PrivateCoffee/element-web
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

OIDC: pass id_token via id_token_hint on Manage Account interaction (#12499)

Browse source 
* Store id_token rather than just id_token_claims

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Pass id_token via `id_token_hint` on `Manage Account` interaction

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Fix tests

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

---------

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
This commit is contained in:
Michael Telatynski 2024-05-07 12:27:37 +01:00 committed by GitHub
parent e2310e637c
commit 580bb5537d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 89 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/Lifecycle.ts
View file

@ -289,7 +289,7 @@ export async function attemptDelegatedAuthLogin(
*/ */
async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean> { async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean> {
try { try {
const { accessToken, refreshToken, homeserverUrl, identityServerUrl, idTokenClaims, clientId, issuer } = const { accessToken, refreshToken, homeserverUrl, identityServerUrl, idToken, clientId, issuer } =
await completeOidcLogin(queryParams); await completeOidcLogin(queryParams);
const { const {
@ -311,7 +311,7 @@ async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean>
logger.debug("Logged in via OIDC native flow"); logger.debug("Logged in via OIDC native flow");
await onSuccessfulDelegatedAuthLogin(credentials); await onSuccessfulDelegatedAuthLogin(credentials);
// this needs to happen after success handler which clears storages // this needs to happen after success handler which clears storages
persistOidcAuthenticatedSettings(clientId, issuer, idTokenClaims); persistOidcAuthenticatedSettings(clientId, issuer, idToken);
return true; return true;
} catch (error) { } catch (error) {
logger.error("Failed to login via OIDC", error); logger.error("Failed to login via OIDC", error);

21
src/stores/oidc/OidcClientStore.ts
View file

@ -18,7 +18,11 @@ import { MatrixClient, discoverAndValidateOIDCIssuerWellKnown } from "matrix-js-
import { logger } from "matrix-js-sdk/src/logger"; import { logger } from "matrix-js-sdk/src/logger";
import { OidcClient } from "oidc-client-ts"; import { OidcClient } from "oidc-client-ts";
import { getStoredOidcTokenIssuer, getStoredOidcClientId } from "../../utils/oidc/persistOidcSettings"; import {
getStoredOidcTokenIssuer,
getStoredOidcClientId,
getStoredOidcIdToken,
} from "../../utils/oidc/persistOidcSettings";
import PlatformPeg from "../../PlatformPeg"; import PlatformPeg from "../../PlatformPeg";
/** /**
@ -58,7 +62,7 @@ export class OidcClientStore {
const { accountManagementEndpoint, metadata } = await discoverAndValidateOIDCIssuerWellKnown( const { accountManagementEndpoint, metadata } = await discoverAndValidateOIDCIssuerWellKnown(
authIssuer.issuer, authIssuer.issuer,
); );
this._accountManagementEndpoint = accountManagementEndpoint ?? metadata.issuer; this.setAccountManagementEndpoint(accountManagementEndpoint, metadata.issuer);
} catch (e) { } catch (e) {
console.log("Auth issuer not found", e); console.log("Auth issuer not found", e);
} }
@ -72,6 +76,16 @@ export class OidcClientStore {
return !!this.authenticatedIssuer; return !!this.authenticatedIssuer;
} }
private setAccountManagementEndpoint(endpoint: string | undefined, issuer: string): void {
// if no account endpoint is configured default to the issuer
const url = new URL(endpoint ?? issuer);
const idToken = getStoredOidcIdToken();
if (idToken) {
url.searchParams.set("id_token_hint", idToken);
}
this._accountManagementEndpoint = url.toString();
}
public get accountManagementEndpoint(): string | undefined { public get accountManagementEndpoint(): string | undefined {
return this._accountManagementEndpoint; return this._accountManagementEndpoint;
} }
@ -150,8 +164,7 @@ export class OidcClientStore {
const { accountManagementEndpoint, metadata, signingKeys } = await discoverAndValidateOIDCIssuerWellKnown( const { accountManagementEndpoint, metadata, signingKeys } = await discoverAndValidateOIDCIssuerWellKnown(
this.authenticatedIssuer, this.authenticatedIssuer,
); );
// if no account endpoint is configured default to the issuer this.setAccountManagementEndpoint(accountManagementEndpoint, metadata.issuer);
this._accountManagementEndpoint = accountManagementEndpoint ?? metadata.issuer;
this.oidcClient = new OidcClient({ this.oidcClient = new OidcClient({
...metadata, ...metadata,
authority: metadata.issuer, authority: metadata.issuer,

