Merge pull request #5 from UseKeyp/dev

Initial release

Author: pi0neerpat

README.md

@@ -5,44 +5,94 @@
   </a>
 </p>
 
-> An OAuth2 provider built using Redwood and oidc-provider
-
-<p align="left">
-<img width="600px" src="oauth-server-redwood-demo.gif"/>
-</p>
+> OAuth2 server with dynamic client registration, built with Oidc-Provider for RedwoodJS
 
 🚧 IN DEVELOPMENT 🚧
 
-"Authority" means that you are providing authentication or authorization as a service for _other apps_. For example "Sign in with MyCompanyApp", as opposed to "Sign in with Google".  If you're just looking to implement an OAuth2 client in your app, check out [`oauth2-client-redwood`](https://github.com/usekeyp/oauth2-client-redwood).
+"Authority" means that you are providing authentication or authorization as a service for _other apps_. For example "Sign in with MyCompanyApp", as opposed to "Sign in with Google".  If you're just looking to implement an OAuth2 client in your app, check out [`oauth2-client-redwood`][oauth2-client-redwood].
 
 ## Demo ⏯️
 
 Hosted demo coming soon
 
 In the example gif above, its important to note that the server is wrapping the user's Discord account with its own account (double authentication). The flow could also just use normal username/password.
-## Developing
+## Usage
+
+1. Create a new function `oauth` and install the package
+
+```bash
+yarn add oauth2-server-redwood serverless-http
+```
+
+```js
+// api/src/functions/oauth.js
+import oauth2Server from 'oauth2-server-redwood'
+import serverless from 'serverless-http'
+
+import { db } from 'src/lib/db'
+
+export const handler = serverless(
+  oauth2Server(db, {
+    SECURE_KEY: process.env.SECURE_KEY,
+    APP_DOMAIN: process.env.APP_DOMAIN,
+    routes: { login: '/login', authorize: '/authorize' },
+    config: {
+      // Define your own OIDC-Provider config (https://github.com/panva/node-oidc-provider)
+      clients: [
+        {
+          client_id: '123',
+          client_secret: 'somesecret',
+          redirect_uris: [
+            'https://jwt.io',
+            'https://oauthdebugger.com/debug',
+            'http://0.0.0.0:8910/redirect/oauth2_server_redwood',
+          ],
+        },
+      ],
+    },
+  })
+)
+```
+
+2. Copy the .env.example to .env and update the values
+
+3. Setup an Nginx proxy. I've included `oauth2-server-redwood.conf` which removes the prefix and serves the endpoint from `localhost/oauth` instead of `localhost/api/oauth`. Oidc-provider does not always adhere to the `/api` path prefix when setting cookie path, or my implementation is incorrect. If you you can help solve this, please let me know!
 
-Here's the user-agent flow for a standard node-oidc-provider. Note ours is slightly modified, since we use our Redwood app UI for the login and consent screens.
+4.  Setup dbAuth and update the graphql schema. Copy the schema here or see [`oauth2-client-redwood`][oauth2-client-redwood].
 
-<img  src="user-agent-flow.png"/>
+```bash
+yarn rw setup auth dbAuth
+```
+
+5. To test, you can use https://oauthdebugger.com/
+
+- Authorize URI: http://localhost/oauth/auth
+- Client ID: 123
+- Scope: openid email profile
+- Use PKCE: true
+
+<img width="400px" src="oauth-debugger.png">
+
+Alternatively, you can test using only Redwood apps. Clone [`oauth2-client-redwood`][oauth2-client-redwood] and update the line in the `.env` file to point to your server:
+
+```
+OAUTH2_SERVER_REDWOOD_API_DOMAIN=http://localhost/oauth
+```
 
 ## Contributing 💡
 
 To run this repo locally:
 
-- Update your .env from `.env.example`.
-- You'll need to setup a nginx proxy, since oidc-provider sometimes ignores the extra `/api` path prefix, and cookie paths are not set properly. I've included `oauth2-server-redwood.conf` which removes the prefix and serves the endpoint from `localhost/oauth` instead of `localhost/api/oauth`. I'm open to other ideas here if you'd like to help!
-- Run `yarn build` in `/packages/oauth2-server
-
+- Clone the repo and follow steps 2 & 3 above
+- Run `yarn build:watch` in `/packages/oauth2-server`
+- Run `yarn rw dev` to start the app
 ## TODO
 
 - [x] Validate rw session tokens during login
-- [ ] Add claims to the user model and fetch in `findAccount`
+- [ ] Upgrade to latest oidc-provider (blocked by lack of support for "require")
+- [ ] Add dbAuth username/password option to make the demo simpler to understand
 - [ ] Show proper scopes for consent page
 - [ ] Improve the UI
-- [ ] Fix redirect bug to /profile
-- [ ] Add dbAuth username/password option to make the demo simpler to understand
-- [ ] Security audit
 ## Resources 🧑‍💻
 
 - OAuth Server libraries: https://oauth.net/code/nodejs/
@@ -58,6 +108,5 @@ Copyright © 2023 Nifty Chess, Inc.<br />
 This project is MIT licensed.
 
