cloudron-box/src/oidcserver.js

'use strict';

exports = module.exports = {
    start,
    stop,
    revokeByUsername,
    consumeAuthCode,

    cleanupExpired,
};

const assert = require('node:assert'),
    apps = require('./apps.js'),
    AuditSource = require('./auditsource.js'),
    BoxError = require('./boxerror.js'),
    blobs = require('./blobs.js'),
    branding = require('./branding.js'),
    constants = require('./constants.js'),
    crypto = require('node:crypto'),
    dashboard = require('./dashboard.js'),
    debug = require('debug')('box:oidcserver'),
    dns = require('./dns.js'),
    ejs = require('ejs'),
    express = require('express'),
    eventlog = require('./eventlog.js'),
    fs = require('node:fs'),
    marked = require('marked'),
    middleware = require('./middleware'),
    oidcClients = require('./oidcclients.js'),
    path = require('node:path'),
    paths = require('./paths.js'),
    http = require('node:http'),
    HttpError = require('@cloudron/connect-lastmile').HttpError,
    jose = require('jose'),
    safe = require('safetydance'),
    settings = require('./settings.js'),
    tokens = require('./tokens.js'),
    url = require('node:url'),
    users = require('./users.js'),
    groups = require('./groups.js'),
    util = require('node:util');

// 1. Index.vue starts the OIDC flow by navigating to /openid/auth. Webadmin sets callback url to authcallback.html + implicit flow
// 2. oidcserver starts an interaction and redirects to oidc_login.html
// 3. oidc_login.html is rendered by renderInteractionPage() with the form submit url /interaction/:uid/login
// 4. When form is submitted, it invokes interactionLogin(). This validates user creds
// 5. We enter the scopes confirmation flow which is oidc_interaction_confirm.html rendered by renderInteractionPage()
// 6. We have no concept of confirmation. The page auto-submits the form immediately without user interaction
// 7. oidcserver calls interactionConfirm() which finishes it via interactionFinished().

// FIXME: webadmin's implicit flow (response_type=code token) results in authcallback.html being called with access_token query param. We should remove this

const ROUTE_PREFIX = '/openid';

let gHttpServer = null, gOidcProvider = null;

// Client data store is part of the database, so it's not saved in files
// https://github.com/panva/node-oidc-provider/blob/183dc4f4b1ec1a53c5254d809091737a95c31f14/example/my_adapter.js
class StorageAdapter {
    static #database = {}; // indexed by name. The format of entry is { id, expiresAt, payload, consumed }

    static async getData(name) {
        if (name === 'Client') throw new Error(`${name} is a database model`);

        if (StorageAdapter.#database[name]) return StorageAdapter.#database[name];

        StorageAdapter.#database[name] = {}; // init with empty table

        const filePath = path.join(paths.OIDC_STORE_DIR, `${name}.json`);
        const [error, data] = await safe(fs.promises.readFile(filePath, 'utf8'));
        if (!error) StorageAdapter.#database[name] = safe.JSON.parse(data) || {}; // reset table if file corrupt

        return StorageAdapter.#database[name];
    }

    static async saveData(name) {
        if (name === 'Client') throw new Error(`${name} is a database model`);

        const filePath = path.join(paths.OIDC_STORE_DIR, `${name}.json`);
        await fs.promises.writeFile(filePath, JSON.stringify(StorageAdapter.#database[name], null, 2), 'utf8');
    }

    static async updateData(name, action) {
        const data = await StorageAdapter.getData(name);
        await action(data);
        await StorageAdapter.saveData(name);
    }

    constructor(name) {
        debug(`Creating OpenID storage adapter for ${name}`);
        this.name = name;
    }

    async upsert(id, payload, expiresIn) {
        debug(`[${this.name}] upsert: ${id}`);

        const expiresAt = expiresIn ? new Date(Date.now() + (expiresIn * 1000)) : 0;

        // only AccessToken of webadmin are stored in the db. Dashboard uses REST API and the token middleware looks up tokens in db
        if (this.name === 'AccessToken' && (payload.clientId === oidcClients.ID_WEBADMIN || payload.clientId === oidcClients.ID_DEVELOPMENT)) {
            const expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION_MSECS;

