From 5886f83bed8881d8900972c021aa234922414b70 Mon Sep 17 00:00:00 2001
From: Jakob Ankarhem
Date: Tue, 11 Oct 2022 14:29:04 +0200
Subject: [PATCH] fix(oidc): use wellknown authorization endpoint

---
 server/routes/auth.ts | 15 +++------------
 server/utils/oidc.ts | 21 ++++++++++++++++++---
 2 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index f0dc9ddc8..013b5b03b 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -11,7 +11,7 @@ import { Router } from 'express';
 import {
   createJwtSchema,
   getOIDCRedirectUrl,
-  type WellKnownConfiguration,
+  getOIDCWellknownConfiguration,
 } from '@server/utils/oidc';
 import { randomBytes } from 'crypto';
 import gravatarUrl from 'gravatar-url';
@@ -416,7 +416,7 @@ authRoutes.post('/reset-password/:guid', async (req, res, next) => {
 
 authRoutes.get('/oidc-login', async (req, res, next) => {
   const state = randomBytes(32).toString('hex');
-  const redirectUrl = getOIDCRedirectUrl(req, state);
+  const redirectUrl = await getOIDCRedirectUrl(req, state);
 
   res.cookie('oidc-state', state, {
     maxAge: 60000,
@@ -462,16 +462,7 @@ authRoutes.get('/oidc-callback', async (req, res, next) => {
     return res.redirect('/login');
   }
 
-  // Fetch the oidc configuration blob
-  const wellKnownInfo: WellKnownConfiguration = await fetch(
-    new URL(
-      '/.well-known/openid-configuration',
-      `https://${oidcDomain}`
-    ).toString(),
-    {
-      headers: new Headers([['Content-Type', 'application/json']]),
-    }
-  ).then((r) => r.json());
+  const wellKnownInfo = await getOIDCWellknownConfiguration(oidcDomain);
 
   // Fetch the token data
   const callbackUrl = new URL(
diff --git a/server/utils/oidc.ts b/server/utils/oidc.ts
index 355f3ee81..346c9a197 100644
--- a/server/utils/oidc.ts
+++ b/server/utils/oidc.ts
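Review bot: `getOIDCRedirectUrl` now does a network fetch behind the `await` on the `const redirectUrl = await getOIDCRedirectUrl(req, state);` line of the `/oidc-login` hunk, so a discovery failure becomes a rejected promise inside an async Express handler; unless a `try`/`catch` lower in the handler (outside this hunk) covers that line, the rejection never reaches `next` and the request is left hanging without a response. Wrap the discovery call so the login attempt fails cleanly, i.e. `try { … await getOIDCRedirectUrl(req, state) … } catch (e) { return next(e); }`, which the handler already has a `next` parameter for. The same applies to the new `await getOIDCWellknownConfiguration(oidcDomain)` line in the `/oidc-callback` hunk, which previously inlined the same unguarded fetch and now inherits the same failure mode. Both handlers' bodies start or continue outside their hunks, so an existing guard there cannot be ruled out from the diff alone.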
@@ -2,12 +2,27 @@ import { getSettings } from '@server/lib/settings';
 import type { Request } from 'express';
 import * as yup from 'yup';
 
-export function getOIDCRedirectUrl(req: Request, state: string) {
+/** Fetch the oidc configuration blob */
+export async function getOIDCWellknownConfiguration(domain: string) {
+  const wellKnownInfo: WellKnownConfiguration = await fetch(
+    new URL(
+      '/.well-known/openid-configuration',
+      `https://${domain}`
+    ).toString(),
+    {
+      headers: new Headers([['Content-Type', 'application/json']]),
+    }
+  ).then((r) => r.json());
+
+  return wellKnownInfo;
+}
+
+export async function getOIDCRedirectUrl(req: Request, state: string) {
   const settings = getSettings();
   const { oidcDomain, oidcClientId } = settings.main;
 
-  const url = new URL(`https://${oidcDomain}`);
-  url.pathname = '/authorize';
+  const wellKnownInfo = await getOIDCWellknownConfiguration(oidcDomain);
+  const url = new URL(wellKnownInfo.authorization_endpoint);
 
   url.searchParams.set('response_type', 'code');
   url.searchParams.set('client_id', oidcClientId);
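Review bot: The new `getOIDCWellknownConfiguration` trusts whatever the discovery URL returns: there is no `r.ok` check, `r.json()` is `any` so the `WellKnownConfiguration` annotation validates nothing, and `getOIDCRedirectUrl` then sends the user's browser to `wellKnownInfo.authorization_endpoint` unchecked, so a non-JSON error page, a stale or tampered document, or a plain-http endpoint turns into either a thrown parse error or a redirect to an unvetted location. Fail on non-2xx responses and reject an `authorization_endpoint` that is not `https:` before building the redirect; since the file already imports `yup`, a schema for the fields this module actually reads is the natural place to pin the document's shape. A `Content-Type` header is meaningless on a GET with no body, `Accept: application/json` is what the request intends. If `WellKnownConfiguration` declares the discovery document's `issuer` field, comparing it with `https://${domain}` is the check the discovery protocol itself prescribes, but that type is not visible in this hunk. `getOIDCRedirectUrl`'s body continues past the end of the hunk.
```typescript
/** Fetch the oidc configuration blob */
export async function getOIDCWellknownConfiguration(domain: string) {
  const response = await fetch(
    new URL('/.well-known/openid-configuration', `https://${domain}`).toString(),
    { headers: new Headers([['Accept', 'application/json']]) }
  );
  if (!response.ok) {
    throw new Error(`OIDC discovery failed with HTTP ${response.status}`);
  }
  const wellKnownInfo: WellKnownConfiguration = await response.json();
  // The user's browser is redirected to this endpoint; never hand it a non-TLS URL
  if (new URL(wellKnownInfo.authorization_endpoint).protocol !== 'https:') {
    throw new Error('OIDC authorization_endpoint must be an https URL');
  }

  return wellKnownInfo;
}
// … unchanged: getOIDCRedirectUrl …
```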