npm - scimgateway - Versions diffs - 5.4.4 → 5.5.0 - Mend

scimgateway 5.4.4 → 5.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -16,6 +16,7 @@ Validated through IdP's:
 Latest news:
+- Entra ID [Federated Identity Credentials](https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) is now supported. Identity federation allows SCIM Gateway to access Microsoft Entra protected resources without needing to manage secrets
 - External JWKS (JSON Web Key Set) is now supported by JWT Authentication. These are public and typically frequent rotated by modern identity providers
 - [Azure Relay](https://learn.microsoft.com/en-us/azure/azure-relay/relay-what-is-it) is now supported for secure and hassle-free outbound communication — with just one minute of configuration
 - [ETag](https://datatracker.ietf.org/doc/html/rfc7644#section-3.14) is now supported
@@ -418,7 +419,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - **auth.bearerJwtAzure** - Array of one or more JWT used by Azure SyncFabric. **tenantIdGUID** must be set to Entra ID Tenant ID.
-- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret**, **publicKey** or **wellKnownUri** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. For JWKS (JSON Web Key Set), the **wellKnownUri** must be set to identity provider well-known URI which will be used for lookup the jwks_uri key.  **options.issuer** should normally be set for validation when using secret or publicKey. Other options may also be included according to jsonwebtoken npm package definition.
+- **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret**, **publicKey** or **wellKnownUri** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. For JWKS (JSON Web Key Set), the **wellKnownUri** must be set to identity provider well-known URI which will be used for lookup the jwks_uri key.  **options.issuer** should normally be set for validation when using secret or publicKey, for JWKS the issuer will be included automatically. Other options may also be included according to the JWT standard.
 - **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. `http://localhost:8880/oauth/token`
@@ -716,7 +717,7 @@ Example Entra ID (plugin-entra-id) using certificate secret:
 	"connection": {
 	  "baseUrls": [],
 	  "auth": {
-	    "type": "oauth",
+	    "type": "oauthJwtBearer",
 	    "options": {
 	      "tenantIdGUID": "<tenantId>",
 	      "clientId": "<clientId>",
@@ -728,6 +729,27 @@ Example Entra ID (plugin-entra-id) using certificate secret:
 	  }
 	}
+Example Entra ID (plugin-entra-id) using federated credentials:
+	"connection": {
+	  "baseUrls": [],
+	  "auth": {
+	    "type": "oauthJwtBearer",
+	    "options": {
+	      "tenantIdGUID": "<tenantId>",
+	      "fedCred": {
+	        "issuer": "<https://FQDN-scimgateway/oauth>",
+	        "subject": "<entra id application object id - client id>",
+	        "name": "<entra id federated credentials unique name>"
+	      }
+	    }
+	  }
+	}
+	// Note: Federated credentials defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name`
+	// example issuer: "https://scimgateway.my-company.com/oauth" and must be reachable from the internet
+	// exampole name: "plugin-entra-id"
 Example using general OAuth:
 	"connection": {
@@ -1469,6 +1491,45 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 ## Change log
+### v5.5.0
+[Improved]
+- Entra ID [Federated Identity Credentials](https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0) is now supported. Identity federation allows SCIM Gateway to access Microsoft Entra protected resources without needing to manage secrets
+	helper-rest includes options for federated credentials:
+		"auth {
+		  "type": "oauthJwtBearer",
+		  "options": {
+		    "tenantIdGUID": "<Entra ID tenantIdGUID",
+		    "fedCred": {
+		      "issuer": "<https://FQDN-scimgateway/oauth>",
+		      "subject": "<entra id application object id - client id>",
+		      "name": "<entra id federated credentials unique name>"
+		    }
+		  }
+		}
+	Example:
+		"auth {
+		  "type": "oauthJwtBearer",
+		  "options": {
+		    "tenantIdGUID": "11111111-2222-3333-4444-555555555555",
+		    "fedCred": {
+		      "issuer": "https://scimgateway.my-company.com/oauth>",
+		      "subject": "99999999-8888-7777-6666-555555555555",
+		      "name": "plugin-entra-id"
+		    }
+		  }
+		}
+	Note: Federated credentials defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name` values defined in the SCIM Gateway endpoint configuration. An example of this can be using `plugin-entra-id` and other plugins that interact with endpoints or applications protected by Entra ID.
+	Also note: SCIM Gateway must be reachable from the internet (as defined by the `issuer` URL). This requires allowing inbound internet communication — or alternatively, Azure Relay can be used for outbound-only communication.
 ### v5.4.4
 [Improved]

package/bun.lock CHANGED Viewed

@@ -16,8 +16,7 @@
         "https-proxy-agent": "^7.0.6",
         "hyco-https": "^1.4.5",
         "is-in-subnet": "^4.0.1",
-        "jsonwebtoken": "^9.0.2",
-        "jwk-to-pem": "^2.0.7",
+        "jose": "^6.0.11",
         "ldapjs": "^3.0.7",
         "lokijs": "^1.5.12",
         "mongodb": "^6.16.0",
@@ -28,11 +27,10 @@
         "saml": "^3.0.1",
       },
       "devDependencies": {
-        "@stylistic/eslint-plugin": "^4.4.0",
+        "@stylistic/eslint-plugin": "^5.1.0",
         "@types/bun": "latest",
         "@types/dot-object": "^2.1.6",
         "@types/jsonwebtoken": "^9.0.9",
-        "@types/jwk-to-pem": "^2.0.3",
         "@types/node": "latest",
         "@types/nodemailer": "^6.4.17",
         "@types/passport": "^1.0.17",
@@ -143,7 +141,7 @@
     "@nodelib/fs.walk": ["@nodelib/fs.walk@1.2.8", "", { "dependencies": { "@nodelib/fs.scandir": "2.1.5", "fastq": "^1.6.0" } }, "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg=="],
-    "@stylistic/eslint-plugin": ["@stylistic/eslint-plugin@4.4.1", "", { "dependencies": { "@typescript-eslint/utils": "^8.32.1", "eslint-visitor-keys": "^4.2.0", "espree": "^10.3.0", "estraverse": "^5.3.0", "picomatch": "^4.0.2" }, "peerDependencies": { "eslint": ">=9.0.0" } }, "sha512-CEigAk7eOLyHvdgmpZsKFwtiqS2wFwI1fn4j09IU9GmD4euFM4jEBAViWeCqaNLlbX2k2+A/Fq9cje4HQBXuJQ=="],
+    "@stylistic/eslint-plugin": ["@stylistic/eslint-plugin@5.1.0", "", { "dependencies": { "@eslint-community/eslint-utils": "^4.7.0", "@typescript-eslint/types": "^8.34.1", "eslint-visitor-keys": "^4.2.1", "espree": "^10.4.0", "estraverse": "^5.3.0", "picomatch": "^4.0.2" }, "peerDependencies": { "eslint": ">=9.0.0" } }, "sha512-TJRJul4u/lmry5N/kyCU+7RWWOk0wyXN+BncRlDYBqpLFnzXkd7QGVfN7KewarFIXv0IX0jSF/Ksu7aHWEDeuw=="],
     "@types/body-parser": ["@types/body-parser@1.19.6", "", { "dependencies": { "@types/connect": "*", "@types/node": "*" } }, "sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g=="],
@@ -165,8 +163,6 @@
     "@types/jsonwebtoken": ["@types/jsonwebtoken@9.0.10", "", { "dependencies": { "@types/ms": "*", "@types/node": "*" } }, "sha512-asx5hIG9Qmf/1oStypjanR7iKTv0gXQ1Ov/jfrX6kS/EO0OFni8orbmGCn0672NHR3kXHwpAwR+B368ZGN/2rA=="],
-    "@types/jwk-to-pem": ["@types/jwk-to-pem@2.0.3", "", {}, "sha512-I/WFyFgk5GrNbkpmt14auGO3yFK1Wt4jXzkLuI+fDBNtO5ZI2rbymyGd6bKzfSBEuyRdM64ZUwxU1+eDcPSOEQ=="],
     "@types/ldapjs": ["@types/ldapjs@3.0.6", "", { "dependencies": { "@types/node": "*" } }, "sha512-E2Tn1ltJDYBsidOT9QG4engaQeQzRQ9aYNxVmjCkD33F7cIeLPgrRDXAYs0O35mK2YDU20c/+ZkNjeAPRGLM0Q=="],
     "@types/lokijs": ["@types/lokijs@1.5.14", "", {}, "sha512-4Fic47BX3Qxr8pd12KT6/T1XWU8dOlJBIp1jGoMbaDbiEvdv50rAii+B3z1b/J2pvMywcVP+DBPGP5/lgLOKGA=="],
@@ -239,8 +235,6 @@
     "argparse": ["argparse@2.0.1", "", {}, "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q=="],
-    "asn1.js": ["asn1.js@5.4.1", "", { "dependencies": { "bn.js": "^4.0.0", "inherits": "^2.0.1", "minimalistic-assert": "^1.0.0", "safer-buffer": "^2.1.0" } }, "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA=="],
     "assert-plus": ["assert-plus@1.0.0", "", {}, "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw=="],
     "async": ["async@3.2.6", "", {}, "sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA=="],
@@ -259,14 +253,10 @@
