npm - strapi-plugin-oidc - Versions diffs - 1.9.3 → 1.9.5 - Mend

strapi-plugin-oidc 1.9.3 → 1.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -32,7 +32,7 @@ module.exports = ({ env }) => ({
     enabled: true,
     config: {
       // Required
-      OIDC_DISCOVERY_URL: env('OIDC_DISCOVERY_URL'), // https://your-provider/.well-known/openid-configuration
+      OIDC_ISSUER: env('OIDC_ISSUER'), // https://your-provider or https://your-provider/realms/your-realm
       OIDC_CLIENT_ID: env('OIDC_CLIENT_ID'),
       OIDC_CLIENT_SECRET: env('OIDC_CLIENT_SECRET'),
       OIDC_REDIRECT_URI: env('OIDC_REDIRECT_URI'), // https://your-strapi.com/strapi-plugin-oidc/oidc/callback
@@ -55,7 +55,7 @@ module.exports = ({ env }) => ({
 });
 ```
-`OIDC_DISCOVERY_URL` is the URL of your provider's OpenID Connect discovery document (`/.well-known/openid-configuration`). The plugin fetches it at startup and automatically configures all endpoints, JWKS URI, and issuer.
+`OIDC_ISSUER` is your provider's issuer URL (e.g. `https://auth.example.com` or `https://auth.example.com/realms/myrealm`). The plugin appends `/.well-known/openid-configuration` automatically if not present, and fetches the discovery document at startup to configure all endpoints, JWKS URI, and canonical issuer.
 ### Security features

package/dist/server/index.js CHANGED Viewed

@@ -59,7 +59,8 @@ const errorMessages = {
   WHITELIST_NOT_PRESENT: "Not present in whitelist",
   PROVIDER_RESPONSE_INVALID: "Unexpected response from OIDC provider",
   SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
-  JWKS_URI_NOT_CONFIGURED: "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document.",
+  OIDC_ISSUER_NOT_CONFIGURED: "[strapi-plugin-oidc] OIDC_ISSUER is not configured — discovery skipped. OIDC sign-in will fail until OIDC_ISSUER is set in your plugin config.",
+  JWKS_URI_NOT_CONFIGURED: "[strapi-plugin-oidc] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document.",
   ENFORCE_MIDDLEWARE_ERROR: "Error checking OIDC enforcement in middleware:",
   ENFORCE_SYNC_ERROR: "[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:",
   DEFAULT_ROLE_INIT_ERROR: "Could not initialize default OIDC role:",
@@ -102,7 +103,6 @@ const coerceBoolNullable = zod.z.preprocess(
 );
 const pluginConfigSchema = zod.z.object({
   REMEMBER_ME: coerceBool(false),
-  OIDC_DISCOVERY_URL: zod.z.string().default(""),
   OIDC_REDIRECT_URI: zod.z.string().default(""),
   OIDC_CLIENT_ID: zod.z.string().default(""),
   OIDC_CLIENT_SECRET: zod.z.string().default(""),
@@ -172,6 +172,7 @@ const CACHE_TTL = {
 const DEFAULT_RETENTION_DAYS = 90;
 const DAY_MS = 864e5;
 const DISCOVERY_TIMEOUT_MS = 5e3;
+const OIDC_DISCOVERY_PATH = "/.well-known/openid-configuration";
 const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function getPluginConfig() {
   return pluginConfigSchema.parse(strapi.config.get("plugin::strapi-plugin-oidc") ?? {});
@@ -198,7 +199,6 @@ const discoveryDocumentSchema = zod.z.object({
   jwks_uri: zod.z.string().optional()
 }).passthrough();
 const FIELD_MAP = [
-  ["issuer", "OIDC_ISSUER"],
   ["authorization_endpoint", "OIDC_AUTHORIZATION_ENDPOINT"],
   ["token_endpoint", "OIDC_TOKEN_ENDPOINT"],
   ["userinfo_endpoint", "OIDC_USERINFO_ENDPOINT"],
@@ -207,8 +207,20 @@ const FIELD_MAP = [
 ];
 async function applyDiscovery(strapi2) {
   const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-  const discoveryUrl = config2.OIDC_DISCOVERY_URL;
-  if (!discoveryUrl) return;
+  const issuer = config2.OIDC_ISSUER;
+  if (!issuer) {
+    strapi2.log.warn(errorMessages.OIDC_ISSUER_NOT_CONFIGURED);
