Implement OIDC /signout support

Author: dmitrizagidulin

lib/api/accounts/signout.js

@@ -1,9 +1,37 @@
 module.exports = signout
 
+const debug = require('../../debug')
+
+/**
+ * Handles the /signout API call.
+ * @param req
+ * @param res
+ */
 function signout () {
-  return (req, res, next) => {
+  return (req, res) => {
+    const locals = req.app.locals
+    const ldp = locals.ldp
+    const userId = req.session.userId
+    debug.idp(`Signing out user: ${userId}`)
+    const idToken = req.session.idToken
+    if (idToken && ldp.auth === 'oidc') {
+      const issuer = req.session.issuer
+      const oidcRpClient = locals.oidc
+      Promise.resolve()
+        .then(() => {
+          return oidcRpClient.clientForIssuer(issuer)
+        })
+        .then((userOidcClient) => {
+          return userOidcClient.client.signout(idToken)
+        })
+        .catch((err) => {
+          debug.oidc('Error signing out: ', err)
+        })
+    }
     req.session.userId = ''
     req.session.identified = false
-    res.status(200).send()
+    debug.oidc('signout() finished. Redirecting.')
+    res.redirect('/signed_out.html')
+    // res.status(200).send('You have been signed out.')
   }
 }

lib/create-app.js

@@ -157,6 +157,7 @@ function createApp (argv = {}) {
     app.post('/api/accounts/signin',
       bodyParser.urlencoded({ extended: false }), API.accounts.signin())
     app.use('/api/accounts', needsOverwrite)
+    app.get('/signout', API.accounts.signout())
     app.post('/api/accounts/signout', API.accounts.signout())
   }
 

lib/handlers/oidc.js

@@ -58,8 +58,8 @@ function oidcIssuerHeader (req, res, next) {
  * creates an OIDC client if necessary, etc.
  * After successful authentication, the `req` object has the following
  * attributes set:
- *   - `req.accessToken`  (Raw token in encoded string form)
- *   - `req.accessTokenClaims`  (JWT OIDC AccessToken decoded & verified)
+ *   - `req.idToken`  (Raw OIDC ID token in encoded string form)
+ *   - `req.refreshToken`  (OIDC Refresh Token in encoded string form)
  *   - `req.oidcClient`  (OIDC client *for this particular request*)
  * If there is no access token (and thus no authentication), all those values
  * above will be null.
@@ -188,31 +188,31 @@ function authCodeFlowCallback (oidcRpClient) {
       // local / trusted issuer
       issuer = oidcRpClient.trustedClient.client.issuer
     }
-
     oidcRpClient.clientForIssuer(issuer)
-      .then((client) => {
+      .then((oidcClient) => {
         debug.oidc('loadAuthClient: Client initialized')
         req.oidcIssuer = issuer
-        req.oidcClient = client
-        return client
-      })
-      .then(() => {
-        return req.oidcClient.client.token(tokenOptions)
+        req.oidcClient = oidcClient
+        // Send a request to trade the Auth flow code for an ID Token
+        return oidcClient.client.token(tokenOptions)
       })
       .then((tokenResult) => {
         accessToken = tokenResult.access_token
-        debug.oidc(tokenResult)
-        debug.oidc('Verifying token')
-        return req.oidcClient.verifyToken(req, accessToken)
-      })
-      .then(() => {
-        // Verification of token successful. Load the webid from id token
-        debug.oidc('Token verified')
-        let webId = req.accessTokenClaims['sub']
+        let idToken = tokenResult.id_token
+        let refreshToken = tokenResult.refresh_token
+        // debug.oidc(tokenResult)
+        let webId = tokenResult.id_claims.sub
         // req.userInfo = { profile: webId }
-        req.accessToken = accessToken
+        req.accessTokenClaims = tokenResult.access_claims
+        req.session.accessToken = accessToken
+        req.session.idToken = idToken
+        req.session.refreshToken = refreshToken
+        req.session.issuer = issuer
         req.session.userId = webId
         req.session.identified = true
+
+        // Also store the client in the user's session. Used later by signout()
+        req.session.oidcClient = req.oidcClient
         next()
         // return oidcRpClient.trustedClient.client.userInfo({ token: accessToken })
       })
@@ -237,8 +237,8 @@ function resumeUserFlow (req, res, next) {
 
   if (req.session.returnToUrl) {
     let returnToUrl = req.session.returnToUrl
-    if (req.accessToken) {
-      returnToUrl += '?access_token=' + req.accessToken
+    if (req.session.accessToken) {
+      returnToUrl += '?access_token=' + req.session.accessToken
     }
     debug.oidc('  Redirecting to ' + returnToUrl)
     delete req.session.returnToUrl

lib/oidc-rp-client.js

@@ -34,11 +34,11 @@ module.exports = class OidcRpClient {
    * is tied to / registered with a specific OIDC Provider).
    * @method authUrl
    * @param oidcClient {OIDCExpressClient}
-   * @param flowType {String} OIDC workflow type, one of 'code' or 'implicit'.
+   * @param workflow {String} OIDC workflow type, one of 'code' or 'implicit'.
    * @return {String} Absolute URL for an OIDC auth call (to start either
    *   the Authorization Code workflow, or the Implicit workflow).
    */
-  authUrl (oidcClient, flowType = 'code') {
+  authUrl (oidcClient, workflow = 'code') {
     let authParams = {
       endpoint: 'signin',
       response_mode: 'query',
@@ -48,9 +48,9 @@ module.exports = class OidcRpClient {
       // state: '...',  // not doing state for the moment
       scope: 'openid profile'  // not doing 'openid profile' for the moment
     }
-    if (flowType === 'code') {  // Authorization Code workflow
+    if (workflow === 'code') {  // Authorization Code workflow
       authParams.response_type = 'code'
-    } else if (flowType === 'implicit') {
+    } else if (workflow === 'implicit') {
       authParams.response_type = 'id_token token'
       authParams.nonce = '123'  // TODO: Implement proper nonce generation
     }
@@ -60,10 +60,17 @@ module.exports = class OidcRpClient {
     return signinUrl
   }
 
