import { getSettings } from '@server/lib/settings';
import type { Request } from 'express';
import * as yup from 'yup';
/** Fetch the oidc configuration blob */
export async function getOIDCWellknownConfiguration(domain: string) {
// remove trailing slash from url if it exists and add /.well-known/openid-configuration path
const wellKnownUrl = new URL(
`https://${domain}`.replace(/\/$/, '') + '/.well-known/openid-configuration'
const wellKnownInfo: WellKnownConfiguration = await fetch(wellKnownUrl, {
headers: new Headers([['Content-Type', 'application/json']]),
}).then((r) => r.json());
return wellKnownInfo;
export async function getOIDCRedirectUrl(req: Request, state: string) {
const settings = getSettings();
const { oidcDomain, oidcClientId } = settings.main;
const wellKnownInfo = await getOIDCWellknownConfiguration(oidcDomain);
const url = new URL(wellKnownInfo.authorization_endpoint);
url.searchParams.set('response_type', 'code');
url.searchParams.set('client_id', oidcClientId);
// Use X-Forwarded-Proto if available, otherwise fall back to req.protocol
const protocol = req.headers['x-forwarded-proto'] || req.protocol;
const callbackUrl = new URL('/api/v1/auth/oidc-callback', `${protocol}://${req.headers.host}`).toString();
url.searchParams.set('redirect_uri', callbackUrl);
url.searchParams.set('scope', 'openid profile email');
url.searchParams.set('state', state);
return url.toString();
export const createJwtSchema = ({
}: {
oidcDomain: string;
oidcClientId: string;
}) => {
return yup.object().shape({
iss: yup
[`https://${oidcDomain}`, `https://${oidcDomain}/`],
`The token iss value doesn't match the oidc_DOMAIN (${oidcDomain})`
.required("The token didn't come with an iss value."),
aud: yup
`The token aud value doesn't match the oidc_CLIENT_ID (${oidcClientId})`,
(value) => {
const audience = Array.isArray(value) ? value : [value];
return audience.includes(oidcClientId);
.required("The token didn't come with an aud value."),
exp: yup
'Token exp value is before current time.',
(value) => {
// Check if 'value' is undefined
if (value === undefined) return false;
return value >= Math.ceil(Date.now() / 1000);
iat: yup
'Token was issued before one day ago and is now invalid.',
(value) => {
// Check if 'value' is undefined
if (value === undefined) return false;
const oneDayAgo = Math.ceil(Number(new Date()) / 1000) - 86400;
return value >= oneDayAgo;
email: yup.string().email().required(),
email_verified: yup.boolean().required(),
export interface WellKnownConfiguration {
issuer: string;
authorization_endpoint: string;
token_endpoint: string;
device_authorization_endpoint: string;
userinfo_endpoint: string;
mfa_challenge_endpoint: string;
jwks_uri: string;
registration_endpoint: string;
revocation_endpoint: string;
scopes_supported: string[];
response_types_supported: string[];
code_challenge_methods_supported: string[];
response_modes_supported: string[];
subject_types_supported: string[];
id_token_signing_alg_values_supported: string[];
token_endpoint_auth_methods_supported: string[];
claims_supported: string[];
request_uri_parameter_supported: boolean;
export interface OIDCJwtPayload {
// Standard OIDC Claims
iss: string; // Issuer Identifier
sub: string; // Subject Identifier
aud: string | string[]; // Audience
exp: number; // Expiration time
iat: number; // Issued at time
auth_time?: number; // Time when the authentication occurred (optional)
nonce?: string; // String value used to associate a Client session with an ID Token (optional)
// Commonly used OIDC Claims
email?: string; // User's email address (optional)
email_verified?: boolean; // Whether the user's email address has been verified (optional)
name?: string; // User's full name (optional)
given_name?: string; // User's given name(s) or first name(s) (optional)
family_name?: string; // User's surname(s) or last name(s) (optional)
preferred_username?: string; // Shorthand name by which the user wishes to be referred to (optional)
locale?: string; // User's locale (optional)
zoneinfo?: string; // User's time zone (optional)
// Other possible custom claims (these depend on your OIDC provider)
// Include any additional fields that your OIDC provider might use
[additionalClaim: string]: unknown;