            // oidc uses the username as accountId but accesstoken identifiers are userIds
            const user = await users.getByUsername(payload.accountId);
            if (!user) throw new Error(`user for username ${payload.accountId} not found`);

            const [error] = await safe(tokens.add({ clientId: payload.clientId, identifier: user.id, expires, accessToken: id, allowedIpRanges: '' }));
            if (error) {
                debug('Error adding access token', error);
                throw error;
            }
        } else {
            await StorageAdapter.updateData(this.name, (data) => data[id] = { id, expiresAt, payload, consumed: false });
        }
    }

    async find(id) {
        debug(`[${this.name}] find: ${id}`);

        if (this.name === 'Client') {
            const [error, client] = await safe(oidcClients.get(id));
            if (error || !client) {
                debug('find: error getting client', error);
                return null;
            }

            const tmp = {};
            tmp.application_type = client.application_type || 'native';  // default is web but we want more flexible redirectUris and this is only used in https://github.com/panva/node-oidc-provider/blob/03c9bc513860e68ee7be84f99bfc9dc930b224e8/lib/helpers/client_schema.js#L536
            tmp.client_id = id;
            tmp.client_secret = client.secret;
            tmp.id_token_signed_response_alg = client.tokenSignatureAlgorithm || 'RS256';

            if (client.response_types) tmp.response_types = client.response_types;
            if (client.grant_types) tmp.grant_types = client.grant_types;

            if (client.appId) {
                const [error, app] = await safe(apps.get(client.appId));
                if (error || !app) {
                    debug(`find: Unknown app for client with appId ${client.appId}`);
                    return null;
                }

                const domains = [ app.fqdn ].concat(app.aliasDomains.map(d => d.fqdn));

                // prefix login redirect uris with app.fqdn if it is just a path without a schema
                // native callbacks for apps have custom schema like app.immich:/
                tmp.redirect_uris = [];
                client.loginRedirectUri.split(',').map(s => s.trim()).forEach((s) => {
                    if (url.parse(s).protocol) tmp.redirect_uris.push(s);
                    else tmp.redirect_uris = tmp.redirect_uris.concat(domains.map(fqdn => `https://${fqdn}${s}`));
                });
            } else {
                tmp.redirect_uris = client.loginRedirectUri.split(',').map(s => s.trim());
            }

            return tmp;
        } else if (this.name === 'AccessToken') {
            // dashboard AccessToken are in the db. the app tokens are in the json files
            const [error, result] = await safe(tokens.getByAccessToken(id));
            if (!error && result) {
                // translate from userId in the token to username for oidc
                const user = await users.get(result.identifier);
                if (user) {
                    return {
                        accountId: user.username,
                        clientId: result.clientId
                    };
                }
            }
        } else if (this.name === 'Session') {
            const data = await StorageAdapter.getData(this.name);
            const session = data[id];
            if (!session) return null;

            if (session.payload.accountId) {
                // check if the session user still exists and is active
                const user = await users.getByUsername(session.payload.accountId);
                if (!user || !user.active) return null;
            }

            return session.payload;
        }

        const data = await StorageAdapter.getData(this.name);
        if (!data[id]) return null;
        return data[id].payload;
    }

    async findByUserCode(userCode) {
        debug(`[${this.name}] FIXME findByUserCode userCode:${userCode}`);
    }

    // this is called only on Session store. there is a payload.uid
    async findByUid(uid) {
        debug(`[${this.name}] findByUid: ${uid}`);

        const data = await StorageAdapter.getData(this.name);
        for (const d in data) {
            if (data[d].payload.uid === uid) return data[d].payload;
        }

        return null;
    }

    async consume(id) {
        debug(`[${this.name}] consume: ${id}`);

        await StorageAdapter.updateData(this.name, (data) => data[id].consumed = true);
    }

    async destroy(id) {
        debug(`[${this.name}] destroy: ${id}`);

        await StorageAdapter.updateData(this.name, (data) => delete data[id]);
    }

    async revokeByGrantId(grantId) {
        debug(`[${this.name}] revokeByGrantId: ${grantId}`);

        await StorageAdapter.updateData(this.name, (data) => {
            for (const d in data) {
                if (data[d].grantId === grantId) {
                    delete data[d];
                    return;
                }
            }
        });
    }
}

