scimgateway 5.5.0 → 5.5.2

package/README.md

@@ -738,16 +738,16 @@ Example Entra ID (plugin-entra-id) using federated credentials:
 	    "options": {
 	      "tenantIdGUID": "<tenantId>",
 	      "fedCred": {
-	        "issuer": "<https://FQDN-scimgateway/oauth>",
+	        "issuer": "<https://FQDN-scimgateway>",
 	        "subject": "<entra id application object id - client id>",
 	        "name": "<entra id federated credentials unique name>"
 	      }
 	    }
 	  }
 	}
-	// Note: Federated credentials defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name`
-	// example issuer: "https://scimgateway.my-company.com/oauth" and must be reachable from the internet
-	// exampole name: "plugin-entra-id"
+  	// Note, fedCred configuration must match corresponding configuration in Entra ID Application - Certificates & Secrets - Federated credentials - scenario "Other issuer"	
+	// example issuer: "https://scimgateway.my-company.com" note, this scimgateway base URL must be reachable from the internet
+	// example name: "plugin-entra-id"
 
 
 Example using general OAuth:  
@@ -1491,6 +1491,23 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log
 
+### v5.5.2
+
+[Improved]
+
+- Entra ID Federated Identity Credentials introduced in v5.5.0, the issuer configuration should be scimgateway base URL  
+	old: `"issuer": "<https://FQDN-scimgateway>/oauth"`  
+	new: `"issuer": "<https://FQDN-scimgateway>"`  
+
+	Change log v5.5.0 have been corrected with the new issuer having base URL only
+	
+
+### v5.5.1
+
+[Fixed]
+
+- 401 Unauthorized response did include scim-formatted error message when using `helper-rest` and authentication `PassThrough`. 401 should not include scim-formatted error message
+
 ### v5.5.0
 
 [Improved]
@@ -1504,7 +1521,7 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 		  "options": {
 		    "tenantIdGUID": "<Entra ID tenantIdGUID",
 		    "fedCred": {
-		      "issuer": "<https://FQDN-scimgateway/oauth>",
+		      "issuer": "<https://FQDN-scimgateway>",
 		      "subject": "<entra id application object id - client id>",
 		      "name": "<entra id federated credentials unique name>"
 		    }
@@ -1518,18 +1535,17 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 		  "options": {
 		    "tenantIdGUID": "11111111-2222-3333-4444-555555555555",
 		    "fedCred": {
-		      "issuer": "https://scimgateway.my-company.com/oauth>",
+		      "issuer": "https://scimgateway.my-company.com",
 		      "subject": "99999999-8888-7777-6666-555555555555",
 		      "name": "plugin-entra-id"
 		    }
 		  }
 		}
 
-	Note: Federated credentials defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name` values defined in the SCIM Gateway endpoint configuration. An example of this can be using `plugin-entra-id` and other plugins that interact with endpoints or applications protected by Entra ID.
+	Note: Federated credentials (scenario "Other issuer") defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name` values defined in the SCIM Gateway endpoint configuration. An example of this can be using `plugin-entra-id` and other plugins that interact with endpoints or applications protected by Entra ID.
 
 	Also note: SCIM Gateway must be reachable from the internet (as defined by the `issuer` URL). This requires allowing inbound internet communication — or alternatively, Azure Relay can be used for outbound-only communication.
 
-
 ### v5.4.4
 
 [Improved]

