Merge pull request #398 from MadAppGang/feature/js_oidc

add fix cookies for oidc
MadAppGang · Mar 15, 2023 · 7e05140 · 7e05140
2 parents 447686f + bb16541
commit 7e05140
Show file tree

Hide file tree

Showing 16 changed files with 180 additions and 7 deletions.
diff --git a/static/web/styles/web-element.css b/static/web/styles/web-element.css
@@ -583,3 +583,7 @@
     margin-bottom: 48px;
   }
 }
+
+.oidc-login__subtitle {
+  margin-top: 12px;
+}
diff --git a/web/api/federated_login.go b/web/api/federated_login.go
@@ -440,6 +440,8 @@ func sessionKey(appId, provider string) string {
 // StoreInSession stores a specified key/value pair in the session.
 func storeInSession(sessionName, key string, value string, req *http.Request, res http.ResponseWriter) error {
 	session, _ := Store.New(req, sessionName)
+	session.Options.SameSite = http.SameSiteNoneMode
+	session.Options.Secure = true
 
 	if err := updateSessionValue(session, key, value); err != nil {
 		return err

diff --git a/web_apps_src/identifo.js/dist/identifo.d.ts b/web_apps_src/identifo.js/dist/identifo.d.ts
@@ -99,6 +99,7 @@ declare enum TFAStatus {
 interface ServerSettingsLoginTypes {
     email: boolean;
     federated: boolean;
+    federated_oidc: boolean;
     phone: boolean;
     username: boolean;
 }
@@ -159,6 +160,7 @@ interface AppSettingsResponse {
     tfaStatus: TFAStatus;
     federatedProviders: FederatedLoginProvider[];
     loginWith: ServerSettingsLoginTypes;
+    federatedOIDCInitURL: string;
 }
 interface User {
     id: string;
@@ -231,6 +233,11 @@ declare class API {
     verifyTFA(code: string, scopes: string[]): Promise<LoginResponse>;
     resendTFA(): Promise<LoginResponse>;
     logout(): Promise<SuccessResponse>;
+    oidcVerify(data: {
+        state: string;
+        code: string;
+        scopes: string[];
+    }): Promise<LoginResponse>;
     invite(email: string, role: string, callbackUrl: string): Promise<InviteResponse>;
     storeToken<T extends TokenResponse>(response: T): T;
 }
@@ -302,6 +309,7 @@ declare enum Routes {
     'PASSWORD_FORGOT_TFA_SELECT' = "password/forgot/tfa/select",
     'CALLBACK' = "callback",
     'LOGIN_PHONE' = "login_phone",
+    'LOGIN_OIDC' = "login_oidc",
     'LOGIN_PHONE_VERIFY' = "login_phone_verify",
     'ERROR' = "error",
     'PASSWORD_FORGOT_SUCCESS' = "password/forgot/success",
@@ -331,6 +339,11 @@ interface StateLogin extends State, StateWithError {
     socialLogin: (provider: FederatedLoginProvider) => Promise<void>;
     passwordForgot: () => Promise<void>;
 }
+interface StateLoginOidc extends State, StateWithError {
+    route: Routes.LOGIN_OIDC;
+    oidcLink: string;
+    verify: (state?: string, code?: string) => Promise<void>;
+}
 interface StateLoginPhone extends State, StateWithError {
     route: Routes.LOGIN_PHONE;
     registrationForbidden: boolean;
@@ -450,7 +463,7 @@ declare const typeToPasswordForgotTFAVerifyRoute: {
     email: Routes;
     sms: Routes;
 };
-declare type States = State | StateTFASetupApp | StateTFASetupEmail | StateTFASetupSMS | StatePasswordReset | StatePasswordForgot | StatePasswordForgotSuccess | StateLoading | StateCallback | StateLogin | StateRegister | StateError;
+declare type States = State | StateTFASetupApp | StateTFASetupEmail | StateTFASetupSMS | StatePasswordReset | StatePasswordForgot | StatePasswordForgotSuccess | StateLoading | StateCallback | StateLogin | StateRegister | StateError | StateLoginOidc;
 
 declare class CDK {
     auth: IdentifoAuth;
@@ -465,6 +478,7 @@ declare class CDK {
     login(): void;
     loginWithPhone(): void;
     loginWithPhoneVerify(phone: string, remember?: boolean): void;
+    loginWithOIDC(): void;
     loginWithPassword(): void;
     register(): void;
     forgotPassword(): void;
@@ -487,4 +501,4 @@ declare class CDK {
     private getLoginTypes;
 }
 
