@okta/oidc-middleware - npm Package Compare versions

Comparing version 1.0.2 to 2.0.0

CHANGELOG.md

@@ -0,1 +1,26 @@
+# 2.0.0
+
+### Features
+
+- [`a4b54f7`](https://github.com/okta/okta-oidc-js/commit/a4b54f771e19f2eeece46a39ded135550061f2a1) - adds Okta logout capability
+
+- [`a999b95`](https://github.com/okta/okta-oidc-js/commit/a999b959c98bfea2f138281b2f93efb2d2d5fac7) - adds appBaseUrl, removes redirect_uri
+
+- Adds Okta logout capability (informing Okta that the session is ended rather than just locally forgetting the current session) ([#162](https://github.com/okta/okta-oidc-js/issues/162))
+
+### Breaking Changes 
+
+See "Updating" in the README for migration steps
+
+- `redirect_uri` config option is dropped.  The value is either automatically derived from the `appBaseUrl` and the appropriate `routes` option, or explicitly set as `loginRedirectUri`
+- Two new routes are automatically generated and will override manually created routes of the same path.  Unless `routes` is customized, they are `/logout` (POST only) and `/logout/callback`
+- `routes.callback` is renamed to `routes.loginCallback`
+- `routes.callback.defaultRedirect` is renamed to `routes.loginCallback.afterCallback`
+
+# 1.0.2
+
+### Other
+
+- [`2945461`](https://github.com/okta/okta-oidc-js/pull/338/commits/294546166a41173b699579d7d647ba7d5cab0764) - Updates `@okta/configuration-validation` version.
+
 # 1.0.1
@@ -2,0 +27,0 @@

package.json

 {
   "name": "@okta/oidc-middleware",
-  "version": "1.0.2",
+  "version": "2.0.0",
   "description": "OpenId Connect middleware for authorization code flows",
@@ -20,3 +20,4 @@ "repository": "https://github.com/okta/okta-oidc-js",
     "test": "yarn test:unit && yarn test:e2e && yarn test:integration",
-    "test:e2e": "webdriver-manager update --gecko false && protractor test/e2e/conf.js",
+    "pretest:e2e": "./node_modules/.bin/webdriver-manager update --versions.chrome 2.45 --gecko false",
+    "test:e2e": "protractor test/e2e/conf.js",
     "test:integration": "../../scripts/tck.sh",
@@ -30,3 +31,3 @@ "test:unit": "jest test/unit"
   "dependencies": {
-    "@okta/configuration-validation": "^0.1.1",
+    "@okta/configuration-validation": "^0.2.0",
     "body-parser": "^1.18.2",
@@ -38,2 +39,3 @@ "connect-ensure-login": "^0.1.1",
     "negotiator": "^0.6.1",
+    "node-fetch": "^2.3.0",
     "openid-client": "2.1.0",
@@ -40,0 +42,0 @@ "passport": "^0.3.2",

README.md

@@ -14,2 +14,3 @@ [<img src="https://devforum.okta.com/uploads/oktadev/original/1X/bf54a16b5fda189e4ad2706fb57cbb7a1e5b8deb.png" align="right" width="256px"/>](https://devforum.okta.com/)
 * [API reference](#api-reference)
+* [Upgrading](#upgrading)
 * [Contributing](#contributing)
@@ -23,7 +24,8 @@
 
-:heavy_check_mark: The current stable major version series is: 1.x
+:heavy_check_mark: The current stable major version series is: 2.x
 
 | Version | Status                    |
 | ------- | ------------------------- |
-| 1.x     | :heavy_check_mark: Stable |
+| 2.x     | :heavy_check_mark: Stable |
+| 1.x     | :x: Deprecated            |
 | 0.x     | :x: Retired               |
@@ -42,4 +44,6 @@
 
-Installing the Okta Node JS OIDC MIddlware in your project is simple.
+See [Upgrading](#upgrading) for information on updating to the latest version of the library.
 
