oidc: support app addon oidc configs as normal clients

2023-04-14 21:18:44 +02:00
parent 5688b51abc
commit da38d8a045
3 changed files with 28 additions and 10 deletions
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -14,6 +14,7 @@ exports = module.exports = {
 };

 const assert = require('assert'),
+    apps = require('./apps.js'),
    BoxError = require('./boxerror.js'),
    blobs = require('./blobs.js'),
    constants = require('./constants.js'),
@@ -30,6 +31,7 @@ const assert = require('assert'),
    jose = require('jose'),
    safe = require('safetydance'),
    settings = require('./settings.js'),
+    url = require('url'),
    users = require('./users.js'),
    util = require('util');

@@ -246,15 +248,29 @@ class CloudronAdapter {

            debug(`[${this.name}] find id:${id}`, client);

-            const tmp = {
-                client_id: id,
-                client_secret: client.secret,
-                application_type: 'native',  // default is web but we want more flexible redirectUris and this is only used in https://github.com/panva/node-oidc-provider/blob/03c9bc513860e68ee7be84f99bfc9dc930b224e8/lib/helpers/client_schema.js#L536
-                redirect_uris: client.loginRedirectUri.split(',').map(s => s.trim()),
-                id_token_signed_response_alg: client.tokenSignatureAlgorithm || 'RS256'
-            };
+            const tmp = {};
+            tmp.application_type = 'native';  // default is web but we want more flexible redirectUris and this is only used in https://github.com/panva/node-oidc-provider/blob/03c9bc513860e68ee7be84f99bfc9dc930b224e8/lib/helpers/client_schema.js#L53
+            tmp.client_id = id;
+            tmp.client_secret = client.secret;
+            tmp.id_token_signed_response_alg = client.tokenSignatureAlgorithm || 'RS256';

-            if (client.logoutRedirectUri) tmp.post_logout_redirect_uris = [ client.logoutRedirectUri ];
+            if (client.appId) {
+                const [error, app] = await safe(apps.get(client.appId));
+                if (error || !app) {
+                    console.error(`oidc: Unkown app for client with appId ${client.appId}`);
+                    return null;
+                }
+
+                // prefix login and logout redirect uris with app.fqdn if it is just a path without a schema
+                // native callbacks for apps have custom schema like app.immich:/
+                tmp.redirect_uris = client.loginRedirectUri.split(',').map(s => s.trim()).map(s => url.parse(s).protocol ? s : `https://${app.fqdn}${s}`);
+
+                if (client.logoutRedirectUri) tmp.post_logout_redirect_uris = [ url.parse(client.logoutRedirectUri).protocol ? client.logoutRedirectUri : `https://${app.fqdn}${client.logoutRedirectUri}` ];
+            } else {
+                tmp.redirect_uris = client.loginRedirectUri.split(',').map(s => s.trim());
+
+                if (client.logoutRedirectUri) tmp.post_logout_redirect_uris = [ client.logoutRedirectUri ];
+            }

            return tmp;
        } else {