package/lib/helper-rest.ts

@@ -154,27 +154,9 @@ export class HelperRest {
 
           if (tenantIdGUID) { // Microsoft Entra ID
             if (this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer) { // federated credentials
-              const name = JSON.stringify(this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.name) // ensure not using none valid json key
-              if (!this.scimgateway.jwk) this.scimgateway.jwk = {}
-              if (!this.scimgateway.jwk[baseEntity]) this.scimgateway.jwk[baseEntity] = {}
-              if (!this.scimgateway.jwk[baseEntity][name]) {
-                const { publicKey, privateKey } = await jose.generateKeyPair('RS256')
-                this.scimgateway.jwk[baseEntity][name] = { publicKey, privateKey }
-                const ttl = 5 * 60 // 5 minutes
-                ;(async () => {
-                  // rotate - delete JWK after 5 minutes, will be regenerated on next token request
-                  // entra id only lookup well-known uri and corresponding jwks_uri on token request validation if kid not found in entra cached JWKS
-                  setTimeout(async () => {
-                    delete this.scimgateway.jwk[baseEntity][name]
-                  }, ttl * 1000)
-                })()
-              }
-
-              this.scimgateway.jwk[baseEntity].issuer = this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer // updates .well-known
-
               const now = Date.now()
               const jwtPayload: jose.JWTPayload = {
-                iss: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer, // entra id federated credentials issuer e.g. https://scimgateway.my-company.com/oauth
+                iss: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer, // entra id federated credentials issuer - scimgateway base URL, e.g. https://scimgateway.my-company.com
                 sub: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.subject, // entra id application object id - client id
                 name: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.name, // entra id federated credentials unique name e.g. plugin-entra-id
                 aud: 'api://AzureADTokenExchange', // entra id federated credentials audience
@@ -188,7 +170,8 @@ export class HelperRest {
                 ...jwtPayload,
               }
 
-              const jwk = await jose.exportJWK(this.scimgateway.jwk[baseEntity][name].publicKey)
+              const { publicKey, privateKey } = await jose.generateKeyPair('RS256')
+              const jwk = await jose.exportJWK(publicKey)
               const kid = createHash('sha256') // kid required for JWKS
                 .update(JSON.stringify(jwk))
                 .digest('base64url')
@@ -206,8 +189,22 @@ export class HelperRest {
                 client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
                 client_assertion: await new jose.SignJWT(jwtClaims)
                   .setProtectedHeader(jwtHeaders)
-                  .sign(this.scimgateway.jwk[baseEntity][name].privateKey),
+                  .sign(privateKey),
+              }
+
+              // keep JWK for 5 minutes, will be regenerated on next token request
+              // entra id only lookup well-known uri and corresponding jwks_uri on token request validation if kid not found in entra cached JWKS
+              if (!this.scimgateway.jwk) this.scimgateway.jwk = {}
+              if (!this.scimgateway.jwk[kid]) {
+                this.scimgateway.jwk[kid] = { publicKey, privateKey }
+                const ttl = 5 * 60
+                ;(async () => {
+                  setTimeout(async () => {
+                    delete this.scimgateway.jwk[kid]
+                  }, ttl * 1000)
+                })()
               }
+              this.scimgateway.jwk.issuer = this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer // all baseEntities should use same issuer
             } else { // standard certificate
               if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tls?.cert) {
                 throw new Error(`auth type '${this.config_entity[baseEntity]?.connection?.auth?.type}' - missing options.tls.key/cert configuration`)
@@ -918,13 +915,13 @@ export class HelperRest {
   * }
   * 
   * // Microsoft Entra ID - using Federated credentials
-  * // Note, fedCred configuration must match corresponding configuration in Entra ID Application - Federation credentials 
+  * // Note, fedCred configuration must match corresponding configuration in Entra ID Application - Certificates & Secrets - Federated credentials - scenario "Other issuer"
   * {
   *   "type": "oauthJwtBearer",
   *   "options": {
   *     "tenantIdGUID": "<Entra ID tenantIdGUID",
   *     "fedCred": {
-  *       "issuer": "<https://FQDN-scimgateway/oauth>", // e.g. https://scimgateway.my-company.com/oauth
+  *       "issuer": "<https://FQDN-scimgateway", // scimgateway base URL, e.g. https://scimgateway.my-company.com
   *       "subject": "<entra id application object id - client id>",
   *       "name": "<entra id federated credentials unique name>" // e.g. plugin-entra-id
   *     }

package/lib/scimgateway.ts

@@ -486,7 +486,7 @@ export class ScimGateway {
       getMethod: 'getAppRoles',
     }
     /** handlers supported url paths */
-    const handlers = ['users', 'groups', 'bulk', 'serviceplans', 'approles', 'api', 'schemas', 'resourcetypes', 'serviceproviderconfig', 'serviceproviderconfigs', 'oauth', 'logger']
+    const handlers = ['users', 'groups', 'bulk', 'serviceplans', 'approles', 'api', 'schemas', 'resourcetypes', 'serviceproviderconfig', 'serviceproviderconfigs', 'oauth', '.well-known', 'logger']
 
