Hi,
I’m testing the HashiCorp Vault OIDC provider with the passport-auth0 library and I get an error for the authorization endpoint.
Vault uses a different base path for this endpoint (see the discovery document below):
{
"issuer": "https://vaultdevel.example.com/v1/identity/oidc/provider/oidctest1",
"jwks_uri": "https://vaultdevel.example.com/v1/identity/oidc/provider/oidctest1/.well-known/keys",
"authorization_endpoint": "https://vaultdevel.example.com/ui/vault/identity/oidc/provider/oidctest1/authorize",
"token_endpoint": "https://vaultdevel.example.com/v1/identity/oidc/provider/oidctest1/token",
"userinfo_endpoint": "https://vaultdevel.example.com/v1/identity/oidc/provider/oidctest1/userinfo",
Note the “…/ui/vault/…” prefix of “authorization_endpoint” versus the “…/v1/…” prefix of the other URLs.
The passport-auth0 library uses a single “domain: …” setting,
defined here as: “vaultdevel.example.com/v1/identity/oidc/provider/oidctest1”,
and tries to build the “authorization_endpoint” from that domain as well, so it returns an error because that endpoint has a different URI path.
Is there a way to specify “authorization_endpoint” explicitly, enable discovery, or otherwise configure passport-auth0 so that it uses the correct “authorization_endpoint” URL?
Found solution:
passport-auth0 doesn’t seem to use the discovery URL, so Vault’s different base path for “authorization_endpoint” results in an error.
It worked for me using passport-oauth2.
Sample code:
// passport-oauth2 takes authorizationURL and tokenURL as two separate settings,
// which is what Vault's split /ui/... and /v1/... endpoint paths need.
var OAuth2Strategy = require('passport-oauth2');
...
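// Configure Passport to use OAuth2.
// The strategy instance gets its own name so the imported constructor is not
// overwritten; passport registers it under the default name 'oauth2'.
const strategy = new OAuth2Strategy(
  {
    // "passport-oauth2" specific params
    authorizationURL: process.env.AUTHORIZATION_ENDPOINT_URL,
    tokenURL: process.env.TOKEN_ENDPOINT_URL,
    clientID: process.env.CLIENT_ID,
    clientSecret: process.env.CLIENT_SECRET,
    callbackURL: process.env.CALLBACK_URL,
    // Tie the callback to the session that started the login, so a callback
    // that was not initiated by this session is rejected (login CSRF).
    // passport-oauth2 keeps the state value in the express session.
    // pkce: true (which requires state: true) is worth adding as well where
    // the provider supports it.
    state: true,
  },
  // Verify callback. Five parameters are declared on purpose: passport-oauth2
  // only passes the raw token response (`params`, which carries id_token)
  // when the callback takes it.
  (accessToken, refreshToken, params, profile, cb) => {
    const idToken = params.id_token;
    if (typeof idToken !== 'string') {
      return cb(new Error('token response did not include an id_token'));
    }
    // Decode the JWT payload (Node's 'base64' decoder also accepts the
    // URL-safe alphabet that JWTs use). The token came straight from the token
    // endpoint over TLS, so its signature is not checked here; the audience
    // is, so a token minted for a different client is not accepted. Comparing
    // claims.iss against the provider's issuer URL would tighten this further.
    const claims = JSON.parse(Buffer.from(idToken.split('.')[1], 'base64').toString());
    const audience = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (!audience.includes(process.env.CLIENT_ID)) {
      return cb(new Error('id_token audience does not match CLIENT_ID'));
    }
    profile.my_id_token_parse = JSON.stringify(claims, null, 3);
    // ... (rest of the profile handling elided by the author)
    return cb(null, profile);
  },
);
passport.use(strategy);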
// Allow passport to serialize and deserialize users into sessions.
// No lookup step: the whole profile object produced by the verify callback is
// stored in the session store as-is and handed back unchanged on every request.
passport.serializeUser(function (user, done) {
  done(null, user);
});
passport.deserializeUser(function (user, done) {
  done(null, user);
});
...
// Start the login: passport-oauth2 redirects the browser to the configured
// authorizationURL, requesting these scopes.
const loginOptions = {
  scope: 'openid email profile offline_access',
};
app.get('/login', passport.authenticate('oauth2', loginOptions));
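// Redirect target of the provider. Exchanges the authorization code for tokens
// (done by passport-oauth2) and establishes the session.
app.get('/callback', (req, res, next) => {
  // Read the code from the parsed query string instead of slicing
  // req.originalUrl by hand: the provider may answer with error=... and no
  // code at all, which the string slicing turned into a TypeError.
  const authCode = req.query.code;
  if (typeof authCode === 'string') {
    // Demo only: the code is single-use and is redeemed by passport right
    // below, so it normally does not need to be persisted at all. Where it is
    // kept, keep it off cross-site requests and off plaintext transports.
    res.cookie('MyAuthCode', authCode, {
      maxAge: 900000,
      httpOnly: true,
      sameSite: 'lax',
      secure: req.secure,
    });
  }
  passport.authenticate('oauth2', (err, user) => {
    if (err) return next(err);
    if (!user) return res.redirect('/login');
    req.logIn(user, (loginErr) => {
      if (loginErr) return next(loginErr);
      res.redirect('/profile');
    });
  })(req, res, next);
});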
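// Escape the characters that are significant in HTML text and attribute
// context. ID token claims (name, email, ...) are provider-supplied input and
// must not be interpolated into markup raw.
function escapeHtml(value) {
  const replacements = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => replacements[ch]);
}

// Render the token material attached to the session user as an HTML table.
app.get('/profile', (req, res) => {
  // No passport data in the session means the user is not logged in; send them
  // to login instead of throwing on a missing property.
  const user = req.session.passport && req.session.passport.user;
  if (!user) return res.redirect('/login');
  // Value of the connect.sid session cookie, i.e. this session's bearer
  // credential. Presumably used by the rows elided below; it should only ever
  // be shown to the session owner. An absent cookie header yields ''.
  const cookieHeader = req.headers.cookie || '';
  const sidMatch = /connect\.sid=([^;]*)/.exec(cookieHeader);
  const aCookie = sidMatch ? decodeURIComponent(sidMatch[1]) : '';
  // The markup lines stay at column 0: they are inside the template literal.
  const html = `<!DOCTYPE html>
<html><head><meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<style>
table, th, td {
border: 2px solid;
border-color: #96D4D4;
border-collapse: collapse;
border-style: groove;
}
span {
display:block;
width:100%;
word-wrap:break-word;
word-break:break-all;
white-space: normal;
color:blue;
font-family:'Courier New';
font-size: 100%;
}
</style></head><body>
<h1 style="color: #00cc00;">OIDC Informations Table</h1>
<div style="overflow-x: auto;"><span>
<table width="100%">
<tr>
<th>KEYS</th>
<th>VALUES</th>
</tr>
<tr style="height:30px">
<td width="15%"><b>id_token</b></td>
<td width="85%">${escapeHtml(user.my_id_token)}</td>
</tr>
<tr style="height:30px">
<td width="15%"><b>id_token PARSED</b></td>
<td width="85%"><pre>${escapeHtml(user.my_id_token_parse)}</pre></td>
</tr>
...
</table></span></div></body></html>`;
  res.send(html);
  // ... (rest of the handler elided by the author)
});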