nodesolidserver / oidc-rp Goto Github PK

When I call logout or logoutRequest, I will get logged out of the IDP I logged in with, but not out of the RP I logged in to.

Replace the current promise-based control flow (where applicable) with the es7 await / async syntax.

Why would you want to do this as part of Solid? Why not rely on an existing certified OIDC Node library/client e.g. https://github.com/panva/node-openid-client and spend resources to develop/maintain this code on the core project instead?

In AuthenticationResponse:

• validateAcr()
• validateAccessTokenHash()
• validateAuthorizationCodeHash()

Also implement:

• decryptIDToken()

(Low priority, since these do not apply to Solid auth workflows)

This project depends on https://github.com/anvilresearch/json-document which according to its authors is unfinished, unstable and likely unmaintained: anvilresearch/json-document#21 (comment)

https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey#Parameters

This way even if some script manages to steal refresh token #4 it will not be able to get the private key, which that token stays bound to.

Currently the create method in class AuthenticationRequest overrides the endpoint URL query with FormUrlEncoded.encode(params) thus removing any existing query parameters in the endpoint URL.

(This is for Authorization Code workflow only, does not apply to Implicit flow).

This project depends on https://github.com/anvilresearch/webcrypto which is marked as archived, with a note in README.md that the authors strongly recommend against using it directly, and instead encourages creating a fork.

It is still call:

    return fetch(uri, {method})

instead of

    return fetch(uri, {method, credentials: 'include'})

in the logout() method.
I wrote many times, that it DOESN'T work without credentials: 'include'

The static AuthenticationResponse.errorResponse method, as part of the validateResponse flow, is meant to convert the standard OAuth2 error parameters (error code, error_description and error_uri) into an actual Error object and to throw it.

(The AuthenticationResponse.validateResponse flow is also supposed to handle IDP errors returned to the callback endpoint as the OIDC/OAuth2 error params.)

Action items:

• Move errorResponse up earlier in the control flow chain -- currently it's called after matchRequest and validateStateParam, but it should be called first thing.
• Currently it only uses the OAuth2 error param, so need to add the error_description and error_uri params.
• Consider using HttpError or something OAuth2-specific.

I don't know how critical this issue is, but yarn (and possibly npm) is giving a warning when installing solid-auth-client which depends on oidc-rp.

https://github.com/solid/oidc-rp/blob/dcae9cbb484f2aa9b913bd6e7db8ab8d98373186/src/PoPToken.js#L36

solid-auth-client uses issueFor() to generate a PoPToken. There appears to be no way to pass the max option through issueFor() to issue() to change the default age of the token generated from DEFAULT_MAX_AGE to anything else.

In general, it would probably be good to have a version of issueFor() that takes an option hash and passes the values through to the issue() call.

Enhance the error handling mechanism to use embedded causal chains of VErrors (see this excellent Joyent blog post on Error Handling in Node.js) and the corresponding https://github.com/joyent/node-verror library.

Also, consider using the Boom package for HTTP error handling (though size is a concern - check to see how much weight these libs will add to the Webpack'd bundle).

(From the discussion at nodeSolidServer/oidc-auth-manager#20).

Since this oidc-rp library is meant to be isomorphic (be able to be embedded in browser clients and server-side clients), it cannot implement logout() behavior itself (since the actual steps to log out are dramatically different depending on where this library is embedded).

Instead, implement something like:

  /**
   * @param options {object}
   * 
   * @param [options.id_token_hint] {string}
   * @param [options.post_logout_redirect_uri] {string}
   * @param [options.state] {string}
   *
   * @param session {Session|Storage}
   * 
   * @returns {string} Logout uri (based on the OP's `end_session_endpoint`)
   */
  logoutRequest(options, session) {
    // ...
  }

And it would be the responsibility of calling code (likely a wrapper like oidc-web) to call rp.logoutRequest() and take appropriate steps with the resulting URI.

Dear repository maintainer,

On behalf of the Solid Team, thanks for creating resources for the Solid project. We appreciate your efforts!

A new vision on the github.com/solid namespace

We want to give all projects the spotlights they deserve, and that's why we have taken the decision to re-envision what the github.com/solid namespace will contain going forward.

Today, it is a mix of documents that are authoritative to Solid (such as specifications and processes), and software code in various stages of completion, some of which date back to when Solid was an MIT project.

Starting May 2022, github.com/solid will be a space for the authoritative documents, as described in the process repository.

Please help us by moving this repository

For that reason, we kindly ask you to move this repository to a different GitHub organization. This could be your personal GitHub username, or an organization that bundles several of your Solid projects. The choice is entirely yours.

Please let us know what you decide, so we can link to your repositories in the future. Rest assured that the existing link will keep on working; GitHub will redirect it to its new place. If you need any help with the migration, we'll be happy to assist.

Repositories that have not been moved by 1 May 2022 will be moved automatically to https://github.com/solid-contrib/, from where you can still make the decision to move them to another place at a later point in time.

Thanks in advance for your help!

Kind regards,

The Solid Team