// Session, Grant and Token management. This is based on the same storage as the below CloudronAdapter
async function revokeByUsername(username) {
    assert.strictEqual(typeof username, 'string');

    const types = [ 'Session', 'Grant', 'AuthorizationCode', 'AccessToken' ];
    for (const type of types) {
        await StorageAdapter.updateData(type, (data) => {
            for (const id in data) {
                if (data[id].payload?.accountId === username) delete data[id];
            }
        });
    }
}

// used by proxyauth logic to authenticate using a one time code
async function consumeAuthCode(authCode) {
    assert.strictEqual(typeof authCode, 'string');

    let username = null;
    await StorageAdapter.updateData('AuthorizationCode', (data) => {
        const authData = data[authCode];
        if (authData) {
            username = authData.payload.accountId;
            authData.consumed = true;
        }
    });

    return username;
}

// This exposed to run on a cron job
async function cleanupExpired() {
    debug('cleanupExpired');

    const types = [ 'AuthorizationCode', 'AccessToken', 'Grant', 'Interaction', 'RefreshToken', 'Session' ];
    for (const type of types) {
        await StorageAdapter.updateData(type, (data) => {
            for (const key in data) {
                if (!data[key].expiresAt || data[key].expiresAt < Date.now()) delete data[key];
            }
        });
    }
}

const TEMPLATE_LOGIN = fs.readFileSync(path.join(paths.DASHBOARD_DIR, 'oidc_login.html'), 'utf-8');
const TEMPLATE_INTERACTION_CONFIRM = fs.readFileSync(path.join(paths.DASHBOARD_DIR, 'oidc_interaction_confirm.html'), 'utf8');
const TEMPLATE_INTERACTION_ABORT = fs.readFileSync(path.join(paths.DASHBOARD_DIR, 'oidc_interaction_abort.html'), 'utf8');
const TEMPLATE_ERROR = fs.readFileSync(path.join(paths.DASHBOARD_DIR, 'oidc_error.html'), 'utf8');

async function renderError(error) {
    const data = {
        iconUrl: '/api/v1/cloudron/avatar',
        name: 'Cloudron',
        errorMessage: error.error_description || error.error_detail || error.message || 'Internal error',
        footer: marked.parse(await branding.renderFooter()),
        language: await settings.get(settings.LANGUAGE_KEY),
    };

    debug('renderError: %o', error);

    return ejs.render(TEMPLATE_ERROR, data);
}

async function renderInteractionPage(req, res) {
    const [detailsError, details] = await safe(gOidcProvider.interactionDetails(req, res));
    if (detailsError) return res.send(await renderError(new Error('Invalid session')));

    const { uid, prompt, params, session } = details;

    const client = await oidcClients.get(params.client_id);
    if (!client) return res.send(await renderError(new Error('Client not found')));

    const app = client.appId ? await apps.get(client.appId) : null;
    if (client.appId && !app) return res.send(await renderError(new Error('App not found')));

    res.set('Content-Type', 'text/html');

    if (prompt.name === 'login') {
        const data = {
            submitUrl: `${ROUTE_PREFIX}/interaction/${uid}/login`,
            iconUrl: '/api/v1/cloudron/avatar',
            name: client.name || await branding.getCloudronName(),
            footer: marked.parse(await branding.renderFooter()),
            note: constants.DEMO ? `This is a demo. Username and password is "${constants.DEMO_USERNAME}"` : '',
            language: await settings.get(settings.LANGUAGE_KEY),
        };

        if (app) {
            data.name = app.label || app.subdomain || app.fqdn;
            data.iconUrl = app.iconUrl;
        }

        return res.send(ejs.render(TEMPLATE_LOGIN, data));
    } else if (prompt.name === 'consent') {
        let hasAccess = false;

        const data = {
            iconUrl: '/api/v1/cloudron/avatar',
            name: client.name || '',
            footer: marked.parse(await branding.renderFooter()),
            language: await settings.get(settings.LANGUAGE_KEY),
        };

