28-openid-connect/authorizationServer.js

var express = require("express");
var url = require("url");
var bodyParser = require('body-parser');
var randomstring = require("randomstring");
var cons = require('consolidate');
var nosql = require('nosql').load('database.nosql');
var querystring = require('querystring');
var qs = require("qs");
var __ = require('underscore');
__.string = require('underscore.string');
var base64url = require('base64url');
var jose = require('jsrsasign');

var app = express();

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true })); // support form-encoded bodies (for the token endpoint)

app.engine('html', cons.underscore);
app.set('view engine', 'html');
app.set('views', 'files/authorizationServer');
app.set('json spaces', 4);

// authorization server information
var authServer = {
    authorizationEndpoint: 'http://localhost:9001/authorize',
    tokenEndpoint: 'http://localhost:9001/token'
};

// client information
var clients = [
    {
        "client_id": "oauth-client-1",
        "client_secret": "oauth-client-secret-1",
        "redirect_uris": ["http://localhost:9000/callback"],
        "scope": "openid profile email phone address"
    }
];

var rsaKey = {
    "alg": "RS256",
    "d": "ZXFizvaQ0RzWRbMExStaS_-yVnjtSQ9YslYQF1kkuIoTwFuiEQ2OywBfuyXhTvVQxIiJqPNnUyZR6kXAhyj__wS_Px1EH8zv7BHVt1N5TjJGlubt1dhAFCZQmgz0D-PfmATdf6KLL4HIijGrE8iYOPYIPF_FL8ddaxx5rsziRRnkRMX_fIHxuSQVCe401hSS3QBZOgwVdWEb1JuODT7KUk7xPpMTw5RYCeUoCYTRQ_KO8_NQMURi3GLvbgQGQgk7fmDcug3MwutmWbpe58GoSCkmExUS0U-KEkHtFiC8L6fN2jXh1whPeRCa9eoIK8nsIY05gnLKxXTn5-aPQzSy6Q",
    "e": "AQAB",
    "n": "p8eP5gL1H_H9UNzCuQS-vNRVz3NWxZTHYk1tG9VpkfFjWNKG3MFTNZJ1l5g_COMm2_2i_YhQNH8MJ_nQ4exKMXrWJB4tyVZohovUxfw-eLgu1XQ8oYcVYW8ym6Um-BkqwwWL6CXZ70X81YyIMrnsGTyTV6M8gBPun8g2L8KbDbXR1lDfOOWiZ2ss1CRLrmNM-GRp3Gj-ECG7_3Nx9n_s5to2ZtwJ1GS1maGjrSZ9GRAYLrHhndrL_8ie_9DS2T-ML7QNQtNkg2RvLv4f0dpjRYI23djxVtAylYK4oiT_uEMgSkc4dxwKwGuBxSO0g9JOobgfy0--FUHHYtRi0dOFZw",
    "kty": "RSA",
    "kid": "authserver"
};

var userInfo = {
    "alice": {
        "sub": "9XE3-JI34-00132A",
        "preferred_username": "alice",
        "name": "Alice",
        "email": "alice.wonderland@example.com",
        "email_verified": true
    },

    "bob": {
        "sub": "1ZT5-OE63-57383B",
        "preferred_username": "bob",
        "name": "Bob",
        "email": "bob.loblob@example.net",
        "email_verified": false
    }
};

var getUser = function(username) {
    return userInfo[username];
};

var codes = {};

var requests = {};

var getClient = function(clientId) {
    return __.find(clients, function(client) { return client.client_id == clientId; });
};

var getProtectedResource = function(resourceId) {
    return __.find(protectedResources, function(resource) { return resource.resource_id == resourceId; });
};

app.get('/', function(req, res) {
    res.render('index', {clients: clients, authServer: authServer});
});

app.get("/authorize", function(req, res) {
    var client = getClient(req.query.client_id);

    if (!client) {
        console.log('Unknown client %s', req.query.client_id);
        res.render('error', {error: 'Unknown client'});
        return;
    } else if (!__.contains(client.redirect_uris, req.query.redirect_uri)) {
        console.log('Mismatched redirect URI, expected %s got %s', client.redirect_uris, req.query.redirect_uri);
        res.render('error', {error: 'Invalid redirect URI'});
        return;
    } else {

        var rscope = req.query.scope ? req.query.scope.split(' ') : undefined;
        var cscope = client.scope ? client.scope.split(' ') : undefined;
        if (__.difference(rscope, cscope).length > 0) {
            // client asked for a scope it couldn't have
            var urlParsed = buildUrl(req.query.redirect_uri, {
                error: 'invalid_scope'
            });
            res.redirect(urlParsed);
            return;
        }

        var reqid = randomstring.generate(8);

        requests[reqid] = req.query;

        res.render('approve', {client: client, reqid: reqid, scope: rscope});
        return;
    }
});

app.post('/approve', function(req, res) {
    var reqid = req.body.reqid;
    var query = requests[reqid];
    delete requests[reqid];

    if (!query) {
        // there was no matching saved request, this is an error
        res.render('error', {error: 'No matching authorization request'});
        return;
    }

    if (req.body.approve) {
        if (query.response_type == 'code') {
            // user approved access
            var code = randomstring.generate(8);

            var user = getUser(req.body.user);

            var scope = getScopesFromForm(req.body);

            var client = getClient(query.client_id);
            var cscope = client.scope ? client.scope.split(' ') : undefined;
            if (__.difference(scope, cscope).length > 0) {
                // client asked for a scope it couldn't have
                var urlParsed = buildUrl(query.redirect_uri, {
                    error: 'invalid_scope'
                });
                res.redirect(urlParsed);
                return;
            }

