wiki-v1
wiki-v1 copied to clipboard
requarks
Add scopes to OIDC config
I am using ver 1.0.102 and I can see that it has implemented Open ID Connect with the passport-openidconnect module.
Specifically, I'm reading lines 230 - 255 of the code here.
// OpenID Connect
if (appconfig.auth.oidc && appconfig.auth.oidc.enabled) {
const OIDCStrategy = require('passport-openidconnect').Strategy
passport.use('oidc', new OIDCStrategy({
userInfoURL: appconfig.auth.oidc.userInfoUrl,
authorizationURL: appconfig.auth.oidc.authorizationURL,
tokenURL: appconfig.auth.oidc.tokenURL,
clientID: appconfig.auth.oidc.clientId,
clientSecret: appconfig.auth.oidc.clientSecret,
issuer: appconfig.auth.oidc.issuer,
callbackURL: appconfig.host + '/login/oidc/callback'
}, (iss, sub, profile, jwtClaims, accessToken, refreshToken, params, cb) => {
db.User.processProfile({
id: jwtClaims.sub,
provider: 'oidc',
email: _.get(jwtClaims, appconfig.auth.oidc.emailClaim),
name: _.get(jwtClaims, appconfig.auth.oidc.usernameClaim)
}).then((user) => {
return cb(null, user) || true
}).catch((err) => {
return cb(err, null) || true
})
}
))
}
In the .processProfile method, the OIDC strategy is attempting extracting the email address from the jwtClaims object. However, the request being sent to the openid provider is only adding the 'openid' scope. It does NOT add the 'email' or 'profile' claim to the scopes. My openid provider (Okta) does NOT put the email into the id token unless I request the 'email' scope. But the code above does not provide a way for a developer to add this scope to the request.
Note that the passport-openidconnect module, which is being used by wiki.js, does support adding the scope to the strategy options when the passport strategy is initialized. You can read that source code here, it's line 34.
So I'm simply requesting that you change the code above in the [auth.js file] (https://github.com/Requarks/wiki/blob/73cd6af5b7b3338ff30e9466a8da9074cf9bbfad/server/libs/auth.js) to
// OpenID Connect
if (appconfig.auth.oidc && appconfig.auth.oidc.enabled) {
const OIDCStrategy = require('passport-openidconnect').Strategy
passport.use('oidc', new OIDCStrategy({
userInfoURL: appconfig.auth.oidc.userInfoUrl,
authorizationURL: appconfig.auth.oidc.authorizationURL,
tokenURL: appconfig.auth.oidc.tokenURL,
clientID: appconfig.auth.oidc.clientId,
clientSecret: appconfig.auth.oidc.clientSecret,
issuer: appconfig.auth.oidc.issuer,
/* ADD THE SCOPE OPTION ! */
scope: appconfig.auth.oidc.scope,
callbackURL: appconfig.host + '/login/oidc/callback'
}, (iss, sub, profile, jwtClaims, accessToken, refreshToken, params, cb) => {
db.User.processProfile({
id: jwtClaims.sub,
provider: 'oidc',
email: _.get(jwtClaims, appconfig.auth.oidc.emailClaim),
name: _.get(jwtClaims, appconfig.auth.oidc.usernameClaim)
}).then((user) => {
return cb(null, user) || true
}).catch((err) => {
return cb(err, null) || true
})
}
))
}
And then the in the config.sample.yml file, set the default oidc object to
oidc:
enabled: false
clientId: OPENID_CONNECT_CLIENT_ID
clientSecret: OPENID_CONNECT_CLIENT_SECRET
issuer: OPENID_CONNECT_ISSUER
scope: 'openid'
userInfoUrl: OPENID_CONNECT_USER_INFO_URL
authorizationURL: OPENID_CONNECT_AUTHORIZATION_URL
tokenURL: OPENID_CONNECT_TOKEN_URL
emailClaim: OPENID_CONNECT_EMAIL_CLAIM_PATH
usernameClaim: OPENID_CONNECT_USERNAME_CLAIM_PATH
This will allow developers to modify the scopes as required by their particular OIDC provider.
NOTE: For my personal use of wiki.js, I used the heroku deploy widget. That project has an install script which automagically downloads and installs the latest release of wiki.js from a tar.gz. So for users like me, it is necessary that this release is up to date.