     try {
       if (!fs.existsSync(configDir + '/wsdls')) fs.mkdirSync(configDir + '/wsdls')
@@ -586,7 +586,7 @@ export class ScimGateway {
       }
 
       if (ctx.response.status && (ctx.response.status < 200 || ctx.response.status > 299)) {
-        if (ctx.response.status === 401 && !ctx.request.headers.get('authorization')) {
+        if (ctx.response.status === 401 && !ctx.request.headers.has('authorization')) {
           logger.warn(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`, { baseEntity: ctx?.routeObj?.baseEntity })
         } else if (ctx.response.status === 404) {
           logger.warn(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`, { baseEntity: ctx?.routeObj?.baseEntity })
@@ -597,11 +597,10 @@ export class ScimGateway {
     }
 
     // start auth methods - used by auth
-    const basic = async (baseEntity: string, method: string, authType: string, authToken: string, path: string): Promise<boolean> => {
+    const basic = async (baseEntity: string, method: string, authType: string, authToken: string): Promise<boolean> => {
       return await new Promise((resolve, reject) => { // basic auth
         if (!found.Basic) return resolve(false)
         if (authType !== 'Basic' || !authToken) return resolve(false)
-        if (found.PassThrough && this.authPassThroughAllowed && !path.endsWith('/logger')) return resolve(false) // Auth PassThrough browser logon dialog support
         const [userName, userPassword] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
         if (!userName || !userPassword) return resolve(false)
         const arr = this.config.scimgateway.auth.basic
@@ -819,7 +818,7 @@ export class ScimGateway {
       const obj = this.config.scimgateway.auth.passThrough
       if (obj.baseEntities) {
         if (Array.isArray(obj.baseEntities) && obj.baseEntities.length > 0) {
-          if (!baseEntity || !obj.baseEntities.includes(baseEntity)) throw new Error(`baseEntity=${baseEntity} not allowed for passThrough according to passThrough configuration baseEntitites=${obj.baseEntities}`)
+          if (!obj.baseEntities.includes(baseEntity)) throw new Error(`baseEntity=${baseEntity} not allowed for passThrough according to passThrough configuration baseEntitites=${obj.baseEntities}`)
         }
       }
       if (obj.readOnly === true && method !== 'GET') throw new Error('only allowing readOnly for passThrough according to passThrough configuration readOnly=true')
@@ -834,7 +833,7 @@ export class ScimGateway {
       try {
         // authenticate
         arrResolve = await Promise.all([
-          basic(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken, ctx.path),
+          basic(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken),
           bearerToken(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken),
           bearerJwtAzure(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken),
           bearerJwt(ctx.routeObj.baseEntity, ctx.request.method, authType, authToken),
@@ -973,53 +972,44 @@ export class ScimGateway {
       )
     }
 
-    // oauth well-known: /oauth/.well-known/openid-configuration
+    // oauth well-known: /.well-known/openid-configuration
     // this.jwk is managed by helper-rest oauthJwtBearer - Entra ID Federated Identity
-    // {issuer: <scimgateway-baseUrl>/oauth, <federated-identity-unique-name>: {privateKey, publicKey}}
-    // example issuer: https://scimgateway.my-company.com/oauth
+    // { issuer: <scimgateway-baseUrl>, kid: { privateKey, publicKey } }
+    // example issuer: https://scimgateway.my-company.com
     const getHandlerOauthWellKnown = async (ctx: Context) => {
-      const baseEntity = ctx.routeObj.baseEntity
-      logger.debug(`${gwName}[${pluginName}][${baseEntity}] [oauth] .well-known request`)
-
-      if (!this.jwk || !this.jwk[baseEntity] || !this.jwk[baseEntity].issuer) {
+      logger.debug(`${gwName}[${pluginName}] [oauth] .well-known request`)
+      if (!this.jwk || (Object.keys(this.jwk).length < 1)) {
         ctx.response.body = '{}'
         ctx.response.status = 200
         return ctx
       }
-
-      const issuer = this.jwk[baseEntity].issuer //  dynamic set by helper-rest oauthJwtBearer e.g. 'https://scimgateway.my-company.com/oauth'
+      const issuer = this.jwk.issuer
       let body = {
         issuer,
-        jwks_uri: issuer + '/certs',
+        jwks_uri: issuer + '/.well-known/jwks.json',
       }
       ctx.response.body = JSON.stringify(body)
       ctx.response.status = 200
     }
 
