Mirrors/audiobookshelf
Mirrors/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2024-12-20 19:06:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2820 from apocer/openid_signing_algorithm

Browse Source 
Add option to set Signing Algorithm for OpenID Authentification
This commit is contained in:
advplyr 2024-04-21 16:07:30 -05:00 committed by GitHub
commit 68418c1d3b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 36 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
client/pages/config/authentication.vue
View File

@ -58,6 +58,9 @@
<ui-text-input-with-label ref="openidClientSecret" v-model="newAuthSettings.authOpenIDClientSecret" :disabled="savingSettings" :label="'Client Secret'" class="mb-2" /> <ui-text-input-with-label ref="openidClientSecret" v-model="newAuthSettings.authOpenIDClientSecret" :disabled="savingSettings" :label="'Client Secret'" class="mb-2" />
<ui-dropdown v-if="openIdSigningAlgorithmsSupportedByIssuer.length" v-model="newAuthSettings.authOpenIDTokenSigningAlgorithm" :items="openIdSigningAlgorithmsSupportedByIssuer" :label="'Signing Algorithm'" :disabled="savingSettings" class="mb-2" />
<ui-text-input-with-label v-else ref="openidTokenSigningAlgorithm" v-model="newAuthSettings.authOpenIDTokenSigningAlgorithm" :disabled="savingSettings" :label="'Signing Algorithm'" class="mb-2" />
<ui-multi-select ref="redirectUris" v-model="newAuthSettings.authOpenIDMobileRedirectURIs" :items="newAuthSettings.authOpenIDMobileRedirectURIs" :label="$strings.LabelMobileRedirectURIs" class="mb-2" :menuDisabled="true" :disabled="savingSettings" /> <ui-multi-select ref="redirectUris" v-model="newAuthSettings.authOpenIDMobileRedirectURIs" :items="newAuthSettings.authOpenIDMobileRedirectURIs" :label="$strings.LabelMobileRedirectURIs" class="mb-2" :menuDisabled="true" :disabled="savingSettings" />
<p class="sm:pl-4 text-sm text-gray-300 mb-2" v-html="$strings.LabelMobileRedirectURIsDescription" /> <p class="sm:pl-4 text-sm text-gray-300 mb-2" v-html="$strings.LabelMobileRedirectURIsDescription" />
@ -138,6 +141,7 @@ export default {
enableOpenIDAuth: false, enableOpenIDAuth: false,
showCustomLoginMessage: false, showCustomLoginMessage: false,
savingSettings: false, savingSettings: false,
openIdSigningAlgorithmsSupportedByIssuer: [],
newAuthSettings: {} newAuthSettings: {}
} }
}, },
@ -178,6 +182,22 @@ export default {
this.newAuthSettings.authOpenIDIssuerURL = this.newAuthSettings.authOpenIDIssuerURL.replace('/.well-known/openid-configuration', '') this.newAuthSettings.authOpenIDIssuerURL = this.newAuthSettings.authOpenIDIssuerURL.replace('/.well-known/openid-configuration', '')
} }
const setSupportedSigningAlgorithms = (algorithms) => {
if (!algorithms?.length || !Array.isArray(algorithms)) {
console.warn('Invalid id_token_signing_alg_values_supported from openid-configuration', algorithms)
this.openIdSigningAlgorithmsSupportedByIssuer = []
return
}
this.openIdSigningAlgorithmsSupportedByIssuer = algorithms
// If a signing algorithm is already selected, then keep it, when it is still supported.
// But if it is not supported, then select one of the supported ones.
let currentAlgorithm = this.newAuthSettings.authOpenIDTokenSigningAlgorithm
if (!algorithms.includes(currentAlgorithm)) {
this.newAuthSettings.authOpenIDTokenSigningAlgorithm = algorithms[0]
}
}
this.$axios this.$axios
.$get(`/auth/openid/config?issuer=${issuerUrl}`) .$get(`/auth/openid/config?issuer=${issuerUrl}`)
.then((data) => { .then((data) => {
@ -187,6 +207,7 @@ export default {
if (data.userinfo_endpoint) this.newAuthSettings.authOpenIDUserInfoURL = data.userinfo_endpoint if (data.userinfo_endpoint) this.newAuthSettings.authOpenIDUserInfoURL = data.userinfo_endpoint
if (data.end_session_endpoint) this.newAuthSettings.authOpenIDLogoutURL = data.end_session_endpoint if (data.end_session_endpoint) this.newAuthSettings.authOpenIDLogoutURL = data.end_session_endpoint
if (data.jwks_uri) this.newAuthSettings.authOpenIDJwksURL = data.jwks_uri if (data.jwks_uri) this.newAuthSettings.authOpenIDJwksURL = data.jwks_uri
if (data.id_token_signing_alg_values_supported) setSupportedSigningAlgorithms(data.id_token_signing_alg_values_supported)
}) })
.catch((error) => { .catch((error) => {
console.error('Failed to receive data', error) console.error('Failed to receive data', error)
@ -224,6 +245,10 @@ export default {
this.$toast.error('Client Secret required') this.$toast.error('Client Secret required')
isValid = false isValid = false
} }
if (!this.newAuthSettings.authOpenIDTokenSigningAlgorithm) {
this.$toast.error('Signing Algorithm required')
isValid = false
}
function isValidRedirectURI(uri) { function isValidRedirectURI(uri) {
// Check for somestring://someother/string // Check for somestring://someother/string