     "bl": ["bl@6.1.0", "", { "dependencies": { "@types/readable-stream": "^4.0.0", "buffer": "^6.0.3", "inherits": "^2.0.4", "readable-stream": "^4.2.0" } }, "sha512-ClDyJGQkc8ZtzdAAbAwBmhMSpwN/sC9HA8jxdYm6nVUbCfZbe2mgza4qh7AuEYyEPB/c4Kznf9s66bnsKMQDjw=="],
-    "bn.js": ["bn.js@4.12.2", "", {}, "sha512-n4DSx829VRTRByMRGdjQ9iqsN0Bh4OolPsFnaZBLcbi8iXcB+kJ9s7EnRt4wILZNV3kPLHkRVfOc/HvhC3ovDw=="],
     "brace-expansion": ["brace-expansion@1.1.12", "", { "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg=="],
     "braces": ["braces@3.0.3", "", { "dependencies": { "fill-range": "^7.1.1" } }, "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA=="],
-    "brorand": ["brorand@1.1.0", "", {}, "sha512-cKV8tMCEpQs4hK/ik71d6LrPOnpkpGBR0wzxqr68g2m/LB2GxVYQroAjMJZRVM1Y4BCjCKc3vAamxSzOY2RP+w=="],
     "bson": ["bson@6.10.4", "", {}, "sha512-WIsKqkSC0ABoBJuT1LEX+2HEvNmNKKgnTAyd0fL8qzK4SH2i9NXg+t08YtdZp/V9IZ33cxe3iV4yM0qg8lMQng=="],
     "buffer": ["buffer@6.0.3", "", { "dependencies": { "base64-js": "^1.3.1", "ieee754": "^1.2.1" } }, "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA=="],
@@ -325,8 +315,6 @@
     "ecdsa-sig-formatter": ["ecdsa-sig-formatter@1.0.11", "", { "dependencies": { "safe-buffer": "^5.0.1" } }, "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ=="],
-    "elliptic": ["elliptic@6.6.1", "", { "dependencies": { "bn.js": "^4.11.9", "brorand": "^1.1.0", "hash.js": "^1.0.0", "hmac-drbg": "^1.0.1", "inherits": "^2.0.4", "minimalistic-assert": "^1.0.1", "minimalistic-crypto-utils": "^1.0.1" } }, "sha512-RaddvvMatK2LJHqFJ+YA4WysVN5Ita9E35botqIYspQ4TkRAlCicdzKOjlyv/1Za5RyTNn7di//eEV0uTAfe3g=="],
     "es-define-property": ["es-define-property@1.0.1", "", {}, "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g=="],
     "es-errors": ["es-errors@1.3.0", "", {}, "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw=="],
@@ -411,12 +399,8 @@
     "has-tostringtag": ["has-tostringtag@1.0.2", "", { "dependencies": { "has-symbols": "^1.0.3" } }, "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw=="],
-    "hash.js": ["hash.js@1.1.7", "", { "dependencies": { "inherits": "^2.0.3", "minimalistic-assert": "^1.0.1" } }, "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA=="],
     "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
-    "hmac-drbg": ["hmac-drbg@1.0.1", "", { "dependencies": { "hash.js": "^1.0.3", "minimalistic-assert": "^1.0.0", "minimalistic-crypto-utils": "^1.0.1" } }, "sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg=="],
     "http-proxy-agent": ["http-proxy-agent@7.0.2", "", { "dependencies": { "agent-base": "^7.1.0", "debug": "^4.3.4" } }, "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig=="],
     "https": ["https@1.0.0", "", {}, "sha512-4EC57ddXrkaF0x83Oj8sM6SLQHAWXw90Skqu2M4AEWENZ3F02dFJE/GARA8igO79tcgYqGrD7ae4f5L3um2lgg=="],
@@ -465,6 +449,8 @@
     "isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
+    "jose": ["jose@6.0.11", "", {}, "sha512-QxG7EaliDARm1O1S8BGakqncGT9s25bKL1WSf6/oa17Tkqwi8D2ZNglqCF+DsYF88/rV66Q/Q2mFAy697E1DUg=="],
     "js-md4": ["js-md4@0.3.2", "", {}, "sha512-/GDnfQYsltsjRswQhN9fhv3EMw2sCpUdrdxyWDOUK7eyD++r3gRhzgiQgc/x4MAv2i1iuQ4lxO5mvqM3vj4bwA=="],
     "js-yaml": ["js-yaml@4.1.0", "", { "dependencies": { "argparse": "^2.0.1" }, "bin": { "js-yaml": "bin/js-yaml.js" } }, "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA=="],
@@ -479,8 +465,6 @@
     "jwa": ["jwa@1.4.2", "", { "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } }, "sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw=="],
-    "jwk-to-pem": ["jwk-to-pem@2.0.7", "", { "dependencies": { "asn1.js": "^5.3.0", "elliptic": "^6.6.1", "safe-buffer": "^5.0.1" } }, "sha512-cSVphrmWr6reVchuKQZdfSs4U9c5Y4hwZggPoz6cbVnTpAVgGRpEuQng86IyqLeGZlhTh+c4MAreB6KbdQDKHQ=="],
     "jws": ["jws@3.2.2", "", { "dependencies": { "jwa": "^1.4.1", "safe-buffer": "^5.0.1" } }, "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA=="],
     "keyv": ["keyv@4.5.4", "", { "dependencies": { "json-buffer": "3.0.1" } }, "sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw=="],
@@ -525,10 +509,6 @@
     "micromatch": ["micromatch@4.0.8", "", { "dependencies": { "braces": "^3.0.3", "picomatch": "^2.3.1" } }, "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA=="],
-    "minimalistic-assert": ["minimalistic-assert@1.0.1", "", {}, "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="],
-    "minimalistic-crypto-utils": ["minimalistic-crypto-utils@1.0.1", "", {}, "sha512-JIYlbt6g8i5jKfJ3xz7rF0LXmv2TkDxBLUkiBeZ7bAx4GnnNMr8xFpGnOxn6GhTEHx3SjRrZEoU+j04prX1ktg=="],
     "minimatch": ["minimatch@3.1.2", "", { "dependencies": { "brace-expansion": "^1.1.7" } }, "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw=="],
     "minimist": ["minimist@1.2.8", "", {}, "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA=="],

package/lib/helper-rest.ts CHANGED Viewed

@@ -10,10 +10,11 @@
 import { HttpsProxyAgent } from 'https-proxy-agent'
 import { URL } from 'url'
 import { Buffer } from 'node:buffer'
+import { createPublicKey, createPrivateKey, createHash } from 'node:crypto'
 import { samlAssertion } from './samlAssertion.ts'
-import * as jsonwebtoken from 'jsonwebtoken'
 import fs from 'node:fs'
 import querystring from 'querystring'
+import * as jose from 'jose'
 import * as utils from './utils.ts'
 /**
@@ -148,66 +149,118 @@ export class HelperRest {
           break
         case 'oauthJwtBearer':
-          let jwtClaims: jsonwebtoken.JwtPayload | Record<string, any> = {}
-          let jwtOpts: jsonwebtoken.SignOptions = {}
+          let jwtClaims: jose.JWTPayload | Record<string, any>
+          let jwtHeaders: jose.JWTHeaderParameters
           if (tenantIdGUID) { // Microsoft Entra ID
-            if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tls?.cert) {
-              throw new Error(`auth type '${this.config_entity[baseEntity]?.connection?.auth?.type}' - missing options.tls.key/cert configuration`)
-            }
-            let privateKey = this.config_entity[baseEntity]?.connection?.auth?.options?.tls?._key || ''
-            let cert = this.config_entity[baseEntity]?.connection?.auth?.options?.tls?._cert || ''
-            if (!privateKey || !cert) {
-              privateKey = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.tls.key, 'utf-8') || ''
-              cert = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.tls.cert, 'utf-8') || ''
-              if (privateKey) this.config_entity[baseEntity].connection.auth.options.tls._key = privateKey
-              if (cert) this.config_entity[baseEntity].connection.auth.options.tls._cert = cert
-            }
-            if (!privateKey || !cert) {
-              throw new Error(`auth type '${this.config_entity[baseEntity]?.connection?.auth?.type}' - missing options.tls.key/cert file content`)
-            }
-            const jwtPayload: jsonwebtoken.JwtPayload = {
-              sub: this.config_entity[baseEntity]?.connection?.auth?.options?.clientId,
-              iss: this.config_entity[baseEntity]?.connection?.auth?.options?.clientId,
-              aud: `https://login.microsoftonline.com/${tenantIdGUID}/v2.0`,
-              iat: Math.floor(Date.now() / 1000) - 60,
-              exp: Math.floor(Date.now() / 1000) + 3600,
-              jti: crypto.randomUUID(),
-              nbf: Math.floor(Date.now() / 1000) - 60,
-            }
-            jwtClaims = {
-              ...jwtPayload,
-            }
-            const base64Thumbprint = utils.getBase64CertificateThumbprint(cert, 'sha1') // xt5=>sha1, x5t#S256=>sha256
-            jwtOpts = {
-              algorithm: 'RS256',
-              header: {
-                typ: 'JWT',
+            if (this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer) { // federated credentials
+              const name = JSON.stringify(this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.name) // ensure not using none valid json key
+              if (!this.scimgateway.jwk) this.scimgateway.jwk = {}
+              if (!this.scimgateway.jwk[baseEntity]) this.scimgateway.jwk[baseEntity] = {}
+              if (!this.scimgateway.jwk[baseEntity][name]) {
+                const { publicKey, privateKey } = await jose.generateKeyPair('RS256')
+                this.scimgateway.jwk[baseEntity][name] = { publicKey, privateKey }
+                const ttl = 5 * 60 // 5 minutes
+                ;(async () => {
