oidcserver: fix login events not being raised for webadmin

We should remove the implicit flow at some point. See also #844.
This commit is contained in:
Girish Ramakrishnan
2025-07-10 13:06:13 +02:00
parent 4db5855b74
commit 820aeee659
2 changed files with 12 additions and 18 deletions


@@ -39,12 +39,15 @@ const assert = require('assert'),
groups = require('./groups.js'),
util = require('util');
// Index.vue starts the OIDC flow by navigating to /openid/auth. OIDC logic redirects to login.html // which is rendered by
// renderInteractionPage() with the submitUrl /interaction/:uid/login
// When submitted, it invokes interactionLogin() and validates user creds. At this point,// a grant is created by loadExistingGrant.
// For webadmin, we issue a grant with scopes and this skips // the confirmation flow. For apps (for no specific reason), we continue
// with confirmation flow which is rendered by renderInteractionPage() . The consent page renders oidc_interaction_confirm.html
// which immediately auto submits without user interaction. The page calls interactionConfirm() which finishes it via interactionFinished().
// 1. Index.vue starts the OIDC flow by navigating to /openid/auth. Webadmin sets callback url to authcallback.html + implicit flow
// 2. oidcserver starts an interaction and redirects to login.html
// 3. login.html is rendered by renderInteractionPage() with the form submit url /interaction/:uid/login
// 4. When form is submitted, it invokes interactionLogin(). This validates user creds
// 5. We enter the scopes confirmation flow which is oidc_interaction_confirm.html rendered by renderInteractionPage()
// 6. We have no concept of confirmation. The page auto-submits the form immediately without user interaction
// 7. oidcserver calls interactionConfirm() which finishes it via interactionFinished().
// FIXME: webadmin's implicit flow (response_type=code token) results in authcallback.html being called with access_token query param. We should remove this
const ROUTE_PREFIX = '/openid';
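Review bot: The rewritten step list never says where the login event is raised, although making webadmin pass through the confirmation steps so that event fires is the whole reason for this commit; a reader of the comment alone cannot tell why webadmin no longer gets a pre-created grant. A line such as `// Note: the login event is raised on the confirmation/finish path (interactionConfirm -> interactionFinished), so webadmin must go through steps 5-7 like any other client` would record that, assuming that is indeed where the event is raised. The FIXME on the last comment line could also cite the tracking issue named in the description, `// FIXME(#844): webadmin's implicit flow ...`, so the planned removal stays linked to it. For a `code token` response type the token is normally delivered in the URL fragment rather than as a query parameter unless a response_mode overrides it, so the FIXME's "query param" wording may want checking against what authcallback.html actually receives; either way a bearer token in the callback URL is the exposure the FIXME is about.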
@@ -617,18 +620,8 @@ async function start() {
if (grantId) return await ctx.oidc.provider.Grant.find(grantId);
// create a grant with scopes to skip the consent dialog (https://github.com/panva/node-oidc-provider/discussions/1307)
if (ctx.oidc.client.clientId === oidcClients.ID_WEBADMIN || ctx.oidc.client.clientId === oidcClients.ID_DEVELOPMENT) {
const grant = new ctx.oidc.provider.Grant({
clientId: ctx.oidc.client.clientId,
accountId: ctx.oidc.session.accountId,
});
grant.addOIDCScope('openid email profile groups');
await grant.save();
return grant;
}
// if required, we can skip the consent screen altogether. See https://github.com/panva/node-oidc-provider/discussions/1307 . but then we have to raise login events here
return null;
},
// https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#issuerefreshtoken
async issueRefreshToken(ctx, client, code) {