6
server/Auth.js
View File

@ -89,7 +89,8 @@ class Auth {
}).Client }).Client
const openIdClient = new openIdIssuerClient({ const openIdClient = new openIdIssuerClient({
client_id: global.ServerSettings.authOpenIDClientID, client_id: global.ServerSettings.authOpenIDClientID,
client_secret: global.ServerSettings.authOpenIDClientSecret client_secret: global.ServerSettings.authOpenIDClientSecret,
id_token_signed_response_alg: global.ServerSettings.authOpenIDTokenSigningAlgorithm
}) })
passport.use('openid-client', new OpenIDClient.Strategy({ passport.use('openid-client', new OpenIDClient.Strategy({
client: openIdClient, client: openIdClient,
@ -650,7 +651,8 @@ class Auth {
token_endpoint: data.token_endpoint, token_endpoint: data.token_endpoint,
userinfo_endpoint: data.userinfo_endpoint, userinfo_endpoint: data.userinfo_endpoint,
end_session_endpoint: data.end_session_endpoint, end_session_endpoint: data.end_session_endpoint,
jwks_uri: data.jwks_uri jwks_uri: data.jwks_uri,
id_token_signing_alg_values_supported: data.id_token_signing_alg_values_supported
}) })
}).catch((error) => { }).catch((error) => {
Logger.error(`[Auth] Failed to get openid configuration at "${configUrl}"`, error) Logger.error(`[Auth] Failed to get openid configuration at "${configUrl}"`, error)

