feat: OpenID Connect scheme (#868)

* WIP - Add support for OpenIDConnect

* WIP - remove client process import from discovery document

* WIP - make oidcmockserver port dynamic

* WIP - add first e2e tests for OIDC scheme

Initial state, login and refresh

* WIP - OIDC - Add logout e2e test

* WIP - OIDC - Remove unused

* WIP - OIDC - get userinfo from ID token

* WIP - OIDC - Refine tests

* WIP - OIDC - Remove unnecessary OIDC mock server config

* WIP - OIDC - Fix callback on demo

* WIP - OIDC - Fix type extensions

* WIP - OIDC - Refine Discovery Document load

* WIP - OIDC - Upgrade to TypeScript v4

* WIP - Introduce jest-puppeteer

* WIP - Refine OIDC tests, add multiple modes, add custom fixture test

* WIP - Refactor e2e test to use jest-puppeteer

* WIP - Rename discovery document to configuration document

* WIP - Validate strategy configuration against Authorization Server configuration

* WIP - Rename scheme name from 'oidc' to 'openIDConnect'

* WIP - OIDC - Fix tests after migration to ts-jest

* WIP - OIDC - Set oidc-provider version to latest

* WIP - OIDC - Ignore ConfigurationDocumentWarning console.warn

* WIP - OIDC - Update CI tests to not build and to run in band

* WIP - OIDC - Remove optional chaining for Node 10 compatibility

* WIP - OIDC - Update jest-puppeteer in yarn.lock

* WIP - OIDC - Use ES modules in tests

* WIP - Lint fix

* WIP - IdToken - Add JwtPayload type to jwtDecode

* WIP - Upgrade oidc-provider

* WIP - OIDC - Wait for navigation to consent-page

* WIP - OIDC - Wait for element

* WIP - OIDC - Fix idToken in handleCallback response, fix types, enhance configuration document validation

* WIP - OIDC - Remove jest-puppeteer in favor of nuxt test utils

* WIP - OIDC - fix getting idToken from refresh token response

* WIP - OIDC - Sync to upstream

* WIP - OIDC - Reactivate node oidc provider logging

* WIP - OIDC - Move ConfigurationDocumentRequestError to own file

* WIP - OIDC - Remove unused comment

* WIP - OIDC - Update @nuxt/test-utils

* WIP - OIDC - Reenable parallel test runs

* WIP - OIDC - Revert 83996b5

* WIP - OIDC - Fix tests

* WIP - OIDC - Use ssr config prop in favor of deprecated mode

* WIP - OIDC - Fix tests by upgrading to @nuxt/test-utils v0.2.0

* WIP - OIDC - Add default scheme options

* WIP - OIDC - Add snippet of information to configuration document

* WIP - OIDC - Shortened default ID token lifetime to 30 minutes

* WIP - OIDC - Documentation

* WIP - OIDC - Run tests parallel

* WIP - OIDC - Fix code examples in docs

Co-authored-by:  Miguel A. Calles <[email protected]>

Co-authored-by: Miguel A. Calles <[email protected]>

Author: mrtnvh

demo/api/oidcmockserver.js

@@ -0,0 +1,59 @@
+const { Provider } = require('oidc-provider')
+const defu = require('defu')
+
+// Suppress oidc-provider logging on test run
+if (process.env.NODE_ENV === 'test') {
+  // eslint-disable-next-line no-console
+  console.warn = () => {
+    /* Do nothing */
+  }
+  // eslint-disable-next-line no-console
+  console.info = () => {
+    /* Do nothing */
+  }
+}
+
+const DEFAULTS = {
+  port: 3000,
+  path: '/oidc',
+  redirect: {
+    callback: '/login'
+  }
+}
+
+const provider = (config) => {
+  const { port, redirect, path } = defu(config, DEFAULTS)
+  const baseUrl = `http://localhost:${port}${path}`
+  const appBaseUrl = `http://localhost:${port}`
+  const redirectUri = `${appBaseUrl}${redirect.callback}`
+
+  return new Provider(baseUrl, {
+    routes: {
+      authorization: '/connect/authorize',
+      token: '/connect/token',
+      userinfo: '/connect/userinfo',
+      end_session: '/connect/endsession'
+    },
+    features: {
+      devInteractions: { enabled: true },
+      revocation: { enabled: true }
+    },
+    scopes: ['openid', 'profile', 'offline_access'],
+    clients: [
+      {
+        client_id: 'oidc_authorization_code_client',
+        client_secret: 'this_is_a_secret',
+        token_endpoint_auth_method: 'none',
+        grant_types: ['authorization_code', 'refresh_token'],
+        response_types: ['code'],
+        redirect_uris: [redirectUri],
+        post_logout_redirect_uris: [appBaseUrl]
+      }
+    ],
+
+    // Force refresh token issueing
+    issueRefreshToken: () => Promise.resolve(true)
+  })
+}
+
+module.exports = (config = {}) => provider(config).callback

