Support nonce and acr with OIDC + Tests

[fflorent]

Context

• Some Identity provider don't support PKCE and instead impose Nonce;
• They also may impose passing some ACR values;
• And require to pass the state and the idToken in the logout

Proposed solution

• Introduce the GRIST_OIDC_IDP_ENABLED_PROTECTIONS variable who can contain comma-separated values with either: STATE, NONCE and PKCE, and defaults to STATE,PKCE;
• Introduce the GRIST_OIDC_IDP_ACR_VALUES variable with space separated values;
• Once logged in (after the callback), store the state and the idToken for the logout, and clear any other values;
• Introduce unit tests with mocks;
• Also redirect to the error page when something went wrong while signing in;

[fflorent]

Opening the PR for checking whether the tests work in the CI

[fflorent]

@SleepyLeslie I sent you in private everything you need to try my PR using Agent Connect. Please keep me informed otherwise.

[SleepyLeslie]

Thanks @fflorent for the updates and Agent Connect info. I'm waiting for an approval to sign up for Agent Connect. I'll get back to you as soon as I finish testing. Otherwise this looks good to me now, and should be able to get merged soon!

[fflorent]

@SleepyLeslie Hmm, I have given the env variables to use, but using your own email won't work.
There are credentials to use and some simple questions to answer, but asked in French.

I suggest we take some time to take a look at that together if you want to, that will be probably simpler and faster. It may take 10 / 15 minutes in case testing is just what you need, or more if you have questions regarding my developments.

I send you an email to see what slot we could find.

[SleepyLeslie]

@fflorent Thanks for working with me on testing. I ran your PR successfully against Agent Connect locally. Found a small issue when running with my Authentik server and left a comment. Otherwise this PR looks good to me.

Please disregard my previous comment (deleted). I messed up. Everything seems in good shape now.

[SleepyLeslie]

During my test against my own Authentik server, excluding STATE from GRIST_OIDC_IDP_ENABLED_PROTECTIONS caused login to fail. This was because Authentik sent an empty state while Grist expected it to not exist at all. Could you handle this and similar situations? I could imagine stripping empty fields from params before calling this._client.callback.

[fflorent]

Thanks for your feedback! I'll take a look at this next week (I am not working for the ANCT today).

The last time I took a look at Authentik, I failed to setup an instance (at least, it seemed to me it's not that easy). I'll take a look and see if a free account on their SAAS offer would be enough.

[dsagal]

This is great! Adds a lot of features to OIDC support, and it's great to see a comprehensive test! Sorry for having lots of comments -- but most are superficial. Overall it looks very solid, thank you!

[dsagal]

This allows GRIST_OIDC_IDP_EXTRA_CLIENT_METADATA to override the values set earlier. Is that intentional? If so, maybe that's worth mentioning in the description of that variable?

[dsagal]

Total nitpick, but after being a heavy lodash user myself, I've since found that it makes things a bit harder to understand (e.g. I'd have to refer to docs often), and native JS is more readable and almost as concise. E.g. I think this would be equivalent:

const showValueInClear = ['token_type', 'expires_in', 'expires_at', 'scope'];
const result = {};
for (const [key, value] of Object.entries(token)) {
  if (typeof value !== 'function') {
    result[key] = showValueInClear.includes(key) ? value : 'REDACTED';
  }
}
return result;

[dsagal]

We have a handy StringUnion class in app/common/StringUnion, which is great for things like this. More convenient than an enum, I think. It does typings, and has a method checkAll to check a list of values easily.

[dsagal]

I am confused by the purpose of this default message. When would you want to omit the second argument?

[dsagal]

If I recall correctly, the default won't come into play if the variable is set but is an empty string. I think it's easy to handle that case with JSON.parse(section.flag(...).readString(....) || "{}")?

[dsagal]

I see SERVER_NODE_OPTIONS here and NODE_SERVER_OPTIONS in develop.md documentation.

[dsagal]

Could you add a brief explanation of the oidc state (currently only codeVerifier is explained). E.g. I know, after reading the code, that some of state, codeVerifier, and nonce (depending on GRIST_OIDC_IDP_ENABLED_PROTECTIONS) will be set as protections during OIDC authentication, and it would be a helpful reminder to anyone else reading this code.

[dsagal]

I have no problem with this code, but would just like to share an idea. Each protection implements the same interface, so you could organize the code so that the configuration is translated to an array of checks that you can then scan through without re-checking the configuration each time. Something like this:

for (const protection of enabledProtections) {
  this._protections.push(Protections[protection])
}
const Protections: {[key: EnabledProtection]: ...} = {
  NONCE: {
    setProtection(sessionInfo, urlParams) {
     sessionInfo.nonce = urlParams.nonce = generator.nonce();
    },
    checkProtection(sessionInfo, checks) {
      if (!sessionInfo.nonce) { throw new Error("Login is stale"); }
      checks.nonce = sessionInfo.nonce;
    }
  }, ...
}

[dsagal]

My recommendation for repetitive tests is to factor out the common part into a function, but keep tests as individual manually written blocks. E.g.

it('should reject when ...', async () => {
   await assert.isRejected(doEndSessionTest({end_session_endpoint: undefined}),
     /...please set.../)
});

It's not too important (so ok not to refactor if you prefer to keep as is), but my reason for suggesting this is past experience when a bug crept into some logic that generated test cases, and then no one noticed for a while that some tests weren't running at all.

[dsagal]

This is the case that worries me. Do we not want this to default to the recommended options in this case? Maybe if we need to support "no checks" mode, we should require the user to set this variable to "UNPROTECTED", so they can't miss the danger?

[fflorent]

@dsagal Thanks a lot for your thorough review! I'll take a look next week (working for another client than the French administration today)