scimgateway 5.5.1 → 5.5.2

package/README.md

@@ -738,16 +738,16 @@ Example Entra ID (plugin-entra-id) using federated credentials:
 	    "options": {
 	      "tenantIdGUID": "<tenantId>",
 	      "fedCred": {
-	        "issuer": "<https://FQDN-scimgateway/oauth>",
+	        "issuer": "<https://FQDN-scimgateway>",
 	        "subject": "<entra id application object id - client id>",
 	        "name": "<entra id federated credentials unique name>"
 	      }
 	    }
 	  }
 	}
-	// Note: Federated credentials defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name`
-	// example issuer: "https://scimgateway.my-company.com/oauth" and base URL must be reachable from the internet
-	// exampole name: "plugin-entra-id"
+  	// Note, fedCred configuration must match corresponding configuration in Entra ID Application - Certificates & Secrets - Federated credentials - scenario "Other issuer"	
+	// example issuer: "https://scimgateway.my-company.com" note, this scimgateway base URL must be reachable from the internet
+	// example name: "plugin-entra-id"
 
 
 Example using general OAuth:  
@@ -1491,6 +1491,17 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log
 
+### v5.5.2
+
+[Improved]
+
+- Entra ID Federated Identity Credentials introduced in v5.5.0, the issuer configuration should be scimgateway base URL  
+	old: `"issuer": "<https://FQDN-scimgateway>/oauth"`  
+	new: `"issuer": "<https://FQDN-scimgateway>"`  
+
+	Change log v5.5.0 have been corrected with the new issuer having base URL only
+	
+
 ### v5.5.1
 
 [Fixed]
@@ -1510,7 +1521,7 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 		  "options": {
 		    "tenantIdGUID": "<Entra ID tenantIdGUID",
 		    "fedCred": {
-		      "issuer": "<https://FQDN-scimgateway/oauth>",
+		      "issuer": "<https://FQDN-scimgateway>",
 		      "subject": "<entra id application object id - client id>",
 		      "name": "<entra id federated credentials unique name>"
 		    }
@@ -1524,14 +1535,14 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 		  "options": {
 		    "tenantIdGUID": "11111111-2222-3333-4444-555555555555",
 		    "fedCred": {
-		      "issuer": "https://scimgateway.my-company.com/oauth",
+		      "issuer": "https://scimgateway.my-company.com",
 		      "subject": "99999999-8888-7777-6666-555555555555",
 		      "name": "plugin-entra-id"
 		    }
 		  }
 		}
 
-	Note: Federated credentials defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name` values defined in the SCIM Gateway endpoint configuration. An example of this can be using `plugin-entra-id` and other plugins that interact with endpoints or applications protected by Entra ID.
+	Note: Federated credentials (scenario "Other issuer") defined for the application in Entra ID must match the corresponding `issuer`, `subject`, and `name` values defined in the SCIM Gateway endpoint configuration. An example of this can be using `plugin-entra-id` and other plugins that interact with endpoints or applications protected by Entra ID.
 
 	Also note: SCIM Gateway must be reachable from the internet (as defined by the `issuer` URL). This requires allowing inbound internet communication — or alternatively, Azure Relay can be used for outbound-only communication.
 

package/lib/helper-rest.ts

@@ -154,27 +154,9 @@ export class HelperRest {
 
           if (tenantIdGUID) { // Microsoft Entra ID
             if (this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer) { // federated credentials
-              const name = JSON.stringify(this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.name) // ensure not using none valid json key
-              if (!this.scimgateway.jwk) this.scimgateway.jwk = {}
-              if (!this.scimgateway.jwk[baseEntity]) this.scimgateway.jwk[baseEntity] = {}
-              if (!this.scimgateway.jwk[baseEntity][name]) {
-                const { publicKey, privateKey } = await jose.generateKeyPair('RS256')
-                this.scimgateway.jwk[baseEntity][name] = { publicKey, privateKey }
-                const ttl = 5 * 60 // 5 minutes
-                ;(async () => {
-                  // rotate - delete JWK after 5 minutes, will be regenerated on next token request
-                  // entra id only lookup well-known uri and corresponding jwks_uri on token request validation if kid not found in entra cached JWKS
-                  setTimeout(async () => {
-                    delete this.scimgateway.jwk[baseEntity][name]
-                  }, ttl * 1000)
-                })()
-              }
-
-              this.scimgateway.jwk[baseEntity].issuer = this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer // updates .well-known
-
               const now = Date.now()
               const jwtPayload: jose.JWTPayload = {
-                iss: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer, // entra id federated credentials issuer e.g. https://scimgateway.my-company.com/oauth
+                iss: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer, // entra id federated credentials issuer - scimgateway base URL, e.g. https://scimgateway.my-company.com
                 sub: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.subject, // entra id application object id - client id
                 name: this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.name, // entra id federated credentials unique name e.g. plugin-entra-id
                 aud: 'api://AzureADTokenExchange', // entra id federated credentials audience
@@ -188,7 +170,8 @@ export class HelperRest {
                 ...jwtPayload,
               }
 
