fix: OIDC finalization and refactoring

client/package-lock.json

@@ -19,6 +19,7 @@
         "jwt-decode": "^3.1.2",
         "lodash": "^4.17.21",
         "node-sass": "^8.0.0",
+        "oidc-client-ts": "^2.3.0",
         "photoswipe": "^5.3.3",
         "prop-types": "^15.8.1",
         "react": "^18.2.0",
@@ -30,7 +31,6 @@
         "react-i18next": "^12.0.0",
         "react-input-mask": "^2.0.4",
         "react-markdown": "^8.0.3",
-        "react-oidc-context": "^2.2.2",
         "react-photoswipe-gallery": "^2.2.2",
         "react-redux": "^8.0.5",
         "react-router-dom": "^6.4.3",
@@ -7193,8 +7193,7 @@
     "node_modules/crypto-js": {
       "version": "4.1.1",
       "resolved": "https://registry.npmjs.org/crypto-js/-/crypto-js-4.1.1.tgz",
-      "integrity": "sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw==",
+      "integrity": "sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw=="
-      "peer": true
     },
     "node_modules/crypto-random-string": {
       "version": "2.0.0",
@@ -17043,10 +17042,9 @@
       "integrity": "sha512-PX1wu0AmAdPqOL1mWhqmlOd8kOIZQwGZw6rh7uby9fTc5lhaOWFLX3I6R1hrF9k3zUY40e6igsLGkDXK92LJNg=="
     },
     "node_modules/oidc-client-ts": {
-      "version": "2.2.4",
+      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/oidc-client-ts/-/oidc-client-ts-2.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/oidc-client-ts/-/oidc-client-ts-2.3.0.tgz",
-      "integrity": "sha512-nOZwIomju+AmXObl5Oq5PjrES/qTt8bLsENJCIydVgi9TEWk7SCkOU6X3RNkY7yfySRM1OJJvDKdREZdmnDT2g==",
+      "integrity": "sha512-7RUKU+TJFQo+4X9R50IGJAIDF18uRBaFXyZn4VVCfwmwbSUhKcdDnw4zgeut3uEXkiD3NqURq+d88sDPxjf1FA==",
-      "peer": true,
       "dependencies": {
         "crypto-js": "^4.1.1",
         "jwt-decode": "^3.1.2"
@@ -19296,18 +19294,6 @@
       "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.2.0.tgz",
       "integrity": "sha512-xWGDIW6x921xtzPkhiULtthJHoJvBbF3q26fzloPCK0hsvxtPVelvftw3zjbHWSkR2km9Z+4uxbDDK/6Zw9B8w=="
     },
-    "node_modules/react-oidc-context": {
-      "version": "2.2.2",
-      "resolved": "https://registry.npmjs.org/react-oidc-context/-/react-oidc-context-2.2.2.tgz",
-      "integrity": "sha512-rke8goKuxxQhSAR11h8wVn56m7kEa1mcAfYDlIycsIgmbZOFzKA0Un0y0RodHZ/M/CG6u0JD1I8RKZHqRJjWnA==",
-      "engines": {
-        "node": ">=12.13.0"
-      },
-      "peerDependencies": {
-        "oidc-client-ts": "^2.2.1",
-        "react": ">=16.8.0"
-      }
-    },
     "node_modules/react-onclickoutside": {
       "version": "6.12.2",
       "resolved": "https://registry.npmjs.org/react-onclickoutside/-/react-onclickoutside-6.12.2.tgz",
@@ -28802,8 +28788,7 @@
     "crypto-js": {
       "version": "4.1.1",
       "resolved": "https://registry.npmjs.org/crypto-js/-/crypto-js-4.1.1.tgz",
-      "integrity": "sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw==",
+      "integrity": "sha512-o2JlM7ydqd3Qk9CA0L4NL6mTzU2sdx96a+oOfPu8Mkl/PK51vSyoi8/rQ8NknZtk44vq15lmhAj9CIAGwgeWKw=="
-      "peer": true
     },
     "crypto-random-string": {
       "version": "2.0.0",
@@ -35972,10 +35957,9 @@
       "integrity": "sha512-PX1wu0AmAdPqOL1mWhqmlOd8kOIZQwGZw6rh7uby9fTc5lhaOWFLX3I6R1hrF9k3zUY40e6igsLGkDXK92LJNg=="
     },
     "oidc-client-ts": {
-      "version": "2.2.4",
+      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/oidc-client-ts/-/oidc-client-ts-2.2.4.tgz",
+      "resolved": "https://registry.npmjs.org/oidc-client-ts/-/oidc-client-ts-2.3.0.tgz",
-      "integrity": "sha512-nOZwIomju+AmXObl5Oq5PjrES/qTt8bLsENJCIydVgi9TEWk7SCkOU6X3RNkY7yfySRM1OJJvDKdREZdmnDT2g==",
+      "integrity": "sha512-7RUKU+TJFQo+4X9R50IGJAIDF18uRBaFXyZn4VVCfwmwbSUhKcdDnw4zgeut3uEXkiD3NqURq+d88sDPxjf1FA==",
-      "peer": true,
       "requires": {
         "crypto-js": "^4.1.1",
         "jwt-decode": "^3.1.2"
@@ -37419,12 +37403,6 @@
         }
       }
     },
-    "react-oidc-context": {
-      "version": "2.2.2",
-      "resolved": "https://registry.npmjs.org/react-oidc-context/-/react-oidc-context-2.2.2.tgz",
-      "integrity": "sha512-rke8goKuxxQhSAR11h8wVn56m7kEa1mcAfYDlIycsIgmbZOFzKA0Un0y0RodHZ/M/CG6u0JD1I8RKZHqRJjWnA==",
-      "requires": {}
-    },
     "react-onclickoutside": {
       "version": "6.12.2",
       "resolved": "https://registry.npmjs.org/react-onclickoutside/-/react-onclickoutside-6.12.2.tgz",

