npm - strapi-plugin-oidc - Versions diffs - 1.10.3 → 1.10.5 - Mend

strapi-plugin-oidc 1.10.3 → 1.10.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -35,10 +35,10 @@ module.exports = ({ env }) => ({
     enabled: true,
     config: {
       // Required
+      OIDC_PUBLIC_URL: env('PUBLIC_URL', 'https://strapi.example.com'), // origin only — we append /strapi-plugin-oidc/oidc/callback
       OIDC_ISSUER: env('OIDC_ISSUER'), // https://your-provider or https://your-provider/realms/your-realm
       OIDC_CLIENT_ID: env('OIDC_CLIENT_ID'),
       OIDC_CLIENT_SECRET: env('OIDC_CLIENT_SECRET'),
-      OIDC_REDIRECT_URI: env('OIDC_REDIRECT_URI'), // https://your-strapi.com/strapi-plugin-oidc/oidc/callback
       // Optional — defaults shown
       OIDC_SCOPE: 'openid profile email', // space-separated scopes
@@ -59,6 +59,8 @@ module.exports = ({ env }) => ({
 });
 ```
+`OIDC_PUBLIC_URL` is your Strapi instance's origin (e.g. `https://myapp.com`). The plugin appends `/strapi-plugin-oidc/oidc/callback` to form the full OIDC redirect URI. If unset, falls back to the `PUBLIC_URL` environment variable. Only provide the scheme + host + port — no trailing slash or path.
 `OIDC_ISSUER` is your provider's issuer URL (e.g. `https://auth.example.com` or `https://auth.example.com/realms/myrealm`). The plugin appends `/.well-known/openid-configuration` automatically if not present, and fetches the discovery document at startup to configure all endpoints, JWKS URI, and canonical issuer.
 ### Security features
@@ -98,17 +100,6 @@ Only headers that CDN/proxy vendors guarantee to strip from inbound client reque
 Navigate to `/strapi-plugin-oidc/oidc` to start the OIDC flow, or click the **Login via SSO** button injected into the Strapi login page.
-## Skip Login Page
-Set `OIDC_SKIP_LOGIN_PAGE: true` to prevent users from ever seeing the Strapi admin login page. Unauthenticated requests are redirected directly to the OIDC provider. This is typically used alongside `OIDC_ENFORCE: true`.
-Two independent mechanisms cover both entry points:
-- **Server-side** — A Koa middleware intercepts unauthenticated GET requests to `/admin` and redirects to `/strapi-plugin-oidc/oidc` before the SPA is served. Excluded from this redirect: API routes (`/admin/login`, `/admin/logout`, `/admin/init`, etc.), static assets (`.js`, `.css`, `.png`, etc.), and POST requests.
-- **Client-side** — A DOM `MutationObserver` watches for React Router navigations to `/auth/login` (triggered by session expiry or 401 responses) and redirects before the login form renders.
-After logout without a provider `end_session_endpoint`, the fallback URL becomes `/strapi-plugin-oidc/oidc` instead of `/admin/auth/login`, ensuring the user lands on the provider's own page.
 ## Logout
 When the discovery document includes an `end_session_endpoint`, clicking logout redirects to the provider's end-session URL (RP-initiated logout). If the provider session has already expired, Strapi skips the redirect and goes straight to the login page.
@@ -212,30 +203,30 @@ Duplicate emails within the payload and emails already in the whitelist are sile
 ```bash
 # List
 curl -H "Authorization: Bearer <token>" \
-  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+  https://strapi.example.com/api/strapi-plugin-oidc/whitelist
 # Export
 curl -H "Authorization: Bearer <token>" \
-  http://localhost:1337/api/strapi-plugin-oidc/whitelist/export \
+  https://strapi.example.com/api/strapi-plugin-oidc/whitelist/export \
   -o whitelist.json
 # Add
 curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
   -d '{"email": "user@example.com"}' \
-  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+  https://strapi.example.com/api/strapi-plugin-oidc/whitelist
 # Bulk import
 curl -X POST -H "Authorization: Bearer <token>" -H "Content-Type: application/json" \
   -d '{"users": [{"email": "a@example.com"}, {"email": "b@example.com"}]}' \
-  http://localhost:1337/api/strapi-plugin-oidc/whitelist/import
+  https://strapi.example.com/api/strapi-plugin-oidc/whitelist/import
 # Delete one (by email)
 curl -X DELETE -H "Authorization: Bearer <token>" \
-  "http://localhost:1337/api/strapi-plugin-oidc/whitelist/user%40example.com"
+  "https://strapi.example.com/api/strapi-plugin-oidc/whitelist/user%40example.com"
 # Delete all
 curl -X DELETE -H "Authorization: Bearer <token>" \
-  http://localhost:1337/api/strapi-plugin-oidc/whitelist
+  https://strapi.example.com/api/strapi-plugin-oidc/whitelist
 ```
 ## Audit Log API
@@ -303,7 +294,7 @@ curl -H "Authorization: Bearer <token>" -G \
   --data-urlencode 'filters[action][$eq]=login_failure' \
   --data-urlencode 'filters[createdAt][$gte]=2026-04-08T00:00:00.000Z' \
   --data-urlencode 'filters[createdAt][$lt]=2026-04-09T00:00:00.000Z' \
-  http://localhost:1337/api/strapi-plugin-oidc/audit-logs
+  https://strapi.example.com/api/strapi-plugin-oidc/audit-logs
 ```
 ### Recorded actions
@@ -330,11 +321,11 @@ Each event is also emitted on Strapi's internal eventHub as `strapi-plugin-oidc:
 ```bash
 # Paginated list
 curl -H "Authorization: Bearer <token>" \
-  "http://localhost:1337/api/strapi-plugin-oidc/audit-logs?page=1&pageSize=50"
+  "https://strapi.example.com/api/strapi-plugin-oidc/audit-logs?page=1&pageSize=50"
 # NDJSON export
 curl -H "Authorization: Bearer <token>" \
-  http://localhost:1337/api/strapi-plugin-oidc/audit-logs/export \
+  https://strapi.example.com/api/strapi-plugin-oidc/audit-logs/export \
   -o oidc-audit-log.ndjson
 ```

