OIDC Integration - WIP

- WIP (fix standard warnings)
- WIP (moving oidcConfig to config.json)
- Add OIDC Issuer discovery link header on OPTIONS
- Refactor OIDC client/handler code
- Bump dep version, fix gitignore
- Integrate Sign In w WebID page with OIDC login
- Fix OIDC create user functionality
- Fix storing redirectTo URL in session
- Remove unneeded options obj (oidc.js)
- WIP (create account using webid as OIDC _id)
- Fix extraneous oidcIssuerHeader
- WIP (fix response types)
- Fix token() params
- Fix authCallback()
- WIP (switch to implicit workflow)
- WIP (fix registration configs)
- wip - Switch to authz code flow
- Move createOIDCUser to oidc-rp-client (from identity-provider)
- Implement OIDC /signout support

Author: dmitrizagidulin

.gitignore

@@ -9,3 +9,4 @@ npm-debug.log
 /.acl
 /config.json
 /settings
+

lib/api/accounts/signin.js

@@ -3,31 +3,60 @@ module.exports = signin
 const validUrl = require('valid-url')
 const request = require('request')
 const li = require('li')
+const debug = require('../../debug')
+// const util = require('../../utils')
 
 function signin () {
   return (req, res, next) => {
     if (!validUrl.isUri(req.body.webid)) {
       return res.status(400).send('This is not a valid URI')
     }
 
-    request({ method: 'OPTIONS', uri: req.body.webid }, function (err, req) {
+    let ldp = req.app.locals.ldp
+    if (ldp.auth !== 'oidc') {
+      res
+        .status(500)
+        .send('Not implemented')
+      return
+    }
+    // let baseUrl = util.uriBase(req)
+
+    // Save the previously-requested URL to session
+    // (so that the user can be redirected to it after signin)
+    let returnToUrl = req.body.returnToUrl
+    if (returnToUrl) {
+      req.session.returnToUrl = returnToUrl
+      debug.oidc('Saving returnToUrl in session as: ' + returnToUrl)
+    } else {
+      debug.oidc('Not saving returnToUrl to session (not found)!')
+    }
+
+    // Discover the OIDC issuer from the WebID (or account URL)
+    // via an OPTIONS request and its `oidc.issuer` link header
+    request({ method: 'OPTIONS', uri: req.body.webid }, function (err, response) {
       if (err) {
         res.status(400).send('Did not find a valid endpoint')
         return
       }
-      if (!req.headers.link) {
+      if (!response.headers.link) {
         res.status(400).send('The URI requested is not a valid endpoint')
         return
       }
 
-      const linkHeaders = li.parse(req.headers.link)
-      console.log(linkHeaders)
+      const linkHeaders = li.parse(response.headers.link)
       if (!linkHeaders['oidc.issuer']) {
         res.status(400).send('The URI requested is not a valid endpoint')
         return
       }
+      let issuer = linkHeaders['oidc.issuer']
 
-      res.redirect(linkHeaders['oidc.issuer'])
+      // load the client for the issuer
+      let oidcRpClient = req.app.locals.oidc
+      oidcRpClient.authUrlForIssuer(issuer)
+        .then((authUrl) => {
+          res.redirect(authUrl)
+        })
+        .catch(next)
     })
   }
 }

lib/api/accounts/signout.js

@@ -1,9 +1,37 @@
 module.exports = signout
 
+const debug = require('../../debug')
+
+/**
+ * Handles the /signout API call.
+ * @param req
+ * @param res
+ */
 function signout () {
-  return (req, res, next) => {
+  return (req, res) => {
+    const locals = req.app.locals
+    const ldp = locals.ldp
+    const userId = req.session.userId
+    debug.idp(`Signing out user: ${userId}`)
+    const idToken = req.session.idToken
+    if (idToken && ldp.auth === 'oidc') {
+      const issuer = req.session.issuer
+      const oidcRpClient = locals.oidc
+      Promise.resolve()
+        .then(() => {
+          return oidcRpClient.clientForIssuer(issuer)
+        })
+        .then((userOidcClient) => {
+          return userOidcClient.client.signout(idToken)
+        })
+        .catch((err) => {
+          debug.oidc('Error signing out: ', err)
+        })
+    }
     req.session.userId = ''
     req.session.identified = false
-    res.status(200).send()
+    debug.oidc('signout() finished. Redirecting.')
+    res.redirect('/signed_out.html')
+    // res.status(200).send('You have been signed out.')
   }
 }

lib/capability-discovery.js

@@ -11,6 +11,8 @@ const serviceConfigDefaults = {
     'accounts': {
       // 'changePassword': '/api/account/changePassword',
       // 'delete': '/api/accounts/delete',
+
+      // Create new user (see IdentityProvider.post() in identity-provider.js)
       'new': '/api/accounts/new',
       'recover': '/api/accounts/recover',
       'signin': '/api/accounts/signin',
@@ -37,7 +39,7 @@ function capabilityDiscovery () {
 }
 
