fix: oidc fixes (#884)
* fix: oidc fixes

* fix: comment
sattvikc authored Jul 15, 2024
1 parent 952c199 commit 452b249
Showing 14 changed files with 92 additions and 3 deletions.
15 changes: 13 additions & 2 deletions CHANGELOG.md
Expand Up @@ -152,7 +152,7 @@ ThirdParty.init({
});
```

#### Migrating `oidcDiscoveryEndpoint` in core:
#### Migrating `oidcDiscoveryEndpoint` in core (for custom providers only):

For each tenant, do the following

Expand All @@ -169,9 +169,20 @@ import Multitenancy from "supertokens-node/recipe/multitenancy";
const tenantsRes = await Multitenancy.listAllTenants();
function isCustomProvider(thirdPartyId: string): boolean {
const customProviders = [
"custom",
//... all your custom thirdPartyIds
];
return customProviders.includes(thirdPartyId);
}
for (const tenant of tenantsRes.tenants) {
for (const provider of tenant.thirdParty.providers) {
if (provider.oidcDiscoveryEndpoint !== undefined) {
if (isCustomProvider(provider.thirdPartyId) && provider.oidcDiscoveryEndpoint !== undefined) {
if (provider.oidcDiscoveryEndpoint.endsWith("/")) {
provider.oidcDiscoveryEndpoint = provider.oidcDiscoveryEndpoint.slice(0, -1);
}
provider.oidcDiscoveryEndpoint = `${provider.config.oidcDiscoveryEndpoint}/.well-known/openid-configuration`;
await Multitenancy.createOrUpdateThirdPartyConfig(tenant.tenantId, provider);
5 changes: 5 additions & 0 deletions lib/build/recipe/thirdparty/providers/activeDirectory.js
Expand Up @@ -20,6 +20,7 @@ var __importDefault =
};
Object.defineProperty(exports, "__esModule", { value: true });
const custom_1 = __importDefault(require("./custom"));
const utils_1 = require("./utils");
function ActiveDirectory(input) {
if (input.config.name === undefined) {
input.config.name = "Active Directory";
Expand All @@ -38,6 +39,10 @@ function ActiveDirectory(input) {
} else {
config.oidcDiscoveryEndpoint = `https://login.microsoftonline.com/${config.additionalConfig.directoryId}/v2.0/.well-known/openid-configuration`;
}
// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = utils_1.normaliseOIDCEndpointToIncludeWellKnown(
config.oidcDiscoveryEndpoint
);
if (config.scope === undefined) {
config.scope = ["openid", "email"];
}
5 changes: 5 additions & 0 deletions lib/build/recipe/thirdparty/providers/apple.js
Expand Up @@ -52,6 +52,7 @@ var __importStar =
Object.defineProperty(exports, "__esModule", { value: true });
const custom_1 = __importStar(require("./custom"));
const jose = __importStar(require("jose"));
const utils_1 = require("./utils");
async function getClientSecret(clientId, keyId, teamId, privateKey) {
const alg = "ES256";
const key = await jose.importPKCS8(privateKey.replace(/\\n/g, "\n"), alg);
Expand Down Expand Up @@ -101,6 +102,10 @@ function Apple(input) {
config.additionalConfig.privateKey
);
}
// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = utils_1.normaliseOIDCEndpointToIncludeWellKnown(
config.oidcDiscoveryEndpoint
);
return config;
};
const oExchangeAuthCodeForOAuthTokens = originalImplementation.exchangeAuthCodeForOAuthTokens;
5 changes: 5 additions & 0 deletions lib/build/recipe/thirdparty/providers/gitlab.js
Expand Up @@ -22,6 +22,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
const normalisedURLDomain_1 = __importDefault(require("../../../normalisedURLDomain"));
const normalisedURLPath_1 = __importDefault(require("../../../normalisedURLPath"));
const custom_1 = __importDefault(require("./custom"));
const utils_1 = require("./utils");
// import NormalisedURLDomain from "../../../normalisedURLDomain";
function Gitlab(input) {
if (input.config.name === undefined) {
Expand All @@ -42,6 +43,10 @@ function Gitlab(input) {
} else if (config.oidcDiscoveryEndpoint === undefined) {
config.oidcDiscoveryEndpoint = "https://gitlab.com/.well-known/openid-configuration";
}
// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = utils_1.normaliseOIDCEndpointToIncludeWellKnown(
config.oidcDiscoveryEndpoint
);
return config;
};
if (oOverride !== undefined) {
5 changes: 5 additions & 0 deletions lib/build/recipe/thirdparty/providers/google.js
Expand Up @@ -6,6 +6,7 @@ var __importDefault =
};
Object.defineProperty(exports, "__esModule", { value: true });
const custom_1 = __importDefault(require("./custom"));
const utils_1 = require("./utils");
function Google(input) {
if (input.config.name === undefined) {
input.config.name = "Google";
Expand All @@ -25,6 +26,10 @@ function Google(input) {
if (config.scope === undefined) {
config.scope = ["openid", "email"];
}
// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = utils_1.normaliseOIDCEndpointToIncludeWellKnown(
config.oidcDiscoveryEndpoint
);
return config;
};
if (oOverride !== undefined) {
5 changes: 5 additions & 0 deletions lib/build/recipe/thirdparty/providers/okta.js
Expand Up @@ -22,6 +22,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
const normalisedURLDomain_1 = __importDefault(require("../../../normalisedURLDomain"));
const normalisedURLPath_1 = __importDefault(require("../../../normalisedURLPath"));
const custom_1 = __importDefault(require("./custom"));
const utils_1 = require("./utils");
function Okta(input) {
if (input.config.name === undefined) {
input.config.name = "Okta";
Expand All @@ -40,6 +41,10 @@ function Okta(input) {
const oidcPath = new normalisedURLPath_1.default("/.well-known/openid-configuration");
config.oidcDiscoveryEndpoint = oidcDomain.getAsStringDangerous() + oidcPath.getAsStringDangerous();
}
// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = utils_1.normaliseOIDCEndpointToIncludeWellKnown(
config.oidcDiscoveryEndpoint
);
if (config.scope === undefined) {
config.scope = ["openid", "email"];
}
1 change: 1 addition & 0 deletions lib/build/recipe/thirdparty/providers/utils.d.ts
Expand Up @@ -33,3 +33,4 @@ export declare function verifyIdTokenFromJWKSEndpointAndGetPayload(
otherOptions: jose.JWTVerifyOptions
): Promise<any>;
export declare function discoverOIDCEndpoints(config: ProviderConfigForClientType): Promise<void>;
export declare function normaliseOIDCEndpointToIncludeWellKnown(url: string): string;
17 changes: 16 additions & 1 deletion lib/build/recipe/thirdparty/providers/utils.js
Expand Up @@ -41,7 +41,7 @@ var __importDefault =
return mod && mod.__esModule ? mod : { default: mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.discoverOIDCEndpoints = exports.verifyIdTokenFromJWKSEndpointAndGetPayload = exports.doPostRequest = exports.doGetRequest = void 0;
exports.normaliseOIDCEndpointToIncludeWellKnown = exports.discoverOIDCEndpoints = exports.verifyIdTokenFromJWKSEndpointAndGetPayload = exports.doPostRequest = exports.doGetRequest = void 0;
const jose = __importStar(require("jose"));
const normalisedURLDomain_1 = __importDefault(require("../../../normalisedURLDomain"));
const normalisedURLPath_1 = __importDefault(require("../../../normalisedURLPath"));
Expand Down Expand Up @@ -141,3 +141,18 @@ async function discoverOIDCEndpoints(config) {
}
}
exports.discoverOIDCEndpoints = discoverOIDCEndpoints;
function normaliseOIDCEndpointToIncludeWellKnown(url) {
// we call this only for built-in providers that use OIDC. We no longer generically add well-known in the custom provider
if (url.endsWith("/.well-known/openid-configuration") === true) {
return url;
}
const normalisedDomain = new normalisedURLDomain_1.default(url);
const normalisedPath = new normalisedURLPath_1.default(url);
const normalisedWellKnownPath = new normalisedURLPath_1.default("/.well-known/openid-configuration");
return (
normalisedDomain.getAsStringDangerous() +
normalisedPath.getAsStringDangerous() +
normalisedWellKnownPath.getAsStringDangerous()
);
}
exports.normaliseOIDCEndpointToIncludeWellKnown = normaliseOIDCEndpointToIncludeWellKnown;
4 changes: 4 additions & 0 deletions lib/ts/recipe/thirdparty/providers/activeDirectory.ts
Expand Up @@ -15,6 +15,7 @@

import { ProviderInput, TypeProvider } from "../types";
import NewProvider from "./custom";
import { normaliseOIDCEndpointToIncludeWellKnown } from "./utils";

export default function ActiveDirectory(input: ProviderInput): TypeProvider {
if (input.config.name === undefined) {
Expand All @@ -38,6 +39,9 @@ export default function ActiveDirectory(input: ProviderInput): TypeProvider {
config.oidcDiscoveryEndpoint = `https://login.microsoftonline.com/${config.additionalConfig.directoryId}/v2.0/.well-known/openid-configuration`;
}

// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = normaliseOIDCEndpointToIncludeWellKnown(config.oidcDiscoveryEndpoint);

if (config.scope === undefined) {
config.scope = ["openid", "email"];
}
4 changes: 4 additions & 0 deletions lib/ts/recipe/thirdparty/providers/apple.ts
Expand Up @@ -16,6 +16,7 @@
import { ProviderInput, TypeProvider } from "../types";
import NewProvider, { getActualClientIdFromDevelopmentClientId } from "./custom";
import * as jose from "jose";
import { normaliseOIDCEndpointToIncludeWellKnown } from "./utils";

async function getClientSecret(clientId: string, keyId: string, teamId: string, privateKey: string): Promise<string> {
const alg = "ES256";
Expand Down Expand Up @@ -76,6 +77,9 @@ export default function Apple(input: ProviderInput): TypeProvider {
);
}

// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = normaliseOIDCEndpointToIncludeWellKnown(config.oidcDiscoveryEndpoint!);

return config;
};

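Review bot: The non-null assertion on `config.oidcDiscoveryEndpoint!` in the new Apple line (and the same pattern in the google.ts hunk) is inconsistent with the activeDirectory, gitlab and okta hunks, which pass the value unasserted, and it hides a real failure mode: the helper calls `url.endsWith(...)` immediately, so a missing endpoint would surface as a TypeError about `endsWith` during provider construction instead of a configuration error. If the code above the hunk already guarantees a value, a short comment saying so would justify the `!`; otherwise prefer an explicit guard such as `if (config.oidcDiscoveryEndpoint === undefined) { throw new Error("oidcDiscoveryEndpoint must be set"); }` ahead of the call, or widen the helper to accept `string | undefined` and return the input unchanged. The enclosing override function starts and ends outside the hunk.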
4 changes: 4 additions & 0 deletions lib/ts/recipe/thirdparty/providers/gitlab.ts
Expand Up @@ -17,6 +17,7 @@ import NormalisedURLDomain from "../../../normalisedURLDomain";
import NormalisedURLPath from "../../../normalisedURLPath";
import { TypeProvider, ProviderInput } from "../types";
import NewProvider from "./custom";
import { normaliseOIDCEndpointToIncludeWellKnown } from "./utils";
// import NormalisedURLDomain from "../../../normalisedURLDomain";

export default function Gitlab(input: ProviderInput): TypeProvider {
Expand All @@ -43,6 +44,9 @@ export default function Gitlab(input: ProviderInput): TypeProvider {
config.oidcDiscoveryEndpoint = "https://gitlab.com/.well-known/openid-configuration";
}

// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = normaliseOIDCEndpointToIncludeWellKnown(config.oidcDiscoveryEndpoint);

return config;
};

4 changes: 4 additions & 0 deletions lib/ts/recipe/thirdparty/providers/google.ts
Expand Up @@ -14,6 +14,7 @@
*/
import { ProviderInput, TypeProvider } from "../types";
import NewProvider from "./custom";
import { normaliseOIDCEndpointToIncludeWellKnown } from "./utils";

export default function Google(input: ProviderInput): TypeProvider {
if (input.config.name === undefined) {
Expand Down Expand Up @@ -41,6 +42,9 @@ export default function Google(input: ProviderInput): TypeProvider {
config.scope = ["openid", "email"];
}

// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = normaliseOIDCEndpointToIncludeWellKnown(config.oidcDiscoveryEndpoint!);

return config;
};

4 changes: 4 additions & 0 deletions lib/ts/recipe/thirdparty/providers/okta.ts
Expand Up @@ -16,6 +16,7 @@ import NormalisedURLDomain from "../../../normalisedURLDomain";
import NormalisedURLPath from "../../../normalisedURLPath";
import { ProviderInput, TypeProvider } from "../types";
import NewProvider from "./custom";
import { normaliseOIDCEndpointToIncludeWellKnown } from "./utils";

export default function Okta(input: ProviderInput): TypeProvider {
if (input.config.name === undefined) {
Expand All @@ -40,6 +41,9 @@ export default function Okta(input: ProviderInput): TypeProvider {
config.oidcDiscoveryEndpoint = oidcDomain.getAsStringDangerous() + oidcPath.getAsStringDangerous();
}

// The config could be coming from core where we didn't add the well-known previously
config.oidcDiscoveryEndpoint = normaliseOIDCEndpointToIncludeWellKnown(config.oidcDiscoveryEndpoint);

if (config.scope === undefined) {
config.scope = ["openid", "email"];
}
17 changes: 17 additions & 0 deletions lib/ts/recipe/thirdparty/providers/utils.ts
Expand Up @@ -139,3 +139,20 @@ export async function discoverOIDCEndpoints(config: ProviderConfigForClientType)
}
}
}

export function normaliseOIDCEndpointToIncludeWellKnown(url: string): string {
// we call this only for built-in providers that use OIDC. We no longer generically add well-known in the custom provider
if (url.endsWith("/.well-known/openid-configuration") === true) {
return url;
}

const normalisedDomain = new NormalisedURLDomain(url);
const normalisedPath = new NormalisedURLPath(url);
const normalisedWellKnownPath = new NormalisedURLPath("/.well-known/openid-configuration");

return (
normalisedDomain.getAsStringDangerous() +
normalisedPath.getAsStringDangerous() +
normalisedWellKnownPath.getAsStringDangerous()
);
}
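Review bot: The early return in `normaliseOIDCEndpointToIncludeWellKnown` only recognises an exact suffix match, so a stored endpoint that ends in `/.well-known/openid-configuration/` or carries a query string or fragment falls through and gets the well-known path appended a second time, unless `NormalisedURLPath` strips those parts (not visible from here, so worth confirming with a unit test for each of those inputs). The function is exported but has no TSDoc; a header such as `/** Ensures a built-in provider's OIDC discovery URL ends with "/.well-known/openid-configuration". Values already carrying the suffix are returned unchanged; intended for built-in providers only, custom providers are no longer rewritten. */` would capture the contract the inline comment hints at. As a point of style, `if (url.endsWith(...) === true)` compares a boolean to `true`; `if (url.endsWith("/.well-known/openid-configuration"))` reads cleaner. The same logic is mirrored in the generated lib/build/.../utils.js hunk and should be regenerated rather than edited by hand.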