+                  // rotate - delete JWK after 5 minutes, will be regenerated on next token request
+                  // entra id only lookup well-known uri and corresponding jwks_uri on token request validation if kid not found in entra cached JWKS
+                  setTimeout(async () => {
+                    delete this.scimgateway.jwk[baseEntity][name]
+                  }, ttl * 1000)
+                })()
+              }
+              this.scimgateway.jwk[baseEntity].issuer = this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer // updates .well-known
+              const now = Date.now()
+              const jwtPayload: jose.JWTPayload = {
+                iss: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer, // entra id federated credentials issuer e.g. https://scimgateway.my-company.com/oauth
+                sub: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.subject, // entra id application object id - client id
+                name: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.name, // entra id federated credentials unique name e.g. plugin-entra-id
+                aud: 'api://AzureADTokenExchange', // entra id federated credentials audience
+                // below is not used by entra id federated credentials token-generation - could be skipped
+                iat: Math.floor(now / 1000) - 60,
+                exp: Math.floor(now / 1000) + 3600,
+                jti: crypto.randomUUID(),
+                nbf: Math.floor(now / 1000) - 60,
+              }
+              jwtClaims = {
+                ...jwtPayload,
+              }
+              const jwk = await jose.exportJWK(this.scimgateway.jwk[baseEntity][name].publicKey)
+              const kid = createHash('sha256') // kid required for JWKS
+                .update(JSON.stringify(jwk))
+                .digest('base64url')
+              jwtHeaders = {
                 alg: 'RS256',
-                x5t: base64Thumbprint,
-              },
-            }
-            /* Microsoft recommended modern x5t#S256 does not work using self-signed certificate
-            const base64Thumbprint = utils.getBase64CertificateThumbprint(cert, 'sha256')
-            jwtOpts = {
-              algorithm: 'PS256',
-              header: {
+                typ: 'JWT',
+                kid,
+              }
+              form = {
+                grant_type: 'client_credentials',
+                scope: this.config_entity[baseEntity].connection.auth.options.scope, // "https://graph.microsoft.com/.default"
+                client_id: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.subject,
+                client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+                client_assertion: await new jose.SignJWT(jwtClaims)
+                  .setProtectedHeader(jwtHeaders)
+                  .sign(this.scimgateway.jwk[baseEntity][name].privateKey),
+              }
+            } else { // standard certificate
+              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tls?.cert) {
+                throw new Error(`auth type '${this.config_entity[baseEntity]?.connection?.auth?.type}' - missing options.tls.key/cert configuration`)
+              }
+              let privateKey = this.config_entity[baseEntity]?.connection?.auth?.options?.tls?._key || ''
+              let cert = this.config_entity[baseEntity]?.connection?.auth?.options?.tls?._cert || ''
+              let certPem = this.config_entity[baseEntity]?.connection?.auth?.options?.tls?._certPem || ''
+              if (!privateKey || !cert) {
+                const privateKeyPem = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.tls.key, 'utf-8') || ''
+                certPem = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.tls.cert, 'utf-8') || ''
+                if (privateKeyPem) {
+                  privateKey = createPrivateKey(privateKeyPem) // PEM => KeyObject
+                  this.config_entity[baseEntity].connection.auth.options.tls._key = privateKey
+                }
+                if (certPem) {
+                  cert = createPublicKey(certPem)
+                  this.config_entity[baseEntity].connection.auth.options.tls._cert = cert
+                  this.config_entity[baseEntity].connection.auth.options.tls._certPem = certPem
+                }
+              }
+              if (!privateKey || !cert) {
+                throw new Error(`auth type '${this.config_entity[baseEntity]?.connection?.auth?.type}' - missing options.tls.key/cert file content`)
+              }
+              const jwtPayload: jose.JWTPayload = {
+                iss: this.config_entity[baseEntity]?.connection?.auth?.options?.clientId,
+                sub: this.config_entity[baseEntity]?.connection?.auth?.options?.clientId,
+                aud: `https://login.microsoftonline.com/${tenantIdGUID}/v2.0`,
+                iat: Math.floor(Date.now() / 1000) - 60,
+                exp: Math.floor(Date.now() / 1000) + 3600,
+                jti: crypto.randomUUID(),
+                nbf: Math.floor(Date.now() / 1000) - 60,
+              }
+              jwtClaims = {
+                ...jwtPayload,
+              }
+              const base64Thumbprint = utils.getBase64CertificateThumbprint(certPem, 'sha256') // x5t=>sha1, x5t#S256=>sha256
+              jwtHeaders = {
+                'alg': 'RS256',
                 'typ': 'JWT',
-                'alg': 'PS256',
-                'x5t#S256': base64Thumbprint,
-              },
-            }
-            */
-            form = {
-              grant_type: 'client_credentials',
-              scope: this.config_entity[baseEntity].connection.auth.options.scope, // "https://graph.microsoft.com/.default"
-              client_id: this.config_entity[baseEntity]?.connection?.auth?.options?.clientId,
-              client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
-              client_assertion: jsonwebtoken.sign(jwtClaims, privateKey, jwtOpts),
+                'x5t#S256': base64Thumbprint, // Microsoft recommend modern x5t#S256 over x5t
+              }
+              form = {
+                grant_type: 'client_credentials',
+                scope: this.config_entity[baseEntity].connection.auth.options.scope, // "https://graph.microsoft.com/.default"
+                client_id: this.config_entity[baseEntity]?.connection?.auth?.options?.clientId,
+                client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+                client_assertion: await new jose.SignJWT(jwtClaims)
+                  .setProtectedHeader(jwtHeaders)
+                  .sign(privateKey),
+              }
             }
           } else if (serviceAccountKeyFile) { // Google - using Service Account key json-file
             if (!this.config_entity[baseEntity]?.connection?.auth?.options?.jwtPayload?.scope || !this.config_entity[baseEntity]?.connection?.auth?.options?.jwtPayload?.subject) {
@@ -228,10 +281,10 @@ export class HelperRest {
             }
             tokenUrl = gkey.token_uri // https://oauth2.googleapis.com/token
-            const privateKey = gkey.private_key
-            const jwtPayload: jsonwebtoken.JwtPayload = {
-              sub: this.config_entity[baseEntity]?.connection?.auth?.options?.jwtPayload?.subject, // gmail sender mail-address: noreply@mycompany.com
+            const privateKey = createPrivateKey(gkey.private_key) // PEM => KeyObject
+            const jwtPayload: jose.JWTPayload = {
               iss: gkey.client_email, // service account email/user
+              sub: this.config_entity[baseEntity]?.connection?.auth?.options?.jwtPayload?.subject, // gmail sender mail-address: noreply@mycompany.com
               aud: gkey.token_uri,
               iat: Math.floor(Date.now() / 1000) - 60, // issued at
               exp: Math.floor(Date.now() / 1000) + 3600, // expiration time
@@ -240,17 +293,17 @@ export class HelperRest {
               ...jwtPayload,
               scope: this.config_entity[baseEntity]?.connection?.auth?.options?.jwtPayload?.scope, // https://www.googleapis.com/auth/gmail.send
             }
-            jwtOpts = {
-              algorithm: 'RS256',
-              header: {
-                typ: 'JWT',
-                alg: 'RS256',
-                kid: gkey.client_id,
-              },