        // check if user has access to the app if client refers to an app
        if (app) {
            const user = await users.getByUsername(session.accountId);

            data.name = app.label || app.fqdn;
            data.iconUrl = app.iconUrl;
            hasAccess = apps.canAccess(app, user);
        } else {
            hasAccess = true;
        }

        data.submitUrl = `${ROUTE_PREFIX}/interaction/${uid}/${hasAccess ? 'confirm' : 'abort'}`;

        return res.send(ejs.render(hasAccess ? TEMPLATE_INTERACTION_CONFIRM : TEMPLATE_INTERACTION_ABORT, data));
    }
}

async function interactionLogin(req, res, next) {
    const [detailsError, details] = await safe(gOidcProvider.interactionDetails(req, res));
    if (detailsError) return next(new HttpError(detailsError.statusCode, detailsError.error_description));

    const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || null;
    const clientId = details.params.client_id;

    debug(`interactionLogin: for OpenID client ${clientId} from ${ip}`);

    if (req.body.autoLoginToken) { // auto login for first admin/owner
        if (typeof req.body.autoLoginToken !== 'string') return next(new HttpError(400, 'autoLoginToken must be string if provided'));

        const token = await tokens.getByAccessToken(req.body.autoLoginToken);
        if (!token) return next(new HttpError(401, 'No such token'));

        const user = await users.get(token.identifier);
        if (!user) return next(new HttpError(401,'User not found'));

        const result = {
            login: {
                accountId: user.username,
            },
        };

        const [interactionFinishError, redirectTo] = await safe(gOidcProvider.interactionResult(req, res, result));
        if (interactionFinishError) return next(new HttpError(500, interactionFinishError));

        await tokens.delByAccessToken(req.body.autoLoginToken); // clear token as it is one-time use

        return res.status(200).send({ redirectTo });
    }

    if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));
    if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));
    if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));

    const { username, password, totpToken } = req.body;

    const verifyFunc = username.indexOf('@') === -1 ? users.verifyWithUsername : users.verifyWithEmail;

    const [verifyError, user] = await safe(verifyFunc(username, password, users.AP_WEBADMIN, { totpToken, skipTotpCheck: false }));
    if (verifyError && verifyError.reason === BoxError.INVALID_CREDENTIALS) return next(new HttpError(401, verifyError.message));
    if (verifyError && verifyError.reason === BoxError.NOT_FOUND) return next(new HttpError(401, 'Username and password does not match'));
    if (verifyError) return next(new HttpError(500, verifyError));
    if (!user) return next(new HttpError(401, 'Username and password does not match'));

    // this is saved as part of interaction.lastSubmission
    const result = {
        login: {
            accountId: user.username,
        },
        ghost: !!user.ghost
    };

    const [interactionFinishError, redirectTo] = await safe(gOidcProvider.interactionResult(req, res, result));
    if (interactionFinishError) return next(new HttpError(500, interactionFinishError));

    res.status(200).send({ redirectTo });
}

async function interactionConfirm(req, res, next) {
    const [detailsError, interactionDetails] = await safe(gOidcProvider.interactionDetails(req, res));
    if (detailsError) return next(new HttpError(detailsError.statusCode, detailsError.error_description));
    const { grantId, uid, prompt: { name, details }, params, session: { accountId }, lastSubmission } = interactionDetails;

    debug(`route interaction confirm post uid:${uid} prompt.name:${name} accountId:${accountId}`);

    const client = await oidcClients.get(params.client_id);
    if (!client) return next(new Error('Client not found'));

    const user = await users.getByUsername(accountId);
    if (!user) return next(new Error('User not found'));
    user.ghost = !!lastSubmission?.ghost; // restore ghost flag. lastSubmission can be empty if login interaction was skipped (already logged in)

    // Check if user has access to the app if client refers to an app
    if (client.appId) {
        const app = await apps.get(client.appId);
        if (!app) return next(new Error('App not found'));

        if (!apps.canAccess(app, user)) {
            const result = {
                error: 'access_denied',
                error_description: 'User has no access to this app',
            };

            return await gOidcProvider.interactionFinished(req, res, result, { mergeWithLastSubmission: false });
        }
    }

    let grant;
    if (grantId) {
        grant = await gOidcProvider.Grant.find(grantId);
    } else {
        grant = new gOidcProvider.Grant({
            accountId,
            clientId: params.client_id,
        });
    }

    // just confirm everything
    if (details.missingOIDCScope) grant.addOIDCScope(details.missingOIDCScope.join(' '));
    if (details.missingOIDCClaims) grant.addOIDCClaims(details.missingOIDCClaims);

    if (details.missingResourceScopes) {
        for (const [indicator, scopes] of Object.entries(details.missingResourceScopes)) {
            grant.addResourceScope(indicator, scopes.join(' '));
        }
    }

    const savedGrantId = await grant.save();

    const consent = {};
    if (!interactionDetails.grantId) consent.grantId = savedGrantId;

