feat: support for OpenID auto-discovery via domain, show callback URL in main settings page

Author: julianlam

lib/controllers.js

@@ -1,5 +1,7 @@
 'use strict';
 
+const fetch = require('node-fetch');
+
 const db = require.main.require('./src/database');
 const slugify = require.main.require('./src/slugify');
 const helpers = require.main.require('./src/controllers/helpers');
@@ -16,6 +18,23 @@ Controllers.renderAdminPage = async (req, res) => {
 	});
 };
 
+Controllers.getOpenIdMetadata = async (req, res) => {
+	const { domain } = req.query;
+	if (!domain) {
+		return helpers.formatApiResponse(400, res);
+	}
+
+	try {
+		const url = new URL(`https://${domain}/.well-known/openid-configuration`);
+		const response = await fetch(url);
+		const { authorization_endpoint, token_endpoint, userinfo_endpoint } = await response.json();
+
+		helpers.formatApiResponse(200, res, { authorization_endpoint, token_endpoint, userinfo_endpoint });
+	} catch (e) {
+		helpers.formatApiResponse(400, res, new Error('Invalid domain supplied'));
+	}
+};
+
 Controllers.getStrategy = async (req, res) => {
 	const name = slugify(req.params.name);
 

library.js

@@ -94,6 +94,8 @@ OAuth.addRoutes = async ({ router, middleware }) => {
 		middleware.admin.checkPrivileges,
 	];
 
+	routeHelpers.setupApiRoute(router, 'get', '/oauth2-multiple/discover', middlewares, controllers.getOpenIdMetadata);
+
 	routeHelpers.setupApiRoute(router, 'post', '/oauth2-multiple/strategies', middlewares, controllers.editStrategy);
 	routeHelpers.setupApiRoute(router, 'get', '/oauth2-multiple/strategies/:name', middlewares, controllers.getStrategy);
 	routeHelpers.setupApiRoute(router, 'delete', '/oauth2-multiple/strategies/:name', middlewares, controllers.deleteStrategy);
@@ -115,6 +117,7 @@ OAuth.listStrategies = async () => {
 	strategies.forEach((strategy, idx) => {
 		strategy.name = names[idx];
 		strategy.enabled = strategy.enabled === 'true';
+		strategy.callbackUrl = `${nconf.get('url')}/auth/${names[idx]}/callback`;
 	});
 
 	return strategies;

package.json

@@ -30,6 +30,7 @@
   "dependencies": {
     "async": "^3.2.0",
     "eslint": "8.x",
+    "node-fetch": "^2",
     "passport-oauth": "~1.0.0"
   },
   "nbbpm": {

static/lib/admin.js

@@ -1,7 +1,7 @@
 'use strict';
 
 // import * as settings from 'settings';
-import { confirm } from 'bootbox';
+import { alert, confirm } from 'bootbox';
 import { get, post, del } from 'api';
 import { error } from 'alerts';
 import { render } from 'benchpress';
@@ -25,6 +25,7 @@ export function init() {
 						title,
 						message,
 						callback: handleEditStrategy,
+						onShown: handleAutoDiscovery,
 					});
 
 					break;
@@ -39,6 +40,7 @@ export function init() {
 						title,
 						message,
 						callback: handleEditStrategy,
+						onShown: handleAutoDiscovery,
 					});
 
 					break;
@@ -58,6 +60,19 @@ export function init() {
 							handleDeleteStrategy.call(this, ok, name);
 						},
 					});
+
+					break;
+				}
+
+				case 'callback-help': {
+					alert({
+						title: 'What is the callback URL?',
+						message: `
+							When you create a new OAuth2 client at the provider, you need to specify a callback URL.
+							Each provider is unfamiliar with how individual clients handle the callback.
+							NodeBB provides the following URL for you to enter into that configuration.
+						`,
+					});
 				}
 			}
 		}
@@ -84,6 +99,48 @@ function handleEditStrategy(ok) {
 	return false;
 }
 
+function handleAutoDiscovery() {
+	const modalEl = this;
+
+	const domainEl = modalEl.querySelector('#domain');
+	const successEl = modalEl.querySelector('#discovery-success');
+	const failureEl = modalEl.querySelector('#discovery-failure');
+	const detailsEl = modalEl.querySelector('#details');
+	const idEl = modalEl.querySelector('#id');
+	if (![domainEl, successEl, failureEl, detailsEl].every(Boolean)) {
+		return;
+	}
+
+	domainEl.addEventListener('change', async () => {
+		try {
+			detailsEl.classList.add('opacity-50');
+			successEl.classList.replace('d-flex', 'd-none');
+			failureEl.classList.replace('d-flex', 'd-none');
+			const { authorization_endpoint, token_endpoint, userinfo_endpoint } = await get(`/plugins/oauth2-multiple/discover?domain=${encodeURIComponent(domainEl.value)}`);
+
+			if (authorization_endpoint) {
+				modalEl.querySelector('#authUrl').value = authorization_endpoint;
+			}
+
+			if (token_endpoint) {
+				modalEl.querySelector('#tokenUrl').value = token_endpoint;
+			}
+
+			if (userinfo_endpoint) {
+				modalEl.querySelector('#userRoute').value = userinfo_endpoint;
+			}
+
+			successEl.classList.replace('d-none', 'd-flex');
+		} catch (e) {
+			console.log(e);
+			failureEl.classList.replace('d-none', 'd-flex');
+		} finally {
+			detailsEl.classList.remove('opacity-50');
+			idEl.focus();
+		}
+	});
+}
+
 function handleDeleteStrategy(ok, name) {
 	if (!ok) {
 		return;