+Installing the Okta Node JS OIDC Middlware in your project is simple.
+
 ```sh
@@ -73,3 +77,3 @@ # npm
   client_secret: '{clientSecret}',
-  redirect_uri: 'http://localhost:3000/authorization-code/callback',
+  appBaseUrl: '{appBaseUrl}',
   scope: 'openid profile'
@@ -84,5 +88,11 @@ });
 app.use(oidc.router);
+
 app.get('/', (req, res) => {
   if (req.userContext) {
-    res.send(`Hello ${req.userContext.userinfo.name}! <a href="logout">Logout</a>`);
+    res.send(`
+      Hello ${req.userContext.userinfo.name}!
+      <form method="POST" action="/logout">
+        <button type="submit">Logout</button>
+      </form>
+    ');
   } else {
@@ -92,14 +102,13 @@ res.send('Please <a href="/login">login</a>');
 });
+
 app.get('/protected', oidc.ensureAuthenticated(), (req, res) => {
   res.send('Top Secret');
 });
-app.get('/logout', (req, res) => {
-  req.logout();
-  res.redirect('/');
-});
+
 oidc.on('ready', () => {
   app.listen(3000, () => console.log('app started'));
 });
+
 oidc.on('error', err => {
-  // An error occurred while setting up OIDC
+  // An error occurred while setting up OIDC, during token revokation, or during post-logout handling
 });
@@ -115,3 +124,4 @@ ```
   * [oidc.on('error', callback)](#oidconerror-callback)
-  * [oidc.ensureAuthenticated({ redirectTo?: '/uri' })](#oidcensureauthenticated-redirectto-uri)
+  * [oidc.ensureAuthenticated({ redirectTo?: '/uri' })](#oidcensureauthenticated-redirectto-uri-)
+  * [oidc.forceLogoutAndRevoke()](#oidcforcelogoutandrevoke)
   * [req.isAuthenticated()](#reqisauthenticated)
@@ -139,3 +149,3 @@ * [req.logout()](#reqlogout)
   client_secret: '{clientSecret}',
-  redirect_uri: '{redirectUri}',
+  appBaseUrl: 'https://{yourdomain}',
   scope: 'openid profile'
@@ -150,6 +160,8 @@ });
 * **client_secret** - A secret provided when you create an OIDC app in your Okta Org
-* **redirect_uri** - The callback for your app. Locally, this is usually `http://localhost:3000/authorization-code/callback`. When deployed, this should be `https://{yourProductionDomain}/authorization-code/callback`.
+* **appBaseUrl** - The base scheme, host, and port (if not 80/443) of your app, not including any path (e.g. http://localhost:3000, not http://localhost:3000/ )  
 
 Optional config:
 
+* **loginRedirectUri** - The URI for your app that Okta will redirect users to after sign in to create the local session.  Locally, this is usually `http://localhost:3000/authorization-code/callback`. When deployed, this should be `https://{yourProductionDomain}/authorization-code/callback`.  This will default to `{appBaseUrl}{routes.loginCallback.path}` if `appBaseUrl` is provided, or the (deprecated) `redirect_uri` if `appBaseUrl` is not provided.  Unless your redirect is to a different application, it is recommended to NOT set this parameter and instead set `appBaseUrl` and (if different than the default of `/authorization-code/callback`) `routes.loginCallback.path`.
+* **logoutRedirectUri** - The URI for your app that Okta will redirect users to after sign out to clean up the local session.  Locally this is usually `http://localhost:3000/logout/callback`.  When deployed, this should be `https://{yourProductionDomain}/logout/callback`.  This will default to `{appBaseUrl}{routes.logoutCallback.path}` if `appBaseUrl` is provided.  Unless your redirect is to a different application, it is recommended to NOT set this parameter and instead set `appBaseUrl` and (if different than the default of `/logout/callback`) `routes.logoutCallback.path`.
 * **response_type** - Defaults to `code`
@@ -175,6 +187,9 @@ * **scope** - Defaults to `openid`, which will only return the `sub` claim. To obtain more information about the user, use `openid profile`. For a list of scopes and claims, please see [Scope-dependent claims](https://developer.okta.com/standards/OIDC/index.html#scope-dependent-claims-not-always-returned) for more information.
 
-It's required in order for `ensureAuthenticated` and `isAuthenticated` to work and adds the following routes:
+The router is required in order for `ensureAuthenticated`, and `isAuthenticated`, and `forceLogoutAndRevoke` to work and adds the following routes:
 
 * `/login` - redirects to the Okta sign-in page by default
 * `/authorization-code/callback` - processes the OIDC response, then attaches userinfo to the session
+* `/logout` - revokes any known Okta access/refresh tokens, then redirects to the Okta logout endpoint which then redirects back to a callback url for logout specified in your Okta settings
+* `/logout/callback` - the default callback url that Okta will redirect back to after the session at Okta is ended
+The paths for these generated routes can be customized using the `routes` config, see [Customizing Routes](#customizing-routes) for details.
 
@@ -193,7 +208,10 @@ #### oidc.on('ready', callback)
 
-This is triggered if an error occurs while ExpressOIDC is trying to start.
+This is triggered if an error occurs
+* while ExpressOIDC is trying to start
+* if an error occurs while calling the Okta `/revoke` service endpoint on the users tokens while logging out
+* if the state value for a logout does not match the current session
 
