Possibility to configure an OpenID Connect provider on the instance level WIP (#128).

2024-04-17 12:09:25 +02:00
parent 43d0fba274
commit 6c75863472
9 changed files with 135 additions and 37 deletions
--- a/server/lib/external-auth/oidc.ts
+++ b/server/lib/external-auth/oidc.ts
@ -1,5 +1,5 @@
 import type { RegisterServerOptions } from '@peertube/peertube-types'
-import type { Request } from 'express'
+import type { Request, Response, CookieOptions } from 'express'
 import { URL } from 'url'
 import { Issuer, BaseClient, generators } from 'openid-client'
 import { getBaseRouterRoute } from '../helpers'
@ -37,6 +37,14 @@ class ExternalAuthOIDC {
    outputEncoding: 'hex' as Encoding
  }

+  private readonly cookieNamePrefix: string = 'peertube-plugin-livechat-oidc-'
+  private readonly cookieOptions: CookieOptions = {
+    secure: true,
+    httpOnly: true,
+    sameSite: 'none',
+    maxAge: 1000 * 60 * 10 // 10 minutes
+  }
+
  private ok: boolean | undefined

  private issuer: Issuer | undefined | null
@ -217,12 +225,11 @@ class ExternalAuthOIDC {

  /**
   * Returns everything that is needed to instanciate an OIDC authentication.
+   * @param req express request
+   * @param res express response. Will add some cookies.
+   * @return the url to which redirect
   */
-  async initAuthenticationProcess (): Promise<{
-    encryptedCodeVerifier: string
-    encryptedState: string
-    redirectUrl: string
-  }> {
+  async initAuthenticationProcess (req: Request, res: Response): Promise<string> {
    if (!this.client) {
      throw new Error('External Auth OIDC not loaded yet, too soon to call oidc.initAuthentication')
    }
@ -242,29 +249,27 @@ class ExternalAuthOIDC {
      state
    })

-    return {
-      encryptedCodeVerifier,
-      encryptedState,
-      redirectUrl
-    }
+    res.cookie(this.cookieNamePrefix + 'code-verifier', encryptedCodeVerifier, this.cookieOptions)
+    res.cookie(this.cookieNamePrefix + 'state', encryptedState, this.cookieOptions)
+    return redirectUrl
  }

  /**
   * Authentication process callback.
-   * @param req The ExpressJS request object.
+   * @param req The ExpressJS request object. Will read cookies.
   * @return user info
   */
-  async validateAuthenticationProcess (req: Request, cookieNamePrefix: string): Promise<any> {
+  async validateAuthenticationProcess (req: Request): Promise<any> {
    if (!this.client) {
      throw new Error('External Auth OIDC not loaded yet, too soon to call oidc.validateAuthenticationProcess')
    }

-    const encryptedCodeVerifier = req.cookies[cookieNamePrefix + 'code-verifier']
+    const encryptedCodeVerifier = req.cookies[this.cookieNamePrefix + 'code-verifier']
    if (!encryptedCodeVerifier) {
      throw new Error('Received callback but code verifier not found in request cookies.')
    }

-    const encryptedState = req.cookies[cookieNamePrefix + 'state']
+    const encryptedState = req.cookies[this.cookieNamePrefix + 'state']
    if (!encryptedState) {
      throw new Error('Received callback but state not found in request cookies.')
    }
--- a/server/lib/routers/oidc.ts
+++ b/server/lib/routers/oidc.ts
@ -1,14 +1,32 @@
 import type { RegisterServerOptions } from '@peertube/peertube-types'
-import type { Router, Request, Response, NextFunction, CookieOptions } from 'express'
+import type { Router, Request, Response, NextFunction } from 'express'
+import type { OIDCAuthResult } from '../../../shared/lib/types'
 import { asyncMiddleware } from '../middlewares/async'
 import { ExternalAuthOIDC } from '../external-auth/oidc'

-const cookieNamePrefix = 'peertube-plugin-livechat-oidc-'
-const cookieOptions: CookieOptions = {
-  secure: true,
-  httpOnly: true,
-  sameSite: 'none',
-  maxAge: 1000 * 60 * 10 // 10 minutes
+/**
+ * When using a popup for OIDC, writes the HTML/Javascript to close the popup
+ * and send the result to the parent window.
+ * @param result the result to send to the parent window
+ */
+function popupResultHTML (result: OIDCAuthResult): string {
+  return `<!DOCTYPE html><html>
+    <body>
+      <noscript>Your browser must enable javascript for this page to work.</noscript>
+      <script>
+        try {
+          const data = ${JSON.stringify(result)};
+          if (!window.opener || !window.opener.oidcGetResult) {
+            throw new Error("Can't find parent window callback handler.")
+          }
+          window.opener.oidcGetResult(data);
+          window.close();
+        } catch (err) {
+          document.body.innerText = 'Error: ' + err;
+        }
+      </script>
+    </body>
+  </html> `
 }

 async function initOIDCRouter (options: RegisterServerOptions): Promise<Router> {
@ -26,10 +44,8 @@ async function initOIDCRouter (options: RegisterServerOptions): Promise<Router>
          throw new Error('[oidc router] External Auth OIDC not loaded yet')
        }

-        const authenticationProcess = await oidc.initAuthenticationProcess()
-        res.cookie(cookieNamePrefix + 'code-verifier', authenticationProcess.encryptedCodeVerifier, cookieOptions)
-        res.cookie(cookieNamePrefix + 'state', authenticationProcess.encryptedState, cookieOptions)
-        return res.redirect(authenticationProcess.redirectUrl)
+        const redirectUrl = await oidc.initAuthenticationProcess(req, res)
+        res.redirect(redirectUrl)
      } catch (err) {
        logger.error('[oidc router] Failed to process the OIDC callback: ' + (err as string))
        next()
@ -38,7 +54,7 @@ async function initOIDCRouter (options: RegisterServerOptions): Promise<Router>
  ))

  router.get('/cb', asyncMiddleware(
-    async (req: Request, res: Response, next: NextFunction) => {
+    async (req: Request, res: Response, _next: NextFunction) => {
      logger.info('[oidc router] OIDC callback call')
      try {
        const oidc = ExternalAuthOIDC.singleton()
@ -47,13 +63,20 @@ async function initOIDCRouter (options: RegisterServerOptions): Promise<Router>
          throw new Error('[oidc router] External Auth OIDC not loaded yet')
        }

-        const userInfos = await oidc.validateAuthenticationProcess(req, cookieNamePrefix)
-        logger.info(JSON.stringify(userInfos)) // FIXME
+        const userInfos = await oidc.validateAuthenticationProcess(req)
+        logger.info(JSON.stringify(userInfos)) // FIXME (normalize data type, process, ...)

-        res.send('ok')
+        res.send(popupResultHTML({
+          ok: true,
+          username: userInfos.username,
+          password: 'TODO'
+        }))
      } catch (err) {
        logger.error('[oidc router] Failed to process the OIDC callback: ' + (err as string))
-        next()
+        res.sendStatus(500)
+        res.send(popupResultHTML({
+          ok: false
+        }))
      }
    }
  ))