+            jwtHeaders = {
+              alg: 'RS256',
+              typ: 'JWT',
+              kid: gkey.client_id,
             }
             form = {
               grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-              assertion: jsonwebtoken.sign(jwtClaims, privateKey, jwtOpts),
+              assertion: await new jose.SignJWT(jwtClaims)
+                .setProtectedHeader(jwtHeaders)
+                .sign(privateKey),
             }
           } else {
             // standard JWT - requires all configuation: tokenUrl, jwtPayload and tls.key
@@ -266,27 +319,29 @@ export class HelperRest {
             let privateKey = this.config_entity[baseEntity]?.connection?.auth?.options?.tls?._key || ''
             if (!privateKey) {
               privateKey = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.tls.key, 'utf-8') || ''
-              if (privateKey) this.config_entity[baseEntity].connection.auth.options.tls._key = privateKey
+              if (privateKey) {
+                privateKey = createPrivateKey(privateKey)
+                this.config_entity[baseEntity].connection.auth.options.tls._key = privateKey
+              }
             }
-            let jwtPayload = this.config_entity[baseEntity].connection.auth.options.jwtPayload
+            let jwtPayload: jose.JWTPayload = this.config_entity[baseEntity].connection.auth.options.jwtPayload
             if (!jwtPayload.iat) jwtPayload.iat = Math.floor(Date.now() / 1000) - 60
             if (!jwtPayload.exp) jwtPayload.exp = Math.floor(Date.now() / 1000) + 3600
             jwtClaims = {
               ...jwtPayload,
             }
-            jwtOpts = {
-              algorithm: 'RS256',
-              header: {
-                typ: 'JWT',
-                alg: 'RS256',
-              },
+            jwtHeaders = {
+              alg: 'RS256',
+              typ: 'JWT',
             }
             form = {
               grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-              assertion: jsonwebtoken.sign(jwtClaims, privateKey, jwtOpts),
+              assertion: await new jose.SignJWT(jwtClaims)
+                .setProtectedHeader(jwtHeaders)
+                .sign(privateKey),
             }
           }
@@ -410,8 +465,8 @@ export class HelperRest {
         if (opt?.connection) { // allow overriding/extending configuration connection by caller argument opt.connection
           let org = this.config_entity[baseEntity]?.connection
           orgConnection = utils.copyObj(org)
-          if (!orgConnection) orgConnection = {}
-          orgConnection = utils.extendObj(orgConnection, opt.connection)
+          if (!org) org = {}
+          org = utils.extendObj(org, opt.connection)
         }
         // may use configuration type='oauth' and auto corrected to 'oauthJwtBearer'
@@ -699,6 +754,7 @@ export class HelperRest {
       try { urlObj = new URL(path) } catch (err) { void 0 }
       let isServiceClient = !urlObj && this._serviceClient[baseEntity] && !this.lock.isLocked() // !isLocked to avoid retry ongoing doRequest with failing getAccessToken()
       let oAuthTokeErr = statusCode === 401 && this.config_entity[baseEntity].connection?.auth?.type && this.config_entity[baseEntity].connection.auth.type.startsWith('oauth')
       if (isServiceClient && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ABORT_ERR' || err.code === 'ETIMEDOUT' || statusCode === 504 || oAuthTokeErr || retryAfter)) {
         this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
         if (retryAfter) {
@@ -709,8 +765,10 @@ export class HelperRest {
         }
         if (retryCount < this.config_entity[baseEntity].connection.baseUrls.length) {
           retryCount++
-          this.updateServiceClient(baseEntity, { baseUrl: this.config_entity[baseEntity].connection.baseUrls[retryCount - 1] })
-          this.scimgateway.logDebug(baseEntity, `${(this.config_entity[baseEntity].connection.baseUrls.length > 1) ? 'failover ' : ''}retry[${retryCount}] using baseUrl = ${this._serviceClient[baseEntity].baseUrl}`)
+          if (isServiceClient) {
+            this.updateServiceClient(baseEntity, { baseUrl: this.config_entity[baseEntity].connection.baseUrls[retryCount - 1] })
+            this.scimgateway.logDebug(baseEntity, `${(this.config_entity[baseEntity].connection.baseUrls.length > 1) ? 'failover ' : ''}retry[${retryCount}] using baseUrl = ${this._serviceClient[baseEntity].baseUrl}`)
+          }
           if (oAuthTokeErr) {
             delete this._serviceClient[baseEntity] // ensure new getAccessToken request - token used should not have been expired, but rejected for other reason e.g. token server restart and no persistent token store?
           }
@@ -778,6 +836,7 @@ export class HelperRest {
   * type=**"basic"** having auth.options:
   * ```
   * {
+  *   "type": "basic",
   *   "options": {
   *      "username": "<username>",
   *      "password": "<password>"
@@ -788,6 +847,7 @@ export class HelperRest {
   * type=**"oauth"** having auth.options:
   * ```
   * {
+  *   "type": "oauth",
   *   "options": {
   *     "tenantIdGUID": "<Entra ID tenantIdGUID", // Entra ID authentication - if baseUrls not defined, baseUrls automatically set to [https://graph.microsoft.com/beta]
   *     "tokenUrl": "<tokenUrl>", // must be set if not using tenantIdGUID
@@ -800,6 +860,7 @@ export class HelperRest {
   * type=**"token"** having auth.options:
   * ```
   * {
+  *   "type": "token",
   *   "options": {
   *     "tokenUrl": "<url for requesting token">
   *     "username": "<user name for token request>"
@@ -811,6 +872,7 @@ export class HelperRest {
   * type=**"bearer"** having auth.options:
   * ```
   * {
+  *   "type": "bearer",
   *   "options": {
   *     "token": "<bearer token to be used">
   *   }
@@ -820,6 +882,7 @@ export class HelperRest {
   * type=**"oauthSamlBearer"** having auth.options:
   * ```
   * {
+  *   "type": "oauthSamlBearer",
   *   "options": {
   *     "tokenUrl": "<tokenUrl>",
   *     "samlPayload": {
@@ -841,8 +904,9 @@ export class HelperRest {
   *
   * type=**"oauthJwtBearer"** having auth.options:
   * ```
-  * // Microsoft Entra ID
+  * // Microsoft Entra ID - using certificate
   * {
+  *   "type": "oauthJwtBearer",
   *   "options": {
   *     "tenantIdGUID": "<Entra ID tenantIdGUID", // Entra ID authentication, if baseUrls not defined, baseUrls automatically set to [https://graph.microsoft.com/beta]
   *     "clientId": "<clientId>",
@@ -853,8 +917,23 @@ export class HelperRest {
   *   }
   * }
   *
+  * // Microsoft Entra ID - using Federated credentials
+  * // Note, fedCred configuration must match corresponding configuration in Entra ID Application - Federation credentials
+  * {
+  *   "type": "oauthJwtBearer",
+  *   "options": {
+  *     "tenantIdGUID": "<Entra ID tenantIdGUID",
+  *     "fedCred": {
+  *       "issuer": "<https://FQDN-scimgateway/oauth>", // e.g. https://scimgateway.my-company.com/oauth
+  *       "subject": "<entra id application object id - client id>",
+  *       "name": "<entra id federated credentials unique name>" // e.g. plugin-entra-id
+  *     }
+  *   }
+  * }
+  *
   * // Google Cloud Platform - GCP
   * {
+  *   "type": "oauthJwtBearer",
   *   "options": {
   *     "serviceAccountKeyFile": "<Google Service Account key file name>", // located in ./config/certs. If baseUrls not defined, baseUrls automatically set to [https://www.googleapis.com]
   *     "scope": "<jwt-scope>",
@@ -864,6 +943,7 @@ export class HelperRest {
   *
   * // General JWT API
   * {
+  *   "type": "oauthJwtBearer",
   *   "options": {
   *     "tokenUrl":  "<tokenUrl",
   *     "tls": {

package/lib/logger.ts CHANGED Viewed

@@ -131,7 +131,7 @@ export class Logger {
     let customMask = this.customMasking || []
     if (!Array.isArray(customMask)) customMask = []
-    const jsonMaskKeys = ['password', 'access_token', 'client_secret', 'assertion', 'client_assertion']
+    const jsonMaskKeys = ['password', 'access_token', 'client_secret', 'assertion', 'client_assertion', 'refresh_token']
     const jsonJoinedKeys = jsonMaskKeys.concat(customMask).join('|')
     const xmlMaskKeys = ['credentials', 'PasswordText', 'PasswordDigest', 'password']
     const xmlJoinedKeys = xmlMaskKeys.concat(customMask).join('"?|') + '"?'

