Home Explore Help
Sign In
mirrors
/
wekan
mirror of https://github.com/wekan/wekan.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: ff8a10c231
Branches Tags
wekan
/
packages
/
wekan-oidc
/
oidc_server.js

oidc_server.js 4.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 
  1. Oidc = {};
    2. 

  2. 

  3. OAuth.registerService('oidc', 2, null, function (query) {
    4. 

  4. 

  5.   var debug = process.env.DEBUG || false;
    6. 

  6.   var token = getToken(query);
    7. 

  7.   if (debug) console.log('XXX: register token:', token);
    8. 

  8. 

  9.   var accessToken = token.access_token || token.id_token;
    10. 

  10.   var expiresAt = (+new Date) + (1000 * parseInt(token.expires_in, 10));
    11. 

  11. 

  12.   var userinfo = getUserInfo(accessToken);
    13. 

  13.   if (debug) console.log('XXX: userinfo:', userinfo);
    14. 

  14. 

  15.   var serviceData = {};
    16. 

  16.   serviceData.id = userinfo[process.env.OAUTH2_ID_MAP] || userinfo[id];
    17. 

  17.   serviceData.username = userinfo[process.env.OAUTH2_USERNAME_MAP] || userinfo[uid];
    18. 

  18.   serviceData.fullname = userinfo[process.env.OAUTH2_FULLNAME_MAP] || userinfo[displayName];
    19. 

  19.   serviceData.accessToken = accessToken;
    20. 

  20.   serviceData.expiresAt = expiresAt;
    21. 

  21.   serviceData.email = userinfo[process.env.OAUTH2_EMAIL_MAP] || userinfo[email];
    22. 

  22. 

  23.   if (accessToken) {
    24. 

  24.     var tokenContent = getTokenContent(accessToken);
    25. 

  25.     var fields = _.pick(tokenContent, getConfiguration().idTokenWhitelistFields);
    26. 

  26.     _.extend(serviceData, fields);
    27. 

  27.   }
    28. 

  28. 

  29.   if (token.refresh_token)
    30. 

  30.     serviceData.refreshToken = token.refresh_token;
    31. 

  31.   if (debug) console.log('XXX: serviceData:', serviceData);
    32. 

  32. 

  33.   var profile = {};
    34. 

  34.   profile.name = userinfo[process.env.OAUTH2_FULLNAME_MAP] || userinfo[displayName];
    35. 

  35.   profile.email = userinfo[process.env.OAUTH2_EMAIL_MAP] || userinfo[email];
    36. 

  36.   if (debug) console.log('XXX: profile:', profile);
    37. 

  37. 

  38.   return {
    39. 

  39.     serviceData: serviceData,
    40. 

  40.     options: { profile: profile }
    41. 

  41.   };
    42. 

  42. });
    43. 

  43. 

  44. var userAgent = "Meteor";
    45. 

  45. if (Meteor.release) {
    46. 

  46.   userAgent += "/" + Meteor.release;
    47. 

  47. }
    48. 

  48. 

  49. var getToken = function (query) {
    50. 

  50.   var debug = process.env.DEBUG || false;
    51. 

  51.   var config = getConfiguration();
    52. 

  52.   var serverTokenEndpoint = config.serverUrl + config.tokenEndpoint;
    53. 

  53.   var response;
    54. 

  54. 

  55.   try {
    56. 

  56.     response = HTTP.post(
    57. 

  57.       serverTokenEndpoint,
    58. 

  58.       {
    59. 

  59.         headers: {
    60. 

  60.           Accept: 'application/json',
    61. 

  61.           "User-Agent": userAgent
    62. 

  62.         },
    63. 

  63.         params: {
    64. 

  64.           code: query.code,
    65. 

  65.           client_id: config.clientId,
    66. 

  66.           client_secret: OAuth.openSecret(config.secret),
    67. 

  67.           redirect_uri: OAuth._redirectUri('oidc', config),
    68. 

