-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Client Side OAUTH with Token Refresh #82
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -30,6 +30,18 @@ const FIREBASE_CONFIG = JSON.stringify({ | |
vapidKey: process.env.FIREBASE_VAPID_KEY, | ||
}) | ||
|
||
function getOAuthConfig(req) { return JSON.stringify({ | ||
authority: "cf-reference", // dummy authority | ||
metadata: { | ||
issuer: process.env.SIGNALWIRE_FABRIC_API_URL, | ||
authorization_endpoint: process.env.OAUTH_AUTH_URI, | ||
token_endpoint: process.env.OAUTH_TOKEN_URI, | ||
}, | ||
client_id: process.env.OAUTH_CLIENT_ID, | ||
redirect_uri: getCallbackUrl(req), | ||
response_type: "code", | ||
})} | ||
|
||
const host = process.env.RELAY_HOST | ||
const fabricApiUrl = process.env.SIGNALWIRE_FABRIC_API_URL | ||
|
||
|
@@ -99,7 +111,7 @@ async function getSubscriberToken(reference, password) { | |
} | ||
|
||
app.get('/', async (req, res) => { | ||
let token | ||
let token | ||
let user | ||
if (req.session && req.session.token) { | ||
token = req.session.token | ||
|
@@ -108,11 +120,12 @@ app.get('/', async (req, res) => { | |
|
||
res.render('index', { | ||
host, | ||
token: token, | ||
token: token, | ||
user: user, | ||
fabricApiUrl: fabricApiUrl, | ||
destination: process.env.DEFAULT_DESTINATION, | ||
firebaseConfig: FIREBASE_CONFIG, | ||
oauthConfig: getOAuthConfig(req) | ||
}) | ||
}) | ||
|
||
|
@@ -131,46 +144,32 @@ app.get('/minimal', async (req, res) => { | |
}) | ||
}) | ||
|
||
app.get('/oauth', (req, res) => { | ||
console.log('oauth: begin initiation') | ||
|
||
const authEndpoint = process.env.OAUTH_AUTH_URI | ||
const verifier = base64url(crypto.pseudoRandomBytes(32)) | ||
req.session.verifier = verifier | ||
const challenge = base64url( | ||
crypto.createHash('sha256').update(verifier).digest() | ||
) | ||
const currentHost = `${req.protocol}://${req.get('host')}` | ||
|
||
const queryParams = new URLSearchParams({ | ||
response_type: 'code', | ||
client_id: process.env.OAUTH_CLIENT_ID, | ||
redirect_uri: getCallbackUrl(req), | ||
code_challenge: challenge, | ||
code_challenge_method: 'S256', | ||
}) | ||
|
||
const authorizationUri = `${authEndpoint}?${queryParams}` | ||
|
||
res.redirect(authorizationUri) | ||
}) | ||
|
||
app.get('/callback', async (req, res) => { | ||
console.log('oauth: process callback') | ||
const callbackUrl = getCallbackUrl(req) | ||
|
||
try { | ||
const tokenData = await getAccessToken(req.query.code, req.session.verifier, callbackUrl) | ||
const token = tokenData.access_token | ||
req.session.token = token | ||
res.render('index', { | ||
host, | ||
token: null, | ||
user: null, | ||
fabricApiUrl: fabricApiUrl, | ||
destination: process.env.DEFAULT_DESTINATION, | ||
firebaseConfig: FIREBASE_CONFIG, | ||
oauthConfig: getOAuthConfig(req), | ||
}) | ||
}) | ||
|
||
const userInfo = await getUserInfo(token) | ||
req.session.user = userInfo | ||
app.get('/userinfo', async (req, res) => { | ||
const accessToken = req.headers['authorization'].split(' ')[1]; | ||
|
||
|
||
res.redirect('/') | ||
} catch (error) { | ||
console.error(error) | ||
if(!accessToken || !accessToken.length) { | ||
res.sendStatus(401) | ||
} | ||
req.session.token = accessToken | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If the token is being accessed using oidc: const _token = (await window.UserManager.getUser())?.access_token We probably no longer need to maintain the session on our side. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Or do we? I am thinking... ..we need to check this. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, we shouldn't There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we remove it then, please? |
||
const userInfo = await getUserInfo(accessToken) | ||
req.session.user = userInfo | ||
|
||
res.json(userInfo) | ||
}) | ||
|
||
app.get('/subscriber', (req, res) => { | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -10,6 +10,9 @@ | |
<script type="text/javascript" src="https://webrtc.github.io/adapter/adapter-latest.js"></script> | ||
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/pako/2.1.0/pako.min.js"></script> | ||
|
||
<!-- OpenId Client for OAuth support --> | ||
<script src="https://cdnjs.cloudflare.com/ajax/libs/oidc-client-ts/3.0.1/browser/oidc-client-ts.min.js" integrity="sha512-dbp16seDDFaTwxhmIRipIY43lyMA70TDsc0zBODkVoM2LmD+UI8ndMbW8Qospq5+st97jIiaGCg2/vl0lBDBqQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script> | ||
|
||
<!-- To style up the demo a little --> | ||
<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet" | ||
integrity="sha384-T3c6CoIi6uLrA9TneNEoa7RxnatzjcDSCmG1MXxSR1GAsXEV/Dwwykc2MPK8M2HN" crossorigin="anonymous"> | ||
|
@@ -29,7 +32,7 @@ | |
<a class="nav-link" href="/minimal">Minimal</a> | ||
</li> | ||
<li class="nav-item"> | ||
<a class="nav-link" href="/oauth">Subscriber OAuth</a> | ||
<a class="nav-link" href="#" onclick="signin()">Subscriber OAuth</a> | ||
</li> | ||
<li class="nav-item"> | ||
<a class="nav-link" href="/subscriber">Subscriber Signin/Signup</a> | ||
|
@@ -49,9 +52,9 @@ | |
<div class="row py-3"> | ||
<!-- Connect options --> | ||
<div class="col-12 col-md-4"> | ||
<% if (user) { %> | ||
<div id="user-info" class="card"> | ||
<div class="card-header">User Info</div> | ||
<div id="userInfo" class="card"> | ||
<% if (user) { %> | ||
<div class="card-header">User Info</div> | ||
<div class="card-body"> | ||
<ul class="list-group list-group-flush"> | ||
<li class="list-group-item">id: <%= user.id %></li> | ||
|
@@ -66,8 +69,9 @@ | |
<li class="list-group-item">Company Name: <%= user.company_name %></li> | ||
</ul> | ||
</div> | ||
<% } %> | ||
|
||
</div> | ||
<% } %> | ||
|
||
<div id="callConsole" class="card"> | ||
<div class="card-body"> | ||
|
@@ -531,6 +535,7 @@ | |
const _host = "<%= host %>"; | ||
const _fabricApiUrl = "<%= fabricApiUrl %>"; | ||
const _firebaseConfig = <%- firebaseConfig %>; | ||
const _oauth_config = <%- oauthConfig %>; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We are not using it anywhere on the client side, are we? The same goes for There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We need to authConfig to initialize the oicd instance. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh yeah, I saw the |
||
</script> | ||
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js" integrity="sha384-C6RzsynM9kWDrMNeT87bh95OGNyZPhcTNXj1NW7RuBCsyN/o0jlpcV8Qyq46cDfL" crossorigin="anonymous"></script> | ||
<script type="text/javascript" src="https://unpkg.com/@signalwire/js@dev"></script> | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the token is being accessed using oidc:
We probably no longer need to maintain the session on our side.