package/lib/scimgateway.ts CHANGED Viewed

@@ -11,6 +11,7 @@
 import { createServer as httpCreateServer } from 'node:http'
 import { createServer as httpsCreateServer } from 'node:https'
 import { type IncomingMessage, type ServerResponse } from 'node:http'
+import { createPublicKey, createHash } from 'node:crypto'
 import { createChecker } from 'is-in-subnet'
 import { BearerStrategy, type IBearerStrategyOptionWithRequest } from 'passport-azure-ad'
 import { fileURLToPath } from 'node:url'
@@ -21,8 +22,7 @@ import dot from 'dot-object'
 import nodemailer from 'nodemailer'
 import fs from 'node:fs'
 import path from 'node:path'
-import jwkToPem from 'jwk-to-pem'
-import * as jwt from 'jsonwebtoken'
+import * as jose from 'jose'
 import * as utils from './utils.ts'
 import * as utilsScim from './utils-scim.ts'
 import * as stream from './scim-stream.js'
@@ -33,6 +33,7 @@ export class ScimGateway {
   private logger: any
   private gwName: string
   private scimDef: any
+  private jwk: any
   private countries: any
   private multiValueTypes: any
   private getMemberOf: any
@@ -485,7 +486,7 @@ export class ScimGateway {
       getMethod: 'getAppRoles',
     }
     /** handlers supported url paths */
-    const handlers = ['users', 'groups', 'bulk', 'serviceplans', 'approles', 'api', 'schemas', 'resourcetypes', 'serviceproviderconfig', 'serviceproviderconfigs', 'logger']
+    const handlers = ['users', 'groups', 'bulk', 'serviceplans', 'approles', 'api', 'schemas', 'resourcetypes', 'serviceproviderconfig', 'serviceproviderconfigs', 'oauth', 'logger']
     try {
       if (!fs.existsSync(configDir + '/wsdls')) fs.mkdirSync(configDir + '/wsdls')
@@ -585,10 +586,12 @@ export class ScimGateway {
       }
       if (ctx.response.status && (ctx.response.status < 200 || ctx.response.status > 299)) {
-        if (ctx.response.status === 412 || ctx.response.status === 304) {
-          logger.info(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`, { baseEntity: ctx?.routeObj?.baseEntity })
+        if (ctx.response.status === 401 && !ctx.request.headers.get('authorization')) {
+          logger.warn(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`, { baseEntity: ctx?.routeObj?.baseEntity })
         } else if (ctx.response.status === 404) {
           logger.warn(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`, { baseEntity: ctx?.routeObj?.baseEntity })
+        } else if (ctx.response.status === 412 || ctx.response.status === 304) {
+          logger.info(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`, { baseEntity: ctx?.routeObj?.baseEntity })
         } else logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`, { baseEntity: ctx?.routeObj?.baseEntity })
       } else logger.info(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${ctx.response.status} ${userName} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`, { baseEntity: ctx?.routeObj?.baseEntity })
     }
@@ -596,19 +599,16 @@ export class ScimGateway {
     // start auth methods - used by auth
     const basic = async (baseEntity: string, method: string, authType: string, authToken: string, path: string): Promise<boolean> => {
       return await new Promise((resolve, reject) => { // basic auth
-        if (authType !== 'Basic') resolve(false)
-        if (!found.Basic) resolve(false)
-        if (found.PassThrough && this.authPassThroughAllowed && !path.endsWith('/logger')) resolve(false) // Auth PassThrough browser logon dialog support
+        if (!found.Basic) return resolve(false)
+        if (authType !== 'Basic' || !authToken) return resolve(false)
+        if (found.PassThrough && this.authPassThroughAllowed && !path.endsWith('/logger')) return resolve(false) // Auth PassThrough browser logon dialog support
         const [userName, userPassword] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
-        if (!userName || !userPassword) {
-          return reject(new Error(`authentication failed for user ${userName}`))
-        }
+        if (!userName || !userPassword) return resolve(false)
         const arr = this.config.scimgateway.auth.basic
         for (let i = 0; i < arr.length; i++) {
           if (arr[i].username === userName && arr[i].password === userPassword) { // authentication OK
             if (arr[i].baseEntities) {
               if (Array.isArray(arr[i].baseEntities) && arr[i].baseEntities.length > 0) {
-                if (!baseEntity) return reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].username} according to basic configuration baseEntitites=${arr[i].baseEntities}`))
                 if (!arr[i].baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].username} according to basic configuration baseEntitites=${arr[i].baseEntities}`))
               }
             }
@@ -616,20 +616,19 @@ export class ScimGateway {
             return resolve(true)
           }
         }
-        reject(new Error(`authentication failed for user ${userName}`))
+        resolve(false)
       })
     }
     const bearerToken = async (baseEntity: string, method: string, authType: string, authToken: string): Promise<boolean> => {
       return await new Promise((resolve, reject) => { // bearer token
-        if (authType !== 'Bearer' || !authToken) resolve(false)
-        if (!found.BearerToken) resolve(false)
+        if (!found.BearerToken) return resolve(false)
+        if (authType !== 'Bearer' || !authToken) return resolve(false)
         const arr = this.config.scimgateway.auth.bearerToken
         for (let i = 0; i < arr.length; i++) {
           if (arr[i].token === authToken) { // authentication OK
             if (arr[i].baseEntities) {
               if (Array.isArray(arr[i].baseEntities) && arr[i].baseEntities.length > 0) {
-                if (!baseEntity) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerToken according to bearerToken configuration baseEntitites=${arr[i].baseEntities}`))
                 if (!arr[i].baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerToken according to bearerToken configuration baseEntitites=${arr[i].baseEntities}`))
               }
             }
@@ -637,24 +636,29 @@ export class ScimGateway {
             return resolve(true)
           }
         }
-        reject(new Error('bearerToken authentication failed'))
+        resolve(false)
       })
     }
     const bearerJwtAzure = async (baseEntity: string, method: string, authType: string, authToken: string): Promise<boolean> => {
       return await new Promise((resolve, reject) => {
-        if (authType !== 'Bearer' || !found.BearerJwtAzure) resolve(false) // no azure bearer token
-        const jtoken: any = jwt.decode(authToken, { complete: true })
-        if (jtoken == null) resolve(false)
-        else if (!jtoken.payload['iss']) resolve(false)
-        if (jtoken?.payload['iss'].indexOf('https://sts.windows.net') !== 0) resolve(false)
+        if (!found.BearerJwtAzure) return resolve(false)
+        if (authType !== 'Bearer' || !authToken) return resolve(false)
+        let payload
+        try {
+          payload = jose.decodeJwt(authToken)
+          if (!payload || !payload.iss) return resolve(false)
+          if (!payload.iss.startsWith('https://sts.windows.net')) return resolve(false)
+        } catch (err: any) {
+          return resolve(false)
+        }
         const req = { headers: { authorization: `${authType} ${authToken}` } } // Node.js http.createServer type IncomingMessage - header supported by passport
         passport.authenticate('oauth-bearer', { session: false }, (err: any, user: any, info: any) => {
           if (err) { return reject(err) }
           if (user) { // authenticated OK
             const arr = this.config.scimgateway.auth.bearerJwtAzure
             for (let i = 0; i < arr.length; i++) {
-              if (arr[i].tenantIdGUID && jtoken?.payload['iss'].includes(arr[i].tenantIdGUID)) {
+              if (arr[i].tenantIdGUID && payload.iss.includes(arr[i].tenantIdGUID)) {
                 if (arr[i].baseEntities) {
                   if (Array.isArray(arr[i].baseEntities) && arr[i].baseEntities.length > 0) {
                     if (!baseEntity) return reject(new Error(`baseEntity=${baseEntity} not allowed for user ${arr[i].tenantIdGUID} according to bearerJwtAzure configuration baseEntitites=${arr[i].baseEntities}`))
@@ -670,89 +674,99 @@ export class ScimGateway {
       })
     }
-    const getJwksPemKey = async (kid: string, wellKnownUri: string): Promise<Array<any>> => { // retrieves "JSON Web Key Set" from well-known jwks_uri and returns the public key that corresponds with the access token kid value
-      if (!this.helperRest) this.helperRest = this.newHelperRest()
-      let res
-      try { // get issuer and jwks_uri from well-knonw uri
