OIDC: persist id token claims (#11691)
* persist idTokenClaims * tests * remove unused cde
This commit is contained in:
parent
1c553eae4e
commit
feb7e9899b
6 changed files with 70 additions and 24 deletions
|
@ -272,7 +272,7 @@ export async function attemptDelegatedAuthLogin(
|
|||
*/
|
||||
async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean> {
|
||||
try {
|
||||
const { accessToken, refreshToken, homeserverUrl, identityServerUrl, clientId, issuer } =
|
||||
const { accessToken, refreshToken, homeserverUrl, identityServerUrl, idTokenClaims, clientId, issuer } =
|
||||
await completeOidcLogin(queryParams);
|
||||
|
||||
const {
|
||||
|
@ -294,7 +294,7 @@ async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean>
|
|||
logger.debug("Logged in via OIDC native flow");
|
||||
await onSuccessfulDelegatedAuthLogin(credentials);
|
||||
// this needs to happen after success handler which clears storages
|
||||
persistOidcAuthenticatedSettings(clientId, issuer);
|
||||
persistOidcAuthenticatedSettings(clientId, issuer, idTokenClaims);
|
||||
return true;
|
||||
} catch (error) {
|
||||
logger.error("Failed to login via OIDC", error);
|
||||
|
|
|
@ -18,6 +18,7 @@ import { completeAuthorizationCodeGrant, generateOidcAuthorizationUrl } from "ma
|
|||
import { QueryDict } from "matrix-js-sdk/src/utils";
|
||||
import { OidcClientConfig } from "matrix-js-sdk/src/matrix";
|
||||
import { randomString } from "matrix-js-sdk/src/randomstring";
|
||||
import { IdTokenClaims } from "oidc-client-ts";
|
||||
|
||||
/**
|
||||
* Start OIDC authorization code flow
|
||||
|
@ -81,6 +82,8 @@ type CompleteOidcLoginResponse = {
|
|||
clientId: string;
|
||||
// issuer used during authentication
|
||||
issuer: string;
|
||||
// claims of the given access token; used during token refresh to validate new tokens
|
||||
idTokenClaims: IdTokenClaims;
|
||||
};
|
||||
/**
|
||||
* Attempt to complete authorization code flow to get an access token
|
||||
|
@ -90,7 +93,7 @@ type CompleteOidcLoginResponse = {
|
|||
*/
|
||||
export const completeOidcLogin = async (queryParams: QueryDict): Promise<CompleteOidcLoginResponse> => {
|
||||
const { code, state } = getCodeAndStateFromQueryParams(queryParams);
|
||||
const { homeserverUrl, tokenResponse, identityServerUrl, oidcClientSettings } =
|
||||
const { homeserverUrl, tokenResponse, idTokenClaims, identityServerUrl, oidcClientSettings } =
|
||||
await completeAuthorizationCodeGrant(code, state);
|
||||
|
||||
return {
|
||||
|
@ -100,5 +103,6 @@ export const completeOidcLogin = async (queryParams: QueryDict): Promise<Complet
|
|||
refreshToken: tokenResponse.refresh_token,
|
||||
clientId: oidcClientSettings.clientId,
|
||||
issuer: oidcClientSettings.issuer,
|
||||
idTokenClaims,
|
||||
};
|
||||
};
|
||||
|
|
|
@ -14,8 +14,11 @@ See the License for the specific language governing permissions and
|
|||
limitations under the License.
