Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 | 1x 1x 1x 1x 1x 1x 1x 1x 1x | import moize from 'moize'
import { Issuer } from 'openid-client'
import { getLogger } from '../../logging/log-util'
const log = getLogger('openid-client-service')
/**
* Return a singleton instance (by means of memomization) of the openid client service.
*/
export const getOpenIdClientService = moize.promise(createOpenIdClientService, {
onCacheAdd: () => log.info('Creating new open id client service'),
})
const authPrivate = process.env.AUTH_PRIVATE
let jwk = {}
Iif (typeof authPrivate != 'undefined') {
jwk = JSON.parse(authPrivate)
}
const jwkSet = { keys: [jwk] }
async function createOpenIdClientService() {
const issuer = await Issuer.discover(
process.env.AUTH_ECAS_WELL_KNOWN as string,
)
const redirectUrl = `${process.env.NEXTAUTH_URL}${process.env.AUTH_REDIRECT_ENDPOINT}`
const openIdClient = await buildClient(issuer, redirectUrl, jwkSet)
return {
authorize: async (
scope: string,
codeChallenge: string,
codeChallengeMethod: string,
state: string,
nonce: string,
) => {
return openIdClient.authorizationUrl({
scope: scope,
code_challenge: codeChallenge,
code_challenge_method: codeChallengeMethod,
response_type: 'code',
state: state,
nonce: nonce,
})
},
callback: async (
params: Partial<{ [key: string]: string | string[] }>,
state: string,
nonce: string,
codeVerifier: string,
jti: string,
expiry: number,
iat: number,
nbf: number,
) => {
return openIdClient.callback(
`${process.env.NEXTAUTH_URL}${process.env.AUTH_REDIRECT_ENDPOINT}`,
params,
{
state: state,
nonce: nonce,
code_verifier: codeVerifier,
},
{
clientAssertionPayload: {
aud: `${process.env.AUTH_CLIENT_ASSERTION_AUD}`,
exp: expiry,
iat: iat,
iss: `${process.env.CLIENT_ID}`,
jti: jti,
nbf: nbf,
sub: `${process.env.CLIENT_ID}`,
},
},
)
},
}
}
export async function buildClient(
issuer: Issuer,
redirectUrl: string,
jwkSet: { keys: OpenIdJoseJWK[] },
) {
return new issuer.Client(
{
client_id: process.env.CLIENT_ID as string,
client_secret: process.env.CLIENT_SECRET as string,
redirect_uris: [redirectUrl],
token_endpoint_auth_method: 'private_key_jwt',
token_endpoint_auth_signing_alg: 'RS256',
introspection_endpoint_auth_method: 'private_key_jwt',
introspection_endpoint_auth_signing_alg: 'RS256',
id_token_encrypted_response_alg: 'RSA-OAEP-256',
id_token_encrypted_response_enc: 'A256GCM',
id_token_signed_response_alg: 'RS512',
},
jwkSet,
)
}
// using the openid-client jose JWK interface
interface OpenIdJoseJWK {
/** JWK "alg" (Algorithm) Parameter. */
'alg'?: string
'crv'?: string
'd'?: string
'dp'?: string
'dq'?: string
'e'?: string
/** JWK "ext" (Extractable) Parameter. */
'ext'?: boolean
'k'?: string
/** JWK "key_ops" (Key Operations) Parameter. */
'key_ops'?: string[]
/** JWK "kid" (Key ID) Parameter. */
'kid'?: string
/** JWK "kty" (Key Type) Parameter. */
'kty'?: string
'n'?: string
'oth'?: Array<{
d?: string
r?: string
t?: string
}>
'p'?: string
'q'?: string
'qi'?: string
/** JWK "use" (Public Key Use) Parameter. */
'use'?: string
'x'?: string
'y'?: string
/** JWK "x5c" (X.509 Certificate Chain) Parameter. */
'x5c'?: string[]
/** JWK "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter. */
'x5t'?: string
/** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter. */
'x5t#S256'?: string
/** JWK "x5u" (X.509 URL) Parameter. */
'x5u'?: string
[propName: string]: unknown
}
|