Possibility to configure an OpenID Connect provider on the instance level WIP (#128).

2024-04-16 17:18:14 +02:00
parent e646ebfd69
commit 669b260307
11 changed files with 158 additions and 24 deletions
--- a/server/lib/conversejs/params.ts
+++ b/server/lib/conversejs/params.ts
@ -77,13 +77,24 @@ async function getConverseJSParams (
    roomJID
  } = connectionInfos

-  const oidc = ExternalAuthOIDC.singleton()
-  // TODO:
-  const externalAuthOIDC = await oidc.isOk()
-    ? {
-        buttonLabel: oidc.getButtonLabel() ?? '???'
+  let externalAuthOIDC
+  if (userIsConnected !== true) {
+    try {
+      const oidc = ExternalAuthOIDC.singleton()
+      if (await oidc.isOk()) {
+        const authUrl = oidc.getAuthUrl()
+        const buttonLabel = oidc.getButtonLabel()
+        if (authUrl && buttonLabel) {
+          externalAuthOIDC = {
+            buttonLabel: buttonLabel,
+            url: authUrl
+          }
+        }
      }
-    : undefined
+    } catch (err) {
+      options.peertubeHelpers.logger.error(err)
+    }
+  }

  return {
    peertubeVideoOriginalUrl: roomInfos.video?.url,
--- a/server/lib/diagnostic/external-auth-custom-oidc.ts
+++ b/server/lib/diagnostic/external-auth-custom-oidc.ts
@ -41,9 +41,9 @@ export async function diagExternalAuthCustomOIDC (test: string, _options: Regist
  }

  const oidc = ExternalAuthOIDC.singleton()
-  const issuer = await oidc.loadIssuer()
-  if (issuer) {
-    result.messages.push('Discovery URL loaded: ' + JSON.stringify(issuer.metadata))
+  const oidcClient = await oidc.load()
+  if (oidcClient) {
+    result.messages.push('Discovery URL loaded: ' + JSON.stringify(oidcClient.issuer.metadata))
  } else {
    result.messages.push({
      level: 'error',
--- a/server/lib/external-auth/oidc.ts
+++ b/server/lib/external-auth/oidc.ts
@ -1,6 +1,8 @@
 import type { RegisterServerOptions } from '@peertube/peertube-types'
 import { URL } from 'url'
-import { Issuer } from 'openid-client'
+import { Issuer, BaseClient } from 'openid-client'
+import { getBaseRouterRoute } from '../helpers'
+import { canonicalizePluginUri } from '../uri/canonicalize'

 let singleton: ExternalAuthOIDC | undefined

@ -13,8 +15,14 @@ class ExternalAuthOIDC {
  private readonly discoveryUrl: string | undefined
  private readonly clientId: string | undefined
  private readonly clientSecret: string | undefined
+  private readonly redirectUri: string
+
  private ok: boolean | undefined
+
  private issuer: Issuer | undefined | null
+  private client: BaseClient | undefined | null
+  private authorizationUrl: string | null
+
  protected readonly logger: {
    debug: (s: string) => void
    info: (s: string) => void
@ -28,7 +36,8 @@ class ExternalAuthOIDC {
    buttonLabel: string | undefined,
    discoveryUrl: string | undefined,
    clientId: string | undefined,
-    clientSecret: string | undefined
+    clientSecret: string | undefined,
+    redirectUri: string
  ) {
    this.logger = {
      debug: (s) => logger.debug('[ExternalAuthOIDC] ' + s),
@ -38,6 +47,8 @@ class ExternalAuthOIDC {
    }

    this.enabled = !!enabled
+    this.redirectUri = redirectUri
+    this.authorizationUrl = null
    if (this.enabled) {
      this.buttonLabel = buttonLabel
      this.discoveryUrl = discoveryUrl
@ -55,6 +66,16 @@ class ExternalAuthOIDC {
    return !this.enabled
  }

+  /**
+   * Get the url to open for external authentication.
+   * Note: If the singleton is not loaded yet, returns null.
+   *   This means that the feature will only be available when the load as complete.
+   * @returns the url to open
+   */
+  getAuthUrl (): string | null {
+    return this.authorizationUrl ?? null
+  }
+
  /**
   * Get the button
   * @returns Button label
@ -122,14 +143,21 @@ class ExternalAuthOIDC {
  }

  /**
-   * Ensure the issuer is loaded.
+   * Ensure the issuer is loaded, and the client instanciated.
   * @returns the issuer if enabled
   */
-  async loadIssuer (): Promise<Issuer | null> {
-    // this.issuer === null means we already tried, but it failed.
-    if (this.issuer !== undefined) { return this.issuer }
+  async load (): Promise<BaseClient | null> {
+    // this.client === null means we already tried, but it failed.
+    if (this.client !== undefined) { return this.client }