3
src/utils/oidc/authorize.ts
View file

@ -86,6 +86,8 @@ type CompleteOidcLoginResponse = {
accessToken: string; accessToken: string;
// refreshToken gained from OIDC token issuer, when falsy token cannot be refreshed // refreshToken gained from OIDC token issuer, when falsy token cannot be refreshed
refreshToken?: string; refreshToken?: string;
// idToken gained from OIDC token issuer
idToken: string;
// this client's id as registered with the OIDC issuer // this client's id as registered with the OIDC issuer
clientId: string; clientId: string;
// issuer used during authentication // issuer used during authentication
@ -109,6 +111,7 @@ export const completeOidcLogin = async (queryParams: QueryDict): Promise<Complet
identityServerUrl, identityServerUrl,
accessToken: tokenResponse.access_token, accessToken: tokenResponse.access_token,
refreshToken: tokenResponse.refresh_token, refreshToken: tokenResponse.refresh_token,
idToken: tokenResponse.id_token,
clientId: oidcClientSettings.clientId, clientId: oidcClientSettings.clientId,
issuer: oidcClientSettings.issuer, issuer: oidcClientSettings.issuer,
idTokenClaims, idTokenClaims,

32
src/utils/oidc/persistOidcSettings.ts
View file

@ -15,9 +15,14 @@ limitations under the License.
*/ */
import { IdTokenClaims } from "oidc-client-ts"; import { IdTokenClaims } from "oidc-client-ts";
import { decodeIdToken } from "matrix-js-sdk/src/matrix";
const clientIdStorageKey = "mx_oidc_client_id"; const clientIdStorageKey = "mx_oidc_client_id";
const tokenIssuerStorageKey = "mx_oidc_token_issuer"; const tokenIssuerStorageKey = "mx_oidc_token_issuer";
const idTokenStorageKey = "mx_oidc_id_token";
/**
* @deprecated in favour of using idTokenStorageKey
*/
const idTokenClaimsStorageKey = "mx_oidc_id_token_claims"; const idTokenClaimsStorageKey = "mx_oidc_id_token_claims";
/** /**
@ -25,15 +30,13 @@ const idTokenClaimsStorageKey = "mx_oidc_id_token_claims";
* Only set after successful authentication * Only set after successful authentication
* @param clientId * @param clientId
* @param issuer * @param issuer
* @param idToken
* @param idTokenClaims
*/ */
export const persistOidcAuthenticatedSettings = ( export const persistOidcAuthenticatedSettings = (clientId: string, issuer: string, idToken: string): void => {
clientId: string,
issuer: string,
idTokenClaims: IdTokenClaims,
): void => {
localStorage.setItem(clientIdStorageKey, clientId); localStorage.setItem(clientIdStorageKey, clientId);
localStorage.setItem(tokenIssuerStorageKey, issuer); localStorage.setItem(tokenIssuerStorageKey, issuer);
localStorage.setItem(idTokenClaimsStorageKey, JSON.stringify(idTokenClaims)); localStorage.setItem(idTokenStorageKey, idToken);
}; };
/** /**
@ -59,13 +62,26 @@ export const getStoredOidcClientId = (): string => {
}; };
/** /**
* Retrieve stored id token claims from local storage * Retrieve stored id token claims from stored id token or local storage
* @returns idtokenclaims or undefined * @returns idTokenClaims or undefined
*/ */
export const getStoredOidcIdTokenClaims = (): IdTokenClaims | undefined => { export const getStoredOidcIdTokenClaims = (): IdTokenClaims | undefined => {
const idToken = getStoredOidcIdToken();
if (idToken) {
return decodeIdToken(idToken);
}
const idTokenClaims = localStorage.getItem(idTokenClaimsStorageKey); const idTokenClaims = localStorage.getItem(idTokenClaimsStorageKey);
if (!idTokenClaims) { if (!idTokenClaims) {
return; return;
} }
return JSON.parse(idTokenClaims) as IdTokenClaims; return JSON.parse(idTokenClaims) as IdTokenClaims;
}; };
/**
* Retrieve stored id token from local storage
* @returns idToken or undefined
*/
export const getStoredOidcIdToken = (): string | undefined => {
return localStorage.getItem(idTokenStorageKey) ?? undefined;
};

