oidc-platform

OpenID Connect Identity Platform

Primary language: JavaScript. License: MIT.

The synapse OpenID Connect platform uses node-oidc-provider to provide user authentication for our clients' applications. node-oidc-provider is an OpenID Connect provider library, so to fully understand the ins and outs of this application you need a working understanding of OpenID Connect.

Usage Documentation

Setting up for development

  1. Copy common.template.env as common.env and provide a Mailgun key.
  2. Set the OIDC_DB_* vars based on which RDBMS you are using.
  3. Run either ./compose-mysql up or ./compose-postgres up. You can also just run docker-compose up, which uses Postgres.
  4. Create an OAuth client by POSTing to http://localhost:9001/op/reg with the following:

     Headers:
     {
         "Content-Type": "application/json",
         "Authorization": "Bearer token1" // common.env -> OIDC_INITIAL_ACCESS_TOKEN value
     }

     Body:
     {
         "response_types": ["code id_token token"],
         "grant_types": [
             "authorization_code",
             "implicit",
             "client_credentials"
         ],
         "redirect_uris": ["https://sso-client.test:3000/"],
         "post_logout_redirect_uris": ["https://sso-client.test:3000/logout"]
     }

  5. In test-client/src create a copy of config.template.js and call it config.js. Fill in the client_id and client_secret of the client you created in the previous step.
  6. Add sso-client.test for 127.0.0.1 to your hosts file.
  7. Run npm i and npm start in test-client and test-client/test-server.

Session Management

Sessions are persisted by default. A user can manually log out by visiting ${prefix}/session/end, and the following query parameters should also be sent: id_token_hint, which lets the provider determine which user is logging out, and post_logout_redirect_uri, which lets the user be redirected back to the client app.
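The two sides of that end-session flow, as an added example that is not code from the oidc-platform repository: the client assembles the ${prefix}/session/end URL with both query parameters, and the provider accepts post_logout_redirect_uri only when it exactly matches a URI the client registered. The prefix, client record, token and helper names below are constructed for the example; the registered logout URI is the one from the setup walkthrough.

```javascript
// Added example, not part of the oidc-platform project. The client record,
// prefix and id_token value are constructed placeholders.

// Constructed client record in the shape a provider keeps after dynamic
// registration: the allow-list is the registered post_logout_redirect_uris.
const sampleClient = {
  client_id: 'client-id-placeholder',
  post_logout_redirect_uris: ['https://sso-client.test:3000/logout'],
};

// Client side: build the logout URL the browser is sent to. id_token_hint
// tells the provider whose session is ending; post_logout_redirect_uri is
// where the provider sends the browser afterwards. `prefix` is the absolute
// issuer prefix, e.g. http://localhost:9001/op in development.
function buildEndSessionUrl(prefix, idToken, postLogoutRedirectUri, state) {
  const url = new URL(`${prefix}/session/end`);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state); // echoed back by the provider
  return url.toString();
}

// Provider side: the requested URI must be a well-formed https URL and must
// equal a registered URI character for character. Prefix or substring
// matching would accept unregistered URIs that merely share the registered
// prefix, which turns the end-session endpoint into an open redirect.
function isAllowedPostLogoutRedirect(client, requestedUri) {
  if (typeof requestedUri !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(requestedUri);
  } catch {
    return false; // relative or malformed URI
  }
  if (parsed.protocol !== 'https:') return false; // no http: or javascript:
  return client.post_logout_redirect_uris.includes(requestedUri);
}

// Decide where the browser goes after the session is ended: the requested
// URI if it passes the allow-list, otherwise a provider-owned fallback page.
function resolvePostLogoutRedirect(client, requestedUri, fallbackUri) {
  return isAllowedPostLogoutRedirect(client, requestedUri) ? requestedUri : fallbackUri;
}

module.exports = { sampleClient, buildEndSessionUrl, isAllowedPostLogoutRedirect, resolvePostLogoutRedirect };
```

Matching by `includes` on the registered list is deliberate: URL normalisation (trailing slashes, default ports, case in the path) is not applied, so the client must send exactly what it registered.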

Clients

Clients can be registered dynamically with the registration endpoint defined in the OIDC provider's Hapi plugin. By default this is ${prefix}/reg. Any of the OpenID Client Metadata can be supplied. The Bearer token for this request is validated against the OIDC_INITIAL_ACCESS_TOKEN environment variable. YOU MUST PROVIDE A STRONG TOKEN in production to prevent unauthorized clients from being added.