-export { APIErrorCodes, ApiError, ApiRequestError, AppSettingsResponse, CDK, ClientToken, CookieStorage as CookieStorageManager, EnableTFAResponse, FederatedLoginProvider, IdentifoAuth, IdentifoConfig, InviteResponse, JWTPayload, LocalStorage as LocalStorageManager, LoginResponse, LoginTypes, Routes, ServerSettingsLoginTypes, SessionStorage as SessionStorageManager, State, StateCallback, StateError, StateLoading, StateLogin, StateLoginPhone, StateLoginPhoneVerify, StateLogout, StatePasswordForgot, StatePasswordForgotSuccess, StatePasswordForgotTFASelect, StatePasswordForgotTFAVerify, StatePasswordReset, StateRegister, StateTFASetupApp, StateTFASetupEmail, StateTFASetupSMS, StateTFASetupSelect, StateTFAVerifyApp, StateTFAVerifyEmailSms, StateTFAVerifySelect, StateWithError, States, SuccessResponse, TFALoginVerifyRoutes, TFARequiredRespopnse, TFAResetVerifyRoutes, TFASetupRoutes, TFAStatus, TFAType, TokenManager, TokenResponse, TokenType, UpdateUser, UrlBuilderInit, UrlFlows, User, typeToPasswordForgotTFAVerifyRoute, typeToSetupRoute, typeToTFAVerifyRoute };
+export { APIErrorCodes, ApiError, ApiRequestError, AppSettingsResponse, CDK, ClientToken, CookieStorage as CookieStorageManager, EnableTFAResponse, FederatedLoginProvider, IdentifoAuth, IdentifoConfig, InviteResponse, JWTPayload, LocalStorage as LocalStorageManager, LoginResponse, LoginTypes, Routes, ServerSettingsLoginTypes, SessionStorage as SessionStorageManager, State, StateCallback, StateError, StateLoading, StateLogin, StateLoginOidc, StateLoginPhone, StateLoginPhoneVerify, StateLogout, StatePasswordForgot, StatePasswordForgotSuccess, StatePasswordForgotTFASelect, StatePasswordForgotTFAVerify, StatePasswordReset, StateRegister, StateTFASetupApp, StateTFASetupEmail, StateTFASetupSMS, StateTFASetupSelect, StateTFAVerifyApp, StateTFAVerifyEmailSms, StateTFAVerifySelect, StateWithError, States, SuccessResponse, TFALoginVerifyRoutes, TFARequiredRespopnse, TFAResetVerifyRoutes, TFASetupRoutes, TFAStatus, TFAType, TokenManager, TokenResponse, TokenType, UpdateUser, UrlBuilderInit, UrlFlows, User, typeToPasswordForgotTFAVerifyRoute, typeToSetupRoute, typeToTFAVerifyRoute };
diff --git a/web_apps_src/identifo.js/dist/identifo.js b/web_apps_src/identifo.js/dist/identifo.js
diff --git a/web_apps_src/identifo.js/dist/identifo.js.map b/web_apps_src/identifo.js/dist/identifo.js.map
diff --git a/web_apps_src/identifo.js/dist/identifo.mjs b/web_apps_src/identifo.js/dist/identifo.mjs
@@ -308,6 +308,12 @@ class API {
       });
     });
   }
+  oidcVerify(data) {
+    return __async$3(this, null, function* () {
+      const url = `/auth/federated/oidc/complete?appId=${this.appId}&state=${data.state}&code=${data.code}`;
+      return this.post(url, { scopes: data.scopes }, { credentials: "include" }).then((r) => this.storeToken(r));
+    });
+  }
   invite(email, role, callbackUrl) {
     return __async$3(this, null, function* () {
       var _a, _b;
@@ -699,6 +705,7 @@ var Routes;
   Routes2["PASSWORD_FORGOT_TFA_SELECT"] = "password/forgot/tfa/select";
   Routes2["CALLBACK"] = "callback";
   Routes2["LOGIN_PHONE"] = "login_phone";
+  Routes2["LOGIN_OIDC"] = "login_oidc";
   Routes2["LOGIN_PHONE_VERIFY"] = "login_phone_verify";
   Routes2["ERROR"] = "error";
   Routes2["PASSWORD_FORGOT_SUCCESS"] = "password/forgot/success";
@@ -855,6 +862,8 @@ class CDK {
         return this.loginWithPhone();
       case (!this.auth.config.loginWith && this.settings.loginWith["email"] || this.auth.config.loginWith === "email" && this.settings.loginWith["email"]):
         return this.loginWithPassword();
+      case (!this.auth.config.loginWith && this.settings.loginWith["federated_oidc"] || this.auth.config.loginWith === "federated_oidc" && this.settings.loginWith["federated_oidc"]):
+        return this.loginWithOIDC();
       default:
         throw "Unsupported login way";
     }
@@ -905,6 +914,19 @@ class CDK {
       })
     });
   }
+  loginWithOIDC() {
+    this.state.next({
+      route: Routes.LOGIN_OIDC,
+      oidcLink: this.settings.federatedOIDCInitURL,
+      error: this.lastError,
+      verify: (state, code) => __async(this, null, function* () {
+        if (!state || !code) {
+          return;
+        }
+        this.auth.api.oidcVerify({ state, code, scopes: [...Array.from(this.scopes)] }).then(this.afterLoginRedirect).catch(this.loginCatchRedirect).catch((e) => this.processError(e));
+      })
+    });
+  }
   loginWithPassword() {
     var _a, _b;
     this.state.next({