client/package.json

@@ -66,6 +66,7 @@
     "jwt-decode": "^3.1.2",
     "lodash": "^4.17.21",
     "node-sass": "^8.0.0",
+    "oidc-client-ts": "^2.3.0",
     "photoswipe": "^5.3.3",
     "prop-types": "^15.8.1",
     "react": "^18.2.0",
@@ -77,7 +78,6 @@
     "react-i18next": "^12.0.0",
     "react-input-mask": "^2.0.4",
     "react-markdown": "^8.0.3",
-    "react-oidc-context": "^2.2.2",
     "react-photoswipe-gallery": "^2.2.2",
     "react-redux": "^8.0.5",
     "react-router-dom": "^6.4.3",

client/src/actions/core.js

@@ -1,6 +1,7 @@
 import ActionTypes from '../constants/ActionTypes';
 
 const initializeCore = (
+  config,
   user,
   board,
   users,
@@ -20,6 +21,7 @@ const initializeCore = (
 ) => ({
   type: ActionTypes.CORE_INITIALIZE,
   payload: {
+    config,
     user,
     board,
     users,

client/src/actions/login.js

@@ -1,5 +1,12 @@
 import ActionTypes from '../constants/ActionTypes';
 
+const initializeLogin = (config) => ({
+  type: ActionTypes.LOGIN_INITIALIZE,
+  payload: {
+    config,
+  },
+});
+
 const authenticate = (data) => ({
   type: ActionTypes.AUTHENTICATE,
   payload: {
@@ -21,12 +28,33 @@ authenticate.failure = (error) => ({
   },
 });
 
+const authenticateWithOidc = () => ({
+  type: ActionTypes.WITH_OIDC_AUTHENTICATE,
+  payload: {},
+});
+
+authenticateWithOidc.success = (accessToken) => ({
+  type: ActionTypes.WITH_OIDC_AUTHENTICATE__SUCCESS,
+  payload: {
+    accessToken,
+  },
+});
+
+authenticateWithOidc.failure = (error) => ({
+  type: ActionTypes.WITH_OIDC_AUTHENTICATE__FAILURE,
+  payload: {
+    error,
+  },
+});
+
 const clearAuthenticateError = () => ({
   type: ActionTypes.AUTHENTICATE_ERROR_CLEAR,
   payload: {},
 });
 
 export default {
+  initializeLogin,
   authenticate,
+  authenticateWithOidc,
   clearAuthenticateError,
 };

