Merge pull request #435 from hsimah/feature/add_proxy_support

#341 add in basic proxy agent

Author: jasonnutter

README.md

@@ -67,6 +67,7 @@ passport.use(new OIDCStrategy({
     cookieSameSite: config.creds.cookieSameSite, // boolean
     cookieEncryptionKeys: config.creds.cookieEncryptionKeys,
     clockSkew: config.creds.clockSkew,
+    proxy: { port: 'proxyport', host: 'proxyhost', protocol: 'http' },
   },
   function(iss, sub, profile, accessToken, refreshToken, done) {
     if (!profile.oid) {
@@ -532,6 +533,10 @@ var bearerStrategy = new BearerStrategy(options,
 
   This value is the clock skew (in seconds) allowed in token validation. It must be a positive integer. The default value is 300 seconds.
 
+ * `proxy` (optional)
+
+  This value is the proxy settings object:  { port: 'proxyport', host: 'proxyhost', protocol: 'http' }
+  
 ##### 4.2.1.3 Verify callback
 
 If you set `passReqToCallback` option to false, you can use the following verify callback

lib/metadata.js

@@ -26,7 +26,7 @@
 const request = require('request');
 const async = require('async');
 const aadutils = require('./aadutils');
-
+const HttpsProxyAgent = require('https-proxy-agent');
 const Log = require('./logging').getLogger;
 
 const log = new Log('AzureAD: Metadata Parser');
@@ -46,6 +46,10 @@ function Metadata(url, authtype, options) {
   this.metadata = null;
   this.authtype = authtype;
   this.loggingNoPII = options.loggingNoPII;
+  if (options.proxy) {
+    // if user has specified proxy settings instantiate agent
+    this.httpsProxyAgent = new HttpsProxyAgent(options.proxy);
+  }
 }
 
 Object.defineProperty(Metadata, 'url', {
@@ -66,6 +70,12 @@ Object.defineProperty(Metadata, 'metadata', {
   },
 });
 
+Object.defineProperty(Metadata, 'httpsProxyAgent', {
+  get: function getHttpsProxyAgent() {
+    return this.httpsProxyAgent;
+  }
+});
+
 Metadata.prototype.updateOidcMetadata = function updateOidcMetadata(doc, next) {
   log.info('Request to update the Open ID Connect Metadata');
 
@@ -93,7 +103,7 @@ Metadata.prototype.updateOidcMetadata = function updateOidcMetadata(doc, next) {
   }
 
   // fetch the signing keys
-  request.get(jwksUri, { json: true }, (err, response, body) => {
+  request.get({ uri: jwksUri, agent: self.httpsProxyAgent, json: true }, (err, response, body) => {
     if (err) {
       return next(err);
     }
@@ -151,7 +161,7 @@ Metadata.prototype.generateOidcPEM = function generateOidcPEM(kid) {
     // generate PEM from `modulus` and `exponent`
     pubKey = aadutils.rsaPublicKeyPem(key.n, key.e);
     foundKey = true;
-    
+
     return pubKey;
   });
 
@@ -161,14 +171,14 @@ Metadata.prototype.generateOidcPEM = function generateOidcPEM(kid) {
     else
       throw new Error(`a key with kid %s cannot be found`, kid);
   }
-    
+
   if (!pubKey) {
     if (self.loggingNoPII)
       throw new Error('generating public key pem failed');
     else
       throw new Error(`generating public key pem failed for kid: %s`, kid);
   }
-    
+
   return pubKey;
 };
 
@@ -178,7 +188,7 @@ Metadata.prototype.fetch = function fetch(callback) {
   async.waterfall([
     // fetch the Federation metadata for the AAD tenant
     (next) => {
-      request.get(self.url, (err, response, body) => {
+      request.get({ uri: self.url, agent: self.httpsProxyAgent }, (err, response, body) => {
         if (err) {
           return next(err);
         }

lib/oidcstrategy.js

@@ -49,6 +49,7 @@ const InternalOpenIDError = require('./errors/internalopeniderror');
 const Log = require('./logging').getLogger;
 const Metadata = require('./metadata').Metadata;
 const OAuth2 = require('oauth').OAuth2;
+const HttpsProxyAgent = require('https-proxy-agent');
 const SessionContentHandler = require('./sessionContentHandler').SessionContentHandler;
 const CookieContentHandler = require('./cookieContentHandler').CookieContentHandler;
 const Validator = require('./validator').Validator;
@@ -285,6 +286,10 @@ function onProfileLoaded(strategy, args) {
  *                          (2) must be a positive integer
  *                          (3) Description:
  *                          the clock skew (in seconds) allowed in token validation, default value is CLOCK_SKEW
+ * 
+ *   - `proxy`              (1) Optional
+ *                          (2) Description:
+ *                          the configuration parameters for HttpsProxyAgent
  *
  * Examples:
  *
@@ -476,7 +481,7 @@ function Strategy(options, verify) {
   /****************************************************************************************
    * Take care of scope
    ***************************************************************************************/
-   // make scope an array
+  // make scope an array
   if (!options.scope)
     options.scope = [];
   if (!Array.isArray(options.scope))
@@ -601,9 +606,9 @@ Strategy.prototype.authenticate = function authenticateStrategy(req, options) {
   var response = options && options.response || req.res;
 
