Add support for OAuth 2.0 authentication
This commit is contained in:
Simon Ser
@@ -122,6 +122,7 @@ export default class Client extends EventTarget {
|
||||
pass: null,
|
||||
saslPlain: null,
|
||||
saslExternal: false,
|
||||
saslOauthBearer: null,
|
||||
bouncerNetwork: null,
|
||||
ping: 0,
|
||||
eventPlayback: true,
|
||||
@@ -467,6 +468,10 @@ export default class Client extends EventTarget {
|
||||
case "EXTERNAL":
|
||||
initialResp = { command: "AUTHENTICATE", params: [base64.encode("")] };
|
||||
break;
|
||||
case "OAUTHBEARER":
|
||||
let raw = "n,,\x01auth=Bearer " + params.token + "\x01\x01";
|
||||
initialResp = { command: "AUTHENTICATE", params: [base64.encode(raw)] };
|
||||
break;
|
||||
default:
|
||||
throw new Error(`Unknown authentication mechanism '${mechanism}'`);
|
||||
}
|
||||
@@ -658,6 +663,8 @@ export default class Client extends EventTarget {
|
||||
promise = this.authenticate("PLAIN", this.params.saslPlain);
|
||||
} else if (this.params.saslExternal) {
|
||||
promise = this.authenticate("EXTERNAL");
|
||||
} else if (this.params.saslOauthBearer) {
|
||||
promise = this.authenticate("OAUTHBEARER", this.params.saslOauthBearer);
|
||||
}
|
||||
(promise || Promise.resolve()).catch((err) => {
|
||||
this.dispatchError(err);
|
||||
|
||||
109
lib/oauth2.js
Normal file
109
lib/oauth2.js
Normal file
@@ -0,0 +1,109 @@
|
||||
function formatQueryString(params) {
|
||||
let l = [];
|
||||
for (let k in params) {
|
||||
l.push(encodeURIComponent(k) + "=" + encodeURIComponent(params[k]));
|
||||
}
|
||||
return l.join("&");
|
||||
}
|
||||
|
||||
export async function fetchServerMetadata(url) {
|
||||
// TODO: handle path in config.oauth2.url
|
||||
let resp;
|
||||
try {
|
||||
resp = await fetch(url + "/.well-known/oauth-authorization-server");
|
||||
if (!resp.ok) {
|
||||
throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
|
||||
}
|
||||
} catch (err) {
|
||||
console.warn("OAuth 2.0 server doesn't support Authorization Server Metadata (retrying with OpenID Connect Discovery): ", err);
|
||||
resp = await fetch(url + "/.well-known/openid-configuration");
|
||||
if (!resp.ok) {
|
||||
throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
|
||||
}
|
||||
}
|
||||
|
||||
let data = await resp.json();
|
||||
if (!data.issuer) {
|
||||
throw new Error("Missing issuer in response");
|
||||
}
|
||||
if (!data.authorization_endpoint) {
|
||||
throw new Error("Missing authorization_endpoint in response");
|
||||
}
|
||||
if (!data.token_endpoint) {
|
||||
throw new Error("Missing authorization_endpoint in response");
|
||||
}
|
||||
if (!data.response_types_supported.includes("code")) {
|
||||
throw new Error("Server doesn't support authorization code response type");
|
||||
}
|
||||
return data;
|
||||
}
|
||||
|
||||
export function redirectAuthorize({ serverMetadata, clientId, redirectUri, scope }) {
|
||||
// TODO: move fragment to query string in redirect_uri
|
||||
// TODO: use the state param to prevent cross-site request
|
||||
// forgery
|
||||
let params = {
|
||||
response_type: "code",
|
||||
client_id: clientId,
|
||||
redirect_uri: redirectUri,
|
||||
};
|
||||
if (scope) {
|
||||
params.scope = scope;
|
||||
}
|
||||
window.location.assign(serverMetadata.authorization_endpoint + "?" + formatQueryString(params));
|
||||
}
|
||||
|
||||
function buildPostHeaders(clientId, clientSecret) {
|
||||
let headers = {
|
||||
"Content-Type": "application/x-www-form-urlencoded",
|
||||
"Accept": "application/json",
|
||||
};
|
||||
if (clientSecret) {
|
||||
headers["Authorization"] = "Basic " + btoa(encodeURIComponent(clientId) + ":" + encodeURIComponent(clientSecret));
|
||||
}
|
||||
return headers;
|
||||
}
|
||||
|
||||
export async function exchangeCode({ serverMetadata, redirectUri, code, clientId, clientSecret }) {
|
||||
let data = {
|
||||
grant_type: "authorization_code",
|
||||
code,
|
||||
redirect_uri: redirectUri,
|
||||
};
|
||||
if (!clientSecret) {
|
||||
data.client_id = clientId;
|
||||
}
|
||||
|
||||
let resp = await fetch(serverMetadata.token_endpoint, {
|
||||
method: "POST",
|
||||
headers: buildPostHeaders(clientId, clientSecret),
|
||||
body: formatQueryString(data),
|
||||
});
|
||||
|
||||
if (!resp.ok) {
|
||||
throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
|
||||
}
|
||||
data = await resp.json();
|
||||
|
||||
if (data.error) {
|
||||
throw new Error("Authentication failed: " + (data.error_description || data.error));
|
||||
}
|
||||
|
||||
return data;
|
||||
}
|
||||
|
||||
export async function introspectToken({ serverMetadata, token, clientId, clientSecret }) {
|
||||
let resp = await fetch(serverMetadata.introspection_endpoint, {
|
||||
method: "POST",
|
||||
headers: buildPostHeaders(clientId, clientSecret),
|
||||
body: formatQueryString({ token }),
|
||||
});
|
||||
if (!resp.ok) {
|
||||
throw new Error(`HTTP error: ${resp.status} ${resp.statusText}`);
|
||||
}
|
||||
let data = await resp.json();
|
||||
if (!data.active) {
|
||||
throw new Error("Expired token");
|
||||
}
|
||||
return data;
|
||||
}
|
||||
Reference in New Issue
Block a user