chore: DSPX-1236 allow using proper endpoints for OIDC

Author: ntrevino-virtru

lib/src/auth/oidc-clientcredentials-provider.ts

@@ -9,6 +9,8 @@ export class OIDCClientCredentialsProvider implements AuthProvider {
     clientId,
     clientSecret,
     oidcOrigin,
+    oidcTokenEndpoint,
+    oidcUserInfoEndpoint,
   }: Partial<ClientSecretCredentials> & Omit<ClientSecretCredentials, 'exchange'>) {
     if (!clientId || !clientSecret) {
       throw new ConfigurationError('clientId & clientSecret required for client credentials flow');
@@ -19,6 +21,8 @@ export class OIDCClientCredentialsProvider implements AuthProvider {
       clientId,
       clientSecret,
       oidcOrigin,
+      oidcTokenEndpoint,
+      oidcUserInfoEndpoint,
     });
   }
 

lib/src/auth/oidc-externaljwt-provider.ts

@@ -10,6 +10,8 @@ export class OIDCExternalJwtProvider implements AuthProvider {
     clientId,
     externalJwt,
     oidcOrigin,
+    oidcTokenEndpoint,
+    oidcUserInfoEndpoint,
   }: Partial<ExternalJwtCredentials> & Omit<ExternalJwtCredentials, 'exchange'>) {
     if (!clientId || !externalJwt) {
       throw new ConfigurationError('external JWT exchange reequires client id and jwt');
@@ -18,8 +20,10 @@ export class OIDCExternalJwtProvider implements AuthProvider {
     this.oidcAuth = new AccessToken({
       exchange: 'external',
       clientId,
-      oidcOrigin,
       externalJwt,
+      oidcOrigin,
+      oidcTokenEndpoint,
+      oidcUserInfoEndpoint,
     });
 
     this.externalJwt = externalJwt;

lib/src/auth/oidc-refreshtoken-provider.ts

@@ -10,6 +10,8 @@ export class OIDCRefreshTokenProvider implements AuthProvider {
     clientId,
     refreshToken,
     oidcOrigin,
+    oidcTokenEndpoint,
+    oidcUserInfoEndpoint,
   }: Partial<RefreshTokenCredentials> & Omit<RefreshTokenCredentials, 'exchange'>) {
     if (!clientId || !refreshToken) {
       throw new ConfigurationError('refresh token or client id missing');
@@ -18,8 +20,10 @@ export class OIDCRefreshTokenProvider implements AuthProvider {
     this.oidcAuth = new AccessToken({
       exchange: 'refresh',
       clientId,
-      refreshToken: refreshToken,
+      refreshToken,
       oidcOrigin,
+      oidcTokenEndpoint,
+      oidcUserInfoEndpoint,
     });
     this.refreshToken = refreshToken;
   }

lib/src/auth/oidc.ts

@@ -12,6 +12,8 @@ export type CommonCredentials = {
   clientId: string;
   /** The endpoint of the OIDC IdP to authenticate against, ex. 'https://virtru.com/auth' */
   oidcOrigin: string;
+  oidcTokenEndpoint?: string;
+  oidcUserInfoEndpoint?: string;
   /** Whether or not DPoP is enabled. */
   dpopEnabled?: boolean;
 
@@ -89,6 +91,8 @@ export class AccessToken {
   data?: AccessTokenResponse;
 
   baseUrl: string;
+  tokenEndpoint: string;
+  userInfoEndpoint: string;
 
   signingKey?: CryptoKeyPair;
 
@@ -119,6 +123,9 @@ export class AccessToken {
     this.config = cfg;
     this.request = request;
     this.baseUrl = rstrip(cfg.oidcOrigin, '/');
+    this.tokenEndpoint = cfg.oidcTokenEndpoint || `${this.baseUrl}/protocol/openid-connect/token`;
+    this.userInfoEndpoint =
+      cfg.oidcUserInfoEndpoint || `${this.baseUrl}/protocol/openid-connect/userinfo`;
     this.signingKey = cfg.signingKey;
   }
 
@@ -128,21 +135,20 @@ export class AccessToken {
    * @returns
    */
   async info(accessToken: string): Promise<unknown> {
-    const url = `${this.baseUrl}/protocol/openid-connect/userinfo`;
     const headers = {
       ...this.extraHeaders,
       Authorization: `Bearer ${accessToken}`,
     } as Record<string, string>;
     if (this.config.dpopEnabled && this.signingKey) {
-      headers.DPoP = await dpopFn(this.signingKey, url, 'POST');
+      headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'POST');
     }
-    const response = await (this.request || fetch)(url, {
+    const response = await (this.request || fetch)(this.userInfoEndpoint, {
       headers,
     });
     if (!response.ok) {
       console.error(await response.text());
       throw new TdfError(
-        `auth info fail: GET [${url}] => ${response.status} ${response.statusText}`
+        `auth info fail: GET [${this.userInfoEndpoint}] => ${response.status} ${response.statusText}`
       );
     }
 
@@ -171,7 +177,6 @@ export class AccessToken {
   }
 
   async accessTokenLookup(cfg: OIDCCredentials) {
-    const url = `${this.baseUrl}/protocol/openid-connect/token`;
     let body;
     switch (cfg.exchange) {
       case 'client':
@@ -198,11 +203,11 @@ export class AccessToken {
         };
         break;
     }
-    const response = await this.doPost(url, body);
+    const response = await this.doPost(this.tokenEndpoint, body);
     if (!response.ok) {
       console.error(await response.text());
       throw new TdfError(
-        `token/code exchange fail: POST [${url}] => ${response.status} ${response.statusText}`
+        `token/code exchange fail: POST [${this.tokenEndpoint}] => ${response.status} ${response.statusText}`
       );
     }
     return response.json();

lib/src/auth/providers.ts

@@ -36,6 +36,8 @@ export const clientSecretAuthProvider = async (
     clientId: clientConfig.clientId,
     clientSecret: clientConfig.clientSecret,
     oidcOrigin: clientConfig.oidcOrigin,
+    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
   });
 };
 
@@ -62,6 +64,8 @@ export const externalAuthProvider = async (
     clientId: clientConfig.clientId,
     externalJwt: clientConfig.externalJwt,
     oidcOrigin: clientConfig.oidcOrigin,
+    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
   });
 };
 
@@ -86,6 +90,8 @@ export const refreshAuthProvider = async (
     clientId: clientConfig.clientId,
     refreshToken: clientConfig.refreshToken,
     oidcOrigin: clientConfig.oidcOrigin,
+    oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
+    oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
   });
 };