9
server/objects/settings/ServerSettings.js
View File

@ -68,13 +68,14 @@ class ServerSettings {
this.authOpenIDLogoutURL = null this.authOpenIDLogoutURL = null
this.authOpenIDClientID = null this.authOpenIDClientID = null
this.authOpenIDClientSecret = null this.authOpenIDClientSecret = null
this.authOpenIDTokenSigningAlgorithm = 'RS256'
this.authOpenIDButtonText = 'Login with OpenId' this.authOpenIDButtonText = 'Login with OpenId'
this.authOpenIDAutoLaunch = false this.authOpenIDAutoLaunch = false
this.authOpenIDAutoRegister = false this.authOpenIDAutoRegister = false
this.authOpenIDMatchExistingBy = null this.authOpenIDMatchExistingBy = null
this.authOpenIDMobileRedirectURIs = ['audiobookshelf://oauth'] this.authOpenIDMobileRedirectURIs = ['audiobookshelf://oauth']
this.authOpenIDGroupClaim = '' this.authOpenIDGroupClaim = ''
this.authOpenIDAdvancedPermsClaim = '' this.authOpenIDAdvancedPermsClaim = ''
if (settings) { if (settings) {
this.construct(settings) this.construct(settings)
@ -127,6 +128,7 @@ class ServerSettings {
this.authOpenIDLogoutURL = settings.authOpenIDLogoutURL || null this.authOpenIDLogoutURL = settings.authOpenIDLogoutURL || null
this.authOpenIDClientID = settings.authOpenIDClientID || null this.authOpenIDClientID = settings.authOpenIDClientID || null
this.authOpenIDClientSecret = settings.authOpenIDClientSecret || null this.authOpenIDClientSecret = settings.authOpenIDClientSecret || null
this.authOpenIDTokenSigningAlgorithm = settings.authOpenIDTokenSigningAlgorithm || 'RS256'
this.authOpenIDButtonText = settings.authOpenIDButtonText || 'Login with OpenId' this.authOpenIDButtonText = settings.authOpenIDButtonText || 'Login with OpenId'
this.authOpenIDAutoLaunch = !!settings.authOpenIDAutoLaunch this.authOpenIDAutoLaunch = !!settings.authOpenIDAutoLaunch
this.authOpenIDAutoRegister = !!settings.authOpenIDAutoRegister this.authOpenIDAutoRegister = !!settings.authOpenIDAutoRegister
@ -217,6 +219,7 @@ class ServerSettings {
authOpenIDLogoutURL: this.authOpenIDLogoutURL, authOpenIDLogoutURL: this.authOpenIDLogoutURL,
authOpenIDClientID: this.authOpenIDClientID, // Do not return to client authOpenIDClientID: this.authOpenIDClientID, // Do not return to client
authOpenIDClientSecret: this.authOpenIDClientSecret, // Do not return to client authOpenIDClientSecret: this.authOpenIDClientSecret, // Do not return to client
authOpenIDTokenSigningAlgorithm: this.authOpenIDTokenSigningAlgorithm,
authOpenIDButtonText: this.authOpenIDButtonText, authOpenIDButtonText: this.authOpenIDButtonText,
authOpenIDAutoLaunch: this.authOpenIDAutoLaunch, authOpenIDAutoLaunch: this.authOpenIDAutoLaunch,
authOpenIDAutoRegister: this.authOpenIDAutoRegister, authOpenIDAutoRegister: this.authOpenIDAutoRegister,
@ -252,7 +255,8 @@ class ServerSettings {
this.authOpenIDUserInfoURL && this.authOpenIDUserInfoURL &&
this.authOpenIDJwksURL && this.authOpenIDJwksURL &&
this.authOpenIDClientID && this.authOpenIDClientID &&
this.authOpenIDClientSecret this.authOpenIDClientSecret &&
this.authOpenIDTokenSigningAlgorithm
} }
get authenticationSettings() { get authenticationSettings() {
@ -267,6 +271,7 @@ class ServerSettings {
authOpenIDLogoutURL: this.authOpenIDLogoutURL, authOpenIDLogoutURL: this.authOpenIDLogoutURL,
authOpenIDClientID: this.authOpenIDClientID, // Do not return to client authOpenIDClientID: this.authOpenIDClientID, // Do not return to client
authOpenIDClientSecret: this.authOpenIDClientSecret, // Do not return to client authOpenIDClientSecret: this.authOpenIDClientSecret, // Do not return to client
authOpenIDTokenSigningAlgorithm: this.authOpenIDTokenSigningAlgorithm,
authOpenIDButtonText: this.authOpenIDButtonText, authOpenIDButtonText: this.authOpenIDButtonText,
authOpenIDAutoLaunch: this.authOpenIDAutoLaunch, authOpenIDAutoLaunch: this.authOpenIDAutoLaunch,
authOpenIDAutoRegister: this.authOpenIDAutoRegister, authOpenIDAutoRegister: this.authOpenIDAutoRegister,