 [sponsor-keyp]: https://UseKeyp.com
-
-
+[oauth2-client-redwood]: https://github.com/UseKeyp/oauth2-client-redwood
 

api/src/functions/oauth/oauth.js

@@ -1,6 +1,27 @@
-import app from 'oauth2-server-redwood'
+import oauth2Server from 'oauth2-server-redwood'
 import serverless from 'serverless-http'
 
 import { db } from 'src/lib/db'
 
-export const handler = serverless(app({ db }))
+export const handler = serverless(
+  oauth2Server(db, {
+    SECURE_KEY: process.env.SECURE_KEY,
+    APP_DOMAIN: process.env.APP_DOMAIN,
+    routes: { login: '/login', authorize: '/authorize' },
+    config: {
+      // OIDC-Provider config, see https://github.com/panva/node-oidc-provider
+      clients: [
+        {
+          client_id: '123',
+          client_secret: 'somesecret',
+          redirect_uris: [
+            'https://jwt.io',
+            'https://oauthdebugger.com/debug',
+            'http://0.0.0.0:8910/redirect/oauth2_server_redwood',
+            'https://oauth2-client-redwood-eta.vercel.app/redirect/node_oidc',
+          ],
+        },
+      ],
+    },
+  })
+)

oauth-debugger.png

@@ -3,33 +3,20 @@ import getAdapter from './adapter'
 import htmlSafe from './helpers'
 import jwks from './jwks'
 
-export const getConfig = (db) => {
+export const getConfig = (db, settings) => {
   const adapter = getAdapter(db)
   return {
     adapter,
     findAccount: findAccount(db),
-    // clients: [
-    //   {
-    //     client_id: '123',
-    //     client_secret: 'somesecret',
-    //     redirect_uris: [
-    //       'https://jwt.io',
-    //       'http://0.0.0.0:3000/redirect/node_oidc',
-    //       'http://0.0.0.0:8910/redirect/node_oidc',
-    //       'http://localhost:8910/redirect/node_oidc',
-    //       'http://0.0.0.0:8910/redirect/oauth2_server_redwood',
-    //       'https://oauth2-client-redwood-eta.vercel.app/redirect/node_oidc',
-    //     ],
-    //   },
-    // ],
     clientDefaults: {
       grant_types: ['authorization_code'],
       id_token_signed_response_alg: 'RS256',
       response_types: ['code'],
       token_endpoint_auth_method: 'client_secret_post',
     },
+    // TODO: unsure if this config is needed
     // clientAuthMethods: ['client_secret_post'],
-    cookies: { keys: process.env.SECURE_KEY.split(',') },
+    cookies: { keys: settings.SECURE_KEY.split(',') },
     jwks,
     ttl: {
       // Sessions
@@ -67,19 +54,19 @@ export const getConfig = (db) => {
     },
 
     features: {
-      introspection: {
-        enabled: true,
-        introspectionAllowedPolicy: (ctx, client, token) => {
-          return true
-          if (
-            client.clientAuthMethod === 'none' &&
-            token.clientId !== ctx.oidc.client.clientId
-          ) {
-            return false
-          }
-          return true
-        },
-      },
+      // TODO: enable introspection for API server
+      // introspection: {
+      //   enabled: true,
+      //   introspectionAllowedPolicy: (ctx, client, token) => {
+      //     if (
+      //       client.clientAuthMethod === 'none' &&
+      //       token.clientId !== ctx.oidc.client.clientId
+      //     ) {
+      //       return false
+      //     }
+      //     return true
+      //   },
+      // },
       devInteractions: { enabled: false },
     },
     renderError: async (ctx, out, error) => {
@@ -103,5 +90,6 @@ export const getConfig = (db) => {
         </body>
         </html>`
     },
+    ...settings.config,
   }
 }

packages/oauth2-server/src/config.js

@@ -11,12 +11,12 @@ import { dbAuthSession } from './shared'
 // const cors = require('cors')
 const Provider = require('oidc-provider')
 
