
feat: fix + enable OIDC auth method (#2282)

* fix: pass userinfo URL in oidc strategy

The userinfo URL from the definition was not being provided to the
passport strategy, which resulted in a type error trying to resolve the
user's profile. Furthermore, the name of the defined URL was
inconsistent with all other authentication method URLs.

* fix: pass all necessary scopes to oidc auth method

When no scopes are provided, passport-openidconnect uses only `openid`,
which does not contain the username or email address. Include `profile`
and `email` to ensure the necessary claims are included.

* fix: update oidc method to call processProfile correctly

Now the profile object and providerKey are passed to processProfile. The
usernameClaim no longer has any use as the email address is the
username.

* fix: mark oidc authentication method as available
Dan Nicholson преди 5 години
родител
ревизия
d5d368cd33
променени са 2 файла, в които са добавени 20 реда и са изтрити 13 реда
  1. 14 11
      server/modules/authentication/oidc/authentication.js
  2. 6 2
      server/modules/authentication/oidc/definition.yml

+ 14 - 11
server/modules/authentication/oidc/authentication.js

@@ -17,18 +17,21 @@ module.exports = {
         clientID: conf.clientId,
         clientSecret: conf.clientSecret,
         issuer: conf.issuer,
+        userInfoURL: conf.userInfoURL,
         callbackURL: conf.callbackURL
-      }, (iss, sub, profile, jwtClaims, accessToken, refreshToken, params, cb) => {
-        WIKI.models.users.processProfile({
-          id: jwtClaims.sub,
-          provider: 'oidc',
-          email: _.get(jwtClaims, conf.emailClaim),
-          name: _.get(jwtClaims, conf.usernameClaim)
-        }).then((user) => {
-          return cb(null, user) || true
-        }).catch((err) => {
-          return cb(err, null) || true
-        })
+      }, async (iss, sub, profile, cb) => {
+        try {
+          const user = await WIKI.models.users.processProfile({
+            profile: {
+              ...profile,
+              email: _.get(profile, '_json.' + conf.emailClaim)
+            },
+            providerKey: 'oidc'
+          })
+          cb(null, user)
+        } catch(err) {
+          cb(err, null)
+        }
       })
     )
   }
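Review bot: The address pulled from `_json` via `conf.emailClaim` is used without consulting the standard `email_verified` claim, so if processProfile (outside this hunk) links to an existing account by email, a provider that issues unverified addresses would let a user attach themselves to someone else's account; a guard such as `if (profile._json.email_verified === false) { return cb(new Error('Email not verified')) }` before the processProfile call, or a documented requirement that only providers with verified emails be configured, closes that gap. Separately, `cb(null, user)` sits inside the `try`, so a synchronous throw from passport's callback re-enters the `catch` and calls `cb(err, null)` a second time; assigning the awaited result to a variable inside the `try` and calling `cb(null, user)` after the try/catch avoids the double invocation. The arity of the async verify callback now decides which arguments passport-openidconnect passes, so a one-line comment noting that the four-parameter form is intentional would help the next maintainer. The enclosing `module.exports` and `init` start outside the hunk.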

+ 6 - 2
server/modules/authentication/oidc/definition.yml

@@ -5,13 +5,17 @@ author: requarks.io
 logo: https://static.requarks.io/logo/oidc.svg
 color: blue-grey darken-2
 website: http://openid.net/connect/
+isAvailable: true
 useForm: false
+scopes:
+  - openid
+  - profile
+  - email
 props:
   clientId: String
   clientSecret: String
   authorizationURL: String
   tokenURL: String
   issuer: String
-  userInfoUrl: String
+  userInfoURL: String
   emailClaim: String
-  usernameClaim: String
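Review bot: Renaming the `userInfoUrl` prop to `userInfoURL` changes the key under which the value is stored for this method, so installations that already configured it will see `conf.userInfoURL` as undefined until an admin re-saves the settings, unless the config loader migrates keys (not visible here). A comment on the prop, `# renamed from userInfoUrl; existing configurations must be re-saved`, or a migration step would make that explicit. Dropping `usernameClaim` is harmless on the definition side, though stale values may linger in stored configs. The definition's header fields start before this hunk.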