fix: Lazy initialize OIDC client

2025-07-18 20:59:44 +02:00 · 2024-11-18 10:03:05 +02:00 · 2024-11-18 10:03:05 +02:00 · 88ffa08512
commit 88ffa08512
parent 96956e1268
4 changed files with 58 additions and 23 deletions
--- a/server/api/controllers/access-tokens/exchange-using-oidc.js
+++ b/server/api/controllers/access-tokens/exchange-using-oidc.js
@ -6,6 +6,9 @@ const Errors = {
  INVALID_CODE_OR_NONCE: {
    invalidCodeOrNonce: 'Invalid code or nonce',
  },
+  INVALID_OIDC_CONFIGURATION: {
+    invalidOIDCConfiguration: 'Invalid OIDC configuration',
+  },
  INVALID_USERINFO_CONFIGURATION: {
    invalidUserinfoConfiguration: 'Invalid userinfo configuration',
  },
@ -37,6 +40,9 @@ module.exports = {
  },

  exits: {
+    invalidOIDCConfiguration: {
+      responseType: 'serverError',
+    },
    invalidCodeOrNonce: {
      responseType: 'unauthorized',
    },
@ -63,6 +69,7 @@ module.exports = {
        sails.log.warn(`Invalid code or nonce! (IP: ${remoteAddress})`);
        return Errors.INVALID_CODE_OR_NONCE;
      })
+      .intercept('invalidOIDCConfiguration', () => Errors.INVALID_OIDC_CONFIGURATION)
      .intercept('invalidUserinfoConfiguration', () => Errors.INVALID_USERINFO_CONFIGURATION)
      .intercept('emailAlreadyInUse', () => Errors.EMAIL_ALREADY_IN_USE)
      .intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE)
--- a/server/api/controllers/show-config.js
+++ b/server/api/controllers/show-config.js
@ -1,8 +1,26 @@
+const Errors = {
+  INVALID_OIDC_CONFIGURATION: {
+    invalidOidcConfiguration: 'Invalid OIDC configuration'
+  },
+};
+
 module.exports = {
-  fn() {
+  exits: {
+    invalidOidcConfiguration: {
+      responseType: 'serverError'
+    },
+  },
+
+  async fn() {
    let oidc = null;
    if (sails.hooks.oidc.isActive()) {
-      const oidcClient = sails.hooks.oidc.getClient();
+      let oidcClient;
+      try {
+        oidcClient = await sails.hooks.oidc.getClient();
+      } catch (error) {
+        sails.log.warn(`Error while initializing OIDC client: ${error}`);
+        throw Errors.INVALID_OIDC_CONFIGURATION;
+      }

      const authorizationUrlParams = {
        scope: sails.config.custom.oidcScopes,
--- a/server/api/helpers/users/get-or-create-one-using-oidc.js
+++ b/server/api/helpers/users/get-or-create-one-using-oidc.js
@ -12,6 +12,7 @@ module.exports = {

  exits: {
    invalidCodeOrNonce: {},
+    invalidOIDCConfiguration: {},
    invalidUserinfoConfiguration: {},
    missingValues: {},
    emailAlreadyInUse: {},
@ -19,7 +20,13 @@ module.exports = {
  },

  async fn(inputs) {
-    const client = sails.hooks.oidc.getClient();
+    let client;
+    try {
+      client = await sails.hooks.oidc.getClient();
+    } catch (error) {
+      sails.log.warn(`Error while initializing OIDC client: ${error}`);
+      throw 'invalidOIDCConfiguration';
+    }

    let tokenSet;
    try {
--- a/server/api/hooks/oidc/index.js
+++ b/server/api/hooks/oidc/index.js
@ -15,37 +15,40 @@ module.exports = function defineOidcHook(sails) {
    /**
     * Runs when this Sails app loads/lifts.
     */
-
    async initialize() {
-      if (!sails.config.custom.oidcIssuer) {
+      if (!this.isActive()) {
        return;
      }

      sails.log.info('Initializing custom hook (`oidc`)');
-
-      const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);
-
-      const metadata = {
-        client_id: sails.config.custom.oidcClientId,
-        client_secret: sails.config.custom.oidcClientSecret,
-        redirect_uris: [sails.config.custom.oidcRedirectUri],
-        response_types: ['code'],
-        userinfo_signed_response_alg: sails.config.custom.oidcUserinfoSignedResponseAlg,
-      };
-
-      if (sails.config.custom.oidcIdTokenSignedResponseAlg) {
-        metadata.id_token_signed_response_alg = sails.config.custom.oidcIdTokenSignedResponseAlg;
-      }
-
-      client = new issuer.Client(metadata);
    },

-    getClient() {
+    async getClient() {
+      if (client === null && this.isActive()) {
+        sails.log.info('Initializing OIDC client');
+
+        const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);
+
+        const metadata = {
+          client_id: sails.config.custom.oidcClientId,
+          client_secret: sails.config.custom.oidcClientSecret,
+          redirect_uris: [sails.config.custom.oidcRedirectUri],
+          response_types: ['code'],
+          userinfo_signed_response_alg: sails.config.custom.oidcUserinfoSignedResponseAlg,
+        };
+
+        if (sails.config.custom.oidcIdTokenSignedResponseAlg) {
+          metadata.id_token_signed_response_alg = sails.config.custom.oidcIdTokenSignedResponseAlg;
+        }
+
+        client = new issuer.Client(metadata);
+      }
+
      return client;
    },

    isActive() {
-      return client !== null;
+      return sails.config.custom.oidcIssuer !== undefined;
    },
  };
 };