 /**
- * Handles advertising the server capability endpoint (adds a Link Relation
+ * Advertises the server capability endpoint (adds a Link Relation
  * header of type `service`, points to the capability document).
  * To be used with OPTIONS requests.
  * @method serviceEndpointHeader
@@ -60,7 +62,7 @@ function serviceEndpointHeader (req, res, next) {
  * @param next
  */
 function serviceCapabilityDocument (serviceConfig) {
-  return (req, res, next) => {
+  return (req, res) => {
     // Add the server root url
     serviceConfig.root = util.uriBase(req) // TODO make sure we align with the rest
     // Add the 'apps' urls section

lib/create-app.js

@@ -15,12 +15,15 @@ const AccountRecovery = require('./account-recovery')
 const capabilityDiscovery = require('./capability-discovery')
 const bodyParser = require('body-parser')
 const API = require('./api')
+var debug = require('./debug')
+var OidcRpClient = require('./oidc-rp-client')
+var oidcHandler = require('./handlers/oidc')
 
 var corsSettings = cors({
   methods: [
     'OPTIONS', 'HEAD', 'GET', 'PATCH', 'POST', 'PUT', 'DELETE'
   ],
-  exposedHeaders: 'User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Updates-Via, Allow, Content-Length',
+  exposedHeaders: 'Authorization, User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Updates-Via, Allow, Content-Length',
   credentials: true,
   maxAge: 1728000,
   origin: true,
@@ -30,6 +33,7 @@ var corsSettings = cors({
 function createApp (argv = {}) {
   var ldp = new LDP(argv)
   var app = express()
+  var oidcConfig = argv.oidc
 
   app.use(corsSettings)
 
@@ -56,6 +60,8 @@ function createApp (argv = {}) {
   // Setting options as local variable
   app.locals.ldp = ldp
   app.locals.appUrls = argv.apps  // used for service capability discovery
+  app.locals.oidcConfig = oidcConfig
+  app.locals.rootUrl = argv.rootUrl
 
   if (argv.email && argv.email.host) {
     app.locals.email = new EmailService(argv.email)
@@ -93,6 +99,21 @@ function createApp (argv = {}) {
   // Session
   app.use(session(sessionSettings))
 
+  // OpenID Connect Auth
+  if (oidcConfig && ldp.auth === 'oidc') {
+    app.options('*', oidcHandler.oidcIssuerHeader)
+    debug.idp('Auth: OIDC!')
+    var oidcRpClient = new OidcRpClient()
+    // TODO: ensureTrustedClient is async, fix race condition on server startup
+    debug.oidc('Initializing local/trusted client...')
+    oidcRpClient.ensureTrustedClient(oidcConfig)
+    app.locals.oidc = oidcRpClient
+
+    app.use('/', express.static(path.join(__dirname, '../static/oidc')))
+    app.use('/', oidcHandler.authenticate(oidcRpClient))
+    app.use('/api/oidc', oidcHandler.api(oidcRpClient))
+  }
+
   // Adding proxy
   if (ldp.proxy) {
     proxy(app, ldp.proxy)
@@ -119,10 +140,10 @@ function createApp (argv = {}) {
 
     var needsOverwrite = function (req, res, next) {
       checkMasterAcl(req, function (found) {
-        if (!found) {
+        if (!found && !ldp.idp) {
           // this allows IdentityProvider to overwrite root acls
           idp.middleware(true)(req, res, next)
-        } else if (found && ldp.idp) {
+        } else if (ldp.idp) {
           idp.middleware(false)(req, res, next)
         } else {
           next()
@@ -133,8 +154,10 @@ function createApp (argv = {}) {
     // adds POST /api/accounts/new
     // adds POST /api/accounts/newCert
     app.get('/', idp.get.bind(idp))
+    app.post('/api/accounts/signin',
+      bodyParser.urlencoded({ extended: false }), API.accounts.signin())
     app.use('/api/accounts', needsOverwrite)
-    app.post('/api/accounts/signin', bodyParser.urlencoded({ extended: false }), API.accounts.signin())
+    app.get('/signout', API.accounts.signout())
     app.post('/api/accounts/signout', API.accounts.signout())
   }
 

lib/debug.js

@@ -12,3 +12,4 @@ exports.subscription = debug('solid:subscription')
 exports.container = debug('solid:container')
 exports.idp = debug('solid:idp')
 exports.ldp = debug('solid:ldp')
+exports.oidc = debug('solid:oidc')

lib/handlers/error-pages.js

@@ -2,6 +2,7 @@ module.exports = handler
 
 var debug = require('../debug').server
 var fs = require('fs')
+var util = require('../utils')
 
 function handler (err, req, res, next) {
   debug('Error page because of ' + err.message)
@@ -17,9 +18,18 @@ function handler (err, req, res, next) {
   // If noErrorPages is set,
   // then use built-in express default error handler
   if (ldp.noErrorPages) {
-    return res
+    if (err.status === 401 &&
+        req.accepts('text/html') &&
+        ldp.auth === 'oidc') {
+      debug('On error pages redirect on 401')
+      res.status(err.status)
+      redirectToLogin(req, res, next)
+      return
+    }
+    res
       .status(err.status)
       .send(err.message + '\n' || '')
+    return
   }
 
   // Check if error page exists
@@ -36,3 +46,31 @@ function handler (err, req, res, next) {
     res.send(text)
   })
 }
+
+function redirectBody (url) {
+  return `<!DOCTYPE HTML>
+<meta charset="UTF-8">
+<script>
+  window.location.href = "${url}"
+</script>
+<noscript>
+  <meta http-equiv="refresh" content="0; url=${url}">
+</noscript>
+<title>Redirecting...</title>
+If you are not redirected automatically, follow the <a href='${url}'>link to login</a>
+`
+}
+
+function redirectToLogin (req, res, next) {
+  res.header('Content-Type', 'text/html')
+  var currentUrl = util.fullUrlForReq(req)
+  let locals = req.app.locals
+  // let loginUrl = util.uriBase(req) + '/signin.html?returnToUrl=' +
+  //     currentUrl
+  let loginUrl = locals.rootUrl + '/signin.html?returnToUrl=' +
+      currentUrl
+  debug('Redirecting to login: ' + loginUrl)
+
+  var body = redirectBody(loginUrl)
+  res.send(body)
+}