static/templates/admin/plugins/sso-oauth2-multiple.tpl

@@ -15,12 +15,13 @@
 						<thead>
 							<th>Name</th>
 							<th>Enabled</th>
+							<th>Callback URL <a href="#" data-action="callback-help"><i class="fa fa-question-circle"></i></a></th>
 							<th><span class="visually-hidden">Actions</span></th>
 						</thead>
 						<tbody>
 							{{{ if !strategies.length }}}
 							<tr>
-								<td colspan="3">
+								<td colspan="4">
 									<div class="alert alert-info text-center mb-0"><em>No OAuth2 endpoints configured.</em></div>
 								</td>
 							</tr>
@@ -31,6 +32,7 @@
 								<td>
 									{{{ if ./enabled }}}&check;{{{ else }}}&cross;{{{ end }}}
 								</td>
+								<td>{./callbackUrl}</td>
 								<td class="text-end">
 									<a href="#" data-action="edit">Edit</a>
 									&nbsp;&nbsp;&nbsp;
@@ -41,7 +43,7 @@
 						</tbody>
 						<tfoot>
 							<tr>
-								<td colspan="3">
+								<td colspan="4">
 									<button type="button" class="btn btn-success btn-sm pull-right" data-action="new"><i class="fa fa-plus"></i> New Endpoint</button>
 								</td>
 							</tr>

static/templates/partials/edit-oauth2-strategy.tpl

@@ -4,8 +4,6 @@
 		<label for="enabled" class="form-check-label">Enabled</label>
 	</div>
 
-	<hr />
-
 	<div class="mb-3">
 		<label class="form-label" for="name">Name</label>
 		<input type="text" id="name" name="name" title="Name" class="form-control" placeholder="Name" value="{./name}" {{{ if ./name }}}readonly{{{ end }}}>
@@ -15,30 +13,46 @@
 	</div>
 
 	<div class="mb-3">
-		<label class="form-label" for="authUrl">Authorization URL</label>
-		<input type="text" id="authUrl" name="authUrl" title="Authorization URL" class="form-control" placeholder="https://..." value="{./authUrl}">
+		<label class="form-label" for="domain">Domain</label>
+		<div class="input-group">
+			<input type="text" id="domain" name="domain" title="domain" class="form-control" placeholder="foo.example.org">
+			<span class="input-group-text text-success d-none" id="discovery-success">&check;</span>
+			<span class="input-group-text text-warning d-none" id="discovery-failure">&cross;</span>
+		</div>
+		<p class="form-text">
+			<strong>Optional</strong> — fill in a domain to automatically discover the URLs if provided by the server.
+		</p>
 	</div>
 
-	<div class="mb-3">
-		<label class="form-label" for="tokenUrl">Token URL</label>
-		<input type="text" id="tokenUrl" name="tokenUrl" title="Token URL" class="form-control" placeholder="https://..." value="{./tokenUrl}">
-	</div>
+	<hr />
 
-	<div class="mb-3">
-		<label class="form-label" for="id">Client ID</label>
-		<input type="text" id="id" name="id" title="Client ID" class="form-control" value="{./id}">
-	</div>
+	<fieldset id="details">
+		<div class="mb-3">
+			<label class="form-label" for="authUrl">Authorization URL</label>
+			<input type="text" id="authUrl" name="authUrl" title="Authorization URL" class="form-control" placeholder="https://..." value="{./authUrl}">
+		</div>
 
-	<div class="mb-3">
-		<label class="form-label" for="secret">Client Secret</label>
-		<input type="text" id="secret" name="secret" title="Client Secret" class="form-control" value="{./secret}">
-	</div>
+		<div class="mb-3">
+			<label class="form-label" for="tokenUrl">Token URL</label>
+			<input type="text" id="tokenUrl" name="tokenUrl" title="Token URL" class="form-control" placeholder="https://..." value="{./tokenUrl}">
+		</div>
 
