|
|
|
@ -29,6 +29,9 @@
|
|
|
|
|
* env GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT
|
|
|
|
|
* If set to "true", on logout, there won't be any attempt to call the IdP's end_session_endpoint
|
|
|
|
|
* (the user will remain logged in in the IdP).
|
|
|
|
|
* env GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED
|
|
|
|
|
* If set to "true", the user will be allowed to login even if the email is not verified by the IDP.
|
|
|
|
|
* Defaults to false.
|
|
|
|
|
*
|
|
|
|
|
* This version of OIDCConfig has been tested with Keycloak OIDC IdP following the instructions
|
|
|
|
|
* at:
|
|
|
|
@ -61,6 +64,7 @@ export class OIDCConfig {
|
|
|
|
|
private _namePropertyKey?: string;
|
|
|
|
|
private _emailPropertyKey: string;
|
|
|
|
|
private _skipEndSessionEndpoint: boolean;
|
|
|
|
|
private _ignoreEmailVerified: boolean;
|
|
|
|
|
|
|
|
|
|
public constructor() {
|
|
|
|
|
}
|
|
|
|
@ -95,6 +99,11 @@ export class OIDCConfig {
|
|
|
|
|
defaultValue: false,
|
|
|
|
|
})!;
|
|
|
|
|
|
|
|
|
|
this._ignoreEmailVerified = section.flag('ignoreEmailVerified').readBool({
|
|
|
|
|
envVar: 'GRIST_OIDC_SP_IGNORE_EMAIL_VERIFIED',
|
|
|
|
|
defaultValue: false,
|
|
|
|
|
})!;
|
|
|
|
|
|
|
|
|
|
const issuer = await Issuer.discover(issuerUrl);
|
|
|
|
|
this._redirectUrl = new URL(CALLBACK_URL, spHost).href;
|
|
|
|
|
this._client = new issuer.Client({
|
|
|
|
@ -134,6 +143,11 @@ export class OIDCConfig {
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
const userInfo = await this._client.userinfo(tokenSet);
|
|
|
|
|
|
|
|
|
|
if (!this._ignoreEmailVerified && userInfo.email_verified !== true) {
|
|
|
|
|
throw new Error(`OIDCConfig: email not verified for ${userInfo.email}`);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const profile = this._makeUserProfileFromUserInfo(userInfo);
|
|
|
|
|
log.info(`OIDCConfig: got OIDC response for ${profile.email} (${profile.name}) redirecting to ${targetUrl}`);
|
|
|
|
|
|
|
|
|
@ -204,7 +218,6 @@ export class OIDCConfig {
|
|
|
|
|
return {
|
|
|
|
|
email: String(userInfo[ this._emailPropertyKey ]),
|
|
|
|
|
name: this._extractName(userInfo)
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|