 ```javascript
 oidc.on('error', err => {
-  // An error occurred while setting up OIDC
+  // An error occurred 
 });
@@ -212,4 +230,14 @@ ```
 
-The `redirectTo` option can be used to redirect the user to a specific URI on your site, after a successful authentication callback.
+The `redirectTo` option can be used to redirect the user to a specific URI on your site after a successful authentication callback.
 
+#### oidc.forceLogoutAndRevoke()
+
+Use this to define a route that will force a logout of the user from Okta and the local session.  Because logout involves redirecting to Okta and then to the logout callback URI, the body of this route will never directly execute.  It is recommended to not perform logout on GET queries as it is prone to attacks and/or prefetching misadventures.
+
+```javascript
+app.post('/forces-logout', oidc.forceLogoutAndRevoke(), (req, res) => {
+  // Nothing here will execute, after the redirects the user will end up wherever the `routes.logoutCallback.afterCallback` specifies (default `/`)
+});
+```
+
 #### req.isAuthenticated()
@@ -231,6 +259,6 @@
 
-This allows you to end the session.
+This allows you to end the local session while leaving the user logged in to Okta, meaning that if they attempt to reauthenticate to your app they will not be prompted to re-enter their credentials unless their Okta session has expired.  To end the Okta session, POST to the autogenerated `/logout` route or send the user to a route you defined using the `oidc.forceLogoutAndRevoke()` method above.
 
 ```javascript
-app.get('/logout', (req, res) => {
+app.get('/local-logout', (req, res) => {
   req.logout();
@@ -281,3 +309,3 @@ res.redirect('/');
     },
-    callback: {
+    loginCallback: {
       path: '/different/callback',
@@ -287,3 +315,10 @@ handler: (req, res, next) => {
       },
-      defaultRedirect: '/home'
+      afterCallback '/home'
+    },
+    logout: {
+      path: '/different/logout'
+    },
+    logoutCallback: {
+      path: '/different/logout-callback',
+      afterCallback: '/thank-you'
     }
@@ -294,7 +329,10 @@ }
 
-* **`callback.defaultRedirect`** - Where the user is redirected to after a successful authentication callback, if no `returnTo` value was specified by `oidc.ensureAuthenticated()`. Defaults to `/`.
-* **`callback.failureRedirect`** - Where the user is redirected to after authentication failure, defaults to a page which just shows error message.
-* **`callback.handler`** - A function that is called after a successful authentication callback, but before the final redirect within your application. Useful for requirements such as conditional post-authentication redirects, or sending data to logging systems.
-* **`callback.path`** - The URI that this library will host the callback handler on. Defaults to `/authorization-code/callback`
-* **`login.path`** - The URI that redirects the user to the authorize endpoint. Defaults to `/login`.
+* **`loginCallback.afterCallback`** - Where the user is redirected to after a successful authentication callback, if no `redirectTo` value was specified by `oidc.ensureAuthenticated()`. Defaults to `/`.
+* **`loginCallback.failureRedirect`** - Where the user is redirected to after authentication failure. Defaults to a page which just shows error message.
+* **`loginCallback.handler`** - A function that is called after a successful authentication callback, but before the final redirect within your application. Useful for requirements such as conditional post-authentication redirects, or sending data to logging systems.
+* **`loginCallback.path`** - The URI that this library will host the login callback handler on. Defaults to `/authorization-code/callback`.  Must match a value from the Login Redirect Uri list from the Okta console for this application.
+* **`login.path`** - The URI that redirects the user to the Okta authorize endpoint. Defaults to `/login`.
+* **`logout.path`** - The URI that redirects the user to the Okta logout endpoint.  Defaults to `/logout`.
+* **`logoutCallback.afterCallback`** - Where the user is redirected to after a successful logout callback, if no `redirectTo` value was specified by `oidc.forceLogoutAndRevoke()`.  Defaults to `/`.
