From 03e15c6be1696e4f5a011d4039de9d7bc6870b1c Mon Sep 17 00:00:00 2001 From: mstrhakr <37352843+mstrhakr@users.noreply.github.com> Date: Wed, 31 Aug 2022 23:51:24 -0400 Subject: [PATCH] update oidc passport module Updated to official passport-openidconnect module, removed custom module. --- meshcentral.js | 2 +- webserver.js | 31 ++++++++++++++++++------------- 2 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/meshcentral.js b/meshcentral.js
index aa43646b..7f2a1d0d 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -3885,7 +3885,7 @@ function mainStart() {
 if ((typeof config.domains[i].authstrategies.github == 'object') && (typeof config.domains[i].authstrategies.github.clientid == 'string') && (typeof config.domains[i].authstrategies.github.clientsecret == 'string') && (passport.indexOf('passport-github2') == -1)) { passport.push('passport-github2'); }
 if ((typeof config.domains[i].authstrategies.reddit == 'object') && (typeof config.domains[i].authstrategies.reddit.clientid == 'string') && (typeof config.domains[i].authstrategies.reddit.clientsecret == 'string') && (passport.indexOf('passport-reddit') == -1)) { passport.push('passport-reddit'); }
 if ((typeof config.domains[i].authstrategies.azure == 'object') && (typeof config.domains[i].authstrategies.azure.clientid == 'string') && (typeof config.domains[i].authstrategies.azure.clientsecret == 'string') && (typeof config.domains[i].authstrategies.azure.tenantid == 'string') && (passport.indexOf('passport-azure-oauth2') == -1)) { passport.push('passport-azure-oauth2'); passport.push('jwt-simple'); }
- if ((typeof config.domains[i].authstrategies.oidc == 'object') && (typeof config.domains[i].authstrategies.oidc.clientid == 'string') && (typeof config.domains[i].authstrategies.oidc.clientsecret == 'string') && (passport.indexOf('@mstrhakr/passport-generic-oidc') == -1)) { passport.push('@mstrhakr/passport-generic-oidc'); }
+ if ((typeof config.domains[i].authstrategies.oidc == 'object') && (typeof config.domains[i].authstrategies.oidc.clientid == 'string') && (typeof config.domains[i].authstrategies.oidc.clientsecret == 'string') && (passport.indexOf('passport-openidconnect') == -1)) { passport.push('passport-openidconnect'); }
 if ((typeof config.domains[i].authstrategies.saml == 'object') || (typeof config.domains[i].authstrategies.jumpcloud == 'object')) { passport.push('passport-saml'); }
 }
 if (config.domains[i].sessionrecording != null) { sessionRecording = true; }
diff --git a/webserver.js b/webserver.js
index b9e7e8d6..017cba46 100644
--- a/webserver.js
+++ b/webserver.js
@@ -6421,8 +6421,16 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 // Generic OpenID
 if ((domain.authstrategies.authStrategyFlags & domainAuthStrategyConsts.openid) != 0) {
- obj.app.get(url + 'auth-oidc', domain.passport.authenticate('openidconnect'));
- obj.app.get(url + 'oidc-callback', domain.passport.authenticate('openidconnect', { failureRedirect: '/login?failed-auth-attempt', failureFlash: true }), handleStrategyLogin);
+ obj.app.get(url + 'auth-oidc', function (req, res, next) {
+ var domain = getDomain(req);
+ if (domain.passport == null) { next(); return; }
+ domain.passport.authenticate('oidc-' + domain.id, { failureRedirect: '/', failureFlash: true })(req, res, next);
+ });
+ obj.app.get(url + 'oidc-callback', function (req, res, next) {
+ var domain = getDomain(req);
+ if (domain.passport == null) { next(); return; }
+ domain.passport.authenticate('oidc-' + domain.id, { failureRedirect: '/', failureFlash: true })(req, res, next);
+ }, handleStrategyLogin);
 }
 // Generic SAML
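Review bot: Both new handlers redirect failures to `'/'`, whereas the removed `oidc-callback` line sent the user to `'/login?failed-auth-attempt'`, so a rejected or tampered callback now lands on the front page with no failure signal; restore `{ failureRedirect: '/login?failed-auth-attempt', failureFlash: true }` on the callback route at least. The two handlers are identical apart from the route and could share one `function oidcAuth(req, res, next)` helper, and the inner `var domain` shadows the `domain` the surrounding code closes over, which is easy to misread. `getDomain(req)` is not visible here; if it can return null the `domain.passport` read on the next line throws before `next()` is reached, so `if ((domain == null) || (domain.passport == null)) { next(); return; }` is the safer guard. The enclosing CreateWebServer function starts and ends outside this hunk.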
@@ -6886,25 +6894,22 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
 // Generic OpenID Connect
 if ((typeof domain.authstrategies.oidc == 'object') && (typeof domain.authstrategies.oidc.clientid == 'string') && (typeof domain.authstrategies.oidc.clientsecret == 'string') && (typeof domain.authstrategies.oidc.issuer == 'string')) {
 var options = {
- authorizationURL: domain.authstrategies.oidc.authorizationurl,
- callbackURL: domain.authstrategies.oidc.callbackurl,
- clientID: domain.authstrategies.oidc.clientid,
- clientSecret: domain.authstrategies.oidc.clientsecret,
 issuer: domain.authstrategies.oidc.issuer,
+ authorizationURL: domain.authstrategies.oidc.authorizationurl,
 tokenURL: domain.authstrategies.oidc.tokenurl,
 userInfoURL: domain.authstrategies.oidc.userinfourl,
- scope: ['openid profile email'],
- responseMode: 'form_post',
- state: true
+ clientID: domain.authstrategies.oidc.clientid,
+ clientSecret: domain.authstrategies.oidc.clientsecret,
+ scope: ['openid profile email groups'],
 };
- const OIDCStrategy = require('@mstrhakr/passport-generic-oidc');
+ var OIDCStrategy = require('passport-openidconnect');
 if (typeof domain.authstrategies.oidc.callbackurl == 'string') { options.callbackURL = domain.authstrategies.oidc.callbackurl; } else { options.callbackURL = url + 'oidc-callback'; }
 parent.debug('web', 'Adding Generic OIDC SSO with options: ' + JSON.stringify(options));
- passport.use('openidconnect', new OIDCStrategy.Strategy(options,
- function verify(iss, sub, profile, cb) {
+ passport.use('oidc-' + domain.id, new OIDCStrategy.Strategy(options,
+ function verify(issuer, profile, verified) {
 var user = { sid: '~oidc:' + profile.id, name: profile.displayName, email: profile.email, strategy: 'oidc' };
 parent.debug('AUTH', 'OIDC: Configured user: ' + JSON.stringify(user));
- return cb(null, user);
+ return verified(null, user);
 }
 ));
 authStrategyFlags |= domainAuthStrategyConsts.openid;
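Review bot: The new `scope: ['openid profile email groups'],` line requests a `groups` scope from every provider although `verify` below only reads `profile.id`, `profile.displayName` and `profile.email`; providers that reject scopes they do not define will fail the whole login over an unused scope, so keep the old `scope: ['openid profile email'],` and let a domain opt into extra scopes. The removed `state: true` was the explicit binding of `oidc-callback` to the session that started the flow; passport-openidconnect seems to use a session-backed state store unconditionally, but that should be confirmed rather than assumed before dropping the line. `email: profile.email` deserves the same check: if the module normalizes the userinfo response into the Portable Contacts layout, the address sits under `profile.emails[0].value` and `profile.email` is undefined, leaving every OIDC user without an email. The unchanged `parent.debug('web', ...)` line still serializes the whole options object, including `clientSecret`, into the debug log; stringify a copy with the secret redacted. The enclosing CreateWebServer function starts and ends outside this hunk.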