+    return;
+  }
+  let discoveryUrl;
+  let canonicalIssuer;
+  if (issuer.includes(OIDC_DISCOVERY_PATH)) {
+    discoveryUrl = issuer;
+    canonicalIssuer = issuer.replace(OIDC_DISCOVERY_PATH, "");
+  } else {
+    discoveryUrl = issuer.replace(/\/$/, "") + OIDC_DISCOVERY_PATH;
+    canonicalIssuer = issuer.replace(/\/$/, "");
+  }
   let doc;
   try {
     const res = await fetch(discoveryUrl, { signal: AbortSignal.timeout(DISCOVERY_TIMEOUT_MS) });
@@ -222,13 +234,13 @@ async function applyDiscovery(strapi2) {
     );
     return;
   }
-  const updates = {};
+  const updates = { OIDC_ISSUER: canonicalIssuer };
   for (const [docField, configKey] of FIELD_MAP) {
     if (doc[docField]) {
       updates[configKey] = doc[docField];
     }
   }
-  if (Object.keys(updates).length > 0) {
+  if (Object.keys(updates).length > 1) {
     strapi2.config.set("plugin::strapi-plugin-oidc", { ...config2, ...updates });
     strapi2.log.info(`[strapi-plugin-oidc] Discovery applied: ${Object.keys(updates).join(", ")}`);
   }
@@ -385,7 +397,6 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
-    OIDC_DISCOVERY_URL: "",
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
@@ -401,7 +412,7 @@ const config = {
     OIDC_REQUIRE_EMAIL_VERIFIED: true,
     OIDC_TRUSTED_IP_HEADER: "",
     OIDC_FORCE_SECURE_COOKIES: false,
-    // Populated at bootstrap from OIDC_DISCOVERY_URL — not user-configurable directly
+    // Populated at bootstrap from OIDC_ISSUER — not user-configurable directly
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
     OIDC_USERINFO_ENDPOINT: "",
@@ -522,14 +533,14 @@ function toMessage(e) {
   return e instanceof Error ? e.message : String(e);
 }
 const REQUIRED_CONFIG_KEYS = [
-  "OIDC_DISCOVERY_URL",
+  "OIDC_ISSUER",
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
   "OIDC_SCOPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
-  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
+  // Populated at bootstrap from OIDC_ISSUER — checked here as a runtime safety net
   "OIDC_TOKEN_ENDPOINT",
   "OIDC_USERINFO_ENDPOINT",
   "OIDC_AUTHORIZATION_ENDPOINT"

package/dist/server/index.mjs CHANGED Viewed

@@ -53,7 +53,8 @@ const errorMessages = {
   WHITELIST_NOT_PRESENT: "Not present in whitelist",
   PROVIDER_RESPONSE_INVALID: "Unexpected response from OIDC provider",
   SESSION_MANAGER_UNSUPPORTED: "sessionManager is not supported. Please upgrade to Strapi v5.24.1 or later.",
-  JWKS_URI_NOT_CONFIGURED: "[OIDC] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document.",
+  OIDC_ISSUER_NOT_CONFIGURED: "[strapi-plugin-oidc] OIDC_ISSUER is not configured — discovery skipped. OIDC sign-in will fail until OIDC_ISSUER is set in your plugin config.",
+  JWKS_URI_NOT_CONFIGURED: "[strapi-plugin-oidc] OIDC_JWKS_URI is not configured — ID token signature verification is disabled. Set OIDC_JWKS_URI and OIDC_ISSUER from your provider's discovery document.",
   ENFORCE_MIDDLEWARE_ERROR: "Error checking OIDC enforcement in middleware:",
   ENFORCE_SYNC_ERROR: "[strapi-plugin-oidc] Failed to sync OIDC_ENFORCE to database:",
   DEFAULT_ROLE_INIT_ERROR: "Could not initialize default OIDC role:",
@@ -96,7 +97,6 @@ const coerceBoolNullable = z.preprocess(
 );
 const pluginConfigSchema = z.object({
   REMEMBER_ME: coerceBool(false),
-  OIDC_DISCOVERY_URL: z.string().default(""),
   OIDC_REDIRECT_URI: z.string().default(""),
   OIDC_CLIENT_ID: z.string().default(""),
   OIDC_CLIENT_SECRET: z.string().default(""),
@@ -166,6 +166,7 @@ const CACHE_TTL = {
 const DEFAULT_RETENTION_DAYS = 90;
