strapi-plugin-oidc 1.0.2 → 1.0.4
- package/README.md +15 -12
- package/dist/server/index.js +37 -11
- package/dist/server/index.mjs +37 -11
- package/package.json +1 -1
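--- a/package/README.md
+++ b/package/README.md
@@ -1,6 +1,6 @@
 <div align="center">
-<img src="https://raw.githubusercontent.com/edmogeor/strapi-plugin-oidc/main/assets/icon.png" width="140" alt="OIDC
-<h1>OIDC
+<img src="https://raw.githubusercontent.com/edmogeor/strapi-plugin-oidc/main/assets/icon.png" width="140" alt="OIDC Login for Strapi Logo"/>
+<h1>OIDC Login for Strapi</h1>
 <p>
 <a href="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/test.yml">
 <img src="https://github.com/edmogeor/strapi-plugin-oidc/actions/workflows/test.yml/badge.svg" alt="Tests">
@@ -8,7 +8,7 @@
 </p>
 </div>
 
-A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.
+A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.
 
 This plugin allows your administrators to log in to the Strapi administration interface using external OIDC identity providers such as Zitadel, Keycloak, Auth0, AWS Cognito, and others.
 
@@ -36,6 +36,8 @@ module.exports = ({ env }) => ({
 config: {
 // Set to true to store the token in local storage, false for session storage
 REMEMBER_ME: false,
+// How long the remember me session should last in days (defaults to 30 days)
+REMEMBER_ME_DAYS: 30,
 
 // OpenID Connect Settings
 OIDC_REDIRECT_URI: 'http://localhost:1337/strapi-plugin-oidc/oidc/callback', // Callback URI after successful login
@@ -43,22 +45,22 @@ module.exports = ({ env }) => ({
 OIDC_CLIENT_SECRET: '[Client Secret from OpenID Provider]',
 
 OIDC_SCOPES: 'openid profile email', // Standard OIDC scopes
-
+
 // API Endpoints required for OIDC provider
 OIDC_AUTHORIZATION_ENDPOINT: '[Authorization Endpoint]',
 OIDC_TOKEN_ENDPOINT: '[Token Endpoint]',
 OIDC_USER_INFO_ENDPOINT: '[User Info Endpoint]',
 OIDC_USER_INFO_ENDPOINT_WITH_AUTH_HEADER: false,
-OIDC_GRANT_TYPE: 'authorization_code',
-
+OIDC_GRANT_TYPE: 'authorization_code',
+
 // Customizable user field mapping for user creation
 OIDC_FAMILY_NAME_FIELD: 'family_name',
 OIDC_GIVEN_NAME_FIELD: 'given_name',
-
+
 // Redirect to OIDC provider's logout page when users log out of Strapi
-OIDC_LOGOUT_URL: '[OIDC Provider Logout URL]'
-}
-}
+OIDC_LOGOUT_URL: '[OIDC Provider Logout URL]',
+},
+},
 // ...
 });
 ```
@@ -71,13 +73,14 @@ Once the plugin is installed and configured, you can manage the OIDC settings fr
 
 - **Whitelist Management**: Restrict login to specific users by adding their email addresses to the whitelist. You can also whitelist entire email domains (e.g., `*@company.com`). If the whitelist is empty, any user who successfully authenticates via your OIDC provider will be able to log in and an account will be automatically created for them.
 - **Default Role Assignment**: Select the default Strapi admin role that will be assigned to newly created users when they log in for the first time via OIDC.
-- **Enforce OIDC Login**: When enabled, the default Strapi email and password login form will be disabled, forcing all administrators to log in using your OIDC provider.
+- **Enforce OIDC Login**: When enabled, the default Strapi email and password login form will be disabled, forcing all administrators to log in using your OIDC provider. _(Note: This option is automatically disabled and grayed out if your whitelist is empty to prevent accidentally locking everyone out of the admin panel)._
 
 ## Credits & Changes
 
 This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.com/yasudacloud/strapi-plugin-sso) created by **yasudacloud**. Huge thanks to them for creating the foundation of this plugin!
 
 ### Changes made to the original codebase:
+
 - Removed alternative SSO methods to simplify the plugin.
 - Redesigned the Whitelist and Role management UI (switched to native Strapi cards, added pagination, etc.).
 - Added an OIDC logout redirect URL.
@@ -85,4 +88,4 @@ This plugin is a hard fork of the original [`strapi-plugin-sso`](https://github.
 - Migrated the testing framework to Vitest and added comprehensive test coverage for controllers and services.
 - Cleaned up dead code and unused dependencies to improve maintainability.
 - Upgraded to use newer versions of Node.js.
-- Added misc. quality of life improvements and bug fixes.
+- Added misc. quality of life improvements and bug fixes.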
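--- a/package/dist/server/index.js
+++ b/package/dist/server/index.js
@@ -75,6 +75,8 @@ function destroy() {
 const config = {
 default: {
 REMEMBER_ME: false,
+REMEMBER_ME_DAYS: 30,
+// 30 days
 OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
 OIDC_CLIENT_ID: "",
 OIDC_CLIENT_SECRET: "",
@@ -546,10 +548,13 @@ function oauthService({ strapi: strapi2 }) {
 ENTRY_CREATE = webhookStore.allowedEvents.get("ENTRY_CREATE");
 }
 const modelDef = strapi2.getModel("admin::user");
-const sanitizedEntity = await strapiUtils__default.default.sanitize.sanitizers.defaultSanitizeOutput(
-
-
-
+const sanitizedEntity = await strapiUtils__default.default.sanitize.sanitizers.defaultSanitizeOutput(
+{
+schema: modelDef,
+getModel: (uid2) => strapi2.getModel(uid2)
+},
+user
+);
 eventHub.emit(ENTRY_CREATE, {
 model: modelDef.modelName,
 entry: sanitizedEntity
@@ -606,19 +611,40 @@ function oauthService({ strapi: strapi2 }) {
 async generateToken(user, ctx) {
 const sessionManager = strapi2.sessionManager;
 if (!sessionManager) {
-throw new Error(
+throw new Error(
+"sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later."
+);
 }
 const userId = String(user.id);
 const deviceId = node_crypto.randomUUID();
 const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
 const REMEMBER_ME = config2["REMEMBER_ME"];
 const rememberMe = !!REMEMBER_ME;
-const { token: refreshToken } = await sessionManager(
-
-
-
-
-
+const { token: refreshToken } = await sessionManager("admin").generateRefreshToken(
+userId,
+deviceId,
+{
+type: rememberMe ? "refresh" : "session"
+}
+);
+const isProduction = strapi2.config.get("environment") === "production";
+const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
+const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
+const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
+const cookieOptions = {
+httpOnly: true,
+secure: isProduction,
+overwrite: true,
+domain,
+path,
+sameSite
+};
+if (rememberMe) {
+const REMEMBER_ME_DAYS = config2["REMEMBER_ME_DAYS"] || 30;
+const durationInMs = REMEMBER_ME_DAYS * 24 * 60 * 60 * 1e3;
+cookieOptions.maxAge = durationInMs;
+cookieOptions.expires = new Date(Date.now() + durationInMs);
+}
 ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
 const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
 if ("error" in accessResult) {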
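--- a/package/dist/server/index.mjs
+++ b/package/dist/server/index.mjs
@@ -68,6 +68,8 @@ function destroy() {
 const config = {
 default: {
 REMEMBER_ME: false,
+REMEMBER_ME_DAYS: 30,
+// 30 days
 OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
 OIDC_CLIENT_ID: "",
 OIDC_CLIENT_SECRET: "",
@@ -539,10 +541,13 @@ function oauthService({ strapi: strapi2 }) {
 ENTRY_CREATE = webhookStore.allowedEvents.get("ENTRY_CREATE");
 }
 const modelDef = strapi2.getModel("admin::user");
-const sanitizedEntity = await strapiUtils.sanitize.sanitizers.defaultSanitizeOutput(
-
-
-
+const sanitizedEntity = await strapiUtils.sanitize.sanitizers.defaultSanitizeOutput(
+{
+schema: modelDef,
+getModel: (uid2) => strapi2.getModel(uid2)
+},
+user
+);
 eventHub.emit(ENTRY_CREATE, {
 model: modelDef.modelName,
 entry: sanitizedEntity
@@ -599,19 +604,40 @@ function oauthService({ strapi: strapi2 }) {
 async generateToken(user, ctx) {
 const sessionManager = strapi2.sessionManager;
 if (!sessionManager) {
-throw new Error(
+throw new Error(
+"sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later."
+);
 }
 const userId = String(user.id);
 const deviceId = randomUUID();
 const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
 const REMEMBER_ME = config2["REMEMBER_ME"];
 const rememberMe = !!REMEMBER_ME;
-const { token: refreshToken } = await sessionManager(
-
-
-
-
-
+const { token: refreshToken } = await sessionManager("admin").generateRefreshToken(
+userId,
+deviceId,
+{
+type: rememberMe ? "refresh" : "session"
+}
+);
+const isProduction = strapi2.config.get("environment") === "production";
+const domain = strapi2.config.get("admin.auth.cookie.domain") || strapi2.config.get("admin.auth.domain");
+const path = strapi2.config.get("admin.auth.cookie.path", "/admin");
+const sameSite = strapi2.config.get("admin.auth.cookie.sameSite", "lax");
+const cookieOptions = {
+httpOnly: true,
+secure: isProduction,
+overwrite: true,
+domain,
+path,
+sameSite
+};
+if (rememberMe) {
+const REMEMBER_ME_DAYS = config2["REMEMBER_ME_DAYS"] || 30;
+const durationInMs = REMEMBER_ME_DAYS * 24 * 60 * 60 * 1e3;
+cookieOptions.maxAge = durationInMs;
+cookieOptions.expires = new Date(Date.now() + durationInMs);
+}
 ctx.cookies.set("strapi_admin_refresh", refreshToken, cookieOptions);
 const accessResult = await sessionManager("admin").generateAccessToken(refreshToken);
 if ("error" in accessResult) {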
package/package.json
CHANGED