data.url.endsWith('/logger')) isAuthorized = true
-                }
-              }
-              if (!isAuthorized) {
-                logger.error(`${gwName}[${pluginName}] remote logger ip address ${data.ip} - WebSocket connection error: invalid nonce`, { baseEntity: data.baseEntity })
-                ws.close(3000, 'Unauthorized')
-                return
-              }
-
-              const levelInt = logger.levelToInt(this.config?.scimgateway?.log?.loglevel?.push || 'info')
-              const sub = async (msgObj: Record<string, any>) => {
-                if (logger.levelToInt(msgObj.level) < levelInt) return
-                if (data.baseEntity !== 'undefined') { // if using baseEntity e.g. <host>/company1/logger, only include corresponding baseEntity logentries
-                  if (data.baseEntity !== msgObj.baseEntity) return
-                }
-                ws.send(`${JSON.stringify(msgObj)}`)
-              }
-              logger.subscribe(sub)
-              ;(ws as any)._sub = sub
-              ;(ws as any)._baseEntity = data.baseEntity
-              ;(ws as any)._ip = data.ip
-            },
-            close: (ws) => {
-              const sub = (ws as any)._sub
-              const baseEntity = (ws as any)._baseEntity
-              const ip = (ws as any)._ip
-              if (sub) {
-                logger.unsubscribe(sub)
-              }
-              logger.info(`${gwName}[${pluginName}] remote logger disconnected from ip address ${ip}`, { baseEntity })
-            },
-            message: () => {},
-          },
         })
       } else {
         // using nodejs server either through Bun compability or Node.js
-
         // get body from req
         async function getRequestBody(req: any): Promise<Buffer> {
           return new Promise((resolve, reject) => {
@@ -3581,7 +3594,7 @@ Content-Transfer-Encoding: quoted-printable
       if (lastKey === 'password' && key.startsWith('scimgateway.auth.basic')) foundBasic = true
       else if (lastKey === 'token' && key.startsWith('scimgateway.auth.bearerToken')) foundBearerToken = true
       else if (lastKey === 'tenantIdGUID' && key.startsWith('scimgateway.auth.bearerJwtAzure')) foundBearerJwtAzure = true
-      else if (lastKey === 'secret' && key.startsWith('scimgateway.auth.bearerJwt')) foundBearerJwt = true
+      else if ((lastKey === 'publicKey' || lastKey === 'secret' || lastKey === 'wellKnownUri') && key.startsWith('scimgateway.auth.bearerJwt')) foundBearerJwt = true
       else if (lastKey === 'clientSecret' && key.startsWith('scimgateway.auth.bearerOAuth')) foundBearerOAuth = true
 
       // certificate full path

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.4.2",
+  "version": "5.4.4",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
@@ -48,6 +48,7 @@
     "hyco-https": "^1.4.5",
     "is-in-subnet": "^4.0.1",
     "jsonwebtoken": "^9.0.2",
+    "jwk-to-pem": "^2.0.7",
     "ldapjs": "^3.0.7",
     "lokijs": "^1.5.12",
     "mongodb": "^6.16.0",
@@ -65,6 +66,7 @@
     "@types/bun": "latest",
     "@types/dot-object": "^2.1.6",
     "@types/jsonwebtoken": "^9.0.9",
+    "@types/jwk-to-pem": "^2.0.3",
     "@types/node": "latest",
     "@types/nodemailer": "^6.4.17",
     "@types/passport": "^1.0.17",