    // create login event
    const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || null;
    const userAgent = req.headers['user-agent'] || '';
    const auditSource = AuditSource.fromOidcRequest(req);

    await eventlog.add(user.ghost ? eventlog.ACTION_USER_LOGIN_GHOST : eventlog.ACTION_USER_LOGIN, auditSource, { userId: user.id, user: users.removePrivateFields(user), appId: params.client_id });
    await users.notifyLoginLocation(user, ip, userAgent, auditSource);

    const result = { consent };
    await gOidcProvider.interactionFinished(req, res, result, { mergeWithLastSubmission: true });
}

async function interactionAbort(req, res, next) {
    const result = {
        error: 'access_denied',
        error_description: 'End-User aborted interaction',
    };
    const [error] = await safe(gOidcProvider.interactionFinished(req, res, result, { mergeWithLastSubmission: false }));
    if (error) return next(error);
}

async function getClaims(username/*, use, scope*/) {
    const [error, user] = await safe(users.getByUsername(username));
    if (error) return { error: 'user not found' };

    const [groupsError, allGroups] = await safe(groups.listWithMembers());
    if (groupsError) return { error: groupsError.message };

    const displayName = user.displayName || user.username || ''; // displayName can be empty and username can be null
    const { firstName, lastName, middleName } = users.parseDisplayName(displayName);

    const { fqdn:dashboardFqdn } = await dashboard.getLocation();

    // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
    const claims = {
        sub: user.username, // it is essential to always return a sub claim
        email: user.email,
        email_verified: true,
        family_name: lastName,
        middle_name: middleName,
        given_name: firstName,
        locale: 'en-US',
        name: user.displayName,
        picture: `https://${dashboardFqdn}/api/v1/profile/avatar/${user.id}.png`, // some apps get surprised if we respond with a svg
        preferred_username: user.username,
        groups: allGroups.filter(function (g) { return g.userIds.indexOf(user.id) !== -1; }).map(function (g) { return `${g.name}`; })
    };

    return claims;
}

async function start() {
    assert(gHttpServer === null, 'OIDC server already started');
    assert(gOidcProvider === null, 'OIDC provider already started');

    const app = express();

    gHttpServer = http.createServer(app);

    const jwksKeys = [];

    let keyEdDsa = await blobs.getString(blobs.OIDC_KEY_EDDSA);
    if (!keyEdDsa) {
        debug('Generating new OIDC EdDSA key');
        const { privateKey } = await jose.generateKeyPair('EdDSA', { extractable: true });
        keyEdDsa = await jose.exportJWK(privateKey);
        await blobs.setString(blobs.OIDC_KEY_EDDSA, JSON.stringify(keyEdDsa));
        jwksKeys.push(keyEdDsa);
    } else {
        debug('Using existing OIDC EdDSA key');
        jwksKeys.push(JSON.parse(keyEdDsa));
    }

    let keyRs256 = await blobs.getString(blobs.OIDC_KEY_RS256);
    if (!keyRs256) {
        debug('Generating new OIDC RS256 key');
        const { privateKey } = await jose.generateKeyPair('RS256', { extractable: true });
        keyRs256 = await jose.exportJWK(privateKey);
        await blobs.setString(blobs.OIDC_KEY_RS256, JSON.stringify(keyRs256));
        jwksKeys.push(keyRs256);
    } else {
        debug('Using existing OIDC RS256 key');
        jwksKeys.push(JSON.parse(keyRs256));
    }

    let cookieSecret = await settings.get(settings.OIDC_COOKIE_SECRET_KEY);
    if (!cookieSecret) {
        debug('Generating new cookie secret');
        cookieSecret = crypto.randomBytes(256).toString('base64');
        await settings.set(settings.OIDC_COOKIE_SECRET_KEY, cookieSecret);
    }