+* **`logoutCallback.path`** - The URI that this library will host the logout callback handler on.  Defaults to `/logout/callback`.  Must match a value from the Logout Redirect Uri list from the Okta console for this application.
 
@@ -385,4 +423,45 @@ #### Using a Custom Login Page
 
+### Upgrading 
+
+#### from 1.x to 2.x
+
+The 2.x improves support for default options without removing flexibility and adds logout functionality that includes Okta logout and token revocation, not just local session destruction.
+
+Specify the `appBaseUrl` property in your config - this is the base scheme + domain + port for your application that will be used for generating the URIs validated against the Okta settings for your application.
+
+Remove the `redirect_uri` property in your config.
+  * If you are using the Okta default value (appBaseUrl + /authorization-code/callback) it will be given a route by default, no additional configuration required.
+  * If you are NOT using the Okta default value, but are using a route on the same server indicated by your appBaseUrl, you should define your login callback path in your routes.loginCallback.path config (see [the API reference](#expressoidc-api)).
+
+Specify the `appBaseUrl` property in your config - this is the base scheme + domain + port for your application that will be used for generating the URIs validated against the Okta settings for your application.
+
+Remove the `redirect_uri` property in your config.
++  * If you are using the Okta default value (appBaseUrl + /authorization-code/callback) it will be given a route by default, no additional configuration required.
++  * If you are NOT using the Okta default value, but are using a route on the same server indicated by your appBaseUrl, you should define your login callback path in your routes.loginCallback.path config (see [the API reference](#expressoidc-api)).
+
+Any customization previously done to `routes.callback` should now be done to `routes.loginCallback` as the name of that property object has changed.
+
+Any value previously set for `routes.callback.defaultRedirect` should now be done to `routes.loginCallback.afterCallback`.  
+
+##### Straightforward Okta logout for your app
+
+Configure a logout redirect uri for your application in the Okta admin console for your application, if one is not already defined
+  * If you do not, logouts will not return to your application but will end on the Okta site
+  * Okta recommends `{appBaseUrl}/logout/callback`.  Be sure to fully specify the uri for your application
+  * If you chose a different logout redirect uri, specify the path for the local route to create in your routes.logoutCallback.path value (see [the API reference](#expressoidc-api)).
+
+By default the middleware will create a `/logout` (POST only) route.  You should remove any local `/logout` route you have added - if it only destroyed the local session (per the example from the 1.x version of this library) you can simply remove it.  If it did additional post-logout logic, you can change the path of the route and list that path in the route.logoutCallback.afterCallback option (see [the API reference](#expressoidc-api)).
+
+##### Local logout
+
+If you had previously implemented a '/logout' route that called `req.logout()` (performing a local logout for your app) you should remove that route and use the new automatically added `/logout` route.  If you used that route using direct links or GET requests, those will have to become POST requests.  You can create a GET route for /logout, but that as a GET request is open for abuse and/or pre-fetching complications it is not recommended.
+
+If you desire to have a route that performs a local logout while leaving the user logged in to Okta, you can create any route you wish (that does not conflict with automatically created routes) and call `req.logout()` to destroy your local session without altering the status of the user's browser session at Okta.
+
+#### Okta with additional apps
+
+If you had the `redirect_uri` pointing to a different application than this one, replace `redirect_uri` with `loginRedirectUri`, and consider if you need to set `logoutRedirectUri`.
+
