feat(auth): refactor to use openid-client instead of passport-openidconnect

Author: jescalada

package-lock.json

@@ -59,11 +59,11 @@
     "moment": "^2.29.4",
     "mongodb": "^5.0.0",
     "nodemailer": "^6.6.1",
+    "openid-client": "^6.2.0",
     "parse-diff": "^0.11.1",
     "passport": "^0.7.0",
     "passport-activedirectory": "^1.0.4",
     "passport-local": "^1.0.0",
-    "passport-openidconnect": "^0.1.2",
     "perfect-scrollbar": "^1.5.5",
     "prop-types": "15.8.1",
     "react": "^16.13.1",

package.json

@@ -21,7 +21,9 @@ const configure = async () => {
     default:
       throw Error(`uknown authentication type ${type}`);
   }
-  _passport.type = authenticationConfig.type;
+  if (!_passport.type) {
+    _passport.type = type;
+  }
   return _passport;
 };
 

src/service/passport/index.js

@@ -1,81 +1,103 @@
-const configure = async () => {
-  const passport = require('passport');
-  const { Strategy: OIDCStrategy } = require('passport-openidconnect');
-  const db = require('../../db');
+const openIdClient = require('openid-client');
+const { Strategy } = require('openid-client/passport');
+const passport = require('passport');
+const db = require('../../db');
 
+const configure = async () => {
   const config = require('../../config').getAuthentication();
-  const oidcConfig = config.oidcConfig;
+  const { oidcConfig } = config;
+  const { issuer, clientID, clientSecret, callbackURL, scope } = oidcConfig;
+
+  if (!oidcConfig || !oidcConfig.issuer) {
+    throw new Error('Missing OIDC issuer in configuration')
+  }
+
+  const server = new URL(issuer);
+
+  try {
+    const config = await openIdClient.discovery(server, clientID, clientSecret);
+
+    const strategy = new Strategy({ callbackURL, config, scope }, async (tokenSet, done) => {
+      // Validate token sub for added security
+      const idTokenClaims = tokenSet.claims();
+      const expectedSub = idTokenClaims.sub;
+      const userInfo = await openIdClient.fetchUserInfo(config, tokenSet.access_token, expectedSub);
+      handleUserAuthentication(userInfo, done);
+    });
+    
+    // currentUrl must be overridden to match the callback URL
+    strategy.currentUrl = (request) => {
+      const callbackUrl = new URL(callbackURL);
+      const currentUrl = Strategy.prototype.currentUrl.call(this, request);
+      currentUrl.host = callbackUrl.host;
+      currentUrl.protocol = callbackUrl.protocol;
+      return currentUrl;
+    };
 
-  passport.use(
-    new OIDCStrategy(oidcConfig, async function verify(issuer, profile, cb) {
+    passport.use(strategy);
+
+    passport.serializeUser((user, done) => {
+      done(null, user.oidcId || user.username);
+    })
+
+    passport.deserializeUser(async (id, done) => {
       try {
-        const user = await db.findUserByOIDC(profile.id);
-
-        if (!user) {
-          const email = safelyExtractEmail(profile);
-          if (!email) {
-            return cb(new Error('No email found in OIDC profile'));
-          }
-
-          const username = getUsername(email);
-          const newUser = {
-            username: username,
-            email: email,
-            oidcId: profile.id,
-          };
-
-          await db.createUser(
-            newUser.username,
-            null,
-            newUser.email,
-            'Edit me',
-            false,
-            newUser.oidcId,
-          );
-
-          return cb(null, newUser);
-        }
-        return cb(null, user);
+        const user = await db.findUserByOIDC(id);
+        done(null, user);
       } catch (err) {
-        return cb(err);
+        done(err);
       }
-    }),
-  );
-
-  passport.serializeUser((user, cb) => {
-    cb(null, user.oidcId || user.username);
-  });
-
-  passport.deserializeUser(async (id, cb) => {
-    try {
-      const user = (await db.findUserByOIDC(id)) || (await db.findUser(id));
-      cb(null, user);
-    } catch (err) {
-      cb(err);
-    }
-  });
+    })
+    passport.type = server.host;
+
+    return passport;
+  } catch (error) {
+    console.error('OIDC configuration failed:', error);
+    throw error;
+  }
+}
 
-  passport.type = 'openidconnect';
-  return passport;
-};
 
 module.exports.configure = configure;
 
+/**
+ * Handles user authentication with OIDC.
+ * @param userInfo the OIDC user info object 
+ * @param done the callback function
+ * @returns a promise with the authenticated user or an error
+ */
+const handleUserAuthentication = async (userInfo, done) => {
+  try {
+    let user = await db.findUserByOIDC(userInfo.sub);
+
+    if (!user) {
+      const email = safelyExtractEmail(userInfo);
+      if (!email) return done(new Error('No email found in OIDC profile'));
+
+      const newUser = {
+        username: getUsername(email),
+        email,
+        oidcId: userInfo.sub,
+      };
+
+      await db.createUser(newUser.username, null, newUser.email, 'Edit me', false, newUser.oidcId);
+      return done(null, newUser);
+    }
+
+    return done(null, user);
+  } catch (err) {
+    return done(err);
+  }
+};
+
 /**
  * Extracts email from OIDC profile.
  * This function is necessary because OIDC providers have different ways of storing emails.
  * @param {object} profile the profile object from OIDC provider
  * @return {string | null} the email address
  */
 const safelyExtractEmail = (profile) => {
-  if (profile.emails && profile.emails.length > 0) {
-    return profile.emails[0].value;
-  }
-
-  if (profile.email) {
-    return profile.email;
-  }
-  return null;
+  return profile.email || (profile.emails && profile.emails.length > 0 ? profile.emails[0].value : null);
 };
 
 /**

src/service/passport/oidc.js

@@ -46,7 +46,6 @@ router.get('/oidc', passport.authenticate(passportType));
 
 router.get('/oidc/callback', (req, res, next) => {
   passport.authenticate(passportType, (err, user, info) => {
-    console.log('authenticate callback executed');
     if (err) {
       console.error('Authentication error:', err);
       return res.status(401).end();