oidc dashboard login
58
src/oidc.js
@@ -31,6 +31,7 @@ const assert = require('assert'),
|
||||
jose = require('jose'),
|
||||
safe = require('safetydance'),
|
||||
settings = require('./settings.js'),
|
||||
tokens = require('./tokens.js'),
|
||||
url = require('url'),
|
||||
users = require('./users.js'),
|
||||
util = require('util');
|
||||
@@ -74,6 +75,16 @@ async function clientsAdd(id, data) {
|
||||
async function clientsGet(id) {
|
||||
assert.strictEqual(typeof id, 'string');
|
||||
|
||||
if (id === 'dashboard') {
|
||||
return {
|
||||
id: 'dashboard',
|
||||
secret: 'notused',
|
||||
response_types: ['code', 'code token'],
|
||||
grant_types: ['authorization_code', 'implicit'],
|
||||
loginRedirectUri: settings.dashboardOrigin() + '/authcallback.html'
|
||||
};
|
||||
}
|
||||
|
||||
const result = await database.query(`SELECT ${OIDC_CLIENTS_FIELDS} FROM ${OIDC_CLIENTS_TABLE_NAME} WHERE id = ?`, [ id ]);
|
||||
if (result.length === 0) return null;
|
||||
|
||||
@@ -166,7 +177,6 @@ async function revokeByUserId(userId) {
|
||||
revokeObjects('Session');
|
||||
revokeObjects('Grant');
|
||||
revokeObjects('AuthorizationCode');
|
||||
revokeObjects('AccessToken');
|
||||
}
|
||||
|
||||
// -----------------------------
|
||||
@@ -189,7 +199,9 @@ class CloudronAdapter {
|
||||
|
||||
debug(`Creating OpenID storage adapter for ${name}`);
|
||||
|
||||
if (this.name !== 'Client') {
|
||||
if (this.name === 'Client' || this.name === 'AccessToken') {
|
||||
return;
|
||||
} else {
|
||||
load(name);
|
||||
}
|
||||
}
|
||||
@@ -209,6 +221,17 @@ class CloudronAdapter {
|
||||
async upsert(id, payload, expiresIn) {
|
||||
if (this.name === 'Client') {
|
||||
debug('upsert: this should not happen as it is stored in our db');
|
||||
} else if (this.name === 'AccessToken') {
|
||||
const clientId = payload.clientId;
|
||||
const identifier = payload.accountId;
|
||||
const expires = Date.now() + constants.DEFAULT_TOKEN_EXPIRATION_MSECS;
|
||||
const accessToken = id;
|
||||
|
||||
const [error] = await safe(tokens.add({ clientId, identifier, expires, accessToken }));
|
||||
if (error) {
|
||||
console.log('Error adding access token', error);
|
||||
throw error;
|
||||
}
|
||||
} else {
|
||||
DATA_STORE[this.name][id] = { id, expiresIn, payload, consumed: false };
|
||||
save(this.name);
|
||||
@@ -240,6 +263,9 @@ class CloudronAdapter {
|
||||
tmp.client_secret = client.secret;
|
||||
tmp.id_token_signed_response_alg = client.tokenSignatureAlgorithm || 'RS256';
|
||||
|
||||
if (client.response_types) tmp.response_types = client.response_types;
|
||||
if (client.grant_types) tmp.grant_types = client.grant_types;
|
||||
|
||||
if (client.appId) {
|
||||
const [error, app] = await safe(apps.get(client.appId));
|
||||
if (error || !app) {
|
||||
@@ -258,6 +284,20 @@ class CloudronAdapter {
|
||||
if (client.logoutRedirectUri) tmp.post_logout_redirect_uris = [ client.logoutRedirectUri ];
|
||||
}
|
||||
|
||||
return tmp;
|
||||
} else if (this.name === 'AccessToken') {
|
||||
debug('find: we dont support finding AccessTokens', id);
|
||||
const [error, result] = await safe(tokens.getByAccessToken(id));
|
||||
if (error || !result) {
|
||||
debug(`find: Unknown accessToken for id ${id}`);
|
||||
return null;
|
||||
}
|
||||
|
||||
const tmp = {
|
||||
accountId: result.identifier,
|
||||
clientId: result.clientId
|
||||
};
|
||||
|
||||
return tmp;
|
||||
} else {
|
||||
if (!DATA_STORE[this.name][id]) return null;
|
||||
@@ -292,7 +332,7 @@ class CloudronAdapter {
|
||||
*
|
||||
*/
|
||||
async findByUid(uid) {
|
||||
if (this.name === 'Client') {
|
||||
if (this.name === 'Client' || this.name === 'AccessToken') {
|
||||
debug('findByUid: this should not happen as it is stored in our db');
|
||||
} else {
|
||||
for (let d in DATA_STORE[this.name]) {
|
||||
@@ -315,7 +355,7 @@ class CloudronAdapter {
|
||||
*
|
||||
*/
|
||||
async consume(id) {
|
||||
if (this.name === 'Client') {
|
||||
if (this.name === 'Client' || this.name === 'AccessToken') {
|
||||
debug('consume: this should not happen as it is stored in our db');
|
||||
} else {
|
||||
if (DATA_STORE[this.name][id]) DATA_STORE[this.name][id].consumed = true;
|
||||
@@ -334,7 +374,7 @@ class CloudronAdapter {
|
||||
*
|
||||
*/
|
||||
async destroy(id) {
|
||||
if (this.name === 'Client') {
|
||||
if (this.name === 'Client' || this.name === 'AccessToken') {
|
||||
debug('destroy: this should not happen as it is stored in our db');
|
||||
} else {
|
||||
delete DATA_STORE[this.name][id];
|
||||
@@ -353,7 +393,7 @@ class CloudronAdapter {
|
||||
*
|
||||
*/
|
||||
async revokeByGrantId(grantId) {
|
||||
if (this.name === 'Client') {
|
||||
if (this.name === 'Client' || this.name === 'AccessToken') {
|
||||
debug('revokeByGrantId: this should not happen as it is stored in our db');
|
||||
} else {
|
||||
for (let d in DATA_STORE[this.name]) {
|
||||
@@ -685,6 +725,12 @@ async function start() {
|
||||
postLogoutSuccessSource
|
||||
},
|
||||
},
|
||||
responseTypes: [
|
||||
'code',
|
||||
'id_token', 'id_token token',
|
||||
'code id_token', 'code token', 'code id_token token',
|
||||
'none',
|
||||
],
|
||||
// if a client only has one redirect uri specified, the client does not have to provide it in the request
|
||||
allowOmittingSingleRegisteredRedirectUri: true,
|
||||
clients: [],
|
||||
|
||||
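Review bot: The AccessToken branch of `upsert` (hunk `@@ -209,6 +221,17 @@`) ignores the `expiresIn` argument and stores `Date.now() + constants.DEFAULT_TOKEN_EXPIRATION_MSECS`, so the lifetime recorded in the tokens table can diverge from the expiry the provider reports to the client; `const expires = Date.now() + (typeof expiresIn === 'number' ? expiresIn * 1000 : constants.DEFAULT_TOKEN_EXPIRATION_MSECS);` would honour it (the adapter contract passes `expiresIn` in seconds — confirm against the provider version in use). In the matching `find` branch (hunk `@@ -258,6 +284,20 @@`) the debug message `'find: we dont support finding AccessTokens'` is now stale, and the returned object carries only `accountId` and `clientId`, so any provider-side check of expiry or scope on the looked-up token will see `undefined`; either map those fields from `result` or document that the lookup only resolves owner and client. `clientsGet` hands the dashboard a hard-coded `secret: 'notused'` that `find` then copies into `tmp.client_secret`, which registers the dashboard as a confidential client whose secret is public knowledge; since the new `'code token'` response type and `'implicit'` grant already return tokens in the fragment, registering it as a public client (`token_endpoint_auth_method: 'none'`) using the authorization-code flow with PKCE would be the safer shape, in line with the OAuth 2.0 Security BCP's guidance against implicit/hybrid token-in-fragment flows. The error path in `upsert` also logs with `console.log` where the rest of the adapter uses `debug`. The `CloudronAdapter` class and the `upsert` and `find` methods continue outside the hunks shown.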