 ## Contributing
 
 We're happy to accept contributions and PRs! Please see the [contribution guide](https://github.com/okta/okta-oidc-js/blob/master/CONTRIBUTING.md) to understand how to structure a contribution.

src/connectUtil.js

@@ -19,2 +19,3 @@ /*!
 const bodyParser = require('body-parser');
+const logout = require('./logout');
 
@@ -25,2 +26,3 @@ const connectUtil = module.exports;
 connectUtil.createOIDCRouter = context => {
+  const routes = context.options.routes;
   const oidcRouter = new Router();
@@ -30,12 +32,12 @@ oidcRouter.use(passport.initialize({ userProperty: 'userContext' }));
 
-  const {
-    login: {
-      path:loginPath
-    },
-    callback: {
-      path:callbackPath
-    }
-  } = context.options.routes;
+  const loginPath = routes.login.path;
+  const loginCallbackPath = routes.loginCallback.path;
+  const logoutPath = routes.logout.path;
+  const logoutCallbackPath = routes.logoutCallback.path;
+
   oidcRouter.use(loginPath, bodyParser.urlencoded({ extended: false}), connectUtil.createLoginHandler(context));
-  oidcRouter.use(callbackPath, connectUtil.createCallbackHandler(context));
+  oidcRouter.use(loginCallbackPath, connectUtil.createLoginCallbackHandler(context));
+  oidcRouter.post(logoutPath, connectUtil.createLogoutHandler(context));
+  oidcRouter.use(logoutCallbackPath, connectUtil.createLogoutCallbackHandler(context));
+
   oidcRouter.use((err, req, res, next) => {
@@ -69,3 +71,3 @@ // Cast all errors from the passport strategy as 401 (rather than 500, which would happen if we just call through to next())
           client_id: context.options.client_id,
-          redirect_uri: context.options.redirect_uri,
+          redirect_uri: context.options.loginRedirectUri,
           scope: context.options.scope,
@@ -87,10 +89,13 @@ response_type: 'code',
 
-connectUtil.createCallbackHandler = context => {
-  const customHandler = context.options.routes.callback.handler;
+connectUtil.createLoginCallbackHandler = context => {
+  const routes = context.options.routes;
+  const customHandler = routes.loginCallback.handler;
+
   if (!customHandler) {
     return passport.authenticate('oidc', {
-      successReturnToOrRedirect: context.options.routes.callback.defaultRedirect,
-      failureRedirect: context.options.routes.callback.failureRedirect
+      successReturnToOrRedirect: routes.loginCallback.afterCallback,
+      failureRedirect: routes.loginCallback.failureRedirect
     });
   }
+
   const customHandlerArity = customHandler.length;
@@ -114,1 +119,14 @@ return (req, res, next) => {
 };
+
+connectUtil.createLogoutHandler = context => logout.forceLogoutAndRevoke(context);
+
+connectUtil.createLogoutCallbackHandler = context => {
+  return (req, res) => {
+    if ( req.session[context.options.sessionKey].state !== req.query.state ) {
+      context.emitter.emit('error', { type: 'logoutError', message: `'state' parameter did not match value in session` });
+    } else {
+      req.logout();
+      res.redirect(context.options.routes.logoutCallback.afterCallback);
+    };
+  };
+};

src/ExpressOIDC.js

@@ -14,5 +14,7 @@ /*!
 const EventEmitter = require('events').EventEmitter;
-const _ = require('lodash');
+const merge = require('lodash/merge');
 const oidcUtil = require('./oidcUtil');
 const connectUtil = require('./connectUtil');
+const logout = require('./logout');
+
 const {
@@ -22,2 +24,3 @@ assertIssuer,
   assertClientSecret,
+  assertAppBaseUrl,
   assertRedirectUri
@@ -37,6 +40,8 @@ } = require('@okta/configuration-validation');
    * @param {Object} options
+   * @param {string} options.appBaseUrl The protocol+domain+port of this app
    * @param {string} options.issuer The OpenId Connect issuer
    * @param {string} options.client_id This app's OpenId Connect client id
    * @param {string} options.client_secret This app's OpenId Connect client secret
-   * @param {string} options.redirect_uri The location of the authorization callback
+   * @param {string} options.loginRedirectUri The location of the login authorization callback if not redirecting to this app 
+   * @param {string} options.logoutRedirectUri The location of the logout callback if not redirecting to this app
    * @param {string} [options.scope=openid] The scopes that will determine the claims on the tokens
