Added OpenID Connect support

73cd6af5 · Geraud Gratacap · Nicolas Giard · f8ac2fbe · 73cd6af5 · 73cd6af5
Commit 73cd6af5 authored Jul 31, 2018 by Geraud Gratacap Committed by Nicolas Giard Aug 02, 2018
8 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,6 @@ config.yml

 # Test results
 test-results/
+
+# VS Code Local History extension
+.history
--- a/config.sample.yml
+++ b/config.sample.yml
@@ -103,7 +103,16 @@ auth:
    clientSecret: OAUTH2_CLIENT_SECRET
    authorizationURL: OAUTH2_AUTH_URL
    tokenURL: OAUTH2_TOKEN_URL
-
+  oidc:
+    enabled: false
+    clientId: OPENID_CONNECT_CLIENT_ID
+    clientSecret: OPENID_CONNECT_CLIENT_SECRET
+    issuer: OPENID_CONNECT_ISSUER
+    userInfoUrl: OPENID_CONNECT_USER_INFO_URL
+    authorizationURL: OPENID_CONNECT_AUTHORIZATION_URL
+    tokenURL: OPENID_CONNECT_TOKEN_URL
+    emailClaim: OPENID_CONNECT_EMAIL_CLAIM_PATH
+    usernameClaim: OPENID_CONNECT_USERNAME_CLAIM_PATH
 # ---------------------------------------------------------------------
 # Secret key to use when encrypting sessions
 # ---------------------------------------------------------------------

--- a/package.json
+++ b/package.json
@@ -103,6 +103,7 @@
    "passport-google-oauth20": "~1.0.0",
    "passport-ldapauth": "~2.0.0",
    "passport-local": "~1.0.0",
+    "passport-openidconnect": "~0.0.2",
    "passport-slack": "0.0.7",
    "passport-windowslive": "~1.0.2",
    "passport.socketio": "~3.7.0",

--- a/server/controllers/auth.js
+++ b/server/controllers/auth.js
@@ -98,6 +98,7 @@ router.get('/login/github', passport.authenticate('github', { scope: ['user:emai
 router.get('/login/slack', passport.authenticate('slack', { scope: ['identity.basic', 'identity.email'] }))
 router.get('/login/azure', passport.authenticate('azure_ad_oauth2'))
 router.get('/login/oauth2', passport.authenticate('oauth2'))
+router.get('/login/oidc', passport.authenticate('oidc'))

 router.get('/login/ms/callback', passport.authenticate('windowslive', { failureRedirect: '/login', successRedirect: '/' }))
 router.get('/login/google/callback', passport.authenticate('google', { failureRedirect: '/login', successRedirect: '/' }))
@@ -106,6 +107,7 @@ router.get('/login/github/callback', passport.authenticate('github', { failureRe
 router.get('/login/slack/callback', passport.authenticate('slack', { failureRedirect: '/login', successRedirect: '/' }))
 router.get('/login/azure/callback', passport.authenticate('azure_ad_oauth2', { failureRedirect: '/login', successRedirect: '/' }))
 router.get('/login/oauth2/callback', passport.authenticate('oauth2', { failureRedirect: '/login', successRedirect: '/' }))
+router.get('/login/oidc/callback', passport.authenticate('oidc', { failureRedirect: '/login', successRedirect: '/' }))

 /**
 * Logout

--- a/server/libs/auth.js
+++ b/server/libs/auth.js
@@ -3,6 +3,7 @@
 /* global appconfig, appdata, db, lang, winston */

 const fs = require('fs')
+const _ = require('lodash')

 module.exports = function (passport) {
  // Serialization user methods
@@ -226,6 +227,33 @@ module.exports = function (passport) {
      ))
  }

+  // OpenID Connect
+
+  if (appconfig.auth.oidc && appconfig.auth.oidc.enabled) {
+    const OIDCStrategy = require('passport-openidconnect').Strategy
+    passport.use('oidc', new OIDCStrategy({
+      userInfoURL: appconfig.auth.oidc.userInfoUrl,
+      authorizationURL: appconfig.auth.oidc.authorizationURL,
+      tokenURL: appconfig.auth.oidc.tokenURL,
+      clientID: appconfig.auth.oidc.clientId,
+      clientSecret: appconfig.auth.oidc.clientSecret,
+      issuer: appconfig.auth.oidc.issuer,
+      callbackURL: appconfig.host + '/login/oidc/callback'
+    }, (iss, sub, profile, jwtClaims, accessToken, refreshToken, params, cb) => {
+      db.User.processProfile({
+        id: jwtClaims.sub,
+        provider: 'oidc',
+        email: _.get(jwtClaims, appconfig.auth.oidc.emailClaim),
+        name: _.get(jwtClaims, appconfig.auth.oidc.usernameClaim)
+      }).then((user) => {
+        return cb(null, user) || true
+      }).catch((err) => {
+        return cb(err, null) || true
+      })
+    }
+    ))
+  }
+
  // Create users for first-time

  db.onReady.then(() => {

--- a/server/locales/en/auth.json
+++ b/server/locales/en/auth.json
@@ -28,6 +28,7 @@
    "github": "GitHub",
    "slack": "Slack",
    "ldap": "LDAP / Active Directory",
-    "oauth2": "OAuth2"
+    "oauth2": "OAuth2",
+    "oidc": "OpenID Connect"
  }
 }
--- a/server/views/auth/login.pug
+++ b/server/views/auth/login.pug
@@ -72,6 +72,10 @@ html(data-logic='login')
            button.slack(onclick='window.location.assign("/login/oauth2")')
              i.icon-box
              span= t('auth:providers.oauth2')
+          if appconfig.auth.oidc && appconfig.auth.oidc.enabled
+            button.slack(onclick='window.location.assign("/login/oidc")')
+              i.icon-box
+              span= t('auth:providers.oidc')
    #copyright
      = t('footer.poweredby') + ' '
      a.icon(href='https://github.com/Requarks/wiki')

--- a/yarn.lock
+++ b/yarn.lock