15
test/Lifecycle-test.ts
View file

@ -657,13 +657,8 @@ describe("Lifecycle", () => {
const issuer = "https://auth.com/"; const issuer = "https://auth.com/";
const delegatedAuthConfig = makeDelegatedAuthConfig(issuer); const delegatedAuthConfig = makeDelegatedAuthConfig(issuer);
const idTokenClaims = { const idToken =
aud: "123", "eyJhbGciOiJSUzI1NiIsImtpZCI6Imh4ZEhXb0Y5bW4ifQ.eyJzdWIiOiIwMUhQUDJGU0JZREU5UDlFTU04REQ3V1pIUiIsImlzcyI6Imh0dHBzOi8vYXV0aC1vaWRjLmxhYi5lbGVtZW50LmRldi8iLCJpYXQiOjE3MTUwNzE5ODUsImF1dGhfdGltZSI6MTcwNzk5MDMxMiwiY19oYXNoIjoidGt5R1RhUjU5aTk3YXoyTU4yMGdidyIsImV4cCI6MTcxNTA3NTU4NSwibm9uY2UiOiJxaXhwM0hFMmVaIiwiYXVkIjoiMDFIWDk0Mlg3QTg3REgxRUs2UDRaNjI4WEciLCJhdF9oYXNoIjoiNFlFUjdPRlVKTmRTeEVHV2hJUDlnZyJ9.HxODneXvSTfWB5Vc4cf7b8GiN2gdwUuTiyVqZuupWske2HkZiJZUt5Lsxg9BW3gz28POkE0Ln17snlkmy02B_AD3DQxKOOxQCzIIARHdfFvZxgGWsMdFcVQZDW7rtXcqgj-SpVaUQ_8acsgxSrz_DF2o0O4tto0PT6wVUiw8KlBmgWTscWPeAWe-39T-8EiQ8Wi16h6oSPcz2NzOQ7eOM_S9fDkOorgcBkRGLl1nrahrPSdWJSGAeruk5mX4YxN714YThFDyEA2t9YmKpjaiSQ2tT-Xkd7tgsZqeirNs2ni9mIiFX3bRX6t2AhUNzA7MaX9ZyizKGa6go3BESO_oDg";
iss: issuer,
sub: "123",
exp: 123,
iat: 456,
};
beforeAll(() => { beforeAll(() => {
fetchMock.get( fetchMock.get(
@ -682,7 +677,7 @@ describe("Lifecycle", () => {
beforeEach(() => { beforeEach(() => {
initSessionStorageMock(); initSessionStorageMock();
// set values in session storage as they would be after a successful oidc authentication // set values in session storage as they would be after a successful oidc authentication
persistOidcAuthenticatedSettings(clientId, issuer, idTokenClaims); persistOidcAuthenticatedSettings(clientId, issuer, idToken);
}); });
it("should not try to create a token refresher without a refresh token", async () => { it("should not try to create a token refresher without a refresh token", async () => {
@ -712,7 +707,7 @@ describe("Lifecycle", () => {
clientId, clientId,
// @ts-ignore set undefined issuer // @ts-ignore set undefined issuer
undefined, undefined,
idTokenClaims, idToken,
); );
await setLoggedIn({ await setLoggedIn({
...credentials, ...credentials,
@ -744,7 +739,7 @@ describe("Lifecycle", () => {
it("should create a client when creating token refresher fails", async () => { it("should create a client when creating token refresher fails", async () => {
// set invalid value in session storage for a malformed oidc authentication // set invalid value in session storage for a malformed oidc authentication
persistOidcAuthenticatedSettings(null as any, issuer, idTokenClaims); persistOidcAuthenticatedSettings(null as any, issuer, idToken);
// succeeded // succeeded
expect( expect(

1
test/components/structures/MatrixChat-test.tsx
View file

@ -284,6 +284,7 @@ describe("<MatrixChat />", () => {
const tokenResponse: BearerTokenResponse = { const tokenResponse: BearerTokenResponse = {
access_token: accessToken, access_token: accessToken,
refresh_token: "def456", refresh_token: "def456",
id_token: "ghi789",
scope: "test", scope: "test",
token_type: "Bearer", token_type: "Bearer",
expires_at: 12345, expires_at: 12345,

2
test/utils/oidc/authorize-test.ts
View file

@ -115,6 +115,7 @@ describe("OIDC authorization", () => {
const tokenResponse: BearerTokenResponse = { const tokenResponse: BearerTokenResponse = {
access_token: "abc123", access_token: "abc123",
refresh_token: "def456", refresh_token: "def456",
id_token: "ghi789",
scope: "test", scope: "test",
token_type: "Bearer", token_type: "Bearer",
expires_at: 12345, expires_at: 12345,
@ -163,6 +164,7 @@ describe("OIDC authorization", () => {
identityServerUrl, identityServerUrl,
issuer, issuer,
clientId, clientId,
idToken: "ghi789",
idTokenClaims: result.idTokenClaims, idTokenClaims: result.idTokenClaims,
}); });
}); });