-    // oauth JWKS: /oauth/certs
+    // oauth JWKS: /.well-known/jwks.json
     // this.jwk is managed by helper-rest oauthJwtBearer - Entra ID Federated Identity
-    // {issuer: <scimgateway-baseUrl>/oauth, <federated-identity-unique-name>: {privateKey, publicKey}}
-    const getHandlerOauthCerts = async (ctx: Context) => {
-      const baseEntity = ctx.routeObj.baseEntity
-      logger.debug(`${gwName}[${pluginName}][${baseEntity}] [oauth] jwks_uri certs request`)
-
-      if (!this.jwk || !this.jwk[baseEntity]) {
+    // { issuer: <scimgateway-baseUrl>, kid: { privateKey, publicKey } }
+    const getHandlerOauthJwks = async (ctx: Context) => {
+      logger.debug(`${gwName}[${pluginName}] [oauth] jwks_uri request`)
+      if (!this.jwk || (Object.keys(this.jwk).length < 1)) {
         ctx.response.body = '{"keys":[]}'
         ctx.response.status = 200
         return ctx
       }
-
       const keys: Array<Record<string, any>> = []
-      for (const name in this.jwk[baseEntity]) {
-        const keyObj = this.jwk[baseEntity][name]
-        if (typeof keyObj !== 'object' || keyObj === null) continue // skip issuer
-        const jwk = await jose.exportJWK(this.jwk[baseEntity][name].publicKey)
-        jwk.kid = createHash('sha256') // needed for JWKS
-          .update(JSON.stringify(jwk))
-          .digest('base64url')
+      for (const kid in this.jwk) {
+        const keyObj = this.jwk[kid]
+        if (typeof keyObj !== 'object' || keyObj === null) continue
+        const jwk = await jose.exportJWK(this.jwk[kid].publicKey)
+        jwk.kid = kid // needed for JWKS
         keys.push(jwk)
       }
-
       let body = {
         keys,
       }
@@ -1100,11 +1090,12 @@ export class ScimGateway {
           if (pwErrCount < 3) {
             pwErrCount += 1
           } else { // delay brute force attempts
-            logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] [oauth] ${ctx.origin + ctx.path} ${errDescr} => delaying response with 2 minutes to prevent brute force`)
+            const delay = (this.config.scimgateway.idleTimeout || 120) - 5
+            logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] [oauth] ${ctx.origin + ctx.path} ${errDescr} => delaying response with ${delay} seconds to prevent brute force`)
             await new Promise((resolve) => {
               setTimeout(() => {
                 resolve(ctx)
-              }, 1000 * 60 * 2)
+              }, 1000 * delay)
             })
             ctx.response.status = 401
             return
@@ -2673,13 +2664,13 @@ export class ScimGateway {
           return ctx
         }
       }
-      if (ctx.request.method === 'GET' && ctx.path.endsWith('/oauth/.well-known/openid-configuration')) {
+      if (ctx.request.method === 'GET' && ctx.path.endsWith('/.well-known/openid-configuration')) {
         await getHandlerOauthWellKnown(ctx)
         if (!ctx.response.status) ctx.response.status = 404
         return ctx
       }
-      if (ctx.request.method === 'GET' && ctx.path.endsWith('/oauth/certs')) {
-        await getHandlerOauthCerts(ctx)
+      if (ctx.request.method === 'GET' && ctx.path.endsWith('/.well-known/jwks.json')) {
+        await getHandlerOauthJwks(ctx)
         if (!ctx.response.status) ctx.response.status = 404
         return ctx
       }
@@ -2766,6 +2757,14 @@ export class ScimGateway {
           if (!ctx.response.body) {
             ctx.response.body = 'Unauthorized'
             ctx.response.headers.set('content-type', 'text/plain')
+          } else {
+            try {
+              const b = JSON.parse(ctx.response.body)
+              if (b.schemas) { // 401 - do not return scim formatted error message e.g., using PassThrough
+                ctx.response.body = 'Unauthorized'
+                ctx.response.headers.set('content-type', 'text/plain')
+              }
+            } catch (err) { void 0 }
           }
           break
         case 403:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.5.0",
+  "version": "5.5.2",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",