-	<div class="mb-3">
-		<label class="form-label" for="userRoute">User Info URL</label>
-		<input type="text" id="userRoute" name="userRoute" title="User Info URL" class="form-control" placeholder="/userinfo" value="{./userRoute}">
-		<p class="form-text">
-			If a relative path is specified here, we will assume the hostname from the authorization URL.
-		</p>
-	</div>
+		<div class="mb-3">
+			<label class="form-label" for="id">Client ID</label>
+			<input type="text" id="id" name="id" title="Client ID" class="form-control" value="{./id}">
+		</div>
+
+		<div class="mb-3">
+			<label class="form-label" for="secret">Client Secret</label>
+			<input type="text" id="secret" name="secret" title="Client Secret" class="form-control" value="{./secret}">
+		</div>
+
+		<div class="mb-3">
+			<label class="form-label" for="userRoute">User Info URL</label>
+			<input type="text" id="userRoute" name="userRoute" title="User Info URL" class="form-control" placeholder="/userinfo" value="{./userRoute}">
+			<p class="form-text">
+				If a relative path is specified here, we will assume the hostname from the authorization URL.
+			</p>
+		</div>
+	</fieldset>
 </form>

yarn.lock

@@ -633,9 +633,9 @@ esutils@^2.0.2:
   integrity sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==
 
 execa@^7.0.0:
-  version "7.1.1"
-  resolved "https://registry.yarnpkg.com/execa/-/execa-7.1.1.tgz#3eb3c83d239488e7b409d48e8813b76bb55c9c43"
-  integrity sha512-wH0eMf/UXckdUYnO21+HDztteVv05rq2GXksxT4fCGeHkBhw1DROXh40wcjMcRqDOWE7iPJ4n3M7e2+YFP+76Q==
+  version "7.2.0"
+  resolved "https://registry.yarnpkg.com/execa/-/execa-7.2.0.tgz#657e75ba984f42a70f38928cedc87d6f2d4fe4e9"
+  integrity sha512-UduyVP7TLB5IcAQl+OzLyLcS/l32W/GLg+AhHJ+ow40FOk2U3SAllPwR44v4vmdFwIWqpdwxxpQbF1n5ta9seA==
   dependencies:
     cross-spawn "^7.0.3"
     get-stream "^6.0.1"
@@ -1187,6 +1187,13 @@ natural-compare@^1.4.0:
   resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7"
   integrity sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==
 
+node-fetch@^2:
+  version "2.6.12"
+  resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.12.tgz#02eb8e22074018e3d5a83016649d04df0e348fba"
+  integrity sha512-C/fGU2E8ToujUivIO0H+tpQ6HWo4eEmchoPIoXtxCrVghxdKq+QOHqEZW7tuP3KlV3bC8FRMO5nMCC7Zm1VP6g==
+  dependencies:
+    whatwg-url "^5.0.0"
+
 normalize-path@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/normalize-path/-/normalize-path-3.0.0.tgz#0dcd69ff23a1c9b11fd0978316644a0388216a65"
@@ -1660,6 +1667,11 @@ to-regex-range@^5.0.1:
   dependencies:
     is-number "^7.0.0"
 
+tr46@~0.0.3:
+  version "0.0.3"
+  resolved "https://registry.yarnpkg.com/tr46/-/tr46-0.0.3.tgz#8184fd347dac9cdc185992f3a6622e14b9d9ab6a"
+  integrity sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==
+
 tsconfig-paths@^3.14.2:
   version "3.14.2"
   resolved "https://registry.yarnpkg.com/tsconfig-paths/-/tsconfig-paths-3.14.2.tgz#6e32f1f79412decd261f92d633a9dc1cfa99f088"
@@ -1671,9 +1683,9 @@ tsconfig-paths@^3.14.2:
     strip-bom "^3.0.0"
 
 tslib@^2.1.0:
-  version "2.6.0"
-  resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.6.0.tgz#b295854684dbda164e181d259a22cd779dcd7bc3"
-  integrity sha512-7At1WUettjcSRHXCyYtTselblcHl9PJFFVKiCAy/bY97+BPZXSQ2wbq0P9s8tK2G7dFQfNnlJnPAiArVBVBsfA==
+  version "2.6.1"
+  resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.6.1.tgz#fd8c9a0ff42590b25703c0acb3de3d3f4ede0410"
+  integrity sha512-t0hLfiEKfMUoqhG+U1oid7Pva4bbDPHYfJNiB7BiIjRkj1pyC++4N3huJfqY6aRH6VTB0rvtzQwjM4K6qpfOig==
 
 type-check@^0.4.0, type-check@~0.4.0:
   version "0.4.0"
@@ -1758,6 +1770,19 @@ utils-merge@1.x.x:
   resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.1.tgz#9f95710f50a267947b2ccc124741c1028427e713"
   integrity sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==
 
+webidl-conversions@^3.0.0:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/webidl-conversions/-/webidl-conversions-3.0.1.tgz#24534275e2a7bc6be7bc86611cc16ae0a5654871"
+  integrity sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==
+
+whatwg-url@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/whatwg-url/-/whatwg-url-5.0.0.tgz#966454e8765462e37644d3626f6742ce8b70965d"
+  integrity sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==
+  dependencies:
+    tr46 "~0.0.3"
+    webidl-conversions "^3.0.0"
+
 which-boxed-primitive@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/which-boxed-primitive/-/which-boxed-primitive-1.0.2.tgz#13757bc89b209b049fe5d86430e21cf40a89a8e6"