2021-07-06 04:16:45 +12:00
|
|
|
const fetch = require("node-fetch")
|
2021-06-28 02:46:04 +12:00
|
|
|
const OIDCStrategy = require("@techpass/passport-openidconnect").Strategy
|
2021-07-08 22:12:34 +12:00
|
|
|
const { authenticateThirdParty } = require("./third-party-common")
|
2021-06-28 02:46:04 +12:00
|
|
|
|
2021-07-08 00:45:33 +12:00
|
|
|
/**
|
|
|
|
* @param {*} profile The structured profile created by passport using the user info endpoint
|
2021-07-08 22:12:34 +12:00
|
|
|
* @param {*} jwtClaims The claims returned in the id token
|
2021-07-08 00:45:33 +12:00
|
|
|
*/
|
|
|
|
function getEmail(profile, jwtClaims) {
|
2021-07-08 22:12:34 +12:00
|
|
|
// profile not guaranteed to contain email e.g. github connected azure ad account
|
2021-07-08 00:45:33 +12:00
|
|
|
if (profile._json.email) {
|
|
|
|
return profile._json.email
|
|
|
|
}
|
|
|
|
|
2021-07-08 22:12:34 +12:00
|
|
|
// fallback to id token
|
2021-07-08 00:45:33 +12:00
|
|
|
if (jwtClaims.email) {
|
|
|
|
return jwtClaims.email
|
|
|
|
}
|
|
|
|
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @param {*} issuer The identity provider base URL
|
|
|
|
* @param {*} sub The user ID
|
|
|
|
* @param {*} profile The user profile information. Created by passport from the /userinfo response
|
|
|
|
* @param {*} jwtClaims The parsed id_token claims
|
|
|
|
* @param {*} accessToken The access_token for contacting the identity provider - may or may not be a JWT
|
|
|
|
* @param {*} refreshToken The refresh_token for obtaining a new access_token - usually not a JWT
|
|
|
|
* @param {*} idToken The id_token - always a JWT
|
|
|
|
* @param {*} params The response body from requesting an access_token
|
|
|
|
* @param {*} done The passport callback: err, user, info
|
|
|
|
* @returns
|
|
|
|
*/
|
2021-07-06 04:16:45 +12:00
|
|
|
async function authenticate(
|
|
|
|
issuer,
|
|
|
|
sub,
|
|
|
|
profile,
|
|
|
|
jwtClaims,
|
|
|
|
accessToken,
|
|
|
|
refreshToken,
|
|
|
|
idToken,
|
|
|
|
params,
|
|
|
|
done
|
|
|
|
) {
|
2021-07-08 22:12:34 +12:00
|
|
|
const thirdPartyUser = {
|
|
|
|
// store the issuer info to enable sync in future
|
|
|
|
provider: issuer,
|
|
|
|
providerType: "oidc",
|
|
|
|
userId: profile.id,
|
|
|
|
profile: profile,
|
|
|
|
email: getEmail(profile, jwtClaims),
|
|
|
|
oauth2: {
|
|
|
|
accessToken: accessToken,
|
|
|
|
refreshToken: refreshToken
|
2021-06-28 02:46:04 +12:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-07-08 22:12:34 +12:00
|
|
|
return authenticateThirdParty(
|
|
|
|
thirdPartyUser,
|
|
|
|
false, // don't require local accounts to exist
|
|
|
|
done)
|
2021-06-28 02:46:04 +12:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2021-07-06 04:16:45 +12:00
|
|
|
* Create an instance of the oidc passport strategy. This wrapper fetches the configuration
|
2021-06-28 02:46:04 +12:00
|
|
|
* from couchDB rather than environment variables, using this factory is necessary for dynamically configuring passport.
|
2021-07-06 04:16:45 +12:00
|
|
|
* @returns Dynamically configured Passport OIDC Strategy
|
2021-06-28 02:46:04 +12:00
|
|
|
*/
|
2021-07-06 04:16:45 +12:00
|
|
|
exports.strategyFactory = async function (callbackUrl) {
|
2021-06-28 02:46:04 +12:00
|
|
|
try {
|
2021-07-06 04:16:45 +12:00
|
|
|
const configurationUrl =
|
|
|
|
"https://login.microsoftonline.com/2668c0dd-7ed2-4db3-b387-05b6f9204a70/v2.0/.well-known/openid-configuration"
|
|
|
|
const clientSecret = "g-ty~2iW.bo.88xj_QI6~hdc-H8mP2Xbnd"
|
|
|
|
const clientId = "bed2017b-2f53-42a9-8ef9-e58918935e07"
|
2021-06-28 02:46:04 +12:00
|
|
|
|
2021-07-06 04:16:45 +12:00
|
|
|
if (!clientId || !clientSecret || !callbackUrl || !configurationUrl) {
|
2021-06-28 02:46:04 +12:00
|
|
|
throw new Error(
|
2021-07-06 04:16:45 +12:00
|
|
|
"Configuration invalid. Must contain clientID, clientSecret, callbackUrl and configurationUrl"
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
const response = await fetch(configurationUrl)
|
2021-07-06 04:28:55 +12:00
|
|
|
|
|
|
|
if (!response.ok) {
|
|
|
|
throw new Error(`Unexpected response when fetching openid-configuration: ${response.statusText}`)
|
2021-06-28 02:46:04 +12:00
|
|
|
}
|
2021-07-06 04:28:55 +12:00
|
|
|
|
|
|
|
const body = await response.json()
|
|
|
|
|
|
|
|
return new OIDCStrategy(
|
|
|
|
{
|
|
|
|
issuer: body.issuer,
|
|
|
|
authorizationURL: body.authorization_endpoint,
|
|
|
|
tokenURL: body.token_endpoint,
|
|
|
|
userInfoURL: body.userinfo_endpoint,
|
|
|
|
clientID: clientId,
|
|
|
|
clientSecret: clientSecret,
|
|
|
|
callbackURL: callbackUrl,
|
|
|
|
scope: "profile email",
|
|
|
|
},
|
|
|
|
authenticate
|
|
|
|
)
|
|
|
|
|
2021-06-28 02:46:04 +12:00
|
|
|
} catch (err) {
|
|
|
|
console.error(err)
|
|
|
|
throw new Error("Error constructing OIDC authentication strategy", err)
|
|
|
|
}
|
|
|
|
}
|