   // 'params': items we get from the request or metadata, such as id_token, code, policy, metadata, cacheKey, etc
-  var params = { 'tenantIdOrName': tenantIdOrName, 'extraAuthReqQueryParams': extraAuthReqQueryParams, 'extraTokenReqQueryParams': extraTokenReqQueryParams };
+  var params = { 'proxy': self._options.proxy, 'tenantIdOrName': tenantIdOrName, 'extraAuthReqQueryParams': extraAuthReqQueryParams, 'extraTokenReqQueryParams': extraTokenReqQueryParams };
   // 'oauthConfig': items needed for oauth flow (like redirection, code redemption), such as token_endpoint, userinfo_endpoint, etc
-  var oauthConfig = { 'resource': resource, 'customState': customState, 'domain_hint': domain_hint, 'login_hint': login_hint, 'prompt': prompt, 'response': response };
+  var oauthConfig = { 'proxy': self._options.proxy, 'resource': resource, 'customState': customState, 'domain_hint': domain_hint, 'login_hint': login_hint, 'prompt': prompt, 'response': response };
   // 'optionsToValidate': items we need to validate id_token against, such as issuer, audience, etc
   var optionsToValidate = {};
 
@@ -672,7 +677,7 @@ Strategy.prototype.authenticate = function authenticateStrategy(req, options) {
  * @param {Object} req
  * @param {Object} next
  */
-Strategy.prototype.collectInfoFromReq = function(params, req, next, response) {
+Strategy.prototype.collectInfoFromReq = function (params, req, next, response) {
   const self = this;
 
   // the things we will put into 'params':
@@ -858,7 +863,7 @@ Strategy.prototype.setOptions = function setOptions(params, oauthConfig, options
       }
 
       // for B2C, verify the endpoints in oauthConfig has the correct policy
-      if (self._options.isB2C){
+      if (self._options.isB2C) {
         var policyChecker = (endpoint, policy) => {
           var u = {};
           try {
@@ -956,7 +961,7 @@ Strategy.prototype._idTokenHandler = function idTokenHandler(params, optionsToVa
     var decrypted_token;
 
     return jwe.decrypt(id_token, optionsToValidate.jweKeyStore, log, (err, decrypted_token) => {
-      if(err)
+      if (err)
         return next(err);
 
       params.id_token = decrypted_token;
@@ -1462,7 +1467,7 @@ Strategy.prototype._getAccessTokenBySecretOrAssertion = function getAccessTokenB
           return next(err);
         else
           post_params['client_assertion'] = assertion;
-    });
+      });
 
     if (self._options.loggingNoPII)
       log.info('In _getAccessTokenBySecretOrAssertion: we created a client assertion');
@@ -1480,7 +1485,7 @@ Strategy.prototype._getAccessTokenBySecretOrAssertion = function getAccessTokenB
       var results;
       try {
         results = JSON.parse(data);
-      } catch(e) {
+      } catch (e) {
         results = querystring.parse(data);
       }
       callback(null, results);
@@ -1519,6 +1524,11 @@ var createOauth2Instance = function(oauthConfig) {
      libraryVersionParameterName : libraryVersion} // customHeaders
   );
 
+  if (oauthConfig.proxy) {
+    // if user has specified proxy settings instantiate agent
+    oauth2.setAgent(new HttpsProxyAgent(oauthConfig.proxy));
+  }
+
   return oauth2;
 };
 

package.json

@@ -36,10 +36,11 @@
     "base64url": "^3.0.0",
     "bunyan": "^1.8.0",
     "cache-manager": "2.10.2",
+    "https-proxy-agent": "^2.2.2",
     "jws": "^3.1.3",
     "jwk-to-pem": "^1.2.6",
     "lodash": "^4.11.2",
-    "oauth": "0.9.14",
+    "oauth": "0.9.15",
     "passport": "^0.3.2",
     "request": "^2.72.0",
     "valid-url": "^1.0.6"