Update /auth/openid endpoints for correct PKCE handling

- Provide error handling for /auth/openid - Add session.mobile inside /auth/openid - Proper PKCE handling for /auth/openid/callback - redirect_uri handling for the token url in /auth/openid/callback Co-authored-by: Denis Arnst <git@sapd.eu>
2025-03-24 00:16:39 +01:00 · 2023-11-11 10:52:05 -06:00 · 2023-11-11 10:52:05 -06:00 · 557ef2ef79
commit 557ef2ef79
parent 237fe84c54
1 changed files with 90 additions and 64 deletions
--- a/server/Auth.js
+++ b/server/Auth.js
@ -306,6 +306,7 @@ class Auth {

    // openid strategy login route (this redirects to the configured openid login provider)
    router.get('/auth/openid', (req, res, next) => {
+      try {
        // helper function from openid-client
        function pick(object, ...paths) {
          const obj = {}
@ -377,11 +378,36 @@ class Auth {

        // Redirect the user agent (browser) to the authorization URL
        res.redirect(authorizationUrl)
+      } catch (error) {
+        Logger.error(`[Auth] Error in /auth/openid route: ${error}`)
+        res.status(500).send('Internal Server Error')
+      }
    })

    // openid strategy callback route (this receives the token from the configured openid login provider)
-    router.get('/auth/openid/callback',
-      passport.authenticate('openid-client'),
+    router.get('/auth/openid/callback', (req, res, next) => {
+      const oidcStrategy = passport._strategy('openid-client')
+      const sessionKey = oidcStrategy._key
+
+      if (!req.session[sessionKey]) {
+        return res.status(400).send('No session')
+      }
+
+      // If the client sends us a code_verifier, we will tell passport to use this to send this in the token request
+      // The code_verifier will be validated by the oauth2 provider by comparing it to the code_challenge in the first request
+      // Crucial for API/Mobile clients
+      if (req.query.code_verifier) {
+        req.session[sessionKey].code_verifier = req.query.code_verifier
+      }
+
+      // While not required by the standard, the passport plugin re-sends the original redirect_uri in the token request
+      // We need to set it correctly, as some SSO providers (e.g. keycloak) check that parameter when it is provided
+      if (req.session[sessionKey].mobile) {
+        return passport.authenticate('openid-client', { redirect_uri: 'audiobookshelf://oauth' })(req, res, next)
+      } else {
+        return passport.authenticate('openid-client')(req, res, next)
+      }
+    },
      // on a successfull login: read the cookies and react like the client requested (callback or json)
      this.handleLoginSuccessBasedOnCookie.bind(this))