44
test/utils/oidc/persistOidcSettings-test.ts
View file

@ -15,14 +15,19 @@ limitations under the License.
*/ */
import { IdTokenClaims } from "oidc-client-ts"; import { IdTokenClaims } from "oidc-client-ts";
import { decodeIdToken } from "matrix-js-sdk/src/matrix";
import { mocked } from "jest-mock";
import { import {
getStoredOidcClientId, getStoredOidcClientId,
getStoredOidcIdToken,
getStoredOidcIdTokenClaims, getStoredOidcIdTokenClaims,
getStoredOidcTokenIssuer, getStoredOidcTokenIssuer,
persistOidcAuthenticatedSettings, persistOidcAuthenticatedSettings,
} from "../../../src/utils/oidc/persistOidcSettings"; } from "../../../src/utils/oidc/persistOidcSettings";
jest.mock("matrix-js-sdk/src/matrix");
describe("persist OIDC settings", () => { describe("persist OIDC settings", () => {
jest.spyOn(Storage.prototype, "getItem"); jest.spyOn(Storage.prototype, "getItem");
jest.spyOn(Storage.prototype, "setItem"); jest.spyOn(Storage.prototype, "setItem");
@ -33,6 +38,7 @@ describe("persist OIDC settings", () => {
const clientId = "test-client-id"; const clientId = "test-client-id";
const issuer = "https://auth.org/"; const issuer = "https://auth.org/";
const idToken = "test-id-token";
const idTokenClaims: IdTokenClaims = { const idTokenClaims: IdTokenClaims = {
// audience is this client // audience is this client
aud: "123", aud: "123",
@ -44,45 +50,65 @@ describe("persist OIDC settings", () => {
}; };
describe("persistOidcAuthenticatedSettings", () => { describe("persistOidcAuthenticatedSettings", () => {
it("should set clientId and issuer in session storage", () => { it("should set clientId and issuer in localStorage", () => {
persistOidcAuthenticatedSettings(clientId, issuer, idTokenClaims); persistOidcAuthenticatedSettings(clientId, issuer, idToken);
expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_client_id", clientId); expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_client_id", clientId);
expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_token_issuer", issuer); expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_token_issuer", issuer);
expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_id_token_claims", JSON.stringify(idTokenClaims)); expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_id_token", idToken);
}); });
}); });
describe("getStoredOidcTokenIssuer()", () => { describe("getStoredOidcTokenIssuer()", () => {
it("should return issuer from session storage", () => { it("should return issuer from localStorage", () => {
localStorage.setItem("mx_oidc_token_issuer", issuer); localStorage.setItem("mx_oidc_token_issuer", issuer);
expect(getStoredOidcTokenIssuer()).toEqual(issuer); expect(getStoredOidcTokenIssuer()).toEqual(issuer);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_token_issuer"); expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_token_issuer");
}); });
it("should return undefined when no issuer in session storage", () => { it("should return undefined when no issuer in localStorage", () => {
expect(getStoredOidcTokenIssuer()).toBeUndefined(); expect(getStoredOidcTokenIssuer()).toBeUndefined();
}); });
}); });
describe("getStoredOidcClientId()", () => { describe("getStoredOidcClientId()", () => {
it("should return clientId from session storage", () => { it("should return clientId from localStorage", () => {
localStorage.setItem("mx_oidc_client_id", clientId); localStorage.setItem("mx_oidc_client_id", clientId);
expect(getStoredOidcClientId()).toEqual(clientId); expect(getStoredOidcClientId()).toEqual(clientId);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_client_id"); expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_client_id");
}); });
it("should throw when no clientId in session storage", () => { it("should throw when no clientId in localStorage", () => {
expect(() => getStoredOidcClientId()).toThrow("Oidc client id not found in storage"); expect(() => getStoredOidcClientId()).toThrow("Oidc client id not found in storage");
}); });
}); });
describe("getStoredOidcIdToken()", () => {
it("should return token from localStorage", () => {
localStorage.setItem("mx_oidc_id_token", idToken);
expect(getStoredOidcIdToken()).toEqual(idToken);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token");
});
it("should return undefined when no token in localStorage", () => {
expect(getStoredOidcIdToken()).toBeUndefined();
});
});
describe("getStoredOidcIdTokenClaims()", () => { describe("getStoredOidcIdTokenClaims()", () => {
it("should return issuer from session storage", () => { it("should return claims from localStorage", () => {
localStorage.setItem("mx_oidc_id_token_claims", JSON.stringify(idTokenClaims)); localStorage.setItem("mx_oidc_id_token_claims", JSON.stringify(idTokenClaims));
expect(getStoredOidcIdTokenClaims()).toEqual(idTokenClaims); expect(getStoredOidcIdTokenClaims()).toEqual(idTokenClaims);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token_claims"); expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token_claims");
}); });
it("should return undefined when no issuer in session storage", () => { it("should return claims extracted from id_token in localStorage", () => {
localStorage.setItem("mx_oidc_id_token", idToken);
mocked(decodeIdToken).mockReturnValue(idTokenClaims);
expect(getStoredOidcIdTokenClaims()).toEqual(idTokenClaims);
expect(decodeIdToken).toHaveBeenCalledWith(idToken);
expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token_claims");
});
it("should return undefined when no claims in localStorage", () => {
expect(getStoredOidcIdTokenClaims()).toBeUndefined(); expect(getStoredOidcIdTokenClaims()).toBeUndefined();
}); });
}); });