demo/nuxt.config.ts

@@ -1,10 +1,24 @@
 import { NuxtConfig } from '@nuxt/types'
+import oidcMockServer from './api/oidcmockserver'
 
 export default <NuxtConfig>{
   build: {
     extractCSS: true
   },
-  serverMiddleware: ['~/api/auth', '~/api/oauth2mockserver'],
+  serverMiddleware: [
+    '~/api/auth',
+    '~/api/oauth2mockserver',
+    {
+      path: '/oidc',
+      handler: oidcMockServer({
+        port: 3000,
+        path: '/oidc',
+        redirect: {
+          callback: '/callback'
+        }
+      })
+    }
+  ],
   buildModules: ['@nuxt/typescript-build'],
   modules: ['bootstrap-vue/nuxt', '@nuxtjs/axios', '../src/module'],
   components: true,
@@ -131,6 +145,18 @@ export default <NuxtConfig>{
         responseType: 'code',
         grantType: 'authorization_code',
         clientId: 'test-client'
+      },
+      oidcmock: {
+        scheme: 'openIDConnect',
+        responseType: 'code',
+        scope: ['openid', 'profile', 'offline_access'],
+        grantType: 'authorization_code',
+        clientId: 'oidc_authorization_code_client',
+        logoutRedirectUri: 'http://localhost:3000',
+        endpoints: {
+          configuration:
+            'http://localhost:3000/oidc/.well-known/openid-configuration'
+        }
       }
     }
   }

demo/pages/login.vue

@@ -62,6 +62,16 @@
               Login with oauth2
             </b-btn>
           </div>
+          <div class="mb-2">
+            <b-btn
+              block
+              :style="{ background: '#e0640b' }"
+              class="login-button"
+              @click="$auth.loginWith('oidcmock')"
+            >
+              Login with OpenIDConnect
+            </b-btn>
+          </div>
           <div class="mb-2">
             <b-btn
               block

