throw new Error('OidcStrategy has already been set up');
}
const { configManager } = this.crowi;
const isOidcEnabled = configManager.getConfig('crowi', 'security:passport-oidc:isEnabled');
// when disabled
if (!isOidcEnabled) {
return;
}
debug('OidcStrategy: setting up..');
// setup client
// extend oidc request timeouts
OIDCIssuer.defaultHttpOptions = { timeout: 5000 };
const issuerHost = configManager.getConfig('crowi', 'security:passport-oidc:issuerHost');
const clientId = configManager.getConfig('crowi', 'security:passport-oidc:clientId');
const clientSecret = configManager.getConfig('crowi', 'security:passport-oidc:clientSecret');
const redirectUri = (configManager.getConfig('crowi', 'app:siteUrl') != null)
? urljoin(this.crowi.appService.getSiteUrl(), '/passport/oidc/callback')
: configManager.getConfig('crowi', 'security:passport-oidc:callbackUrl'); // DEPRECATED: backward compatible with v3.2.3 and below
const oidcIssuer = await OIDCIssuer.discover(issuerHost);
debug('Discovered issuer %s %O', oidcIssuer.issuer, oidcIssuer.metadata);
const client = new oidcIssuer.Client({
client_id: clientId,
client_secret: clientSecret,
redirect_uris: [redirectUri],
response_types: ['code'],
});
export async function authenticate(icpMasterIP: string): Promise {
Log.i("Authenticating against:", icpMasterIP);
const openLoginResponse = await AuthUtils.shouldOpenBrowser();
if (!openLoginResponse) {
throw new Error(`Cancelled logging in to ${icpMasterIP}`);
}
if (pendingAuth != null) {
rejectPendingAuth("Previous login cancelled - Multiple concurrent logins.");
}
const oidcServerUrl: string = AuthUtils.getOIDCServerURL(icpMasterIP).toString();
Log.d("OIDC server is at " + oidcServerUrl);
Issuer.defaultHttpOptions = {
timeout: AuthUtils.TIMEOUT,
rejectUnauthorized: Requester.shouldRejectUnauthed(oidcServerUrl),
};
const icpIssuer = await Issuer.discover(oidcServerUrl);
const openIDClient = new icpIssuer.Client({
client_id: CLIENT_ID,
});
// https://auth0.com/docs/protocols/oauth2/mitigate-csrf-attacks
const stateParam = AuthUtils.getCryptoRandomHex();
// https://auth0.com/docs/api-auth/tutorials/nonce
const nonceParam = AuthUtils.getCryptoRandomHex();
const authUrlStr: string = openIDClient.authorizationUrl({
redirect_uri: AUTH_REDIRECT_CB,
scope: OAUTH_SCOPE,
const { Assertion } = require("../../assertion");
const { BasePlugin } = require("../../plugin");
const { Issuer } = require("openid-client");
const jwt = require("jsonwebtoken");
const oauth2 = require("simple-oauth2");
const queryString = require("query-string");
const request = require("request");
const URI = require("uri-js");
// Default options applied to every HTTP call openid-client makes (discovery,
// token, userinfo, JWKS). A 10 s timeout keeps an unreachable issuer from
// hanging the request; the empty headers map leaves nothing extra on the wire.
const issuerHttpDefaults = { timeout: 10000, headers: {} };

// Presumably routes openid-client's HTTP through the `request` module loaded
// above — confirm against the openid-client version in use.
Issuer.useRequest();
Issuer.defaultHttpOptions = issuerHttpDefaults;
/**
 * Print an optional message and terminate the process.
 *
 * Used below as an `||` fallback when a required environment variable is
 * missing, so the service never continues with an undefined secret.
 *
 * @param {string} [message=""] text written to stdout before exiting; skipped when falsy
 * @param {number} [code=1] process exit status
 */
const exit_failure = function(message = "", code = 1) {
  message && console.log(message);
  process.exit(code);
};
// Read a mandatory secret from the environment. An unset (or empty) value
// aborts the process through exit_failure rather than letting the service
// start with an undefined key.
const required_env = (name) =>
  process.env[name] || exit_failure(`missing ${name} env variable`);

// Names suggest these key the encryption and signing of issued tokens —
// confirm against their use further down the file.
const issuer_encrypt_secret = required_env("EAS_ISSUER_ENCRYPT_SECRET");
const issuer_sign_secret = required_env("EAS_ISSUER_SIGN_SECRET");

// Presumably the key prefix for cached OAuth session state — verify against
// the cache calls that use it.
const SESSION_CACHE_PREFIX = "session:oauth:";
require('dotenv').config();
const { Issuer } = require('openid-client');
const express = require('express');
const session = require('express-session');
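const app = express();
const port = 3000;

// express-session signs its session cookie with this secret. The original
// hard-coded '123456', which lets anyone who reads the source forge a valid
// session cookie. Read it from the environment instead (dotenv is loaded at
// the top of this file, like the APPID_* settings) and fail fast when it is
// absent rather than silently falling back to a weak default.
const sessionSecret = process.env.SESSION_SECRET;
if (!sessionSecret) {
  throw new Error('SESSION_SECRET env variable is required');
}

app.use(session({
  secret: sessionSecret,
  // Kept as before. NOTE(review): express-session recommends `resave: false`
  // and `saveUninitialized: false` unless the store needs otherwise; with
  // `saveUninitialized: true` every anonymous visitor gets a stored session,
  // so revisit once the store in use is known.
  resave: true,
  saveUninitialized: true
}));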
// Issuer metadata is supplied explicitly from the environment (loaded by
// dotenv above) instead of being fetched through OIDC discovery, so every
// endpoint must point at the real tenant. jwks_uri is presumably where the
// client fetches keys to verify ID-token signatures — confirm against the
// openid-client version in use.
const issuerMetadata = {
  issuer: process.env.APPID_ISSUER,
  authorization_endpoint: process.env.APPID_AUTHORIZATION_ENDPOINT,
  token_endpoint: process.env.APPID_TOKEN_ENDPOINT,
  userinfo_endpoint: process.env.APPID_USERINFO_ENDPOINT,
  jwks_uri: process.env.APPID_JWKS_URI,
};

// Library-wide 15 s timeout for every HTTP request openid-client makes.
Issuer.defaultHttpOptions = { timeout: 15000 };

const issuer = new Issuer(issuerMetadata);
console.log('Issuer %s %O', issuer.issuer, issuer.metadata);

// Kept from the original: the same option is also assigned on the instance.
// NOTE(review): openid-client exposes defaultHttpOptions as a static setter on
// Issuer; whether an instance-level assignment has any effect depends on the
// library version — confirm, it may be a no-op.
issuer.defaultHttpOptions = { timeout: 15000 };

// Confidential client; the secret is only ever read from the environment.
const clientConfig = {
  client_id: process.env.APPID_CLIENTID,
  client_secret: process.env.APPID_SECRET
};
const client = new issuer.Client(clientConfig);
const initSignOnSync = () => {
Issuer.defaultHttpOptions = { timeout: config.Auth.dfeSignIn.issuerDiscoveryTimeoutMs }
logger.debug('discovering dfe signin service issuer...')
Issuer.discover(config.Auth.dfeSignIn.authUrl)
.then((issuer) => {
logger.info('dfe sign on discovered successfully')
const client = new issuer.Client({
client_id: config.Auth.dfeSignIn.clientId,
client_secret: config.Auth.dfeSignIn.clientSecret
})
if (config.Auth.dfeSignIn.clockToleranceSeconds && config.Auth.dfeSignIn.clockToleranceSeconds > 0) {
client.CLOCK_TOLERANCE = config.Auth.dfeSignIn.clockToleranceSeconds
}
const dfeStrategy = new Strategy({
client,
params: {
scope: config.Auth.dfeSignIn.openIdScope
}
/**
 * Discover the configured OIDC issuer and build a confidential client for it.
 *
 * The library-wide HTTP timeout (30 s) is set before discovery so a slow or
 * unreachable issuer fails instead of hanging. Note that this mutates the
 * global `Issuer.defaultHttpOptions` on every call. `oidcIssuer`, `clientId`
 * and `clientSecret` come from the enclosing module scope.
 *
 * @returns a client that authenticates to the issuer with the shared secret
 */
const getClient = async () => {
  Issuer.defaultHttpOptions = { timeout: 30000 };
  const discovered = await Issuer.discover(oidcIssuer);
  const clientConfig = {
    client_id: clientId,
    client_secret: clientSecret,
  };
  return new discovered.Client(clientConfig);
};