diff --git a/web_apps_src/identifo.js/dist/identifo.mjs.map b/web_apps_src/identifo.js/dist/identifo.mjs.map
diff --git a/web_apps_src/identifo.js/package.json b/web_apps_src/identifo.js/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@identifo/identifo-auth-js",
-  "version": "3.3.4",
+  "version": "3.3.9",
   "description": "Library for web-auth through Identifo",
   "main": "./dist/identifo.js",
   "module": "./dist/identifo.mjs",

diff --git a/web_apps_src/identifo.js/src/api/api.ts b/web_apps_src/identifo.js/src/api/api.ts
@@ -298,6 +298,13 @@ export class API {
     });
   }
 
+  async oidcVerify(data: { state: string; code: string; scopes: string[] }): Promise<LoginResponse> {
+    const url = `/auth/federated/oidc/complete?appId=${this.appId}&state=${data.state}&code=${data.code}`;
+    return this.post<LoginResponse>(url, { scopes: data.scopes }, { credentials: 'include' }).then((r) =>
+      this.storeToken(r),
+    );
+  }
+
   async invite(email: string, role: string, callbackUrl: string): Promise<InviteResponse> {
     if (!this.tokenService.getToken()?.token) {
       throw new Error('No token in token service.');

diff --git a/web_apps_src/identifo.js/src/api/model.ts b/web_apps_src/identifo.js/src/api/model.ts
@@ -20,6 +20,7 @@ export enum TFAStatus {
 export interface ServerSettingsLoginTypes {
   email: boolean;
   federated: boolean;
+  federated_oidc: boolean;
   phone: boolean;
   username: boolean;
 }
@@ -87,6 +88,7 @@ export interface AppSettingsResponse {
   tfaStatus: TFAStatus;
   federatedProviders: FederatedLoginProvider[];
   loginWith: ServerSettingsLoginTypes;
+  federatedOIDCInitURL: string;
 }
 
 export interface User {

diff --git a/web_apps_src/identifo.js/src/cdk/cdk.ts b/web_apps_src/identifo.js/src/cdk/cdk.ts
@@ -18,6 +18,7 @@ import {
   State,
   StateCallback,
   StateError,
+  StateLoginOidc,
   StateLogout,
   StatePasswordForgotTFASelect,
   StatePasswordForgotTFAVerify,
@@ -126,6 +127,9 @@ export class CDK {
       case (!this.auth.config.loginWith && this.settings.loginWith['email']) ||
         (this.auth.config.loginWith === 'email' && this.settings.loginWith['email']):
         return this.loginWithPassword();
+      case (!this.auth.config.loginWith && this.settings.loginWith['federated_oidc']) ||
+        (this.auth.config.loginWith === 'federated_oidc' && this.settings.loginWith['federated_oidc']):
+        return this.loginWithOIDC();
       default:
         throw 'Unsupported login way';
     }
@@ -187,6 +191,25 @@ export class CDK {
       },
     } as StateLoginPhoneVerify);
   }
+
+  loginWithOIDC(): void {
+    this.state.next({
+      route: Routes.LOGIN_OIDC,
+      oidcLink: this.settings.federatedOIDCInitURL,
+      error: this.lastError,
+      verify: async (state?: string, code?: string) => {
+        if (!state || !code) {
+          return;
+        }
+        this.auth.api
+          .oidcVerify({ state, code, scopes: [...Array.from(this.scopes)] })
+          .then(this.afterLoginRedirect)
+          .catch(this.loginCatchRedirect)
+          .catch((e) => this.processError(e));
+      },
+    } as StateLoginOidc);
+  }
+
   loginWithPassword(): void {
     this.state.next({
       route: Routes.LOGIN,

diff --git a/web_apps_src/identifo.js/src/cdk/model.ts b/web_apps_src/identifo.js/src/cdk/model.ts
@@ -27,6 +27,7 @@ export enum Routes {
   'PASSWORD_FORGOT_TFA_SELECT' = 'password/forgot/tfa/select',
   'CALLBACK' = 'callback',
   'LOGIN_PHONE' = 'login_phone',
+  'LOGIN_OIDC' = 'login_oidc',
   'LOGIN_PHONE_VERIFY' = 'login_phone_verify',
   'ERROR' = 'error',
   'PASSWORD_FORGOT_SUCCESS' = 'password/forgot/success',
@@ -73,6 +74,12 @@ export interface StateLogin extends State, StateWithError {
   passwordForgot: () => Promise<void>;
 }
 
