mirror of
https://github.com/Ylianst/MeshCentral.git
synced 2025-03-09 15:40:18 +00:00
working generic oidc section
tested with authelia, works for me :)
This commit is contained in:
mstrhakr
parent
48a68197b2
commit
126c1474cc
1 changed files with 9 additions and 56 deletions
65
webserver.js
65
webserver.js
|
|
@ -6241,20 +6241,6 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
|||
}, handleStrategyLogin);
|
||||
}
|
||||
|
||||
|
||||
// passport-openidconnect example code
|
||||
/* var OpenIDConnectStrategy = require('passport-openidconnect');
|
||||
|
||||
passport.use(new OpenIDConnectStrategy({
|
||||
issuer: 'https://server.example.com',
|
||||
authorizationURL: 'https://server.example.com/authorize',
|
||||
tokenURL: 'https://server.example.com/token',
|
||||
userInfoURL: 'https://server.example.com/userinfo',
|
||||
clientID: process.env['CLIENT_ID'],
|
||||
clientSecret: process.env['CLIENT_SECRET'],
|
||||
callbackURL: 'https://client.example.org/cb'
|
||||
|
||||
)); */
|
||||
// Generic OpenID Connect
|
||||
if ((typeof domain.authstrategies.oidc == 'object') && (typeof domain.authstrategies.oidc.clientid == 'string') && (typeof domain.authstrategies.oidc.clientsecret == 'string') && (typeof domain.authstrategies.oidc.issuer == 'string')) {
|
||||
var options = {
|
||||
|
|
@ -6265,55 +6251,22 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
|
|||
issuer: domain.authstrategies.oidc.issuer,
|
||||
tokenURL: domain.authstrategies.oidc.tokenurl,
|
||||
userInfoURL: domain.authstrategies.oidc.userinfourl,
|
||||
scope: [ 'openid email profile' ],
|
||||
scope: [ 'openid profile email' ],
|
||||
responseMode: 'form_post' ,
|
||||
state: true
|
||||
};
|
||||
const OIDCStrategy = require('passport-openidconnect');
|
||||
if (typeof domain.authstrategies.oidc.callbackurl == 'string') { options.callbackURL = domain.authstrategies.oidc.callbackurl; } else { options.callbackURL = url + 'oidc-callback'; }
|
||||
parent.debug('web', 'Adding Generic OIDC SSO with options: ' + JSON.stringify(options));
|
||||
passport.use('oidc-' + domain.id, new OIDCStrategy(options,
|
||||
function (accessToken, refreshtoken, params, profile, done) {
|
||||
var userex = null;
|
||||
try { userex = require('jwt-simple').decode(params.id_token, "", true); } catch (ex) { }
|
||||
parent.debug('web', 'OpenID Connect profile: ' + JSON.stringify(userex));
|
||||
var user = null;
|
||||
if (userex != null) {
|
||||
var user = { sid: '~oidc:' + userex.unique_name, name: userex.name, strategy: 'oidc' };
|
||||
if (typeof userex.email == 'string') { user.email = userex.email; }
|
||||
}
|
||||
return done(null, user);
|
||||
}
|
||||
));
|
||||
/* passport.use('oidc-' + domain.id, new OIDCStrategy.Strategy(options,
|
||||
function (authorization_code, refresh_token, profile, cb) {
|
||||
parent.debug('web', 'OIDC profile: ' + JSON.stringify(profile));
|
||||
var user = { sid: '~oidc:' + profile.id, name: profile.displayName, strategy: 'oidc' };
|
||||
if ((typeof profile.emails == 'object') && (profile.emails[0] != null) && (typeof profile.emails[0].value == 'string')) { user.email = profile.emails[0].value; }
|
||||
passport.use('openidconnect', new OIDCStrategy.Strategy(options,
|
||||
function verify( iss, sub, profile, cb ) {
|
||||
var user = { sid: '~oidc:' + profile.id, name: profile.displayName, email: profile.email, strategy: 'oidc' };
|
||||
parent.debug('AUTH', 'OIDC: Configured user: ' + JSON.stringify(user));
|
||||
return cb(null, user);
|
||||
}
|
||||
)); */
|
||||
obj.app.get(url + 'auth-oidc', function (req, res, next) {
|
||||
var domain = getDomain(req);
|
||||
if (domain.passport == null) { next(); return; }
|
||||
domain.passport.authenticate('oidc-' + domain.id, { scope: 'openid email profile', state: obj.parent.encodeCookie({ 'p': 'azure' }, obj.parent.loginCookieEncryptionKey) })(req, res, next);
|
||||
});
|
||||
obj.app.get(url + 'oidc-callback', function (req, res, next) {
|
||||
var domain = getDomain(req);
|
||||
if (domain.passport == null) { next(); return; }
|
||||
if ((Object.keys(req.session).length == 0) && (req.query.nmr == null)) {
|
||||
// This is an empty session likely due to the 302 redirection, redirect again (this is a bit of a hack).
|
||||
var url = req.url;
|
||||
if (url.indexOf('?') >= 0) { url += '&nmr=1'; } else { url += '?nmr=1'; } // Add this to the URL to prevent redirect loop.
|
||||
res.set('Content-Type', 'text/html');
|
||||
res.end('<html><head><meta http-equiv="refresh" content=0;url="' + url + '"></head><body></body></html>');
|
||||
} else {
|
||||
if (req.query.state != null) {
|
||||
var c = obj.parent.decodeCookie(req.query.state, obj.parent.loginCookieEncryptionKey, 10); // 10 minute timeout
|
||||
if ((c != null) && (c.p == 'oidc')) { domain.passport.authenticate('oidc-' + domain.id, { failureRedirect: '/' })(req, res, next); return; }
|
||||
}
|
||||
next();
|
||||
}
|
||||
}, handleStrategyLogin);
|
||||
));
|
||||
obj.app.get(url + 'auth-oidc', domain.passport.authenticate('openidconnect'));
|
||||
obj.app.get(url + 'oidc-callback', domain.passport.authenticate('openidconnect', { failureRedirect: '/login?failed-auth-attempt', failureFlash: true }), handleStrategyLogin);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue