diff --git a/api/strategies/openIdJwtStrategy.js b/api/strategies/openIdJwtStrategy.js
index 94685fc86c..69dc2f1033 100644
--- a/api/strategies/openIdJwtStrategy.js
+++ b/api/strategies/openIdJwtStrategy.js
@@ -40,13 +40,19 @@ const openIdJwtLogin = (openIdConfig) => {
 {
 jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
 secretOrKeyProvider: jwksRsa.passportJwtSecret(jwksRsaOptions),
+ passReqToCallback: true, // Pass request to callback to access raw token
 },
 /**
+ * @param {Express.Request} req
 * @param {import('openid-client').IDToken} payload
 * @param {import('passport-jwt').VerifyCallback} done
 */
- async (payload, done) => {
+ async (req, payload, done) => {
 try {
+ // Extract the raw JWT token from the Authorization header
+ const authHeader = req.headers.authorization;
+ const rawToken = authHeader?.replace('Bearer ', '');
+
 const { user, error, migration } = await findOpenIDUser({
 findUser,
 email: payload?.email,
@@ -77,6 +83,14 @@ const openIdJwtLogin = (openIdConfig) => {
 await updateUser(user.id, updateData);
 }
 
+ // Add federated tokens for OIDC placeholder processing
+ // Use the raw JWT token as the access token
+ user.federatedTokens = {
+ access_token: rawToken,
+ refresh_token: payload.refresh_token,
+ expires_at: payload.exp,
+ };
+
 done(null, user);
 } else {
 logger.warn(
diff --git a/api/strategies/openidStrategy.js b/api/strategies/openidStrategy.js
index ce564fc655..5f71ef09cd 100644
--- a/api/strategies/openidStrategy.js
+++ b/api/strategies/openidStrategy.js
@@ -491,7 +491,15 @@ async function setupOpenId() {
 },
 );
 
- done(null, { ...user, tokenset });
+ done(null, {
+ ...user,
+ tokenset,
+ federatedTokens: {
+ access_token: tokenset.access_token,
+ refresh_token: tokenset.refresh_token,
+ expires_at: tokenset.expires_at,
+ },
+ });
 } catch (err) {
 logger.error('[openidStrategy] login failed', err);
 done(err);
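Review bot: The raw token is re-parsed by hand with `authHeader?.replace('Bearer ', '')`, which does not agree with the extractor configured a few lines above it as `jwtFromRequest`: as far as I know passport-jwt's `fromAuthHeaderAsBearerToken` matches the scheme case-insensitively and tolerates any run of whitespace, so a request sent as `bearer <token>` verifies fine but leaves `rawToken` equal to the whole header value, and `replace` with a string literal only strips the first occurrence. Reusing the same extractor guarantees the stored value is exactly the token that was verified: `const rawToken = ExtractJwt.fromAuthHeaderAsBearerToken()(req);`. The verify callback continues past the end of this hunk.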
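Review bot: `refresh_token: payload.refresh_token` reads a claim off the verified JWT payload, but a refresh token is not a JWT claim, so on this bearer-token path the field will almost always be `undefined` while the shape suggests to consumers of `federatedTokens` that one may be present; either drop the key or mark the absence explicitly, e.g. `refresh_token: undefined, // no refresh token on the bearer-JWT path; the presented token cannot be renewed here`. The `access_token: rawToken` line also deserves a comment saying that this is the caller's own presented credential being echoed into the user object, since that object goes to `done(null, user)` and, presumably, becomes `req.user`, so any later serialization or logging of it would carry the token; a one-line note on who is expected to consume it makes that a deliberate choice rather than an accident. The enclosing function starts and ends outside this hunk.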
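Review bot: `tokenset` is still spread into the user object next to the new `federatedTokens`, so the same access and refresh tokens now sit in two places on whatever `done` hands to passport; if `tokenset` stays only for existing consumers, say so on that line (`tokenset, // kept for existing consumers; federatedTokens is the shared shape`) so the duplication is neither removed nor extended by accident. `expires_at` here is taken from openid-client's TokenSet, while openIdJwtStrategy.js fills the same field from the JWT `exp` claim; both appear to be epoch seconds, but a unit note on the field (`expires_at: tokenset.expires_at, // epoch seconds, same unit as the JWT exp claim`) would keep the two strategies from drifting apart. setupOpenId starts outside this hunk.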