package/dist/server/index.js CHANGED Viewed

@@ -103,7 +103,7 @@ const coerceBoolNullable = zod.z.preprocess(
 );
 const pluginConfigSchema = zod.z.object({
   REMEMBER_ME: coerceBool(false),
-  OIDC_REDIRECT_URI: zod.z.string().default(""),
+  OIDC_PUBLIC_URL: zod.z.string().default(""),
   OIDC_CLIENT_ID: zod.z.string().default(""),
   OIDC_CLIENT_SECRET: zod.z.string().default(""),
   OIDC_SCOPE: zod.z.string().default("openid profile email"),
@@ -175,6 +175,7 @@ const DAY_MS = 864e5;
 const DISCOVERY_TIMEOUT_MS = 5e3;
 const OIDC_DISCOVERY_PATH = "/.well-known/openid-configuration";
 const OIDC_SIGN_IN_PATH = "/strapi-plugin-oidc/oidc";
+const OIDC_CALLBACK_PATH = "/strapi-plugin-oidc/oidc/callback";
 const AUTH_ROUTES = [
   "login",
   "register",
@@ -422,7 +423,6 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
-    OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
     OIDC_SCOPE: "openid profile email",
@@ -562,7 +562,6 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_ISSUER",
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
-  "OIDC_REDIRECT_URI",
   "OIDC_SCOPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
@@ -571,6 +570,15 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_USERINFO_ENDPOINT",
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
+function resolveRedirectUri(config2) {
+  const publicUrl = config2.OIDC_PUBLIC_URL || process.env.PUBLIC_URL || (process.env.NODE_ENV !== "production" ? "http://localhost:1337" : "");
+  if (!publicUrl) {
+    throw new Error(
+      "OIDC_PUBLIC_URL or PUBLIC_URL must be set in production. Provide your Strapi origin (e.g. https://myapp.com)."
+    );
+  }
+  return `${publicUrl.replace(/\/+$/, "")}${OIDC_CALLBACK_PATH}`;
+}
 const jwksCache = /* @__PURE__ */ new Map();
 let jwksDisabledWarned = false;
 function getJwks(uri) {
@@ -3621,7 +3629,7 @@ async function oidcSignIn(ctx) {
       ctx.redirect(`${adminUrl}/auth/login?oidc_redirect=1`);
       return;
     }
-    const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = config2;
+    const { OIDC_CLIENT_ID, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = config2;
     const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge__default.default();
     const state = node_crypto.randomBytes(32).toString("base64url");
     const nonce = node_crypto.randomBytes(32).toString("base64url");
@@ -3634,10 +3642,11 @@ async function oidcSignIn(ctx) {
     ctx.cookies.set(COOKIE_NAMES.codeVerifier, codeVerifier, cookieOptions);
     ctx.cookies.set(COOKIE_NAMES.state, state, cookieOptions);
     ctx.cookies.set(COOKIE_NAMES.nonce, nonce, cookieOptions);
+    const redirectUri = resolveRedirectUri(config2);
     const params = new URLSearchParams({
       response_type: "code",
       client_id: OIDC_CLIENT_ID,
-      redirect_uri: OIDC_REDIRECT_URI,
+      redirect_uri: redirectUri,
       scope: OIDC_SCOPE,
       code_challenge: codeChallenge,
       code_challenge_method: "S256",
@@ -3982,7 +3991,7 @@ async function oidcSignInCallback(ctx) {
     code: String(ctx.query.code),
     client_id: config2.OIDC_CLIENT_ID,
     client_secret: config2.OIDC_CLIENT_SECRET,
-    redirect_uri: config2.OIDC_REDIRECT_URI,
+    redirect_uri: resolveRedirectUri(config2),
     grant_type: "authorization_code",
     code_verifier: codeVerifier ?? ""
   });

