nodesolidserver / oidc-rp Goto Github PK
View Code? Open in Web Editor NEWOpenID Connect Relying Party client library
License: MIT License
OpenID Connect Relying Party client library
License: MIT License
When I call logout
or logoutRequest
, I will get logged out of the IDP I logged in with, but not out of the RP I logged in to.
Replace the current promise-based control flow (where applicable) with the es7 await
/ async
syntax.
Why would you want to do this as part of Solid? Why not rely on an existing certified OIDC Node library/client e.g. https://github.com/panva/node-openid-client and spend resources to develop/maintain this code on the core project instead?
In AuthenticationResponse
:
validateAcr()
validateAccessTokenHash()
validateAuthorizationCodeHash()
Also implement:
decryptIDToken()
(Low priority, since these do not apply to Solid auth workflows)
This project depends on https://github.com/anvilresearch/json-document which according to its authors is unfinished, unstable and likely unmaintained: anvilresearch/json-document#21 (comment)
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey#Parameters
This way even if some script manages to steal refresh token #4 it will not be able to get the private key, which that token stays bound to.
Currently the create
method in class AuthenticationRequest
overrides the endpoint URL query with FormUrlEncoded.encode(params)
thus removing any existing query parameters in the endpoint
URL.
(This is for Authorization Code workflow only, does not apply to Implicit flow).
axle:oidc-rp justin$ npm audit
...
found 188 vulnerabilities (174 low, 10 moderate, 4 high) in 6415 scanned packages
run `npm audit fix` to fix 188 of them.
This project depends on https://github.com/anvilresearch/webcrypto which is marked as archived, with a note in README.md that the authors strongly recommend against using it directly, and instead encourages creating a fork.
It is still call:
return fetch(uri, {method})
instead of
return fetch(uri, {method, credentials: 'include'})
in the logout()
method.
I wrote many times, that it DOESN'T work without credentials: 'include'
The static AuthenticationResponse.errorResponse
method, as part of the validateResponse
flow, is meant to convert the standard OAuth2 error parameters (error
code, error_description
and error_uri
) into an actual Error object and to throw it.
(The AuthenticationResponse.validateResponse flow is also supposed to handle IDP errors returned to the callback endpoint as the OIDC/OAuth2 error params.)
Action items:
errorResponse
up earlier in the control flow chain -- currently it's called after matchRequest
and validateStateParam
, but it should be called first thing.error
param, so need to add the error_description
and error_uri
params.https://github.com/solid/oidc-rp/blob/dcae9cbb484f2aa9b913bd6e7db8ab8d98373186/src/PoPToken.js#L36
solid-auth-client uses issueFor() to generate a PoPToken. There appears to be no way to pass the max option through issueFor() to issue() to change the default age of the token generated from DEFAULT_MAX_AGE to anything else.
In general, it would probably be good to have a version of issueFor() that takes an option hash and passes the values through to the issue() call.
Enhance the error handling mechanism to use embedded causal chains of VErrors
(see this excellent Joyent blog post on Error Handling in Node.js) and the corresponding https://github.com/joyent/node-verror library.
Also, consider using the Boom package for HTTP error handling (though size is a concern - check to see how much weight these libs will add to the Webpack'd bundle).
(From the discussion at nodeSolidServer/oidc-auth-manager#20).
Since this oidc-rp
library is meant to be isomorphic (be able to be embedded in browser clients and server-side clients), it cannot implement logout()
behavior itself (since the actual steps to log out are dramatically different depending on where this library is embedded).
Instead, implement something like:
/**
* @param options {object}
*
* @param [options.id_token_hint] {string}
* @param [options.post_logout_redirect_uri] {string}
* @param [options.state] {string}
*
* @param session {Session|Storage}
*
* @returns {string} Logout uri (based on the OP's `end_session_endpoint`)
*/
logoutRequest(options, session) {
// ...
}
And it would be the responsibility of calling code (likely a wrapper like oidc-web
) to call rp.logoutRequest()
and take appropriate steps with the resulting URI.
Dear repository maintainer,
On behalf of the Solid Team, thanks for creating resources for the Solid project. We appreciate your efforts!
We want to give all projects the spotlights they deserve, and that's why we have taken the decision to re-envision what the github.com/solid namespace will contain going forward.
Today, it is a mix of documents that are authoritative to Solid (such as specifications and processes), and software code in various stages of completion, some of which date back to when Solid was an MIT project.
Starting May 2022, github.com/solid will be a space for the authoritative documents, as described in the process repository.
For that reason, we kindly ask you to move this repository to a different GitHub organization. This could be your personal GitHub username, or an organization that bundles several of your Solid projects. The choice is entirely yours.
Please let us know what you decide, so we can link to your repositories in the future. Rest assured that the existing link will keep on working; GitHub will redirect it to its new place. If you need any help with the migration, we'll be happy to assist.
Repositories that have not been moved by 1 May 2022 will be moved automatically to https://github.com/solid-contrib/, from where you can still make the decision to move them to another place at a later point in time.
Thanks in advance for your help!
Kind regards,
The Solid Team
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.