import {
BindingScope,
ContextTags,
Provider,
inject,
injectable,
} from '@loopback/core';
import {repository} from '@loopback/repository';
// eslint-disable-next-line @typescript-eslint/naming-convention
import OidcProvider, {
Configuration,
FindAccount,
ResponseType,
} from 'oidc-provider';
import {FindAccountProvider} from '.';
import {OIDCServiceBindings} from '../keys';
import {AuthClientRepository, UserRepository} from '../repositories';
/**
 * Claim names released under the `openid` scope when `OIDC_CLAIMS_PROFILE`
 * is not set in the environment.
 */
const defaultClaims = ['firstName', 'lastName', 'email'];

/**
 * Active claim list: the comma-separated `OIDC_CLAIMS_PROFILE` value split
 * as-is (entries are not trimmed), or {@link defaultClaims} when unset.
 */
const configuredClaims = process.env.OIDC_CLAIMS_PROFILE;
const claimsProfile =
  configuredClaims !== undefined ? configuredClaims.split(',') : defaultClaims;

/**
 * Default lifetime (in seconds) for interactions, sessions, grants and ID
 * tokens. Kept as a string because it is substituted for raw environment
 * values before they are parsed with `parseInt`.
 */
const oneHour = '3600';
/**
 * The provider's signing key, assembled from the `OIDC_JWKS_*` environment
 * variables as a single JWK.
 *
 * `d`, `p`, `q`, `dp`, `dq` and `qi` are RSA private-key parameters, so this
 * object is secret material: hand it only to oidc-provider, never log it or
 * return it from an endpoint. An unset variable becomes an `undefined`
 * property here rather than a startup error; presumably oidc-provider reports
 * an unusable key when it is constructed — confirm.
 */
const signingKey = {
  kty: process.env.OIDC_JWKS_KTY,
  alg: process.env.OIDC_JWKS_ALG,
  use: process.env.OIDC_JWKS_USE,
  d: process.env.OIDC_JWKS_D,
  dp: process.env.OIDC_JWKS_DP,
  dq: process.env.OIDC_JWKS_DQ,
  e: process.env.OIDC_JWKS_E,
  n: process.env.OIDC_JWKS_N,
  p: process.env.OIDC_JWKS_P,
  q: process.env.OIDC_JWKS_Q,
  qi: process.env.OIDC_JWKS_QI,
  kid: process.env.OIDC_JWKS_KID,
};

/** Key set passed to oidc-provider's `jwks` option; holds the one signing key. */
export const jwks = {keys: [signingKey]};
/**
 * Key list oidc-provider uses to sign its cookies, taken from `OIDC_COOKIES`.
 *
 * NOTE(review): when the variable is unset this silently degrades to a single
 * empty string, so cookies would be signed with an empty key. Failing startup
 * when `OIDC_COOKIES` is missing would be the safer contract.
 */
const cookieSigningKey = process.env.OIDC_COOKIES ?? '';
const cookies = {keys: [cookieSigningKey]};
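/**
 * Builds the application's `oidc-provider` instance.
 *
 * Bound as a singleton under `OIDCServiceBindings.OIDC_PROVIDER`, so
 * {@link OidcProviderProvider.value} runs once and its result is shared.
 */
@injectable({
  scope: BindingScope.SINGLETON,
  tags: {[ContextTags.KEY]: OIDCServiceBindings.OIDC_PROVIDER},
})
export class OidcProviderProvider implements Provider<OidcProvider> {
  constructor(
    // Source of the registered OIDC clients (see `value`).
    @inject(`repositories.AuthClientRepository`)
    private authClientRepository: AuthClientRepository,
    // Supplies oidc-provider's `findAccount` hook.
    @inject(OIDCServiceBindings.FIND_ACCOUNT_PROVIDER)
    private findAccountProvider: FindAccountProvider,
    // Not referenced in this file; kept as part of the constructor contract.
    @repository(UserRepository)
    protected readonly userRepository: UserRepository,
  ) {}

  /**
   * Reads a lifetime in seconds from the environment variable `name`.
   *
   * Falls back to one hour when the variable is unset or does not hold a
   * positive integer, so a mistyped value cannot reach oidc-provider as a
   * `NaN` or negative TTL.
   *
   * @param name - environment variable holding the lifetime in seconds
   * @returns the configured lifetime, or 3600 when it is unusable
   */
  private static ttlFromEnv(name: string): number {
    const raw = process.env[name] ?? oneHour;
    const seconds = Number.parseInt(raw, 10);
    return Number.isInteger(seconds) && seconds > 0
      ? seconds
      : Number.parseInt(oneHour, 10);
  }

  /**
   * Loads every registered auth client and assembles the provider
   * configuration around it.
   *
   * @returns a configured `OidcProvider` whose issuer is `OIDC_ISSUER_URL`,
   *   falling back to `http://localhost:3000`
   */
  async value(): Promise<OidcProvider> {
    const allClients = await this.authClientRepository.find();

    // Per-client fallbacks, used only when the stored record leaves the field
    // empty. Hoisted out of the map since they never vary between clients.
    const defaultGrantTypes = ['authorization_code', 'implicit'];
    const defaultResponseTypes: ResponseType[] = ['code', 'id_token'];
    // NOTE(review): this default points at a third-party debugging site, so a
    // client record with no redirectUrl is allowed to send authorization
    // responses off-site. Outside development, prefer rejecting such clients
    // (or a same-origin default) instead of falling back to this value.
    const defaultRedirectUris = ['https://oidcdebugger.com/debug'];

    /* eslint-disable @typescript-eslint/naming-convention */
    const config: Configuration = {
      clients: allClients.map(client => ({
        client_id: client.clientId,
        client_secret: client.clientSecret,
        grant_types: client.grantTypes ?? defaultGrantTypes,
        // The cast assumes the repository only stores response types that
        // oidc-provider accepts — not checked here.
        response_types:
          client.responseTypes?.map(type => type as ResponseType) ??
          defaultResponseTypes,
        // Stored as one comma-separated string; split without trimming.
        redirect_uris: client.redirectUrl?.split(',') ?? defaultRedirectUris,
      })),
      pkce: {
        methods: ['S256'],
        // NOTE(review): this makes PKCE optional for every client, public
        // ones included, which removes the code-interception protection PKCE
        // provides. Requiring it at least for public clients is the safer
        // setting.
        required: () => false,
      },
      features: {
        // The built-in development interaction pages are switched off, so an
        // application-provided interaction flow is expected to exist elsewhere.
        devInteractions: {enabled: false}, // defaults to true
      },
      claims: {
        openid: claimsProfile,
      },
      jwks: jwks,
      cookies: cookies,
      // sonarignore:start
      // Each lifetime comes from its own environment variable, in seconds.
      ttl: {
        Interaction: () =>
          OidcProviderProvider.ttlFromEnv('OIDC_INTERACTION_TIME'),
        Session: () => OidcProviderProvider.ttlFromEnv('OIDC_SESSION_TIME'),
        Grant: () => OidcProviderProvider.ttlFromEnv('OIDC_GRANT_TIME'),
        IdToken: () => OidcProviderProvider.ttlFromEnv('OIDC_ID_TOKEN_TIME'),
      },
      // NOTE(review): the double cast hides whatever mismatch exists between
      // FindAccountProvider and oidc-provider's FindAccount type; declaring
      // the provider against FindAccount would let the compiler check it.
      findAccount: this.findAccountProvider as unknown as FindAccount,
      // sonarignore:end
    };

    return new OidcProvider(
      process.env.OIDC_ISSUER_URL ?? 'http://localhost:3000',
      config,
    );
  }
}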