|
||||
*/
|
||||
|
||||
import { IdTokenClaims } from "oidc-client-ts";
|
||||
|
||||
const clientIdStorageKey = "mx_oidc_client_id";
|
||||
const tokenIssuerStorageKey = "mx_oidc_token_issuer";
|
||||
const idTokenClaimsStorageKey = "mx_oidc_id_token_claims";
|
||||
|
||||
/**
|
||||
* Persists oidc clientId and issuer in session storage
|
||||
|
@ -23,9 +26,14 @@ const tokenIssuerStorageKey = "mx_oidc_token_issuer";
|
|||
* @param clientId
|
||||
* @param issuer
|
||||
*/
|
||||
export const persistOidcAuthenticatedSettings = (clientId: string, issuer: string): void => {
|
||||
export const persistOidcAuthenticatedSettings = (
|
||||
clientId: string,
|
||||
issuer: string,
|
||||
idTokenClaims: IdTokenClaims,
|
||||
): void => {
|
||||
sessionStorage.setItem(clientIdStorageKey, clientId);
|
||||
sessionStorage.setItem(tokenIssuerStorageKey, issuer);
|
||||
sessionStorage.setItem(idTokenClaimsStorageKey, JSON.stringify(idTokenClaims));
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
|
@ -924,15 +924,24 @@ describe("<MatrixChat />", () => {
|
|||
};
|
||||
|
||||
beforeEach(() => {
|
||||
mocked(completeAuthorizationCodeGrant).mockClear().mockResolvedValue({
|
||||
oidcClientSettings: {
|
||||
clientId,
|
||||
issuer,
|
||||
},
|
||||
tokenResponse,
|
||||
homeserverUrl,
|
||||
identityServerUrl,
|
||||
});
|
||||
mocked(completeAuthorizationCodeGrant)
|
||||
.mockClear()
|
||||
.mockResolvedValue({
|
||||
oidcClientSettings: {
|
||||
clientId,
|
||||
issuer,
|
||||
},
|
||||
tokenResponse,
|
||||
homeserverUrl,
|
||||
identityServerUrl,
|
||||
idTokenClaims: {
|
||||
aud: "123",
|
||||
iss: issuer,
|
||||
sub: "123",
|
||||
exp: 123,
|
||||
iat: 456,
|
||||
},
|
||||
});
|
||||
|
||||
jest.spyOn(logger, "error").mockClear();
|
||||
});
|
||||
|
|
|
@ -104,15 +104,24 @@ describe("OIDC authorization", () => {
|
|||
};
|
||||
|
||||
beforeEach(() => {
|
||||
mocked(completeAuthorizationCodeGrant).mockClear().mockResolvedValue({
|
||||
oidcClientSettings: {
|
||||
clientId,
|
||||
issuer,
|
||||
},
|
||||
tokenResponse,
|
||||
homeserverUrl,
|
||||
identityServerUrl,
|
||||
});
|
||||
mocked(completeAuthorizationCodeGrant)
|
||||
.mockClear()
|
||||
.mockResolvedValue({
|
||||
oidcClientSettings: {
|
||||
clientId,
|
||||
issuer,
|
||||
},
|
||||
tokenResponse,
|
||||
homeserverUrl,
|
||||
identityServerUrl,
|
||||
idTokenClaims: {
|
||||
aud: "123",
|
||||
iss: issuer,
|
||||
sub: "123",
|
||||
exp: 123,
|
||||
iat: 456,
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
it("should throw when query params do not include state and code", async () => {
|
||||
|
@ -137,6 +146,7 @@ describe("OIDC authorization", () => {
|
|||
identityServerUrl,
|
||||
issuer,
|
||||
clientId,
|
||||
idTokenClaims: result.idTokenClaims,
|
||||
});
|
||||
});
|
||||
});
|
||||
|
|
|
@ -14,6 +14,8 @@ See the License for the specific language governing permissions and
|
|||
limitations under the License.
|
||||
*/
|
||||
|
||||
import { IdTokenClaims } from "oidc-client-ts";
|
||||
|
||||
import {
|
||||
getStoredOidcClientId,
|
||||
getStoredOidcTokenIssuer,
|
||||
|
@ -29,12 +31,25 @@ describe("persist OIDC settings", () => {
|
|||
|
||||
const clientId = "test-client-id";
|
||||
const issuer = "https://auth.org/";
|
||||
const idTokenClaims: IdTokenClaims = {
|
||||
// audience is this client
|
||||
aud: "123",
|
||||
// issuer matches
|
||||
iss: issuer,
|
||||
sub: "123",
|
||||
exp: 123,
|
||||
iat: 456,
|
||||
};
|
||||
|
||||
describe("persistOidcAuthenticatedSettings", () => {
|
||||
it("should set clientId and issuer in session storage", () => {
|
||||
persistOidcAuthenticatedSettings(clientId, issuer);
|
||||
persistOidcAuthenticatedSettings(clientId, issuer, idTokenClaims);
|
||||
expect(sessionStorage.setItem).toHaveBeenCalledWith("mx_oidc_client_id", clientId);
|
||||
expect(sessionStorage.setItem).toHaveBeenCalledWith("mx_oidc_token_issuer", issuer);
|
||||
expect(sessionStorage.setItem).toHaveBeenCalledWith(
|
||||
"mx_oidc_id_token_claims",
|
||||
JSON.stringify(idTokenClaims),
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
|
@ -50,7 +65,7 @@ describe("persist OIDC settings", () => {
|
|||
});
|
||||
});
|
||||
|
||||
describe("Name of the group", () => {
|
||||
describe("getStoredOidcClientId()", () => {
|
||||
it("should return clientId from session storage", () => {
|
||||
jest.spyOn(sessionStorage.__proto__, "getItem").mockReturnValue(clientId);
|
||||
expect(getStoredOidcClientId()).toEqual(clientId);
|
||||
|
|
Loading…
Reference in a new issue