client/src/api/access-tokens.js

@@ -4,14 +4,15 @@ import socket from './socket';
 /* Actions */
 
 const createAccessToken = (data, headers) => http.post('/access-tokens', data, headers);
-const exchangeOidcToken = (accessToken, headers) =>
+
-  http.post('/access-tokens/exchange', { token: accessToken }, headers);
+const exchangeToAccessToken = (data, headers) =>
+  http.post('/access-tokens/exchange', data, headers);
 
 const deleteCurrentAccessToken = (headers) =>
   socket.delete('/access-tokens/me', undefined, headers);
 
 export default {
   createAccessToken,
+  exchangeToAccessToken,
   deleteCurrentAccessToken,
-  exchangeOidcToken,
 };

client/src/api/http.js

@@ -5,9 +5,11 @@ import Config from '../constants/Config';
 const http = {};
 
 // TODO: add all methods
-['POST'].forEach((method) => {
+['GET', 'POST'].forEach((method) => {
   http[method.toLowerCase()] = (url, data, headers) => {
-    const formData = Object.keys(data).reduce((result, key) => {
+    const formData =
+      data &&
+      Object.keys(data).reduce((result, key) => {
         result.append(key, data[key]);
 
         return result;

client/src/api/index.js

@@ -1,5 +1,6 @@
 import http from './http';
 import socket from './socket';
+import root from './root';
 import accessTokens from './access-tokens';
 import users from './users';
 import projects from './projects';
@@ -20,6 +21,7 @@ import notifications from './notifications';
 export { http, socket };
 
 export default {
+  ...root,
   ...accessTokens,
   ...users,
   ...projects,

client/src/api/root.js

@@ -0,0 +1,9 @@
+import http from './http';
+
+/* Actions */
+
+const getConfig = (headers) => http.get('/config', undefined, headers);
+
+export default {
+  getConfig,
+};

client/src/components/Header/Header.jsx

@@ -3,7 +3,6 @@ import PropTypes from 'prop-types';
 import classNames from 'classnames';
 import { Link } from 'react-router-dom';
 import { Button, Icon, Menu } from 'semantic-ui-react';
-import { useAuth } from 'react-oidc-context';
 import { usePopup } from '../../lib/popup';
 
 import Paths from '../../constants/Paths';
@@ -30,7 +29,6 @@ const Header = React.memo(
     onUserSettingsClick,
     onLogout,
   }) => {
-    const auth = useAuth();
     const handleProjectSettingsClick = useCallback(() => {
       if (canEditProject) {
         onProjectSettingsClick();
@@ -40,11 +38,6 @@ const Header = React.memo(
     const NotificationsPopup = usePopup(NotificationsStep, POPUP_PROPS);
     const UserPopup = usePopup(UserStep, POPUP_PROPS);
 
-    const onFullLogout = () => {
-      auth.signoutSilent();
-      onLogout();
-    };
-
     return (
       <div className={styles.wrapper}>
         {!project && (
@@ -95,7 +88,7 @@ const Header = React.memo(
             <UserPopup
               isLogouting={isLogouting}
               onSettingsClick={onUserSettingsClick}
-              onLogout={onFullLogout}
+              onLogout={onLogout}
             >
               <Menu.Item className={classNames(styles.item, styles.itemHoverable)}>
                 {user.name}

client/src/components/Login/Login.jsx

@@ -1,10 +1,9 @@
 import isEmail from 'validator/lib/isEmail';
 import React, { useCallback, useEffect, useMemo, useRef } from 'react';
-import { useAuth } from 'react-oidc-context';
 import PropTypes from 'prop-types';
 import classNames from 'classnames';
 import { useTranslation } from 'react-i18next';
-import { Form, Grid, Header, Message } from 'semantic-ui-react';
+import { Button, Form, Grid, Header, Message } from 'semantic-ui-react';
 import { useDidUpdate, usePrevious, useToggle } from '../../lib/hooks';
 import { Input } from '../../lib/custom-ui';
 
