step 7: Consent page

app.js

@@ -6,7 +6,8 @@ const
   bearerToken = require('express-bearer-token'),
   session = require('express-session'),
   sessionstore = require('sessionstore'),
-  bodyParser = require('body-parser');
+  bodyParser = require('body-parser'),
+  cookieParser = require('cookie-parser');
 
 const {
   localLogin,
@@ -15,9 +16,9 @@ const {
 
 const {
   userAuthorize,
-  loginRedirect,
   userToken,
   userInfo,
+  checkUserConsent,
 } = require('./controllers/oidcProvider');
 
 const memoryStorage = require('./services/memoryStorage');
@@ -40,6 +41,8 @@ app.use(session({
 
 app.use(express.static('public'));
 
+app.use(cookieParser());
+
 app.use(bodyParser.urlencoded({ extended: true }));
 app.use(bodyParser.json());
 
@@ -58,10 +61,9 @@ app.get('/logout', localLogout);
 
 /**** OIDC End points ****/
 app.get('/user/authorize', userAuthorize);
-app.get('/user/loginRedirect', loginRedirect);
 app.post('/user/token', userToken);
 app.get('/api/user', userInfo);
-
+app.get('/user/consent', checkUserConsent);
 /**** END OIDC End points ****/
 
 // Setting app port

controllers/localAuthController.js

@@ -8,7 +8,7 @@ const localLogin = async (req, res, next) => {
 
     // Redirect to client's loginCallback if we are in oidc context:
     if (req.session.oidc_query) {
-      return res.redirect('/user/loginRedirect');
+      return res.redirect('/user/consent');
     }
 
     return res.redirect('/');

controllers/oidcProvider.js

@@ -40,9 +40,9 @@ const userAuthorize = (req, res) => {
   // store input request parameters into session to be used after authentification
   req.session.oidc_query = req.query;
 
-  // if user is already authenticated, redirect directly to client's redirect_uri
+  // if user is already authenticated, check directly user consents
   if (req.session.user) {
-    return loginRedirect(req, res);
+    return checkUserConsent(req, res);
   }
 
   // redirect to  login form
@@ -138,6 +138,36 @@ const userToken = (req, res) => {
   }
 };
 
+const checkUserConsent = (req, res) => {
+  const { client_id, scope } = req.session.oidc_query;
+  if (hasConsent(client_id, scope, req.cookies.consent )) {
+    return loginRedirect(req, res);
+  }
+
+  return res.render('consent', {
+    user: formatUserInfo(req.session.user, scope),
+    redirect_uri: req.session.oidc_query.redirect_uri
+  });
+};
+
+const hasConsent = (client_id, scope, consent) => {
+  if (! consent) {
+    return false;
+  }
+
+  if (! consent[client_id]) {
+    return false;
+  }
+
+  for (const item of scope.split(' ')) {
+    if (! consent[client_id][item]) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
 const userInfo = (req, res) => {
   const memoryStorage = req.app.get('memoryStorage');
 
@@ -158,7 +188,7 @@ const userInfo = (req, res) => {
 
 module.exports = {
   userAuthorize,
-  loginRedirect,
   userToken,
   userInfo,
+  checkUserConsent,
 }

views/consent.ejs

@@ -0,0 +1,37 @@
+<!doctype html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport"
+          content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
+    <meta http-equiv="X-UA-Compatible" content="ie=edge">
+    <link rel="stylesheet" href="/css/bulma.min.css" />
+    <link rel="stylesheet" href="/css/bulma-tooltip.min.css" />
+    <link rel="stylesheet" href="/css/main.css" />
+    <title>OpenID Connect Client Demo</title>
+</head>
+
+<body>
+
+
+<div class="container has-text-centered">
+
+  <img src="/img/openid.png" />
+
+  <h1 class="title has-text-grey">Consent needed</h1>
+  <p>
+    Do you agree to send following attributes to <%- locals.redirect_uri %> ?
+  </p>
+  <table>
+    <% for (key of Object.keys(locals.user)) { %>
+      <tr><th><%- key %></th> <td><%- locals.user[key] %></td></tr>
+    <% } %>
+  </table>
+  <form action="/user/consent" method="post">
+    <input type="submit" name="consent" value="YES"/>
+    <input type="submit" name="consent" value="NO"/>
+  </form>
+</div>
+
+</body>
+</html>