    const configuration = {
        findAccount: async function (ctx, id) {
            return {
                accountId: id,
                claims: async (use, scope) => await getClaims(id, use, scope)
            };
        },
        renderError: async function (ctx, out, error) {
            ctx.type = 'html';
            ctx.body = await renderError(error);
        },
        adapter: StorageAdapter,
        interactions: {
            url: async function (ctx, interaction) {
                return `${ROUTE_PREFIX}/interaction/${interaction.uid}`;
            }
        },
        jwks: {
            keys: jwksKeys
        },
        claims: {
            email: ['email', 'email_verified'],
            profile: [ 'family_name', 'given_name', 'locale', 'name', 'preferred_username', 'picture' ],
            groups: [ 'groups' ]
        },
        features: {
            rpInitiatedLogout: { enabled: false },
            devInteractions: { enabled: false }
        },
        clientDefaults: {
            response_types: ['code', 'id_token'],
            grant_types: ['authorization_code', 'implicit', 'refresh_token']
        },
        responseTypes: [
            'code',
            'id_token', 'id_token token',
            'code id_token', 'code token', 'code id_token token',
            'none',
        ],
        // if a client only has one redirect uri specified, the client does not have to provide it in the request
        allowOmittingSingleRegisteredRedirectUri: true,
        clients: [],
        cookies: {
            keys: [ cookieSecret ]
        },
        pkce: {
            required: function pkceRequired(/*ctx, client*/) {
                return false;
            }
        },
        clientBasedCORS(ctx, origin, client) {
            // allow CORS for clients where at least the origin matches where we redirect back to
            if (client.redirectUris.find((u) => u.indexOf(origin) === 0)) return true;

            return false;
        },
        conformIdTokenClaims: false,
        loadExistingGrant: async function (ctx) {
            const grantId = ctx.oidc.result?.consent?.grantId || ctx.oidc.session.grantIdFor(ctx.oidc.client.clientId);

            if (grantId) return await ctx.oidc.provider.Grant.find(grantId);

            // if required, we can skip the consent screen altogether. See https://github.com/panva/node-oidc-provider/discussions/1307 . but then we have to raise login events here
            return null;
        },
        // https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#issuerefreshtoken
        async issueRefreshToken(ctx, client, code) {
            if (!client.grantTypeAllowed('refresh_token') && !client.grantTypeAllowed('authorization_code')) {
                return false;
            }
            return code.scopes.has('offline_access') || (client.applicationType === 'native' && client.clientAuthMethod === 'client_secret_basic');
        },
        ttl: {
            // in seconds, can also be a function returning the seconds https://github.com/panva/node-oidc-provider/blob/b1c1a9318036c2d3793cc9e668f99937c5c36bc6/docs/README.md#ttl
            AccessToken: 3600, // 1 hour
            IdToken: 3600, // 1 hour
            Grant: 1209600, // 14 days
            Session: 1209600, // 14 days
            Interaction: 3600, // 1 hour
            RefreshToken: 1209600 // 14 days
        }
    };

    const { subdomain, domain } = await dashboard.getLocation();
    const fqdn = dns.fqdn(subdomain, domain);
    debug(`start: create provider for ${fqdn} at ${ROUTE_PREFIX}`);

    const Provider = (await import('oidc-provider')).default;
    gOidcProvider = new Provider(`https://${fqdn}${ROUTE_PREFIX}`, configuration);

    app.enable('trust proxy');
    gOidcProvider.proxy = true;

    const json = express.json({ strict: true, limit: '2mb' });
    function setNoCache(req, res, next) {
        res.set('cache-control', 'no-store');
        next();
    }

    app.get (`${ROUTE_PREFIX}/interaction/:uid`,          setNoCache,       renderInteractionPage);
    app.post(`${ROUTE_PREFIX}/interaction/:uid/login`,    setNoCache, json, interactionLogin);
    app.post(`${ROUTE_PREFIX}/interaction/:uid/confirm`,  setNoCache, json, interactionConfirm);
    app.get (`${ROUTE_PREFIX}/interaction/:uid/abort`,    setNoCache,       interactionAbort);

    app.use(ROUTE_PREFIX, gOidcProvider.callback());
    app.use(middleware.lastMile());

    await util.promisify(gHttpServer.listen.bind(gHttpServer))(constants.OIDC_PORT, '127.0.0.1');
}

async function stop() {
    if (!gHttpServer) return;

    await util.promisify(gHttpServer.close.bind(gHttpServer))();
    gHttpServer = null;
    gOidcProvider = null;
}