
I've read the documentation for node-oidc-provider up and down, and all of SO, and I am not getting any luck from any search engine, so I ask you, the great SO organism, for help.

I am currently trying to set up my own authentication server (as a layer between Azure AD and all of my apps) like https://auth.<something>.com, so the users requiring AD login can use my auth server instead of messing around with AD.

The end game is to provide a dev platform for the developers, providing API keys and authentication for their applications.

Now, to the question. How do I use node-oidc-provider for this? From the documentation, you set it up like so:

import express from 'express';
import Provider from 'oidc-provider'; // the library also exposes it as a named export

const app = express();
…
const configuration = {
  clients: [
    {
      client_id: 'oidc_client',
      client_secret: 'a_different_secret',
      grant_types: ['authorization_code'],
      response_types: ['code'],
      redirect_uris: []
    }
  ]
  …
};

const oidc = new Provider('http://localhost:3000', configuration as any);

app.use('/oidc', oidc.callback());
app.listen(3000);

But the documentation is, in my opinion, not helping with my issue, so I have some questions as well regarding the setup:

  1. In `clients`, is this a list of providers that my auth server will use? Should I add AD credentials here? Or is this a list of clients that will connect to my auth server?
  2. `client_id`: is this the ID of my auth server, or is this the ID of a provider's auth server?
  3. `client_secret`: my secret (and how do I generate this?), or a provider secret, or a consumer client secret?
  4. `grant_types` and `response_types`: is this what AD supports/what I want from AD, or is this what my server should offer, or what my consumer clients will require?
  5. `redirect_uris` is confusing for me, and normally this should be something for the consumer client to add in their oidc-client setup, or? If this is a redirect for the auth server to redirect to after authentication, shouldn't this be dynamic, as in, the consumer client should decide where to redirect to? If this is the consumer client redirect after authentication, I will never know what the preferred redirect URI for the consumer clients to use is. If this is the AD provider's redirect URI, again, I will never know what the client prefers to use as a redirect URI.

Basically, any consumer client that wants to use my auth server should do something like this:

import { Issuer } from 'openid-client';

const authEndpoint = process.env.AUTH_URL; // https://auth.<something>.com
const dpIssuer = new Issuer({
  issuer: `${authEndpoint}/oidc/`,
  authorization_endpoint: `${authEndpoint}/oidc/authorize`,
  token_endpoint: `${authEndpoint}/oidc/token`,
  userinfo_endpoint: `${authEndpoint}/oidc/userInfo`,
  end_session_endpoint: `${authEndpoint}/logout`
});

export const getClient = (applicationUrl = '') => {
  const options = {
    client_id: process.env.CLIENT_ID, // client id provided from my auth server
    client_secret: process.env.CLIENT_SECRET,  // client secret provided from my auth server
    redirect_uris: [`${applicationUrl}/auth/callback`], // whatever redirect uri they want
    response_types: ['code']
  };

  return new dpIssuer.Client(options);
};

And then, for example, in their server setup:

import express from 'express';
import { getClient } from './auth-client'; // module path assumed; wherever getClient above is exported from

const app = express();

app.get('/auth/login', function (req, res) {
  // Build the authorization request against my auth server and send the browser there
  const authorizationUrl = getClient('http://localhost:8080').authorizationUrl({
    scope: 'email openid profile'
  });
  res.redirect(302, authorizationUrl);
});

How do I achieve this? And please let me know if I have missed anything :)

phun-ky
  • I see now, after struggling with this, that I cannot use `node-oidc-provider` in the way I want. So the question is no longer of value relating to `node-oidc-provider`, but perhaps a different framework. – phun-ky Apr 25 '23 at 12:49
