fix(oidc): use wellknown authorization endpoint

2 years ago · 5886f83bed
parent 3dfc67a32b
commit 5886f83bed
2 changed files with 21 additions and 15 deletions
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@ -11,7 +11,7 @@ import { Router } from 'express';
 import {
  createJwtSchema,
  getOIDCRedirectUrl,
-  type WellKnownConfiguration,
+  getOIDCWellknownConfiguration,
 } from '@server/utils/oidc';
 import { randomBytes } from 'crypto';
 import gravatarUrl from 'gravatar-url';
@ -416,7 +416,7 @@ authRoutes.post('/reset-password/:guid', async (req, res, next) => {

 authRoutes.get('/oidc-login', async (req, res, next) => {
  const state = randomBytes(32).toString('hex');
-  const redirectUrl = getOIDCRedirectUrl(req, state);
+  const redirectUrl = await getOIDCRedirectUrl(req, state);

  res.cookie('oidc-state', state, {
    maxAge: 60000,
@ -462,16 +462,7 @@ authRoutes.get('/oidc-callback', async (req, res, next) => {
      return res.redirect('/login');
    }

-    // Fetch the oidc configuration blob
-    const wellKnownInfo: WellKnownConfiguration = await fetch(
-      new URL(
-        '/.well-known/openid-configuration',
-        `https://${oidcDomain}`
-      ).toString(),
-      {
-        headers: new Headers([['Content-Type', 'application/json']]),
-      }
-    ).then((r) => r.json());
+    const wellKnownInfo = await getOIDCWellknownConfiguration(oidcDomain);

    // Fetch the token data
    const callbackUrl = new URL(
--- a/server/utils/oidc.ts
+++ b/server/utils/oidc.ts
@ -2,12 +2,27 @@ import { getSettings } from '@server/lib/settings';
 import type { Request } from 'express';
 import * as yup from 'yup';

-export function getOIDCRedirectUrl(req: Request, state: string) {
+/** Fetch the oidc configuration blob */
+export async function getOIDCWellknownConfiguration(domain: string) {
+  const wellKnownInfo: WellKnownConfiguration = await fetch(
+    new URL(
+      '/.well-known/openid-configuration',
+      `https://${domain}`
+    ).toString(),
+    {
+      headers: new Headers([['Content-Type', 'application/json']]),
+    }
+  ).then((r) => r.json());
+
+  return wellKnownInfo;
+}
+
+export async function getOIDCRedirectUrl(req: Request, state: string) {
  const settings = getSettings();
  const { oidcDomain, oidcClientId } = settings.main;

-  const url = new URL(`https://${oidcDomain}`);
-  url.pathname = '/authorize';
+  const wellKnownInfo = await getOIDCWellknownConfiguration(oidcDomain);
+  const url = new URL(wellKnownInfo.authorization_endpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', oidcClientId);