@@ -29,6 +28,21 @@ const createMessage = (error) => {
         type: 'error',
         content: 'common.invalidPassword',
       };
+    case 'Use single sign-on':
+      return {
+        type: 'error',
+        content: 'common.useSingleSignOn',
+      };
+    case 'Email already in use':
+      return {
+        type: 'error',
+        content: 'common.emailAlreadyInUse',
+      };
+    case 'Username already in use':
+      return {
+        type: 'error',
+        content: 'common.usernameAlreadyInUse',
+      };
     case 'Failed to fetch':
       return {
         type: 'warning',
@@ -48,8 +62,16 @@ const createMessage = (error) => {
 };
 
 const Login = React.memo(
-  ({ defaultData, isSubmitting, error, onAuthenticate, onMessageDismiss }) => {
+  ({
-    const auth = useAuth();
+    defaultData,
+    isSubmitting,
+    isSubmittingWithOidc,
+    error,
+    withOidc,
+    onAuthenticate,
+    onAuthenticateWithOidc,
+    onMessageDismiss,
+  }) => {
     const [t] = useTranslation();
     const wasSubmitting = usePrevious(isSubmitting);
 
@@ -170,12 +192,19 @@ const Login = React.memo(
                         content={t('action.logIn')}
                         floated="right"
                         loading={isSubmitting}
-                        disabled={isSubmitting}
+                        disabled={isSubmitting || isSubmittingWithOidc}
                       />
                     </Form>
-                    <Form.Button type="button" onClick={() => auth.signinRedirect()}>
+                    {withOidc && (
-                      Log in with SSO
+                      <Button
-                    </Form.Button>
+                        type="button"
+                        loading={isSubmittingWithOidc}
+                        disabled={isSubmitting || isSubmittingWithOidc}
+                        onClick={onAuthenticateWithOidc}
+                      >
+                        {t('action.logInWithSSO')}
+                      </Button>
+                    )}
                   </div>
                 </div>
               </Grid.Column>
@@ -206,10 +235,15 @@ const Login = React.memo(
 );
 
 Login.propTypes = {
-  defaultData: PropTypes.object.isRequired, // eslint-disable-line react/forbid-prop-types
+  /* eslint-disable react/forbid-prop-types */
+  defaultData: PropTypes.object.isRequired,
+  /* eslint-enable react/forbid-prop-types */
   isSubmitting: PropTypes.bool.isRequired,
+  isSubmittingWithOidc: PropTypes.bool.isRequired,
   error: PropTypes.object, // eslint-disable-line react/forbid-prop-types
+  withOidc: PropTypes.bool.isRequired,
   onAuthenticate: PropTypes.func.isRequired,
+  onAuthenticateWithOidc: PropTypes.func.isRequired,
   onMessageDismiss: PropTypes.func.isRequired,
 };
 

client/src/components/LoginWrapper.jsx

@@ -0,0 +1,19 @@
+import React from 'react';
+import PropTypes from 'prop-types';
+import { Loader } from 'semantic-ui-react';
+
+import LoginContainer from '../containers/LoginContainer';
+
+const LoginWrapper = React.memo(({ isInitializing }) => {
+  if (isInitializing) {
+    return <Loader active size="massive" />;
+  }
+
+  return <LoginContainer />;
+});
+
+LoginWrapper.propTypes = {
+  isInitializing: PropTypes.bool.isRequired,
+};
+
+export default LoginWrapper;

client/src/components/OIDC/OidcLogin.jsx

@@ -1,19 +0,0 @@
-import { useAuth } from 'react-oidc-context';
-import PropTypes from 'prop-types';
-import React from 'react';
-
-let isLoggingIn = true;
-const OidcLogin = React.memo(({ onAuthenticate }) => {
-  const auth = useAuth();
-  if (isLoggingIn && auth.user) {
-    isLoggingIn = false;
-    const { user } = auth;
-    onAuthenticate(user);
-  }
-});
-
-OidcLogin.propTypes = {
-  onAuthenticate: PropTypes.func.isRequired,
-};
-
-export default OidcLogin;

client/src/components/OIDC/index.js

@@ -1,3 +0,0 @@
-import OidcLogin from './OidcLogin';
-
-export default OidcLogin;

client/src/components/Root.jsx

@@ -1,12 +1,11 @@
 import React from 'react';
 import PropTypes from 'prop-types';
-import { AuthProvider } from 'react-oidc-context';
 import { Provider } from 'react-redux';
 import { Route, Routes } from 'react-router-dom';
 import { ReduxRouter } from '../lib/redux-router';
 
 import Paths from '../constants/Paths';
-import LoginContainer from '../containers/LoginContainer';
+import LoginWrapperContainer from '../containers/LoginWrapperContainer';
 import CoreContainer from '../containers/CoreContainer';
 import NotFound from './NotFound';
 