-              const jwk = await jose.exportJWK(this.scimgateway.jwk[baseEntity][name].publicKey)
+              const { publicKey, privateKey } = await jose.generateKeyPair('RS256')
+              const jwk = await jose.exportJWK(publicKey)
               const kid = createHash('sha256') // kid required for JWKS
                 .update(JSON.stringify(jwk))
                 .digest('base64url')
@@ -206,8 +189,22 @@ export class HelperRest {
                 client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
                 client_assertion: await new jose.SignJWT(jwtClaims)
                   .setProtectedHeader(jwtHeaders)
-                  .sign(this.scimgateway.jwk[baseEntity][name].privateKey),
+                  .sign(privateKey),
+              }
+
+              // keep JWK for 5 minutes, will be regenerated on next token request
+              // entra id only lookup well-known uri and corresponding jwks_uri on token request validation if kid not found in entra cached JWKS
+              if (!this.scimgateway.jwk) this.scimgateway.jwk = {}
+              if (!this.scimgateway.jwk[kid]) {
+                this.scimgateway.jwk[kid] = { publicKey, privateKey }
+                const ttl = 5 * 60
+                ;(async () => {
+                  setTimeout(async () => {
+                    delete this.scimgateway.jwk[kid]
+                  }, ttl * 1000)
+                })()
               }
+              this.scimgateway.jwk.issuer = this.config_entity[baseEntity]?.connection?.auth?.options?.fedCred?.issuer // all baseEntities should use same issuer
             } else { // standard certificate
               if (!this.config_entity[baseEntity]?.connection?.auth?.options?.tls?.cert) {
                 throw new Error(`auth type '${this.config_entity[baseEntity]?.connection?.auth?.type}' - missing options.tls.key/cert configuration`)
@@ -918,13 +915,13 @@ export class HelperRest {
   * }
   * 
   * // Microsoft Entra ID - using Federated credentials
-  * // Note, fedCred configuration must match corresponding configuration in Entra ID Application - Federation credentials 
+  * // Note, fedCred configuration must match corresponding configuration in Entra ID Application - Certificates & Secrets - Federated credentials - scenario "Other issuer"
   * {
   *   "type": "oauthJwtBearer",
   *   "options": {
   *     "tenantIdGUID": "<Entra ID tenantIdGUID",
   *     "fedCred": {
-  *       "issuer": "<https://FQDN-scimgateway/oauth>", // e.g. https://scimgateway.my-company.com/oauth
+  *       "issuer": "<https://FQDN-scimgateway", // scimgateway base URL, e.g. https://scimgateway.my-company.com
   *       "subject": "<entra id application object id - client id>",
   *       "name": "<entra id federated credentials unique name>" // e.g. plugin-entra-id
   *     }

package/lib/scimgateway.ts

@@ -486,7 +486,7 @@ export class ScimGateway {
       getMethod: 'getAppRoles',
     }
     /** handlers supported url paths */
-    const handlers = ['users', 'groups', 'bulk', 'serviceplans', 'approles', 'api', 'schemas', 'resourcetypes', 'serviceproviderconfig', 'serviceproviderconfigs', 'oauth', 'logger']
+    const handlers = ['users', 'groups', 'bulk', 'serviceplans', 'approles', 'api', 'schemas', 'resourcetypes', 'serviceproviderconfig', 'serviceproviderconfigs', 'oauth', '.well-known', 'logger']
 
     try {
       if (!fs.existsSync(configDir + '/wsdls')) fs.mkdirSync(configDir + '/wsdls')
@@ -972,53 +972,44 @@ export class ScimGateway {
       )
     }
 