            // save the code and request for later
            codes[code] = { request: query, scope: scope, user: user };

            var urlParsed = buildUrl(query.redirect_uri, {
                code: code,
                state: query.state
            });
            res.redirect(urlParsed);
            return;
        } else {
            // we got a response type we don't understand
            var urlParsed = buildUrl(query.redirect_uri, {
                error: 'unsupported_response_type'
            });
            res.redirect(urlParsed);
            return;
        }
    } else {
        // user denied access
        var urlParsed = buildUrl(query.redirect_uri, {
            error: 'access_denied'
        });
        res.redirect(urlParsed);
        return;
    }
});

app.post("/token", function(request, response) {
    var auth = request.headers['authorization'];
    if (auth) {
        // check the auth header
        var clientCredentials = decodeClientCredentials(auth);
        var clientId = clientCredentials.id;
        var clientSecret = clientCredentials.secret;
    }

    // otherwise, check the post body
    if (request.body.client_id) {
        if (clientId) {
            // if we've already seen the client's credentials in the authorization header, this is an error
            console.log('Client attempted to authenticate with multiple methods');
            response.status(401).json({error: 'invalid_client'});
            return;
        }

        var clientId = request.body.client_id;
        var clientSecret = request.body.client_secret;
    }

    var client = getClient(clientId);
    if (!client) {
        console.log('Unknown client %s', clientId);
        response.status(401).json({error: 'invalid_client'});
        return;
    }

    if (client.client_secret != clientSecret) {
        console.log('Mismatched client secret, expected %s got %s', client.client_secret, clientSecret);
        response.status(401).json({error: 'invalid_client'});
        return;
    }

    if (request.body.grant_type == 'authorization_code') {
        var code = codes[request.body.code];

        if (code) {
            delete codes[request.body.code]; // burn our code, it's been used
            if (code.request.client_id == clientId) {

                var access_token = randomstring.generate();
                nosql.insert({ access_token: access_token, client_id: clientId, scope: code.scope, user: code.user });

                console.log('Issuing access token %s', access_token);
                console.log('with scope %s', code.scope);

                var cscope = null;
                if (code.scope) {
                    cscope = code.scope.join(' ');
                }

                var token_response = { access_token: access_token, token_type: 'Bearer',  scope: cscope };

                if (__.contains(code.scope, "openid") && code.user) {
                    var header = {"typ": "JWT", "alg": rsaKey.alg, "kid": rsaKey.kid};

                    var ipayload = {
                        iss: 'http://localhost:9001/',
                        sub: code.user.sub,
                        aud: client.client_id,
                        iat: Math.floor(Date.now() / 1000),
                        exp: Math.floor(Date.now() / 1000) + (5 * 60)
                    };
                    if (code.request.nonce) {
                        ipayload.nonce = code.request.nonce;
                    }

                    var privateKey = jose.KEYUTIL.getKey(rsaKey);
                    var id_token = jose.jws.JWS.sign(header.alg, JSON.stringify(header), JSON.stringify(ipayload), privateKey);

                    console.log("Issuing ID token as '%s'", id_token);

                    token_response.id_token = id_token;
                }

                response.status(200).json(token_response);
                console.log('Issued tokens for code %s', request.body.code);

                return;
            } else {
                console.log('Client mismatch, expected %s got %s', code.request.client_id, clientId);
                response.status(400).json({error: 'invalid_grant'});
                return;
            }
        } else {
            console.log('Unknown code, %s', request.body.code);
            response.status(400).json({error: 'invalid_grant'});
            return;
        }
    } else {
        console.log('Unknown grant type %s', req.body.grant_type);
        response.status(400).json({error: 'unsupported_grant_type'});
    }
});

var buildUrl = function(base, options, hash) {
    var newUrl = url.parse(base, true);
    delete newUrl.search;
    if (!newUrl.query) {
        newUrl.query = {};
    }
    __.each(options, function(value, key, list) {
        newUrl.query[key] = value;
    });
    if (hash) {
        newUrl.hash = hash;
    }

    return url.format(newUrl);
};

var getScopesFromForm = function(body) {
    return __.filter(__.keys(body), function(s) { return __.string.startsWith(s, 'scope_'); })
                .map(function(s) { return s.slice('scope_'.length); });
};

var decodeClientCredentials = function(auth) {
    var clientCredentials = Buffer.from(auth.slice('basic '.length), 'base64').toString().split(':');
    var clientId = querystring.unescape(clientCredentials[0]);
    var clientSecret = querystring.unescape(clientCredentials[1]);
    return { id: clientId, secret: clientSecret };
};

app.use('/', express.static('files/authorizationServer'));

// clear the database
nosql.clear();

var server = app.listen(9001, 'localhost', function () {
    var host = server.address().address;
    var port = server.address().port;

    console.log('OAuth Authorization Server is listening at http://%s:%s', host, port);
});