@@ -15,24 +14,14 @@ import 'photoswipe/dist/photoswipe.css';
 import 'easymde/dist/easymde.min.css';
 import '../lib/custom-ui/styles.css';
 import '../styles.module.scss';
-import OidcLoginContainer from '../containers/OidcLoginContainer';
 
-function Root({ store, history, config }) {
+function Root({ store, history }) {
   return (
-    <AuthProvider
-      authority={config.authority}
-      client_id={config.clientId}
-      redirect_uri={config.redirectUri}
-      scope={config.scopes}
-      onSigninCallback={() => {
-        window.history.replaceState({}, document.title, window.location.pathname);
-      }}
-    >
     <Provider store={store}>
       <ReduxRouter history={history}>
         <Routes>
-            <Route path={Paths.LOGIN} element={<LoginContainer />} />
+          <Route path={Paths.LOGIN} element={<LoginWrapperContainer />} />
-            <Route path={Paths.OIDC_LOGIN} element={<OidcLoginContainer />} />
+          <Route path={Paths.OIDC_CALLBACK} element={<LoginWrapperContainer />} />
           <Route path={Paths.ROOT} element={<CoreContainer />} />
           <Route path={Paths.PROJECTS} element={<CoreContainer />} />
           <Route path={Paths.BOARDS} element={<CoreContainer />} />
@@ -41,14 +30,13 @@ function Root({ store, history, config }) {
         </Routes>
       </ReduxRouter>
     </Provider>
-    </AuthProvider>
   );
 }
+
 Root.propTypes = {
   /* eslint-disable react/forbid-prop-types */
   store: PropTypes.object.isRequired,
   history: PropTypes.object.isRequired,
-  config: PropTypes.object.isRequired,
   /* eslint-enable react/forbid-prop-types */
 };
 

client/src/components/UserSettingsModal/UserSettingsModal.jsx

@@ -16,8 +16,8 @@ const UserSettingsModal = React.memo(
     phone,
     organization,
     language,
-    isLocked,
     subscribeToOwnCards,
+    isLocked,
     isAvatarUpdating,
     usernameUpdateForm,
     emailUpdateForm,
@@ -106,8 +106,8 @@ UserSettingsModal.propTypes = {
   phone: PropTypes.string,
   organization: PropTypes.string,
   language: PropTypes.string,
-  isLocked: PropTypes.bool.isRequired,
   subscribeToOwnCards: PropTypes.bool.isRequired,
+  isLocked: PropTypes.bool.isRequired,
   isAvatarUpdating: PropTypes.bool.isRequired,
   /* eslint-disable react/forbid-prop-types */
   usernameUpdateForm: PropTypes.object.isRequired,

client/src/components/UsersModal/Item/ActionsStep.jsx

@@ -153,12 +153,14 @@ const ActionsStep = React.memo(
                     context: 'title',
                   })}
                 </Menu.Item>
+              </>
+            )}
+            {!user.isLockedAdmin && (
               <Menu.Item className={styles.menuItem} onClick={handleDeleteClick}>
                 {t('action.deleteUser', {
                   context: 'title',
                 })}
               </Menu.Item>
-              </>
             )}
           </Menu>
         </Popup.Content>

client/src/components/UsersModal/Item/Item.jsx

@@ -18,6 +18,7 @@ const Item = React.memo(
     phone,
     isAdmin,
     isLocked,
+    isLockedAdmin,
     emailUpdateForm,
     passwordUpdateForm,
     usernameUpdateForm,
@@ -47,7 +48,7 @@ const Item = React.memo(
         <Table.Cell>{username || '-'}</Table.Cell>
         <Table.Cell>{email}</Table.Cell>
         <Table.Cell>
-          <Radio toggle checked={isAdmin} disabled={isLocked} onChange={handleIsAdminChange} />
+          <Radio toggle checked={isAdmin} disabled={isLockedAdmin} onChange={handleIsAdminChange} />
         </Table.Cell>
         <Table.Cell textAlign="right">
           <ActionsPopup
@@ -59,6 +60,7 @@ const Item = React.memo(
               phone,
               isAdmin,
               isLocked,
+              isLockedAdmin,
               emailUpdateForm,
               passwordUpdateForm,
               usernameUpdateForm,
@@ -91,6 +93,7 @@ Item.propTypes = {
   phone: PropTypes.string,
   isAdmin: PropTypes.bool.isRequired,
   isLocked: PropTypes.bool.isRequired,
+  isLockedAdmin: PropTypes.bool.isRequired,
   /* eslint-disable react/forbid-prop-types */
   emailUpdateForm: PropTypes.object.isRequired,
   passwordUpdateForm: PropTypes.object.isRequired,