 const DAY_MS = 864e5;
 const DISCOVERY_TIMEOUT_MS = 5e3;
+const OIDC_DISCOVERY_PATH = "/.well-known/openid-configuration";
 const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 function getPluginConfig() {
   return pluginConfigSchema.parse(strapi.config.get("plugin::strapi-plugin-oidc") ?? {});
@@ -192,7 +193,6 @@ const discoveryDocumentSchema = z.object({
   jwks_uri: z.string().optional()
 }).passthrough();
 const FIELD_MAP = [
-  ["issuer", "OIDC_ISSUER"],
   ["authorization_endpoint", "OIDC_AUTHORIZATION_ENDPOINT"],
   ["token_endpoint", "OIDC_TOKEN_ENDPOINT"],
   ["userinfo_endpoint", "OIDC_USERINFO_ENDPOINT"],
@@ -201,8 +201,20 @@ const FIELD_MAP = [
 ];
 async function applyDiscovery(strapi2) {
   const config2 = strapi2.config.get("plugin::strapi-plugin-oidc");
-  const discoveryUrl = config2.OIDC_DISCOVERY_URL;
-  if (!discoveryUrl) return;
+  const issuer = config2.OIDC_ISSUER;
+  if (!issuer) {
+    strapi2.log.warn(errorMessages.OIDC_ISSUER_NOT_CONFIGURED);
+    return;
+  }
+  let discoveryUrl;
+  let canonicalIssuer;
+  if (issuer.includes(OIDC_DISCOVERY_PATH)) {
+    discoveryUrl = issuer;
+    canonicalIssuer = issuer.replace(OIDC_DISCOVERY_PATH, "");
+  } else {
+    discoveryUrl = issuer.replace(/\/$/, "") + OIDC_DISCOVERY_PATH;
+    canonicalIssuer = issuer.replace(/\/$/, "");
+  }
   let doc;
   try {
     const res = await fetch(discoveryUrl, { signal: AbortSignal.timeout(DISCOVERY_TIMEOUT_MS) });
@@ -216,13 +228,13 @@ async function applyDiscovery(strapi2) {
     );
     return;
   }
-  const updates = {};
+  const updates = { OIDC_ISSUER: canonicalIssuer };
   for (const [docField, configKey] of FIELD_MAP) {
     if (doc[docField]) {
       updates[configKey] = doc[docField];
     }
   }
-  if (Object.keys(updates).length > 0) {
+  if (Object.keys(updates).length > 1) {
     strapi2.config.set("plugin::strapi-plugin-oidc", { ...config2, ...updates });
     strapi2.log.info(`[strapi-plugin-oidc] Discovery applied: ${Object.keys(updates).join(", ")}`);
   }
@@ -379,7 +391,6 @@ function destroy() {
 const config = {
   default: {
     REMEMBER_ME: false,
-    OIDC_DISCOVERY_URL: "",
     OIDC_REDIRECT_URI: "http://localhost:1337/strapi-plugin-oidc/oidc/callback",
     OIDC_CLIENT_ID: "",
     OIDC_CLIENT_SECRET: "",
@@ -395,7 +406,7 @@ const config = {
     OIDC_REQUIRE_EMAIL_VERIFIED: true,
     OIDC_TRUSTED_IP_HEADER: "",
     OIDC_FORCE_SECURE_COOKIES: false,
-    // Populated at bootstrap from OIDC_DISCOVERY_URL — not user-configurable directly
+    // Populated at bootstrap from OIDC_ISSUER — not user-configurable directly
     OIDC_AUTHORIZATION_ENDPOINT: "",
     OIDC_TOKEN_ENDPOINT: "",
     OIDC_USERINFO_ENDPOINT: "",
@@ -516,14 +527,14 @@ function toMessage(e) {
   return e instanceof Error ? e.message : String(e);
 }
 const REQUIRED_CONFIG_KEYS = [
-  "OIDC_DISCOVERY_URL",
+  "OIDC_ISSUER",
   "OIDC_CLIENT_ID",
   "OIDC_CLIENT_SECRET",
   "OIDC_REDIRECT_URI",
   "OIDC_SCOPE",
   "OIDC_FAMILY_NAME_FIELD",
   "OIDC_GIVEN_NAME_FIELD",
-  // Populated at bootstrap from OIDC_DISCOVERY_URL — checked here as a runtime safety net
+  // Populated at bootstrap from OIDC_ISSUER — checked here as a runtime safety net
   "OIDC_TOKEN_ENDPOINT",
   "OIDC_USERINFO_ENDPOINT",
   "OIDC_AUTHORIZATION_ENDPOINT"

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "strapi-plugin-oidc",
-  "version": "1.9.3",
+  "version": "1.9.5",
   "description": "A Strapi plugin that provides OpenID Connect (OIDC) authentication functionality for the Strapi Admin Panel.",
   "strapi": {
     "displayName": "OIDC Plugin",