*️⃣ feat: Reuse OpenID Auth Tokens (#7397)

* feat: integrate OpenID Connect support with token reuse - Added `jwks-rsa` and `new-openid-client` dependencies for OpenID Connect functionality. - Implemented OpenID token refresh logic in `AuthController`. - Enhanced `LogoutController` to handle OpenID logout and session termination. - Updated JWT authentication middleware to support OpenID token provider. - Modified OAuth routes to accommodate OpenID authentication and token management. - Created `setOpenIDAuthTokens` function to manage OpenID tokens in cookies. - Upgraded OpenID strategy with user info fetching and token exchange protocol. - Introduced `openIdJwtLogin` strategy for handling OpenID JWT tokens. - Added caching mechanism for exchanged OpenID tokens. - Updated configuration to include OpenID exchanged tokens cache key. - updated .env.example to include the new env variables needed for the feature. * fix: update return type in downloadImage documentation for clarity and fixed openIdJwtLogin env variables * fix: update Jest configuration and tests for OpenID strategy integration * fix: update OpenID strategy to include callback URL in setup * fix: fix optionalJwtAuth middleware to support OpenID token reuse and improve currentUrl method in CustomOpenIDStrategy to override the dynamic host issue related to proxy (e.g. cloudfront) * fix: fixed code formatting * Fix: Add mocks for openid-client and passport strategy in Jest configuration to fix unit tests * fix eslint errors: Format mock file openid-client. * ✨ feat: Add PKCE support for OpenID and default handling in strategy setup --------- Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com> Co-authored-by: Ruben Talstra <RubenTalstra1211@outlook.com>
2025-09-21 21:50:49 +02:00 · 2025-05-22 14:19:24 +02:00 · 2025-05-22 14:19:24 +02:00 · bf80cf30b3
commit bf80cf30b3
parent d47d827ed9
24 changed files with 690 additions and 191 deletions
--- a/api/test/mocks/openid-client-passport.js
+++ b/api/test/mocks/openid-client-passport.js
@ -0,0 +1,6 @@
+// api/test/__mocks__/openid-client-passport.js
+const Strategy = jest.fn().mockImplementation((options, verify) => {
+  return { name: 'mocked-openid-passport-strategy', options, verify };
+});
+
+module.exports = { Strategy };
--- a/api/test/mocks/openid-client.js
+++ b/api/test/mocks/openid-client.js
@ -0,0 +1,67 @@
+// api/test/__mocks__/openid-client.js
+module.exports = {
+  Issuer: {
+    discover: jest.fn().mockResolvedValue({
+      Client: jest.fn().mockImplementation(() => ({
+        authorizationUrl: jest.fn().mockReturnValue('mock_auth_url'),
+        callback: jest.fn().mockResolvedValue({
+          access_token: 'mock_access_token',
+          id_token: 'mock_id_token',
+          claims: () => ({
+            sub: 'mock_sub',
+            email: 'mock@example.com',
+          }),
+        }),
+        userinfo: jest.fn().mockResolvedValue({
+          sub: 'mock_sub',
+          email: 'mock@example.com',
+        }),
+      })),
+    }),
+  },
+  Strategy: jest.fn().mockImplementation((options, verify) => {
+    // Store verify to call it if needed, or just mock the strategy behavior
+    return { name: 'openid-mock-strategy' };
+  }),
+  custom: {
+    setHttpOptionsDefaults: jest.fn(),
+  },
+  // Add any other exports from openid-client that are used directly
+  // For example, if your code uses `client.Issuer.discover`, then mock `Issuer`
+  // If it uses `new Strategy()`, then mock `Strategy`
+  // Based on openidStrategy.js, it uses:
+  // const client = require('openid-client'); -> client.discovery, client.fetchUserInfo, client.genericGrantRequest
+  // const { Strategy: OpenIDStrategy } = require('openid-client/passport');
+  // So the mock needs to cover these.
+  // The provided mock in openidStrategy.spec.js is a good reference.
+
+  // Simpler mock based on the spec file:
+  discovery: jest.fn().mockResolvedValue({
+    clientId: 'fake_client_id',
+    clientSecret: 'fake_client_secret',
+    issuer: 'https://fake-issuer.com',
+    Client: jest.fn().mockImplementation(() => ({
+      authorizationUrl: jest.fn().mockReturnValue('mock_auth_url'),
+      callback: jest.fn().mockResolvedValue({
+        access_token: 'mock_access_token',
+        id_token: 'mock_id_token',
+        claims: () => ({
+          sub: 'mock_sub',
+          email: 'mock@example.com',
+        }),
+      }),
+      userinfo: jest.fn().mockResolvedValue({
+        sub: 'mock_sub',
+        email: 'mock@example.com',
+      }),
+      grant: jest.fn().mockResolvedValue({ access_token: 'mock_grant_token' }), // For genericGrantRequest
+    })),
+  }),
+  fetchUserInfo: jest.fn().mockResolvedValue({
+    preferred_username: 'preferred_username',
+  }),
+  genericGrantRequest: jest
+    .fn()
+    .mockResolvedValue({ access_token: 'mock_grant_access_token', expires_in: 3600 }),
+  customFetch: Symbol('customFetch'),
+};