client/src/components/UsersModal/UsersModal.jsx

@@ -111,6 +111,7 @@ const UsersModal = React.memo(
                   phone={item.phone}
                   isAdmin={item.isAdmin}
                   isLocked={item.isLocked}
+                  isLockedAdmin={item.isLockedAdmin}
                   emailUpdateForm={item.emailUpdateForm}
                   passwordUpdateForm={item.passwordUpdateForm}
                   usernameUpdateForm={item.usernameUpdateForm}

client/src/constants/ActionTypes.js

@@ -12,9 +12,13 @@ export default {
 
   /* Login */
 
+  LOGIN_INITIALIZE: 'LOGIN_INITIALIZE',
   AUTHENTICATE: 'AUTHENTICATE',
   AUTHENTICATE__SUCCESS: 'AUTHENTICATE__SUCCESS',
   AUTHENTICATE__FAILURE: 'AUTHENTICATE__FAILURE',
+  WITH_OIDC_AUTHENTICATE: 'WITH_OIDC_AUTHENTICATE',
+  WITH_OIDC_AUTHENTICATE__SUCCESS: 'WITH_OIDC_AUTHENTICATE__SUCCESS',
+  WITH_OIDC_AUTHENTICATE__FAILURE: 'WITH_OIDC_AUTHENTICATE__FAILURE',
   AUTHENTICATE_ERROR_CLEAR: 'AUTHENTICATE_ERROR_CLEAR',
 
   /* Core */

client/src/constants/EntryActionTypes.js

@@ -11,11 +11,11 @@ export default {
   /* Login */
 
   AUTHENTICATE: `${PREFIX}/AUTHENTICATE`,
+  WITH_OIDC_AUTHENTICATE: `${PREFIX}/WITH_OIDC_AUTHENTICATE`,
   AUTHENTICATE_ERROR_CLEAR: `${PREFIX}/AUTHENTICATE_ERROR_CLEAR`,
 
   /* Core */
 
-  CORE_INITIALIZE: `${PREFIX}/CORE_INITIALIZE`,
   LOGOUT: `${PREFIX}/LOGOUT`,
 
   /* Modals */

client/src/constants/Paths.js

@@ -2,7 +2,7 @@ import Config from './Config';
 
 const ROOT = `${Config.BASE_PATH}/`;
 const LOGIN = `${Config.BASE_PATH}/login`;
-const OIDC_LOGIN = `${Config.BASE_PATH}/oidclogin`;
+const OIDC_CALLBACK = `${Config.BASE_PATH}/oidc-callback`;
 const PROJECTS = `${Config.BASE_PATH}/projects/:id`;
 const BOARDS = `${Config.BASE_PATH}/boards/:id`;
 const CARDS = `${Config.BASE_PATH}/cards/:id`;
@@ -10,8 +10,8 @@ const CARDS = `${Config.BASE_PATH}/cards/:id`;
 export default {
   ROOT,
   LOGIN,
+  OIDC_CALLBACK,
   PROJECTS,
   BOARDS,
   CARDS,
-  OIDC_LOGIN,
 };

client/src/containers/CoreContainer.js

@@ -4,18 +4,18 @@ import selectors from '../selectors';
 import Core from '../components/Core';
 
 const mapStateToProps = (state) => {
-  const isCoreInitializing = selectors.selectIsCoreInitializing(state);
+  const isInitializing = selectors.selectIsInitializing(state);
   const isSocketDisconnected = selectors.selectIsSocketDisconnected(state);
   const currentModal = selectors.selectCurrentModal(state);
   const currentProject = selectors.selectCurrentProject(state);
   const currentBoard = selectors.selectCurrentBoard(state);
 
   return {
+    isInitializing,
     isSocketDisconnected,
     currentModal,
     currentProject,
     currentBoard,
-    isInitializing: isCoreInitializing,
   };
 };
 

client/src/containers/LoginContainer.js

@@ -1,23 +1,33 @@
 import { bindActionCreators } from 'redux';
 import { connect } from 'react-redux';
 