-        res = await this.helperRest.doRequest('undefined', 'GET', wellKnownUri)
-      } catch (err: any) {
-        logger.error(`${gwName}[${pluginName}] JWKS wellKnownUri=${wellKnownUri} error: ${err.message}`)
-        return []
-      }
-      if (!res?.body) return []
-      const issuer = res.body.issuer
-      const jwks_uri = res.body.jwks_uri
-      if (!issuer || !jwks_uri) {
-        logger.error(`${gwName}[${pluginName}] JWKS wellKnownUri=${wellKnownUri} error: found issuer=${issuer} and jwks_uri=${jwks_uri} - both should be found`)
-        return []
-      }
-      // JWKS
-      try { // get jwks that correspods with kid from jwks_uri
-        res = await this.helperRest.doRequest('undefined', 'GET', jwks_uri)
-      } catch (err: any) {
-        logger.error(`${gwName}[${pluginName}] JWKS jwks_uri=${jwks_uri} error: ${err.message}`)
-        return []
-      }
-      if (!res || !Array.isArray(res?.body?.keys)) return []
-      const keys = res.body.keys.filter((k: any) => k.kid === kid)
-      if (keys.length !== 1) return []
-      try {
-        return [jwkToPem(keys[0]), issuer, keys[0].alg]
-      } catch (err: any) {
-        return []
-      }
-    }
-    const jwtVerify = async (baseEntity: string, method: string, el: Record<string, any>, authToken: string, kid?: string): Promise<boolean> => { // used by bearerJwt
+    const jwtVerify = async (baseEntity: string, method: string, el: Record<string, any>, authToken: string): Promise<boolean> => { // used by bearerJwt
       try {
-        jwt.verify(authToken, (el.secret) ? el.secret : el.publicKeyContent, el.options)
+        if (el.wellKnownUri) {
+          if (!el.jwks) {
+            if (!this.helperRest) this.helperRest = this.newHelperRest()
+            let res
+            try { // get issuer and jwks_uri from well-knonw uri
+              res = await this.helperRest.doRequest('undefined', 'GET', el.wellKnownUri)
+            } catch (err: any) {
+              throw new Error(`JWKS wellKnownUri=${el.wellKnownUri} error: ${err.message}`)
+            }
+            if (!res?.body) throw new Error(`JWKS wellKnownUri=${el.wellKnownUri} error: response missing data`)
+            const issuer = res.body.issuer
+            const jwks_uri = res.body.jwks_uri
+            if (!issuer || !jwks_uri) {
+              throw new Error(`JWKS wellKnownUri=${el.wellKnownUri} error: found issuer=${issuer} and jwks_uri=${jwks_uri} - both should be found`)
+            }
+            if (!el.options) el.options = {}
+            el.options.issuer = issuer
+            el.jwks = jose.createRemoteJWKSet(new URL(jwks_uri)) // will automatically reload the JWKS when verification fails due to an unknown kid
+          }
+          await jose.jwtVerify(authToken, el.jwks, el.options)
+        } else {
+          if (el.secret && !el.secretEncoded) {
+            el.secretEncoded = new TextEncoder().encode(el.secret)
+            if (!el.options) el.options = {}
+            el.options.algorithms = ['HS256', 'HS384', 'HS512'] // symmetric algorithms when using secret
+          }
+          await jose.jwtVerify(authToken, (el.secretEncoded) ? el.secretEncoded : el.publicKeyObj, el.options)
+        }
         if (Array.isArray(el?.baseEntities) && el.baseEntities.length > 0) {
           if (!el.baseEntities.includes(baseEntity)) return false
         }
         if (el.readOnly === true && method !== 'GET') return false
         return true // authorization OK
       } catch (err: any) {
-        if (!el.wellKnownUri) throw new Error(`JWT error: ${err.message}`)
-        // using wellKnownUri - JWKS and external public certificate - try once again we might have an updated certificate (key)
-        if (!kid) throw new Error(`JWKS error: missing kid`)
-        const [pemKey, issuer, alg] = await getJwksPemKey(kid, el.wellKnownUri)
-        if (!pemKey) throw new Error('JWKS error: no external public certificate found')
-        el.publicKeyContent = pemKey
-        if (!el.options) el.options = {}
-        if (issuer) el.options.issuer = issuer
-        if (alg) el.options.algorithms = [alg]
-        try {
-          jwt.verify(authToken, el.publicKeyContent, el.options)
-          if (Array.isArray(el?.baseEntities) && el.baseEntities.length > 0) {
-            if (!el.baseEntities.includes(baseEntity)) return false
-          }
-          if (el.readOnly === true && method !== 'GET') return false
-          return true // authorization OK
-        } catch (err: any) {
-          throw new Error(`JWKS error: ${err.message}`)
-        }
+        throw new Error(`JWT error: ${err.message}`)
       }
     }
     const bearerJwt = async (baseEntity: string, method: string, authType: string, authToken: string): Promise<boolean> => {
-      if (authType !== 'Bearer' || !found.BearerJwt) return false // no standard jwt bearer token
-      const jtoken: any = jwt.decode(authToken, { complete: true })
-      if (!jtoken) return false
-      if (jtoken?.payload['iss'] && jtoken?.payload['iss'].indexOf('https://sts.windows.net') === 0) return false // azure - handled by bearerJwtAzure
+      if (!found.BearerJwt) return false
+      if (authType !== 'Bearer' || !authToken) return false
+      let payload
+      try {
+        payload = jose.decodeJwt(authToken)
+        if (!payload) return false
+      } catch (err: any) {
+        return false
+      }
+      if (payload.iss && payload.iss.indexOf('https://sts.windows.net') === 0) return false // azure - handled by bearerJwtAzure
+      if (found.BearerOAuth) {
+        const a = this.config.scimgateway.auth.bearerOAuth
+        const confObjs = a.filter((o: any) => o.clientId === payload.aud)
+        if (confObjs.length > 0) return false // jwt handled by bearerOauth
+      }
+      const errs: Array<string> = []
       const arr = this.config.scimgateway.auth.bearerJwt
       for (let i = 0; i < arr.length; i++) {
-        if (await jwtVerify(baseEntity, method, arr[i], authToken, jtoken?.header?.kid) === true) return true
+        try {
+          if (await jwtVerify(baseEntity, method, arr[i], authToken) === true) return true
+        } catch (err: any) {
+          errs.push(err.message)
+        }
       }
-      throw new Error('JWT authentication failed')
+      if (errs.length > 0) throw new Error(errs.join(' == NextConfigValidation ==> '))
+      return false
     }
     const bearerOAuth = async (baseEntity: string, method: string, authType: string, authToken: string): Promise<boolean> => {
-      return await new Promise((resolve, reject) => { // bearer token
-        if (authType !== 'Bearer' || !authToken) resolve(false)
-        if (!found.BearerOAuth || !authToken) resolve(false)
+      return await new Promise(async (resolve, reject) => { // bearer token
+        if (!found.BearerOAuth) return resolve(false)
+        if (authType !== 'Bearer' || !authToken) return resolve(false)
         // this.config.scimgateway.auth.oauthTokenStore is autmatically generated by token create having syntax:
         // { this.config.scimgateway.auth.oauthTokenStore: <token>: { expireDate: <timestamp>, readOnly: <copy-from-config>, baseEntities: [ <copy-from-config> ], isTokenRequested: true }}
+        let payload
+        try {
+          payload = jose.decodeJwt(authToken)
+          if (!payload || payload.iss !== 'SCIM Gateway' || !payload.aud || !payload.sub) return resolve(false)
+        } catch (err: any) {
+          return resolve(false)
+        }
         const arr = this.config.scimgateway.auth.bearerOAuth
+        const confObjs = arr.filter((o: any) => o.clientId === payload.aud)
+        if (confObjs.length !== 1) return resolve(false)
+        try {
+          await jose.jwtVerify(authToken, new TextEncoder().encode(confObjs[0].clientSecret), { algorithms: ['HS256'] })
+          authToken = payload.sub
+        } catch (err: any) {
+          return resolve(false)
+        }
         if (this.config.scimgateway.auth.oauthTokenStore[authToken]) { // authentication OK
           const tokenObj = this.config.scimgateway.auth.oauthTokenStore[authToken]
           if (Date.now() > tokenObj.expireDate) {
@@ -763,10 +777,10 @@ export class ScimGateway {
           }
           if (tokenObj.baseEntities) {
             if (Array.isArray(tokenObj.baseEntities) && tokenObj.baseEntities.length > 0) {
-              if (!tokenObj.baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed for this bearerOAuth according to bearerOAuth configuration baseEntitites=${tokenObj.baseEntities}`))
+              if (!tokenObj.baseEntities.includes(baseEntity)) return reject(new Error(`baseEntity=${baseEntity} not allowed according to bearerOAuth configuration baseEntitites=${tokenObj.baseEntities}`))
