|
|
@ -47,7 +47,9 @@
|
|
|
|
* A JSON object with extra client metadata to pass to openid-client. Optional.
|
|
|
|
* A JSON object with extra client metadata to pass to openid-client. Optional.
|
|
|
|
* Be aware that setting this object may override any other values passed to the openid client.
|
|
|
|
* Be aware that setting this object may override any other values passed to the openid client.
|
|
|
|
* More info: https://github.com/panva/node-openid-client/tree/main/docs#new-clientmetadata-jwks-options
|
|
|
|
* More info: https://github.com/panva/node-openid-client/tree/main/docs#new-clientmetadata-jwks-options
|
|
|
|
*
|
|
|
|
* env GRIST_OIDC_SP_HTTP_TIMEOUT
|
|
|
|
|
|
|
|
* The timeout in milliseconds for HTTP requests to the IdP. The default value is set to 3500 by the
|
|
|
|
|
|
|
|
* openid-client library. See: https://github.com/panva/node-openid-client/blob/main/docs/README.md#customizing-http-requests
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* This version of OIDCConfig has been tested with Keycloak OIDC IdP following the instructions
|
|
|
|
* This version of OIDCConfig has been tested with Keycloak OIDC IdP following the instructions
|
|
|
|
* at:
|
|
|
|
* at:
|
|
|
@ -66,7 +68,7 @@
|
|
|
|
import * as express from 'express';
|
|
|
|
import * as express from 'express';
|
|
|
|
import { GristLoginSystem, GristServer } from './GristServer';
|
|
|
|
import { GristLoginSystem, GristServer } from './GristServer';
|
|
|
|
import {
|
|
|
|
import {
|
|
|
|
Client, ClientMetadata, Issuer, errors as OIDCError, TokenSet, UserinfoResponse
|
|
|
|
Client, ClientMetadata, custom, Issuer, errors as OIDCError, TokenSet, UserinfoResponse
|
|
|
|
} from 'openid-client';
|
|
|
|
} from 'openid-client';
|
|
|
|
import { Sessions } from './Sessions';
|
|
|
|
import { Sessions } from './Sessions';
|
|
|
|
import log from 'app/server/lib/log';
|
|
|
|
import log from 'app/server/lib/log';
|
|
|
@ -137,6 +139,9 @@ export class OIDCConfig {
|
|
|
|
envVar: 'GRIST_OIDC_IDP_CLIENT_SECRET',
|
|
|
|
envVar: 'GRIST_OIDC_IDP_CLIENT_SECRET',
|
|
|
|
censor: true,
|
|
|
|
censor: true,
|
|
|
|
});
|
|
|
|
});
|
|
|
|
|
|
|
|
const httpTimeout = section.flag('httpTimeout').readInt({
|
|
|
|
|
|
|
|
envVar: 'GRIST_OIDC_SP_HTTP_TIMEOUT',
|
|
|
|
|
|
|
|
});
|
|
|
|
this._namePropertyKey = section.flag('namePropertyKey').readString({
|
|
|
|
this._namePropertyKey = section.flag('namePropertyKey').readString({
|
|
|
|
envVar: 'GRIST_OIDC_SP_PROFILE_NAME_ATTR',
|
|
|
|
envVar: 'GRIST_OIDC_SP_PROFILE_NAME_ATTR',
|
|
|
|
});
|
|
|
|
});
|
|
|
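Review bot: The `httpTimeout` read from `GRIST_OIDC_SP_HTTP_TIMEOUT` is not range-checked here, and nothing visible in the hunk suggests `readInt` rejects 0 or negative values, yet the value is passed straight to `custom.setHttpOptionsDefaults` in the following hunk, where a zero or negative timeout would presumably either fail every IdP request or, depending on how the underlying HTTP client interprets it, disable the timeout altogether. Failing fast at startup is preferable to discovering this at first login: `if (httpTimeout !== undefined && httpTimeout <= 0) { throw new Error('GRIST_OIDC_SP_HTTP_TIMEOUT must be a positive number of milliseconds'); }` right after the `readInt` call. It is also worth a one-line comment that this value is applied through openid-client's module-level defaults, so it affects every openid-client request in the process rather than only this `OIDCConfig` instance. The enclosing method starts before this hunk and continues after it.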
@ -173,6 +178,9 @@ export class OIDCConfig {
|
|
|
|
this._protectionManager = new ProtectionsManager(enabledProtections);
|
|
|
|
this._protectionManager = new ProtectionsManager(enabledProtections);
|
|
|
|
|
|
|
|
|
|
|
|
this._redirectUrl = new URL(CALLBACK_URL, spHost).href;
|
|
|
|
this._redirectUrl = new URL(CALLBACK_URL, spHost).href;
|
|
|
|
|
|
|
|
custom.setHttpOptionsDefaults({
|
|
|
|
|
|
|
|
...(httpTimeout !== undefined ? {timeout: httpTimeout} : {}),
|
|
|
|
|
|
|
|
});
|
|
|
|
await this._initClient({ issuerUrl, clientId, clientSecret, extraMetadata });
|
|
|
|
await this._initClient({ issuerUrl, clientId, clientSecret, extraMetadata });
|
|
|
|
|
|
|
|
|
|
|
|
if (this._client.issuer.metadata.end_session_endpoint === undefined &&
|
|
|
|
if (this._client.issuer.metadata.end_session_endpoint === undefined &&
|
|
|
|