  68.           grant_type: 'authorization_code',
    69. 

  69.           state: query.state
    70. 

  70.         }
    71. 

  71.       }
    72. 

  72.     );
    73. 

  73.   } catch (err) {
    74. 

  74.     throw _.extend(new Error("Failed to get token from OIDC " + serverTokenEndpoint + ": " + err.message),
    75. 

  75.       { response: err.response });
    76. 

  76.   }
    77. 

  77.   if (response.data.error) {
    78. 

  78.     // if the http response was a json object with an error attribute
    79. 

  79.     throw new Error("Failed to complete handshake with OIDC " + serverTokenEndpoint + ": " + response.data.error);
    80. 

  80.   } else {
    81. 

  81.     if (debug) console.log('XXX: getToken response: ', response.data);
    82. 

  82.     return response.data;
    83. 

  83.   }
    84. 

  84. };
    85. 

  85. 

  86. var getUserInfo = function (accessToken) {
    87. 

  87.   var debug = process.env.DEBUG || false;
    88. 

  88.   var config = getConfiguration();
    89. 

  89.   // Some userinfo endpoints use a different base URL than the authorization or token endpoints.
    90. 

  90.   // This logic allows the end user to override the setting by providing the full URL to userinfo in their config.
    91. 

  91.   if (config.userinfoEndpoint.includes("https://")) {
    92. 

  92.     var serverUserinfoEndpoint = config.userinfoEndpoint;
    93. 

  93.   } else {
    94. 

  94.     var serverUserinfoEndpoint = config.serverUrl + config.userinfoEndpoint;
    95. 

  95.   }
    96. 

  96.   var response;
    97. 

  97.   try {
    98. 

  98.     response = HTTP.get(
    99. 

  99.       serverUserinfoEndpoint,
    100. 

  100.       {
    101. 

  101.         headers: {
    102. 

  102.           "User-Agent": userAgent,
    103. 

  103.           "Authorization": "Bearer " + accessToken
    104. 

  104.         }
    105. 

  105.       }
    106. 

  106.     );
    107. 

  107.   } catch (err) {
    108. 

  108.     throw _.extend(new Error("Failed to fetch userinfo from OIDC " + serverUserinfoEndpoint + ": " + err.message),
    109. 

  109.                    {response: err.response});
    110. 

  110.   }
    111. 

  111.   if (debug) console.log('XXX: getUserInfo response: ', response.data);
    112. 

  112.   return response.data;
    113. 

  113. };
    114. 

  114. 

  115. var getConfiguration = function () {
    116. 

  116.   var config = ServiceConfiguration.configurations.findOne({ service: 'oidc' });
    117. 

  117.   if (!config) {
    118. 

  118.     throw new ServiceConfiguration.ConfigError('Service oidc not configured.');
    119. 

  119.   }
    120. 

  120.   return config;
    121. 

  121. };
    122. 

  122. 

  123. var getTokenContent = function (token) {
    124. 

  124.   var content = null;
    125. 

  125.   if (token) {
    126. 

  126.     try {
    127. 

  127.       var parts = token.split('.');
    128. 

  128.       var header = JSON.parse(new Buffer(parts[0], 'base64').toString());
    129. 

  129.       content = JSON.parse(new Buffer(parts[1], 'base64').toString());
    130. 

  130.       var signature = new Buffer(parts[2], 'base64');
    131. 

  131.       var signed = parts[0] + '.' + parts[1];
    132. 

  132.     } catch (err) {
    133. 

  133.       this.content = {
    134. 

  134.         exp: 0
    135. 

  135.       };
    136. 

  136.     }
    137. 

  137.   }
    138. 

  138.   return content;
    139. 

  139. }
    140. 

  140. 

  141. Oidc.retrieveCredential = function (credentialToken, credentialSecret) {
    142. 

  142.   return OAuth.retrieveCredential(credentialToken, credentialSecret);
    143. 

  143. };
    144.