docs/content/en/schemes/openIDConnect.md

@@ -0,0 +1,189 @@
+---
+title: OpenIDConnect
+description: OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
+position: 23
+category: Schemes
+---
+
+[Source Code](https://github.com/nuxt-community/auth-module/blob/dev/src/schemes/openIDConnect.ts)
+
+As the OpenID Connect is a layer on top of the OAuth 2.0 protocol, this scheme extends the OAuth 2.0 scheme.
+
+Please see the [OAuth2 scheme](./oauth2) for more information.
+
+## Usage
+
+```js
+this.$auth.loginWith('openIDConnect')
+```
+
+Additional arguments can be passed through to the OpenID Connect provider using the `params` key of the second argument:
+
+```js
+this.$auth.loginWith('openIDConnect', { params: { another_post_key: 'value' } })
+```
+
+## Options
+Minimal configuration:
+```js
+auth: {
+  strategies: {
+    oidc: {
+      scheme: 'openIDConnect',
+      clientId: 'CLIENT_ID',
+      endpoints: {
+        configuration: 'https://accounts.google.com/.well-known/openid-configuration',
+      },
+    }
+  }
+}
+```
+
+Default configuration:
+```js
+auth: {
+  strategies: {
+    oidc: {
+      scheme: 'openIDConnect',
+      endpoints: {
+        configuration: 'https://accounts.google.com/.well-known/openid-configuration',
+      },
+      idToken: {
+        property: 'id_token',
+        maxAge: 60 * 60 * 24 * 30,
+        prefix: '_id_token.',
+        expirationPrefix: '_id_token_expiration.'
+      },
+      responseType: 'code',
+      grantType: 'authorization_code',
+      scope: ['openid', 'profile', 'offline_access'],
+      codeChallengeMethod: 'S256',
+    }
+  }
+}
+```
+
+### `endpoints`
+
+Each endpoint is used to make requests using axios. They are basically extending Axios [Request Config](https://github.com/axios/axios#request-config).
+
+#### `configuration`
+
+**REQUIRED** - Endpoint to request the provider's metadata document to automatically set the endpoints. A metadata document that contains most of the OpenID Provider's information, such as the URLs to use and the location of the service's public signing keys. You can find this document by appending the discovery document path (/.well-known/openid-configuration) to the authority URL (https://example.com).
+ 
+Eg. `https://example.com/.well-known/openid-configuration`
+ 
+More info: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
+
+Each endpoint defined in the OAuth2 scheme can also be used in the OpenID Connect scheme configuration. This will override the information provided by the configuration document.
+
+### `clientId`
+
+**REQUIRED** - OpenID Connect client id.
+
+### `scope`
+
+- Default: `['openid', 'profile', 'offline_access']`
+
+OpenID Connect access scopes.
+
+### `token`
+
+Access token
+
+#### `property`
+
+- Default: `access_token`
+
+`property` can be used to specify which field of the response JSON to be used for value. It can be `false` to directly use API response or being more complicated like `auth.access_token`.
+
+#### `type`
+
+- Default: `Bearer`
+
+It will be used in `Authorization` header of axios requests.
+
+#### `maxAge`
+
+- Default: `1800`
+
+Here you set the expiration time of the token, in **seconds**.
+This time will be used if for some reason we couldn't decode the token to get the expiration date.
+
+Should be same as login page or relative path to welcome screen. ([example](https://github.com/nuxt-community/auth-module/blob/dev/examples/demo/pages/callback.vue))
+
+By default is set to 30 minutes.
+
+### `idToken`
+
+The OpenIDConnect scheme will save both the access and ID token. This because to end the user-session at the authorization server, the ID token needs to be part of the logout request via the required parameter `id_token_hint`.
+
+#### `property`
+
+- Default: `id_token`
+
+`property` can be used to specify which field of the response JSON to be used for value. It can be `false` to directly use API response or being more complicated like `auth.id_token`.
+
+#### `maxAge`
+
+- Default: `1800`
+
+Here you set the expiration time of the ID token, in **seconds**.
+This time will be used if for some reason we couldn't decode the ID token to get the expiration date.
+
+By default is set to 30 minutes.
+
+### `refreshToken`
+
+#### `property`
+
+- Default: `refresh_token`
+
+`property` can be used to specify which field of the response JSON to be used for value. It can be `false` to directly use API response or being more complicated like `auth.refresh_token`.
+
+#### `maxAge`
+
+- Default: `60 * 60 * 24 * 30`
+
+Here you set the expiration time of the refresh token, in **seconds**.
+This time will be used if for some reason we couldn't decode the token to get the expiration date.
+
+By default is set to 30 days.
+
+### `responseType`
+
+- Default: `code`
+
+Set to `code` for authorization code flow.
+
+### `grantType`
+
+- Default: `authorization_code`
+
+Set to `authorization_code` for authorization code flow.
+
+### `redirectUri`
+
+Should be same as login page or relative path to welcome screen. ([example](https://github.com/nuxt-community/auth-module/blob/dev/examples/demo/pages/callback.vue))
+
+By default it will be inferred from `redirect.callback` option. (Defaults to `/login`)
+
+### `logoutRedirectUri`
+
+Should be an absolute path to the welcome screen
+
+### `codeChallengeMethod`
+
+By default is 'implicit' which is the current workflow implementation. In order to support PKCE ('pixy') protocol, valid options include 'S256' and 'plain'. ([read more](https://tools.ietf.org/html/rfc7636))
+
+Default: `S256`
+
+### `acrValues`
+
+Provides metadata to supply additional information to the authorization server. ([read more](https://ldapwiki.com/wiki/Acr_values))
+
+### `autoLogout`
+
+- Default: `false`
+
+If the token has expired, it will prevent the token from being refreshed on load the page and force logout the user.

package.json

@@ -53,7 +53,7 @@
     "@babel/preset-typescript": "^7.12.13",
     "@microsoft/api-documenter": "^7.12.7",
     "@microsoft/api-extractor": "^7.13.1",
-    "@nuxt/test-utils": "^0.1.2",
+    "@nuxt/test-utils": "^0.2.0",
     "@nuxt/types": "latest",
     "@nuxt/typescript-build": "latest",
     "@nuxt/typescript-runtime": "latest",
@@ -73,13 +73,13 @@
     "eslint-plugin-prettier": "latest",
     "express": "latest",
     "express-jwt": "latest",
-    "get-port": "latest",
     "jest": "^27.0.1",
     "jiti": "^1.9.1",
     "jsdom": "latest",
     "lodash.get": "latest",
     "nuxt": "^2.14.12",
-    "playwright": "^1.8.0",
+    "oidc-provider": "^6.29.9",
+    "playwright": "^1.8.1",
     "prettier": "latest",
     "siroc": "^0.6.3",
     "standard-version": "latest",

src/inc/configuration-document-request-error.ts

@@ -0,0 +1,6 @@
+export class ConfigurationDocumentRequestError extends Error {
+  constructor() {
+    super('Error loading OpenIDConnect configuration document')
+    this.name = 'ConfigurationDocumentRequestError'
+  }
+}