const Utils = require('@openeo/js-commons/src/utils');
const AuthProvider = require('./authprovider');
const Environment = require('./env');
const Oidc = require('oidc-client');
/**
* The Authentication Provider for OpenID Connect.
*
* See the openid-connect-popup.html and openid-connect-redirect.html files in
* the `/examples/oidc` folder for usage examples in the browser.
*
* If you want to implement OIDC in a non-browser environment, you can override
* the OidcProvider or AuthProvider classes with custom behavior.
* In this case you must provide a function that creates your new class to the
* `Connection.setOidcProviderFactory()` method.
*
* @augments AuthProvider
* @see Connection#setOidcProviderFactory
*/
class OidcProvider extends AuthProvider {
/**
* Checks whether the required OIDC client library `openid-client-js` is available.
*
* @static
* @returns {boolean}
*/
static isSupported() {
return Utils.isObject(Oidc) && Boolean(Oidc.UserManager);
}
/**
* Finishes the OpenID Connect sign in (authentication) workflow.
*
* Must be called in the page that OpenID Connect redirects to after logging in.
*
* Supported only in Browser environments.
*
* @async
* @static
* @param {OidcProvider} provider - A OIDC provider to assign the user to.
* @param {object.<string, *>} [options={}] - Object with additional options.
* @returns {Promise<?Oidc.User>} For uiMethod = 'redirect' only: OIDC User
* @throws {Error}
* @see https://github.com/IdentityModel/oidc-client-js/wiki#other-optional-settings
*/
static async signinCallback(provider = null, options = {}) {
let url = Environment.getUrl();
if (!provider) {
// No provider options available, try to detect response mode from URL
provider = new OidcProvider(null, {});
provider.setGrant(url.includes('?') ? 'authorization_code+pkce' : 'implicit');
}
let providerOptions = provider.getOptions(options);
let oidc = new Oidc.UserManager(providerOptions);
return await oidc.signinCallback(url);
}
/**
* Creates a new OidcProvider instance to authenticate using OpenID Connect.
*
* @param {Connection} connection - A Connection object representing an established connection to an openEO back-end.
* @param {OidcProviderMeta} options - OpenID Connect Provider details as returned by the API.
*/
constructor(connection, options) {
super("oidc", connection, options);
this.manager = null;
this.listeners = {};
/**
* The authenticated OIDC user.
*
* @type {Oidc.User}
*/
this.user = null;
/**
* The client ID to use for authentication.
*
* @type {string | null}
*/
this.clientId = null;
/**
* The grant type (flow) to use for this provider.
*
* Either "authorization_code+pkce" (default) or "implicit"
*
* @type {string}
*/
this.grant = "authorization_code+pkce"; // Set this before calling detectDefaultClient
/**
* The issuer, i.e. the link to the identity provider.
*
* @type {string}
*/
this.issuer = options.issuer || "";
/**
* The scopes to be requested.
*
* @type {Array.<string>}
*/
this.scopes = Array.isArray(options.scopes) && options.scopes.length > 0 ? options.scopes : ['openid'];
/**
* The scope that is used to request a refresh token.
*
* @type {string}
*/
this.refreshTokenScope = "offline_access";
/**
* Any additional links.
*
*
* @type {Array.<Link>}
*/
this.links = Array.isArray(options.links) ? options.links : [];
/**
* The default clients made available by the back-end.
*
* @type {Array.<OidcClient>}
*/
this.defaultClients = Array.isArray(options.default_clients) ? options.default_clients : [];
/**
* The detected default Client.
*
* @type {OidcClient}
*/
this.defaultClient = this.detectDefaultClient();
}
/**
* Adds a listener to one of the following events:
*
* - AccessTokenExpiring: Raised prior to the access token expiring.
* - AccessTokenExpired: Raised after the access token has expired.
* - SilentRenewError: Raised when the automatic silent renew has failed.
*
* @param {string} event
* @param {Function} callback
* @param {string} [scope="default"]
*/
addListener(event, callback, scope = 'default') {
this.manager.events[`add${event}`](callback);
this.listeners[`${scope}:${event}`] = callback;
}
/**
* Removes the listener for the given event that has been set with addListener.
*
* @param {string} event
* @param {string} [scope="default"]
* @see OidcProvider#addListener
*/
removeListener(event, scope = 'default') {
this.manager.events[`remove${event}`](this.listeners[event]);
delete this.listeners[`${scope}:${event}`];
}
/**
* Authenticate with OpenID Connect (OIDC).
*
* Supported only in Browser environments.
*
* @async
* @param {object.<string, *>} [options={}] - Object with authentication options.
* @param {boolean} [requestRefreshToken=false] - If set to `true`, adds a scope to request a refresh token.