-const app = ({ db }) => {
-  assert(process.env.SECURE_KEY, 'process.env.SECURE_KEY missing')
+const app = (db, settings) => {
+  assert(settings.SECURE_KEY, 'settings.SECURE_KEY missing')
   assert.equal(
-    process.env.SECURE_KEY.split(',').length,
+    settings.SECURE_KEY.split(',').length,
     2,
-    'process.env.SECURE_KEY format invalid'
+    'settings.SECURE_KEY format invalid'
   )
 
   const authenticate = async (req) => {
@@ -32,8 +32,8 @@ const app = ({ db }) => {
   }
 
   const oidc = new Provider(
-    `${process.env.APP_DOMAIN}/api/oauth`,
-    getConfig(db)
+    `${settings.APP_DOMAIN}/api/oauth`,
+    getConfig(db, settings)
   )
   oidc.proxy = true
 
@@ -66,7 +66,7 @@ const app = ({ db }) => {
           req.apiGateway?.event?.queryStringParameters?.login_provider
         if (prompt.name === 'login') {
           if (provider) {
-            const response = await fetch(`${process.env.APP_DOMAIN}/api/auth`, {
+            const response = await fetch(`${settings.APP_DOMAIN}/api/auth`, {
               method: 'POST',
               headers: { 'Content-Type': 'application/json' },
               body: JSON.stringify({
@@ -78,9 +78,10 @@ const app = ({ db }) => {
             if (!response.url) throw "Error during sign up. Couldn't fetch url."
             return res.redirect(response.url)
           }
-          return res.redirect(`/signin?uid=${uid}`)
+          return res.redirect(`${settings.routes.login}?uid=${uid}`)
         }
-        return res.redirect(`/authorize?uid=${uid}`)
+        // Interaction is not logging in, so we must be authorizing
+        return res.redirect(`${settings.routes.authorize}?uid=${uid}`)
       } catch (err) {
         return next(err)
       }
@@ -232,4 +233,4 @@ const app = ({ db }) => {
   return expressApp
 }
 
-export default ({ db }) => app({ db })
+export default (...args) => app(...args)

packages/oauth2-server/src/index.js

@@ -11,9 +11,9 @@ const Routes = () => {
           <Route path="/authorize" page={AuthorizePage} name="authorize" />
           <Route path="/" page={HomePage} name="home" />
           <Route path="/redirect/{type}" page={RedirectPage} name="redirect" />
-          <Route path="/signin" page={SignInPage} name="signin" />
+          <Route path="/login" page={LoginPage} name="login" />
           <Route notfound page={NotFoundPage} />
-          <Private unauthenticated="signin">
+          <Private unauthenticated="login">
             <Route path="/profile" page={ProfilePage} name="profile" />
           </Private>
         </Set>

web/src/Routes.js

@@ -16,7 +16,7 @@ const DefaultLayout = ({ children, background }) => {
                 {isAuthenticated ? (
                   <button onClick={logOut}>Log Out</button>
                 ) : (
-                  <Link to={routes.signin()}>Sign In</Link>
+                  <Link to={routes.login()}>Sign In</Link>
                 )}
               </div>
             </header>

web/src/layouts/DefaultLayout/DefaultLayout.js

@@ -97,7 +97,7 @@ const LoginPortal = () => {
   )
 }
 
-const SignInPage = () => {
+const LoginPage = () => {
   return (
     <>
       <MetaTags title="Sign In" description="Join to start collecting." />
@@ -106,4 +106,4 @@ const SignInPage = () => {
   )
 }
 
-export default SignInPage
+export default LoginPage

web/src/pages/SignInPage/SignInPage.js renamed to web/src/pages/LoginPage/LoginPage.js

@@ -0,0 +1,7 @@
+import LoginPage from './LoginPage'
+
+export const generated = () => {
+  return <LoginPage />
+}
+
+export default { title: 'Pages/LoginPage' }

web/src/pages/LoginPage/LoginPage.stories.js

@@ -1,11 +1,11 @@
 import { render } from '@redwoodjs/testing'
 
-import SignInPage from './SignInPage'
+import LoginPage from './LoginPage'
 
-describe('SignInPage', () => {
+describe('LoginPage', () => {
   it('renders successfully', () => {
     expect(() => {
-      render(<SignInPage />)
+      render(<LoginPage />)
     }).not.toThrow()
   })
 })