-    if (!await this.isOk()) { return null }
+    // First, reset the authentication url:
+    this.authorizationUrl = null
+
+    if (!await this.isOk()) {
+      this.issuer = null
+      this.client = null
+      return null
+    }

    try {
      this.issuer = await Issuer.discover(this.discoveryUrl as string)
@ -137,8 +165,38 @@ class ExternalAuthOIDC {
    } catch (err) {
      this.logger.error(err as string)
      this.issuer = null
+      this.client = null
    }
-    return this.issuer
+
+    if (!this.issuer) {
+      this.client = null
+      return null
+    }
+
+    try {
+      this.client = new this.issuer.Client({
+        client_id: this.clientId as string,
+        client_secret: this.clientSecret as string,
+        redirect_uris: [this.redirectUri],
+        response_types: ['code']
+      })
+    } catch (err) {
+      this.logger.error(err as string)
+      this.client = null
+    }
+
+    if (!this.client) {
+      return null
+    }
+
+    try {
+      this.authorizationUrl = this.client.authorizationUrl()
+    } catch (err) {
+      this.logger.error(err as string)
+      this.authorizationUrl = null
+    }
+
+    return this.client
  }

  /**
@ -167,7 +225,8 @@ class ExternalAuthOIDC {
      settings['external-auth-custom-oidc-button-label'] as string | undefined,
      settings['external-auth-custom-oidc-discovery-url'] as string | undefined,
      settings['external-auth-custom-oidc-client-id'] as string | undefined,
-      settings['external-auth-custom-oidc-client-secret'] as string | undefined
+      settings['external-auth-custom-oidc-client-secret'] as string | undefined,
+      ExternalAuthOIDC.redirectUri(options)
    )

    return singleton
@ -183,6 +242,13 @@ class ExternalAuthOIDC {
    }
    return singleton
  }
+
+  public static redirectUri (options: RegisterServerOptions): string {
+    const path = getBaseRouterRoute(options) + 'oidc/cb'
+    return canonicalizePluginUri(options, path, {
+      removePluginVersion: true
+    })
+  }
 }

 export {
--- a/server/lib/settings.ts
+++ b/server/lib/settings.ts
@ -5,11 +5,13 @@ import { RoomChannel } from './room-channel'
 import { BotsCtl } from './bots/ctl'
 import { ExternalAuthOIDC } from './external-auth/oidc'
 import { loc } from './loc'
+const escapeHTML = require('escape-html')

 type AvatarSet = 'sepia' | 'cat' | 'bird' | 'fenec' | 'abstract' | 'legacy'

 async function initSettings (options: RegisterServerOptions): Promise<void> {
  const { peertubeHelpers, settingsManager } = options
+  const logger = peertubeHelpers.logger

  initImportantNotesSettings(options)
  initChatSettings(options)
@ -21,6 +23,30 @@ async function initSettings (options: RegisterServerOptions): Promise<void> {
  initChatServerAdvancedSettings(options)

  await ExternalAuthOIDC.initSingleton(options)
+  const loadOidc = (): void => {
+    try {
+      const oidc = ExternalAuthOIDC.singleton()
+      oidc.isOk().then(
+        () => {
+          logger.info('Loading External Auth OIDC...')
+          oidc.load().then(
+            () => {
+              logger.info('External Auth OIDC loaded')
+            },
+            () => {
+              logger.error('Loading the External Auth OIDC failed')
+            }
+          )
+        },
+        () => {
+          logger.info('No valid External Auth OIDC, nothing loaded')
+        }
+      )
+    } catch (err) {
+      logger.error(err as string)
+    }
+  }
+  loadOidc() // we don't have to wait (can take time, it will do external http requests)

  let currentProsodyRoomtype = (await settingsManager.getSettings(['prosody-room-type']))['prosody-room-type']

@ -30,6 +56,7 @@ async function initSettings (options: RegisterServerOptions): Promise<void> {
    // To avoid race condition, we will just stop and start the bots at every settings saving.
    await BotsCtl.destroySingleton()
    await BotsCtl.initSingleton(options)
+    loadOidc() // we don't have to wait (can take time, it will do external http requests)

    await ExternalAuthOIDC.initSingleton(options)

@ -145,12 +172,21 @@ function initFederationSettings ({ registerSetting }: RegisterServerOptions): vo
 * Registers settings related to the "External Authentication" section.
 * @param param0 server options
 */
-function initExternalAuth ({ registerSetting }: RegisterServerOptions): void {
+function initExternalAuth (options: RegisterServerOptions): void {
+  const registerSetting = options.registerSetting
+
  registerSetting({
    type: 'html',
    private: true,
    descriptionHTML: loc('external_auth_description')
  })
+
+  registerSetting({
+    type: 'html',
+    private: true,
+    descriptionHTML: loc('experimental_warning')
+  })
+
  registerSetting({
    name: 'external-auth-custom-oidc',
    label: loc('external_auth_custom_oidc_label'),
@ -159,6 +195,20 @@ function initExternalAuth ({ registerSetting }: RegisterServerOptions): void {
    default: false,
    private: true
  })
+
+  registerSetting({
+    type: 'html',
+    name: 'external-auth-custom-oidc-redirect-uris-info',
+    private: true,
+    descriptionHTML: loc('external_auth_custom_oidc_redirect_uris_info_description')
+  })
+  registerSetting({
+    type: 'html',
+    name: 'external-auth-custom-oidc-redirect-uris',
+    private: true,
+    descriptionHTML: `<ul><li>${escapeHTML(ExternalAuthOIDC.redirectUri(options)) as string}</li></ul>`
+  })
+
  registerSetting({
    name: 'external-auth-custom-oidc-button-label',
    label: loc('external_auth_custom_oidc_button_label_label'),