+export interface StateLoginOidc extends State, StateWithError {
+  route: Routes.LOGIN_OIDC;
+  oidcLink: string;
+  verify: (state?: string, code?: string) => Promise<void>;
+}
+
 export interface StateLoginPhone extends State, StateWithError {
   route: Routes.LOGIN_PHONE;
   registrationForbidden: boolean;
@@ -221,4 +228,5 @@ export type States =
   | StateCallback
   | StateLogin
   | StateRegister
-  | StateError;
+  | StateError
+  | StateLoginOidc;
diff --git a/web_apps_src/web-element/package-lock.json b/web_apps_src/web-element/package-lock.json
diff --git a/web_apps_src/web-element/src/components.d.ts b/web_apps_src/web-element/src/components.d.ts
@@ -34,6 +34,8 @@ export namespace Components {
     }
     interface IdentifoFormLogin {
     }
+    interface IdentifoFormLoginOidc {
+    }
     interface IdentifoFormLoginPhone {
     }
     interface IdentifoFormLoginPhoneVerify {
@@ -106,6 +108,12 @@ declare global {
         prototype: HTMLIdentifoFormLoginElement;
         new (): HTMLIdentifoFormLoginElement;
     };
+    interface HTMLIdentifoFormLoginOidcElement extends Components.IdentifoFormLoginOidc, HTMLStencilElement {
+    }
+    var HTMLIdentifoFormLoginOidcElement: {
+        prototype: HTMLIdentifoFormLoginOidcElement;
+        new (): HTMLIdentifoFormLoginOidcElement;
+    };
     interface HTMLIdentifoFormLoginPhoneElement extends Components.IdentifoFormLoginPhone, HTMLStencilElement {
     }
     var HTMLIdentifoFormLoginPhoneElement: {
@@ -181,6 +189,7 @@ declare global {
         "identifo-form-forgot-success": HTMLIdentifoFormForgotSuccessElement;
         "identifo-form-goback": HTMLIdentifoFormGobackElement;
         "identifo-form-login": HTMLIdentifoFormLoginElement;
+        "identifo-form-login-oidc": HTMLIdentifoFormLoginOidcElement;
         "identifo-form-login-phone": HTMLIdentifoFormLoginPhoneElement;
         "identifo-form-login-phone-verify": HTMLIdentifoFormLoginPhoneVerifyElement;
         "identifo-form-login-ways": HTMLIdentifoFormLoginWaysElement;
@@ -224,6 +233,8 @@ declare namespace LocalJSX {
     }
     interface IdentifoFormLogin {
     }
+    interface IdentifoFormLoginOidc {
+    }
     interface IdentifoFormLoginPhone {
     }
     interface IdentifoFormLoginPhoneVerify {
@@ -255,6 +266,7 @@ declare namespace LocalJSX {
         "identifo-form-forgot-success": IdentifoFormForgotSuccess;
         "identifo-form-goback": IdentifoFormGoback;
         "identifo-form-login": IdentifoFormLogin;
+        "identifo-form-login-oidc": IdentifoFormLoginOidc;
         "identifo-form-login-phone": IdentifoFormLoginPhone;
         "identifo-form-login-phone-verify": IdentifoFormLoginPhoneVerify;
         "identifo-form-login-ways": IdentifoFormLoginWays;
@@ -280,6 +292,7 @@ declare module "@stencil/core" {
             "identifo-form-forgot-success": LocalJSX.IdentifoFormForgotSuccess & JSXBase.HTMLAttributes<HTMLIdentifoFormForgotSuccessElement>;
             "identifo-form-goback": LocalJSX.IdentifoFormGoback & JSXBase.HTMLAttributes<HTMLIdentifoFormGobackElement>;
             "identifo-form-login": LocalJSX.IdentifoFormLogin & JSXBase.HTMLAttributes<HTMLIdentifoFormLoginElement>;
+            "identifo-form-login-oidc": LocalJSX.IdentifoFormLoginOidc & JSXBase.HTMLAttributes<HTMLIdentifoFormLoginOidcElement>;
             "identifo-form-login-phone": LocalJSX.IdentifoFormLoginPhone & JSXBase.HTMLAttributes<HTMLIdentifoFormLoginPhoneElement>;
             "identifo-form-login-phone-verify": LocalJSX.IdentifoFormLoginPhoneVerify & JSXBase.HTMLAttributes<HTMLIdentifoFormLoginPhoneVerifyElement>;
             "identifo-form-login-ways": LocalJSX.IdentifoFormLoginWays & JSXBase.HTMLAttributes<HTMLIdentifoFormLoginWaysElement>;