             }
           }
-          if (tokenObj.readOnly === true && method !== 'GET') return reject(new Error('only allowing readOnly for this bearerOAuth according to bearerOAuth configuration readOnly=true'))
+          if (tokenObj.readOnly === true && method !== 'GET') return reject(new Error('only allowing readOnly according to bearerOAuth configuration readOnly=true'))
           return resolve(true)
         } else {
           for (let i = 0; i < arr.length; i++) { // resolve if token memory store have been cleared because of a gateway restart
@@ -791,7 +805,7 @@ export class ScimGateway {
             }
           }
         }
-        reject(new Error('OAuth authentication failed'))
+        resolve(false)
       })
     }
@@ -816,8 +830,10 @@ export class ScimGateway {
     const isAuthorized = async (ctx: Context): Promise<boolean> => { // authentication/authorization
       const [authType, authToken] = (ctx.request.headers.get('authorization') || '').split(' ') // [0] = 'Basic' or 'Bearer'
-      try { // authenticate
-        const arrResolve = await Promise.all([
+      let arrResolve: boolean[] = []
+      try {
+        // authenticate
+        arrResolve = await Promise.all([
           basic(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken, ctx.path),
           bearerToken(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken),
           bearerJwtAzure(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken),
@@ -825,22 +841,6 @@ export class ScimGateway {
           bearerOAuth(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken),
           authPassThrough(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken, ctx.path),
         ])
-          .catch((err) => { throw (err) })
-        for (const i in arrResolve) {
-          if (arrResolve[i] === true) return true // auth OK - continue with routes
-        }
-        // all false - invalid auth method or missing pluging config
-        let err: Error
-        if (authType.length < 1) err = new Error(`${ctx.request.url} request is missing authentication information`)
-        else {
-          err = new Error(`${ctx.request.url} request having unsupported authentication or plugin configuration is missing`)
-          logger.debug(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] request authToken = ${authToken}`, { baseEntity: ctx?.routeObj?.baseEntity })
-          logger.debug(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] request jwt.decode(authToken) = ${JSON.stringify(jwt.decode(authToken))}`, { baseEntity: ctx?.routeObj?.baseEntity })
-        }
-        if (authType === 'Bearer') ctx.response.headers.set('WWW-Authenticate', 'Bearer realm=""')
-        else if (found.Basic) ctx.response.headers.set('WWW-Authenticate', 'Basic realm=""')
-        if (ctx.request.url !== '/favicon.ico' && !ctx.request.url.startsWith('/apple-touch-icon')) logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${err.message}`, { baseEntity: ctx?.routeObj?.baseEntity })
-        return false
       } catch (err: any) {
         if (authType === 'Bearer') {
           let str = 'realm=""'
@@ -855,19 +855,30 @@ export class ScimGateway {
               ctx.response.body = JSON.stringify(errMsg)
             }
           }
-          ctx.response.headers.set('WWW-Authenticate', `Bearer ${str}`)
-        } else ctx.response.headers.set('WWW-Authenticate', 'Basic realm=""')
-        if (pwErrCount < 3) {
-          pwErrCount += 1
-          logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ctx.request.url} ${err.message}`, { baseEntity: ctx?.routeObj?.baseEntity })
-        } else { // delay brute force attempts
-          logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ctx.request.url} ${err.message} => delaying response with 2 minutes to prevent brute force`, { baseEntity: ctx?.routeObj?.baseEntity })
-          await new Promise((resolve) => {
-            setTimeout(() => { resolve(null) }, 1000 * 60 * 2)
-          })
-        }
+          ctx.response.headers.set('www-authenticate', `Bearer ${str}`)
+        } else ctx.response.headers.set('www-authenticate', 'Basic realm=""')
+        logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${err.message}`)
         return false
       }
+      for (const i in arrResolve) {
+        if (arrResolve[i] === true) return true // auth OK - continue with routes
+      }
+      // all auth validations failed
+      if (!authToken) {
+        if (found.Basic && ctx.request.headers.has('sec-fetch-dest')) ctx.response.headers.set('www-authenticate', 'Basic realm=""')
+        return false
+      }
+      if (authType === 'Bearer') ctx.response.headers.set('www-authenticate', 'Bearer realm=""')
+      else ctx.response.headers.set('www-authenticate', 'Basic realm=""')
+      if (pwErrCount < 3) pwErrCount += 1
+      else { // delay brute force attempts
+        const delay = (this.config.scimgateway.idleTimeout || 120) - 5
+        logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ctx.request.url} => max authentication failures reached, delaying response with ${delay} seconds to prevent brute force`, { baseEntity: ctx?.routeObj?.baseEntity })
+        await new Promise((resolve) => {
+          setTimeout(() => { resolve(null) }, 1000 * delay)
+        })
+      }
+      return false
     }
     const ipAllowList = (ipAddr: string): boolean => {
@@ -962,11 +973,66 @@ export class ScimGateway {
       )
     }
+    // oauth well-known: /oauth/.well-known/openid-configuration
+    // this.jwk is managed by helper-rest oauthJwtBearer - Entra ID Federated Identity
+    // {issuer: <scimgateway-baseUrl>/oauth, <federated-identity-unique-name>: {privateKey, publicKey}}
+    // example issuer: https://scimgateway.my-company.com/oauth
+    const getHandlerOauthWellKnown = async (ctx: Context) => {
+      const baseEntity = ctx.routeObj.baseEntity
+      logger.debug(`${gwName}[${pluginName}][${baseEntity}] [oauth] .well-known request`)
+      if (!this.jwk || !this.jwk[baseEntity] || !this.jwk[baseEntity].issuer) {
+        ctx.response.body = '{}'
+        ctx.response.status = 200
+        return ctx
+      }
+      const issuer = this.jwk[baseEntity].issuer //  dynamic set by helper-rest oauthJwtBearer e.g. 'https://scimgateway.my-company.com/oauth'
+      let body = {
+        issuer,
+        jwks_uri: issuer + '/certs',
+      }
+      ctx.response.body = JSON.stringify(body)
+      ctx.response.status = 200
+    }
+    // oauth JWKS: /oauth/certs
+    // this.jwk is managed by helper-rest oauthJwtBearer - Entra ID Federated Identity
+    // {issuer: <scimgateway-baseUrl>/oauth, <federated-identity-unique-name>: {privateKey, publicKey}}
+    const getHandlerOauthCerts = async (ctx: Context) => {
+      const baseEntity = ctx.routeObj.baseEntity
+      logger.debug(`${gwName}[${pluginName}][${baseEntity}] [oauth] jwks_uri certs request`)
+      if (!this.jwk || !this.jwk[baseEntity]) {
+        ctx.response.body = '{"keys":[]}'
+        ctx.response.status = 200
+        return ctx
+      }
+      const keys: Array<Record<string, any>> = []
+      for (const name in this.jwk[baseEntity]) {
+        const keyObj = this.jwk[baseEntity][name]
+        if (typeof keyObj !== 'object' || keyObj === null) continue // skip issuer
+        const jwk = await jose.exportJWK(this.jwk[baseEntity][name].publicKey)
+        jwk.kid = createHash('sha256') // needed for JWKS
+          .update(JSON.stringify(jwk))
+          .digest('base64url')
+        keys.push(jwk)
+      }
+      let body = {
+        keys,
+      }
+      ctx.response.body = JSON.stringify(body)
+      ctx.response.status = 200
+    }
     // oauth token request, POST /oauth/token
     const postHandlerOauthToken = async (ctx: Context) => {
-      logger.debug(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] [oauth] token request`, { baseEntity: ctx?.routeObj?.baseEntity })
+      const baseEntity = ctx.routeObj.baseEntity
+      logger.debug(`${gwName}[${pluginName}][${baseEntity}] [oauth] token request`)
       if (!found.BearerOAuth) {
-        logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] [oauth] token request, but plugin is missing auth.bearerOAuth configuration`, { baseEntity: ctx?.routeObj?.baseEntity })
+        logger.error(`${gwName}[${pluginName}][${baseEntity}] [oauth] token request, but plugin is missing auth.bearerOAuth configuration`)
         ctx.response.status = 500
         return
       }
@@ -974,7 +1040,7 @@ export class ScimGateway {
       try {
         if (!jsonBody) throw new Error('missing body')
         if (typeof jsonBody !== 'object') { // might have application/x-www-form-urlencoded or multipart/form-data body, but incorrect Content-Type header