-    // oauth well-known: /oauth/.well-known/openid-configuration
+    // oauth well-known: /.well-known/openid-configuration
     // this.jwk is managed by helper-rest oauthJwtBearer - Entra ID Federated Identity
-    // {issuer: <scimgateway-baseUrl>/oauth, <federated-identity-unique-name>: {privateKey, publicKey}}
-    // example issuer: https://scimgateway.my-company.com/oauth
+    // { issuer: <scimgateway-baseUrl>, kid: { privateKey, publicKey } }
+    // example issuer: https://scimgateway.my-company.com
     const getHandlerOauthWellKnown = async (ctx: Context) => {
-      const baseEntity = ctx.routeObj.baseEntity
-      logger.debug(`${gwName}[${pluginName}][${baseEntity}] [oauth] .well-known request`)
-
-      if (!this.jwk || !this.jwk[baseEntity] || !this.jwk[baseEntity].issuer) {
+      logger.debug(`${gwName}[${pluginName}] [oauth] .well-known request`)
+      if (!this.jwk || (Object.keys(this.jwk).length < 1)) {
         ctx.response.body = '{}'
         ctx.response.status = 200
         return ctx
       }
-
-      const issuer = this.jwk[baseEntity].issuer //  dynamic set by helper-rest oauthJwtBearer e.g. 'https://scimgateway.my-company.com/oauth'
+      const issuer = this.jwk.issuer
       let body = {
         issuer,
-        jwks_uri: issuer + '/certs',
+        jwks_uri: issuer + '/.well-known/jwks.json',
       }
       ctx.response.body = JSON.stringify(body)
       ctx.response.status = 200
     }
 
-    // oauth JWKS: /oauth/certs
+    // oauth JWKS: /.well-known/jwks.json
     // this.jwk is managed by helper-rest oauthJwtBearer - Entra ID Federated Identity
-    // {issuer: <scimgateway-baseUrl>/oauth, <federated-identity-unique-name>: {privateKey, publicKey}}
-    const getHandlerOauthCerts = async (ctx: Context) => {
-      const baseEntity = ctx.routeObj.baseEntity
-      logger.debug(`${gwName}[${pluginName}][${baseEntity}] [oauth] jwks_uri certs request`)
-
-      if (!this.jwk || !this.jwk[baseEntity]) {
+    // { issuer: <scimgateway-baseUrl>, kid: { privateKey, publicKey } }
+    const getHandlerOauthJwks = async (ctx: Context) => {
+      logger.debug(`${gwName}[${pluginName}] [oauth] jwks_uri request`)
+      if (!this.jwk || (Object.keys(this.jwk).length < 1)) {
         ctx.response.body = '{"keys":[]}'
         ctx.response.status = 200
         return ctx
       }
-
       const keys: Array<Record<string, any>> = []
-      for (const name in this.jwk[baseEntity]) {
-        const keyObj = this.jwk[baseEntity][name]
-        if (typeof keyObj !== 'object' || keyObj === null) continue // skip issuer
-        const jwk = await jose.exportJWK(this.jwk[baseEntity][name].publicKey)
-        jwk.kid = createHash('sha256') // needed for JWKS
-          .update(JSON.stringify(jwk))
-          .digest('base64url')
+      for (const kid in this.jwk) {
+        const keyObj = this.jwk[kid]
+        if (typeof keyObj !== 'object' || keyObj === null) continue
+        const jwk = await jose.exportJWK(this.jwk[kid].publicKey)
+        jwk.kid = kid // needed for JWKS
         keys.push(jwk)
       }
-
       let body = {
         keys,
       }
@@ -2673,13 +2664,13 @@ export class ScimGateway {
           return ctx
         }
       }
-      if (ctx.request.method === 'GET' && ctx.path.endsWith('/oauth/.well-known/openid-configuration')) {
+      if (ctx.request.method === 'GET' && ctx.path.endsWith('/.well-known/openid-configuration')) {
         await getHandlerOauthWellKnown(ctx)
         if (!ctx.response.status) ctx.response.status = 404
         return ctx
       }
-      if (ctx.request.method === 'GET' && ctx.path.endsWith('/oauth/certs')) {
-        await getHandlerOauthCerts(ctx)
+      if (ctx.request.method === 'GET' && ctx.path.endsWith('/.well-known/jwks.json')) {
+        await getHandlerOauthJwks(ctx)
         if (!ctx.response.status) ctx.response.status = 404
         return ctx
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.5.1",
+  "version": "5.5.2",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",