-  authUrlForIssuer (issuer) {
+  /**
+   * Returns a constructed `/authorization` URL for a given issuer. Used for
+   * starting the OIDC workflow.
+   * @param issuer {String} OIDC Provider URL
+   * @param workflow {String} OIDC workflow type, one of 'code' or 'implicit'
+   * @returns {Promise}
+   */
+  authUrlForIssuer (issuer, workflow = 'code') {
     return this.clientForIssuer(issuer)
       .then((client) => {
-        return this.authUrl(client, 'code')
+        return this.authUrl(client, workflow)
       })
   }
 
@@ -146,6 +153,7 @@ module.exports = class OidcRpClient {
    * @param config.redirect_uri {String} Callback URL invoked by provider
    * @param config.client_id {String} Pre-registered trusted client id
    * @param config.client_secret {String} Pre-registered trusted client secret
+   * @param config.post_logout_redirect_uris {Array<String>}
    * @return {Promise<OIDCExpressClient>}
    */
   ensureTrustedClient (config) {
@@ -169,6 +177,9 @@ module.exports = class OidcRpClient {
             return client
           })
       })
+      .catch((err) => {
+        debug.oidc('Error initializing trusted client!', err)
+      })
   }
 
   /**
@@ -180,13 +191,15 @@ module.exports = class OidcRpClient {
    * @param config.redirect_uri {String}
    * @param [config.client_id] {String} Pre-registered trusted client id
    * @param [config.client_secret] {String} Pre-registered trusted client secret
+   * @param [config.post_logout_redirect_uris] {Array<String>}
    * @return {Promise<OIDCExpressClient>} Initialized/registered api client
    */
   initClient (config, isTrustedClient = false) {
     var oidcExpress = new OIDCExpressClient(config)
     // registration spec takes a list of redirect uris. just go with it..
     let redirectUris = [ config.redirect_uri ]
-    var registration = this.registrationConfig(config.issuer, redirectUris)
+    var registration = this.registrationConfig(config.issuer, redirectUris,
+      config.post_logout_redirect_uris)
     debug.oidc('Registration config: ')
     debug.oidc(registration)
     debug.oidc('Running client.initProvider()...')
@@ -197,6 +210,10 @@ module.exports = class OidcRpClient {
           // Register if you haven't already.
           debug.oidc('Registering client')
           return oidcExpress.client.register(registration)
+        } else {
+          // Already registered.
+          oidcExpress.client.registration = registration
+          return oidcExpress
         }
       })
       .then(() => {
@@ -226,9 +243,10 @@ module.exports = class OidcRpClient {
    * @param issuer {String} URL of the OIDC Provider / issuer.
    * @param redirectUris {Array<String>} List of allowed URIs to which the
    *   provider will redirect users after login etc.
+   * @param [postLogoutUris] {Array<String>}
    * @return {Object} OIDC Client registration config options
    */
-  registrationConfig (issuer, redirectUris) {
+  registrationConfig (issuer, redirectUris, postLogoutUris) {
     let clientName = `Solid OIDC Client for ${issuer}`
     let config = {
       client_name: clientName,
@@ -245,6 +263,9 @@ module.exports = class OidcRpClient {
       response_types: ['code', 'id_token token', 'code id_token token'],
       scope: 'openid profile'
     }
+    if (postLogoutUris) {
+      config.post_logout_redirect_uris = postLogoutUris
+    }
     return config
   }
 }

static/oidc/signed_out.html

@@ -0,0 +1,37 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Signed Out</title>
+  <!-- Bootstrap CSS and Theme for demo purposes -->
+  <link rel="stylesheet" href="css/bootstrap-3.3.6.min.css">
+</head>
+<body>
+<div class="container">
+  <h3>You have signed out.</h3>
+</div>
+<div class="container">
+  <form method="post" action="/api/accounts/signin">
+    <div class="form-group">
+      <label for="webid">WebID or server URL:</label>
+      <input type="text" class="form-control" name="webid" id="webid" placeholder="databox.me" />
+      <input type="hidden" name="returnToUrl" id="returnToUrl" value="" />
+    </div>
+    <button type="submit" class="btn btn-primary"
+            id="login">Sign In Again</button>
+  </form>
+</div>
+<script>
+  document.addEventListener('DOMContentLoaded', function () { init() })
+
+  function init () {
+    var query = window.location.search
+    query = query.replace('?', '')
+    var returnToUrl = query.split('=')[1]
+    console.log(returnToUrl)
+    document.getElementById('returnToUrl').value = returnToUrl
+  }
+</script>
+</body>
+</html>