-          logger.debug(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] [oauth] continue request validation even though incorrect body vs header Content-Type: ${ctx.request.headers.get('content-type')}`, { baseEntity: ctx?.routeObj?.baseEntity })
+          logger.debug(`${gwName}[${pluginName}][${baseEntity}] [oauth] continue request validation even though incorrect body vs header Content-Type: ${ctx.request.headers.get('content-type')}`)
           let body = utils.formUrlEncodedToJSON(jsonBody)
           if (Object.keys(body).length < 1) {
             body = utils.formDataMultipartToJSON(jsonBody)
@@ -985,7 +1051,7 @@ export class ScimGateway {
         }
         jsonBody = utils.copyObj(jsonBody) // no changes to original
       } catch (err: any) {
-        logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] [oauth] token request error: ${err.message}`, { baseEntity: ctx?.routeObj?.baseEntity })
+        logger.error(`${gwName}[${pluginName}][${baseEntity}] [oauth] token request error: ${err.message}`)
         ctx.response.status = 401
         return
       }
@@ -1016,6 +1082,9 @@ export class ScimGateway {
         for (let i = 0; i < arr.length; i++) {
           if (!arr[i].clientId || !arr[i].clientSecret) continue
           if (arr[i].clientId === jsonBody.client_id && arr[i].clientSecret === jsonBody.client_secret) { // authentication OK
+            if (Array.isArray(arr[i].baseEntities) && arr[i].baseEntities.length > 0) {
+              if (!arr[i].baseEntities.includes(baseEntity)) continue
+            }
             token = utils.getEncrypted(jsonBody.client_secret, jsonBody.client_secret)
             baseEntities = utils.copyObj(arr[i].baseEntities)
             if (arr[i].readOnly && arr[i].readOnly === true) readOnly = true
@@ -1027,7 +1096,7 @@ export class ScimGateway {
         }
         if (!token) {
           err = 'invalid_client'
-          errDescr = 'incorrect or missing client_id/client_secret'
+          errDescr = 'incorrect or missing client_id/client_secret or baseEntity'
           if (pwErrCount < 3) {
             pwErrCount += 1
           } else { // delay brute force attempts
@@ -1068,11 +1137,26 @@ export class ScimGateway {
         baseEntities,
       }
+      const jwtPayload: jose.JWTPayload = {
+        iss: 'SCIM Gateway',
+        aud: jsonBody.client_id,
+        sub: token,
+        iat: Math.floor(Date.now() / 1000) - 60,
+        exp: Math.floor(Date.now() / 1000) + expires,
+      }
+      const jwtHeaders = {
+        alg: 'HS256',
+        typ: 'JWT',
+      }
+      const jwt = await new jose.SignJWT(jwtPayload)
+        .setProtectedHeader(jwtHeaders)
+        .sign(new TextEncoder().encode(jsonBody.client_secret))
       const tx = {
-        access_token: token,
+        access_token: jwt,
         token_type: 'Bearer',
         expires_in: expires,
-        refresh_token: token, // ignored by scimgateway, but maybe used by client
+        refresh_token: jwt, // ignored by scimgateway, but maybe used by client
       }
       ctx.response.headers.set('Cache-Control', 'no-store')
@@ -2507,11 +2591,15 @@ export class ScimGateway {
         baseEntity = 'undefined'
       }
       if (handle) handle = handle.toLowerCase()
-      if (!handlers.includes(handle) || rest) { // rest => too many path elements
+      if (!handlers.includes(handle)) {
         baseEntity = ''
         handle = ''
         id = ''
         rest = ''
+      } else if (rest) { // too many path elements - keep baseEntity only
+        handle = ''
+        id = ''
+        rest = ''
       }
       // bodyParser
@@ -2585,9 +2673,19 @@ export class ScimGateway {
           return ctx
         }
       }
+      if (ctx.request.method === 'GET' && ctx.path.endsWith('/oauth/.well-known/openid-configuration')) {
+        await getHandlerOauthWellKnown(ctx)
+        if (!ctx.response.status) ctx.response.status = 404
+        return ctx
+      }
+      if (ctx.request.method === 'GET' && ctx.path.endsWith('/oauth/certs')) {
+        await getHandlerOauthCerts(ctx)
+        if (!ctx.response.status) ctx.response.status = 404
+        return ctx
+      }
       // validation
-      if (ctx.request.method === 'POST' && ctx.path === '/oauth/token') {
+      if (ctx.request.method === 'POST' && ctx.path.endsWith('/oauth/token')) {
         await postHandlerOauthToken(ctx)
         if (!ctx.response.status) ctx.response.status = 401 // Unauthorized
       } else if (!ctx.routeObj.handle) {
@@ -3173,26 +3271,22 @@ export class ScimGateway {
       logger.info(`${gwName}[${pluginName}] now stopping...`)
       await logger.close()
       if (server) {
-        if (typeof Bun !== 'undefined') {
+        if (typeof server.stop === 'function') { // Bun
           server.stop(true)
-        }
-      }
-      if (server) {
-        if (typeof Bun !== 'undefined') {
           await Bun.sleep(400) // give in-flight requests a chance to complete, also plugins may use SIGTERM/SIGINT
           server.stop()
           process.exit(0)
-        } else {
-          server.close(function () {
-            setTimeout(function () { // plugins may also use SIGTERM/SIGINT
+        } else if (typeof server.close === 'function') { // Node.js
+          server.close(() => {
+            setTimeout(() => { // plugins may use SIGTERM/SIGINT
               process.exit(0)
             }, 0.5 * 1000)
           })
-          setTimeout(function () { // problem closing server connections in time due to keep-alive sessions (active browser connection?), now forcing exit
-            process.exit(1)
-          }, 2 * 1000)
         }
       }
+      setTimeout(() => { // safety net
+        process.exit(1)
+      }, 2 * 1000)
     }
     process.setMaxListeners(Infinity)
@@ -3612,8 +3706,9 @@ Content-Transfer-Encoding: quoted-printable
           keyFile = dotConfig[key]
         }
         dotConfig[key] = keyFile
-        const addKey = key.replace(`.${lastKey}`, '.publicKeyContent')
-        dotConfig[addKey] = fs.readFileSync(keyFile)
+        const addKey = key.replace(`.${lastKey}`, '.publicKeyObj')
+        const pem = fs.readFileSync(keyFile)
+        dotConfig[addKey] = createPublicKey(pem)
       } else if (key.endsWith('.serviceAccountKeyFile')) { // Google Service Account Key json-file
         let keyFile = path.join(this.configDir, '/certs/', dotConfig[key])
         if (dotConfig[key].startsWith('/') || dotConfig[key].includes('\\')) {

package/lib/utils.ts CHANGED Viewed

@@ -673,8 +673,11 @@ export const formDataMultipartToJSON = function (body?: string, boundary?: strin
  */
 export const getBase64CertificateThumbprint = function (pemCertContent: string, shaVersion: 'sha1' | 'sha256' = 'sha1'): string {
   if (!pemCertContent) return ''
-  const certMatch = pemCertContent.match(/-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/)
-  if (!certMatch) return ''
+  let certMatch = pemCertContent.match(/-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/)
+  if (!certMatch) {
+    certMatch = pemCertContent.match(/-----BEGIN PUBLIC KEY-----([\s\S]+?)-----END PUBLIC KEY-----/)
+    if (!certMatch) return ''
+  }
   const certBase64 = certMatch[1].replace(/\s+/g, '') // remove whitespace and newlines
   const certDer = Buffer.from(certBase64, 'base64') // decode the PEM to DER (Base64 decode)
   const hash = crypto.createHash(shaVersion).update(certDer).digest() // compute the SHA-256 hash of the DER
@@ -696,9 +699,9 @@ export const getBase64CertificateThumbprint = function (pemCertContent: string,
 export const getEtag = function (obj: Record<string, any>): string {
   if (typeof obj !== 'object' || obj === null) return ''
   const hash = crypto
-    .createHash('md5')
+    .createHash('sha256')
     .update(JSON.stringify(obj), 'utf8')
-    .digest('base64')
+    .digest('base64url')
     .substring(0, 22)
   let eTag = ''

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.4.4",
+  "version": "5.5.0",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
@@ -47,8 +47,7 @@
     "https-proxy-agent": "^7.0.6",
     "hyco-https": "^1.4.5",
     "is-in-subnet": "^4.0.1",
-    "jsonwebtoken": "^9.0.2",
-    "jwk-to-pem": "^2.0.7",
+    "jose": "^6.0.11",
     "ldapjs": "^3.0.7",
     "lokijs": "^1.5.12",
     "mongodb": "^6.16.0",
@@ -62,11 +61,10 @@
     "typescript": "^5.6.3"
   },
   "devDependencies": {
-    "@stylistic/eslint-plugin": "^4.4.0",
+    "@stylistic/eslint-plugin": "^5.1.0",
     "@types/bun": "latest",
     "@types/dot-object": "^2.1.6",
     "@types/jsonwebtoken": "^9.0.9",
-    "@types/jwk-to-pem": "^2.0.3",
     "@types/node": "latest",
     "@types/nodemailer": "^6.4.17",
     "@types/passport": "^1.0.17",