diff --git a/webserver.js b/webserver.js index 5acfebcf..55e4aaa9 100644 --- a/webserver.js +++ b/webserver.js @@ -6241,20 +6241,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF }, handleStrategyLogin); } - - // passport-openidconnect example code -/* var OpenIDConnectStrategy = require('passport-openidconnect'); - - passport.use(new OpenIDConnectStrategy({ - issuer: 'https://server.example.com', - authorizationURL: 'https://server.example.com/authorize', - tokenURL: 'https://server.example.com/token', - userInfoURL: 'https://server.example.com/userinfo', - clientID: process.env['CLIENT_ID'], - clientSecret: process.env['CLIENT_SECRET'], - callbackURL: 'https://client.example.org/cb' - - )); */ // Generic OpenID Connect if ((typeof domain.authstrategies.oidc == 'object') && (typeof domain.authstrategies.oidc.clientid == 'string') && (typeof domain.authstrategies.oidc.clientsecret == 'string') && (typeof domain.authstrategies.oidc.issuer == 'string')) { var options = { @@ -6265,55 +6251,22 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF issuer: domain.authstrategies.oidc.issuer, tokenURL: domain.authstrategies.oidc.tokenurl, userInfoURL: domain.authstrategies.oidc.userinfourl, - scope: [ 'openid email profile' ], + scope: [ 'openid profile email' ], + responseMode: 'form_post' , state: true }; const OIDCStrategy = require('passport-openidconnect'); if (typeof domain.authstrategies.oidc.callbackurl == 'string') { options.callbackURL = domain.authstrategies.oidc.callbackurl; } else { options.callbackURL = url + 'oidc-callback'; } parent.debug('web', 'Adding Generic OIDC SSO with options: ' + JSON.stringify(options)); - passport.use('oidc-' + domain.id, new OIDCStrategy(options, - function (accessToken, refreshtoken, params, profile, done) { - var userex = null; - try { userex = require('jwt-simple').decode(params.id_token, "", true); } catch (ex) { } - parent.debug('web', 'OpenID Connect profile: ' + JSON.stringify(userex)); - var user = null; - if (userex != null) { - var user = { sid: '~oidc:' + userex.unique_name, name: userex.name, strategy: 'oidc' }; - if (typeof userex.email == 'string') { user.email = userex.email; } - } - return done(null, user); - } - )); -/* passport.use('oidc-' + domain.id, new OIDCStrategy.Strategy(options, - function (authorization_code, refresh_token, profile, cb) { - parent.debug('web', 'OIDC profile: ' + JSON.stringify(profile)); - var user = { sid: '~oidc:' + profile.id, name: profile.displayName, strategy: 'oidc' }; - if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; } + passport.use('openidconnect', new OIDCStrategy.Strategy(options, + function verify( iss, sub, profile, cb ) { + var user = { sid: '~oidc:' + profile.id, name: profile.displayName, email: profile.email, strategy: 'oidc' }; + parent.debug('AUTH', 'OIDC: Configured user: ' + JSON.stringify(user)); return cb(null, user); } - )); */ - obj.app.get(url + 'auth-oidc', function (req, res, next) { - var domain = getDomain(req); - if (domain.passport == null) { next(); return; } - domain.passport.authenticate('oidc-' + domain.id, { scope: 'openid email profile', state: obj.parent.encodeCookie({ 'p': 'azure' }, obj.parent.loginCookieEncryptionKey) })(req, res, next); - }); - obj.app.get(url + 'oidc-callback', function (req, res, next) { - var domain = getDomain(req); - if (domain.passport == null) { next(); return; } - if ((Object.keys(req.session).length == 0) && (req.query.nmr == null)) { - // This is an empty session likely due to the 302 redirection, redirect again (this is a bit of a hack). - var url = req.url; - if (url.indexOf('?') >= 0) { url += '&nmr=1'; } else { url += '?nmr=1'; } // Add this to the URL to prevent redirect loop. - res.set('Content-Type', 'text/html'); - res.end(''); - } else { - if (req.query.state != null) { - var c = obj.parent.decodeCookie(req.query.state, obj.parent.loginCookieEncryptionKey, 10); // 10 minute timeout - if ((c != null) && (c.p == 'oidc')) { domain.passport.authenticate('oidc-' + domain.id, { failureRedirect: '/' })(req, res, next); return; } - } - next(); - } - }, handleStrategyLogin); + )); + obj.app.get(url + 'auth-oidc', domain.passport.authenticate('openidconnect')); + obj.app.get(url + 'oidc-callback', domain.passport.authenticate('openidconnect', { failureRedirect: '/login?failed-auth-attempt', failureFlash: true }), handleStrategyLogin); }