* @returns {Promise<void>}
* @throws {Error}
* @see https://github.com/IdentityModel/oidc-client-js/wiki#other-optional-settings
* @see {OidcProvider#refreshTokenScope}
*/
async login(options = {}, requestRefreshToken = false) {
if (!this.issuer || typeof this.issuer !== 'string') {
throw new Error("No Issuer URL available for OpenID Connect");
}
this.manager = new Oidc.UserManager(this.getOptions(options, requestRefreshToken));
this.addListener('UserLoaded', async () => this.setUser(await this.manager.getUser()), 'js-client');
this.addListener('AccessTokenExpired', () => this.setUser(null), 'js-client');
if (OidcProvider.uiMethod === 'popup') {
await this.manager.signinPopup();
}
else {
await this.manager.signinRedirect();
}
}
/**
* Logout from the established session.
*
* @async
*/
async logout() {
if (this.manager !== null) {
try {
if (OidcProvider.uiMethod === 'popup') {
await this.manager.signoutPopup();
}
else {
await this.manager.signoutRedirect({
post_logout_redirect_uri: Environment.getUrl()
});
}
} catch (error) {
console.warn(error);
}
super.logout();
this.removeListener('UserLoaded', 'js-client');
this.removeListener('AccessTokenExpired', 'js-client');
this.manager = null;
this.setUser(null);
}
}
/**
* Returns the options for the OIDC client library.
*
* Options can be overridden by custom options via the options parameter.
*
* @protected
* @param {object.<string, *>} options
* @param {boolean} [requestRefreshToken=false] - If set to `true`, adds a scope to request a refresh token.
* @returns {object.<string, *>}
* @see {OidcProvider#refreshTokenScope}
*/
getOptions(options = {}, requestRefreshToken = false) {
let response_type = this.getResponseType();
let scope = this.scopes.slice(0);
if (requestRefreshToken && !scope.includes(this.refreshTokenScope)) {
scope.push(this.refreshTokenScope);
}
return Object.assign({
client_id: this.clientId,
redirect_uri: OidcProvider.redirectUrl,
authority: this.issuer.replace('/.well-known/openid-configuration', ''),
scope: scope.join(' '),
validateSubOnSilentRenew: true,
response_type,
response_mode: response_type.includes('code') ? 'query' : 'fragment'
}, options);
}
/**
* Get the response_type based on the grant type.
*
* @protected
* @returns {string}
* @throws {Error}
*/
getResponseType() {
switch(this.grant) {
case 'authorization_code+pkce':
return 'code';
case 'implicit':
return 'token id_token';
default:
throw new Error('Grant Type not supported');
}
}
/**
* Sets the grant type (flow) used for OIDC authentication.
*
* @param {string} grant - Grant Type
* @throws {Error}
*/
setGrant(grant) { //
switch(grant) {
case 'authorization_code+pkce':
case 'implicit':
this.grant = grant;
break;
default:
throw new Error('Grant Type not supported');
}
}
/**
* Sets the Client ID for OIDC authentication.
*
* This may override a detected default client ID.
*
* @param {string | null} clientId
*/
setClientId(clientId) {
this.clientId = clientId;
}
/**
* Sets the OIDC User.
*
* @see https://github.com/IdentityModel/oidc-client-js/wiki#user
* @param {Oidc.User | null} user - The OIDC User. Passing `null` resets OIDC authentication details.
*/
setUser(user) {
if (!user) {
this.user = null;
this.setToken(null);
}
else {
this.user = user;
this.setToken(user.access_token);
}
}
/**
* Detects the default OIDC client ID for the given redirect URL.
*
* Sets the grant and client ID accordingly.
*
* @returns {OidcClient | null}
* @see OidcProvider#setGrant
* @see OidcProvider#setClientId
*/
detectDefaultClient() {
for(let grant of OidcProvider.grants) {
let defaultClient = this.defaultClients.find(client => Boolean(client.grant_types.includes(grant) && Array.isArray(client.redirect_urls) && client.redirect_urls.find(url => url.startsWith(OidcProvider.redirectUrl))));
if (defaultClient) {
this.setGrant(grant);
this.setClientId(defaultClient.id);
this.defaultClient = defaultClient;
return defaultClient;
}
}
return null;
}
}
/**
* The global "UI" method to use to open the login URL, either "redirect" (default) or "popup".
*
* @type {string}
*/
OidcProvider.uiMethod = 'redirect';
/**
* The global redirect URL to use.
*
* By default uses the location of the browser, but removes fragment, query and
* trailing slash.
* The fragment conflicts with the fragment appended by the Implicit Flow and
* the query conflicts with the query appended by the Authorization Code Flow.
* The trailing slash is removed for consistency.
*
* @type {string}
*/
OidcProvider.redirectUrl = Environment.getUrl().split('#')[0].split('?')[0].replace(/\/$/, '');
/**
* The supported OpenID Connect grants (flows).
*
* The grants are given as defined in openEO API, e.g. `implicit` and/or `authorization_code+pkce`
* If not defined there, consult the OpenID Connect Discovery documentation.
*
* Lists the grants by priority so that the first grant is the default grant.
* The default grant type since client version 2.0.0 is 'authorization_code+pkce'.
*
* @type {Array.<string>}
*/
OidcProvider.grants = [
'authorization_code+pkce',
'implicit'
];
module.exports = OidcProvider;