package/dist/server/index.mjs CHANGED Viewed

@@ -97,7 +97,7 @@ const coerceBoolNullable = z.preprocess(
 );
 const pluginConfigSchema = z.object({
   REMEMBER_ME: coerceBool(false),
-  OIDC_REDIRECT_URI: z.string().default(""),
+  OIDC_PUBLIC_URL: z.string().default(""),
   OIDC_CLIENT_ID: z.string().default(""),
   OIDC_CLIENT_SECRET: z.string().default(""),
   OIDC_SCOPE: z.string().default("openid profile email"),
@@ -169,6 +169,7 @@ const DAY_MS = 864e5;
 const DISCOVERY_TIMEOUT_MS = 5e3;
 const OIDC_DISCOVERY_PATH = "/.well-known/openid-configuration";
 const OIDC_SIGN_IN_PATH = "/strapi-plugin-oidc/oidc";
+const OIDC_CALLBACK_PATH = "/strapi-plugin-oidc/oidc/callback";
 const AUTH_ROUTES = [
   "login",
   "register",
@@ -416,7 +417,6 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
-    OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
     OIDC_SCOPE: "openid profile email",
@@ -556,7 +556,6 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_ISSUER",
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
-  "OIDC_REDIRECT_URI",
   "OIDC_SCOPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
@@ -565,6 +564,15 @@ const REQUIRED_CONFIG_KEYS = [
   "OIDC_USERINFO_ENDPOINT",
   "OIDC_AUTHORIZATION_ENDPOINT"
 ];
+function resolveRedirectUri(config2) {
+  const publicUrl = config2.OIDC_PUBLIC_URL || process.env.PUBLIC_URL || (process.env.NODE_ENV !== "production" ? "http://localhost:1337" : "");
+  if (!publicUrl) {
+    throw new Error(
+      "OIDC_PUBLIC_URL or PUBLIC_URL must be set in production. Provide your Strapi origin (e.g. https://myapp.com)."
+    );
+  }
+  return `${publicUrl.replace(/\/+$/, "")}${OIDC_CALLBACK_PATH}`;
+}
 const jwksCache = /* @__PURE__ */ new Map();
 let jwksDisabledWarned = false;
 function getJwks(uri) {
@@ -3615,7 +3623,7 @@ async function oidcSignIn(ctx) {
       ctx.redirect(`${adminUrl}/auth/login?oidc_redirect=1`);
       return;
     }
-    const { OIDC_CLIENT_ID, OIDC_REDIRECT_URI, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = config2;
+    const { OIDC_CLIENT_ID, OIDC_SCOPE, OIDC_AUTHORIZATION_ENDPOINT } = config2;
     const { code_verifier: codeVerifier, code_challenge: codeChallenge } = await pkceChallenge();
     const state = randomBytes(32).toString("base64url");
     const nonce = randomBytes(32).toString("base64url");
@@ -3628,10 +3636,11 @@ async function oidcSignIn(ctx) {
     ctx.cookies.set(COOKIE_NAMES.codeVerifier, codeVerifier, cookieOptions);
     ctx.cookies.set(COOKIE_NAMES.state, state, cookieOptions);
     ctx.cookies.set(COOKIE_NAMES.nonce, nonce, cookieOptions);
+    const redirectUri = resolveRedirectUri(config2);
     const params = new URLSearchParams({
       response_type: "code",
       client_id: OIDC_CLIENT_ID,
-      redirect_uri: OIDC_REDIRECT_URI,
+      redirect_uri: redirectUri,
       scope: OIDC_SCOPE,
       code_challenge: codeChallenge,
       code_challenge_method: "S256",
@@ -3976,7 +3985,7 @@ async function oidcSignInCallback(ctx) {
     code: String(ctx.query.code),
     client_id: config2.OIDC_CLIENT_ID,
     client_secret: config2.OIDC_CLIENT_SECRET,
-    redirect_uri: config2.OIDC_REDIRECT_URI,
+    redirect_uri: resolveRedirectUri(config2),
     grant_type: "authorization_code",
     code_verifier: codeVerifier ?? ""
   });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.10.3",
+  "version": "1.10.5",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",