@@ -49,6 +54,6 @@ * @param {string} [options.response_type=code] The OpenId Connect response type
    * @param {string} [options.routes.login.path=/login] Path where the login middleware is hosted
-   * @param {Object} [options.routes.callback]
-   * @param {string} [options.routes.callback.path=/authorization-code] Path where the callback middleware is hosted
-   * @param {string} [options.routes.callback.defaultRedirect=/] Where to redirect if there is no returnTo path defined
-   * @param {Function} [options.routes.callback.handler] This handles responses from the OpenId Connect callback
+   * @param {Object} [options.routes.loginCallback
+   * @param {string} [options.routes.loginCallback.path=/authorization-code] Path where the callback middleware is hosted
+   * @param {string} [options.routes.loginCallback.afterCallback=/] Where to redirect once callback is complete
+   * @param {Function} [options.routes.loginCallback.handler] This handles responses from the OpenId Connect callback
    */
@@ -62,3 +67,5 @@ constructor(options = {}) {
       client_secret,
-      redirect_uri,
+      appBaseUrl,
+      loginRedirectUri,
+      logoutRedirectUri,
       sessionKey
@@ -76,7 +83,7 @@ } = options;
 
-    // Validate the redirect_uri param
-    assertRedirectUri(redirect_uri);
+    // Validate the appBaseUrl param
+    assertAppBaseUrl(appBaseUrl);
 
     // Add defaults to the options
-    options = _.merge({
+    options = merge({
       response_type: 'code',
@@ -88,13 +95,28 @@ scope: 'openid',
         },
-        callback: {
+        loginCallback: {
           path: '/authorization-code/callback',
-          defaultRedirect: '/'
+          afterCallback: '/'
+        },
+        logout: {
+          path: '/logout'
+        },
+        logoutCallback: {
+          path: '/logout/callback',
+          afterCallback: '/'
         }
       },
-      sessionKey: sessionKey || `oidc:${options.issuer}`,
+      sessionKey: sessionKey || `oidc:${issuer}`,
       maxClockSkew: 120
-    }, options)
+    }, options);
 
+    // Build redirect uri unless explicitly set
+    options.loginRedirectUri = loginRedirectUri || `${appBaseUrl}${options.routes.loginCallback.path}`;
+    options.logoutRedirectUri = logoutRedirectUri || `${appBaseUrl}${options.routes.logoutCallback.path}`;
+
+    // Validate the redirect_uri param
+    assertRedirectUri(options.loginRedirectUri);
+
     const context = {
-      options
+      options,
+      emitter: this
     };
@@ -122,2 +144,12 @@
 
+    /**
+     * Perform a logout at the Okta side and revoke the id/access tokens
+     * Will 200 even if user is not logged in
+     *
+     * @instance
+     * @function
+     * @memberof ExpressOIDC
+     */
+    this.forceLogoutAndRevoke = logout.forceLogoutAndRevoke.bind(null, context);
+
     // create client
@@ -128,6 +160,6 @@ oidcUtil.createClient(context)
       oidcUtil.bootstrapPassportStrategy(context);
-      this.emit('ready');
+      context.emitter.emit('ready');
     })
-    .catch(err => this.emit('error', err));
+    .catch(err => context.emitter.emit('error', err));
   }
 };

src/oidcUtil.js

@@ -47,3 +47,3 @@ /*!
     client_secret,
-    redirect_uri,
+    loginRedirectUri: redirect_uri,
     maxClockSkew,
@@ -91,3 +91,3 @@ timeout
   passport.use('oidc', oidcStrategy);
-}
+};
 
@@ -107,2 +107,2 @@ oidcUtil.ensureAuthenticated = (context, options) => {
   };
-}
+};

New alerts

Network access

Supply chain risk

This module accesses the network.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

54314

increased by35.09%

Number of package files

9

increased by12.5%

Lines of code

418

increased by32.28%

Number of lines in readme file

451

increased by21.24%

Worsened metrics

Dependency count

11

increased by10%

Number of medium supply chain risk alerts

1

increased byInfinity%

Dependency changes

• + Addednode-fetch@^2.3.0

• + Added@okta/configuration-validation@0.2.0(transitive)

• + Addednode-fetch@2.7.0(transitive)

• + Addedtr46@0.0.3(transitive)

• + Addedwebidl-conversions@3.0.1(transitive)

• + Addedwhatwg-url@5.0.0(transitive)

• - Removed@okta/configuration-validation@0.1.1(transitive)

• Updated@okta/configuration-validation@^0.2.0