OpenID Connect Identity Platform

The synapse OpenID Connect platform uses node-oidc-provider to provide user authentication for our clients' applications. node-oidc-provider is an OpenID Connect provider library. In order to fully understand the ins and outs of this application, understanding OpenID Connect is a must.

Usage Documentation

Setting up for development

Copy common.template.env as common.env and provide a mailgun, SES, or sendgrid key
Set the OIDC_DB_* vars based on what RDBMS you are using.
Run either ./compose-mysql up or ./compose-postgres up. You can also just do docker-compose up which will use postgres.
Create an oauth client by posting to http://localhost:9001/op/reg with the following:

Headers:
{
    "Content-Type": "application/json",
    "Authorization": "Bearer token1", // common.env -> OIDC_INITIAL_ACCESS_TOKEN value
}
Body:
{
    "response_types": ["code id_token token"],
    "grant_types": [
        "authorization_code",
        "implicit",
        "client_credentials"
    ],
    "redirect_uris": ["https://sso-client.test:3000/"],
    "post_logout_redirect_uris": ["https://sso-client.test:3000/logout"]
}

In test-client/src create a copy of config.template.js and call it config.js. Fill in the client_id and client_secret of the client you created in the previous step.
Add sso-client.testfor 127.0.0.1 to your hosts file
npm i and npm start in test-client and test-client/test-server

Session Management

Sessions are persisted by default, a user can manually log out by visiting ${prefix}/session/end. The following query parameters should also be sent: id_token_hint is to allow the client to determine which user is logging out, and post_logout_redirect_uri allows the user to be redirected back to the client app.

Clients

Clients can be registered dynamically with the registration endpoint defined in the OICD provider's Hapi plugin. By default this is ${prefix}/reg. Any of the OpenID Client Metadata can be supplied. The Bearer token for this request is validated against the OIDC_INITIAL_ACCESS_TOKEN environment variable. YOU MUST PROVIDE A STRONG TOKEN in production to prevent unauthorized clients from being added.

Releasing

Ensure you've checked out master and that it's up-to-date (or if hotfixing, check out a new branch from a previous release's tag)
Update the version number in api/package.json and api/package-lock.json and commit the changes
cd api if you're in the root of the repo
docker build -t synapsestudios/oidc-platform:vX.Y.Z .
docker push synapsestudios/oidc-platform:vX.Y.Z
git push
git tag vX.Y.Z && git push tags
If hotfixing, you can git push :refs/heads/hotfix-branch-name to delete the hotfix branch

Name		Name	Last commit message	Last commit date
Latest commit History 1,035 Commits
.github/workflows		.github/workflows
api		api
docs		docs
e2e		e2e
redis		redis
scripts		scripts
shared		shared
test-client		test-client
.DS_Store		.DS_Store
.dockerignore		.dockerignore
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
Dockerfile.mysql		Dockerfile.mysql
Dockerfile.webpack-build		Dockerfile.webpack-build
LICENSE		LICENSE
README.md		README.md
UPGRADE.md		UPGRADE.md
acceptance.env		acceptance.env
artifact_purge.yml		artifact_purge.yml
common.template.env		common.template.env
compose-mysql		compose-mysql
compose-postgres		compose-postgres
docker-compose.base.yml		docker-compose.base.yml
docker-compose.mysql.yml		docker-compose.mysql.yml
docker-compose.override.yml		docker-compose.override.yml
docker-compose.qa.yml		docker-compose.qa.yml
docker-compose.yml		docker-compose.yml
frontend-proxy.conf		frontend-proxy.conf
frontend.conf		frontend.conf
mysql.cnf		mysql.cnf
oidc-provider.paw		oidc-provider.paw
package-lock.json		package-lock.json

License

synapsestudios/oidc-platform

Folders and files

Latest commit

History

Repository files navigation

OpenID Connect Identity Platform

Usage Documentation

Setting up for development

Session Management

Clients

Releasing

About

Topics

Resources

License

Stars

Watchers

Forks

Languages