+import selectors from '../selectors';
 import entryActions from '../entry-actions';
 import Login from '../components/Login';
 
-const mapStateToProps = ({
+const mapStateToProps = (state) => {
+  const oidcConfig = selectors.selectOidcConfig(state);
+
+  const {
     ui: {
-    authenticateForm: { data: defaultData, isSubmitting, error },
+      authenticateForm: { data: defaultData, isSubmitting, isSubmittingWithOidc, error },
     },
-}) => ({
+  } = state;
+
+  return {
     defaultData,
     isSubmitting,
+    isSubmittingWithOidc,
     error,
-});
+    withOidc: !!oidcConfig,
+  };
+};
 
 const mapDispatchToProps = (dispatch) =>
   bindActionCreators(
     {
       onAuthenticate: entryActions.authenticate,
+      onAuthenticateWithOidc: entryActions.authenticateWithOidc,
       onMessageDismiss: entryActions.clearAuthenticateError,
     },
     dispatch,

client/src/containers/LoginWrapperContainer.js

@@ -0,0 +1,14 @@
+import { connect } from 'react-redux';
+
+import selectors from '../selectors';
+import LoginWrapper from '../components/LoginWrapper';
+
+const mapStateToProps = (state) => {
+  const isInitializing = selectors.selectIsInitializing(state);
+
+  return {
+    isInitializing,
+  };
+};
+
+export default connect(mapStateToProps)(LoginWrapper);

client/src/containers/OidcLoginContainer.js

@@ -1,26 +0,0 @@
-import { bindActionCreators } from 'redux';
-import { connect } from 'react-redux';
-
-import entryActions from '../entry-actions';
-import OidcLogin from '../components/OIDC';
-
-const mapStateToProps = ({
-  ui: {
-    authenticateForm: { data: defaultData, isSubmitting, error },
-  },
-}) => ({
-  defaultData,
-  isSubmitting,
-  error,
-});
-
-const mapDispatchToProps = (dispatch) =>
-  bindActionCreators(
-    {
-      onAuthenticate: entryActions.authenticate,
-      onMessageDismiss: entryActions.clearAuthenticateError,
-    },
-    dispatch,
-  );
-
-export default connect(mapStateToProps, mapDispatchToProps)(OidcLogin);

client/src/containers/UserSettingsModalContainer.js

@@ -14,8 +14,8 @@ const mapStateToProps = (state) => {
     phone,
     organization,
     language,
-    isLocked,
     subscribeToOwnCards,
+    isLocked,
     isAvatarUpdating,
     emailUpdateForm,
     passwordUpdateForm,
@@ -30,8 +30,8 @@ const mapStateToProps = (state) => {
     phone,
     organization,
     language,
-    isLocked,
     subscribeToOwnCards,
+    isLocked,
     isAvatarUpdating,
     emailUpdateForm,
     passwordUpdateForm,

client/src/entry-actions/core.js

@@ -1,16 +1,10 @@
 import EntryActionTypes from '../constants/EntryActionTypes';
 
-const initializeCore = () => ({
-  type: EntryActionTypes.CORE_INITIALIZE,
-  payload: {},
-});
-
 const logout = () => ({
   type: EntryActionTypes.LOGOUT,
   payload: {},
 });
 
 export default {
-  initializeCore,
   logout,
 };

client/src/entry-actions/login.js

@@ -7,6 +7,11 @@ const authenticate = (data) => ({
   },
 });
 
+const authenticateWithOidc = () => ({
+  type: EntryActionTypes.WITH_OIDC_AUTHENTICATE,
+  payload: {},
+});
+
 const clearAuthenticateError = () => ({
   type: EntryActionTypes.AUTHENTICATE_ERROR_CLEAR,
   payload: {},
@@ -14,5 +19,6 @@ const clearAuthenticateError = () => ({
 
 export default {
   authenticate,
+  authenticateWithOidc,
   clearAuthenticateError,
 };

client/src/index.js

@@ -1,15 +1,11 @@
 import React from 'react';
 import ReactDOM from 'react-dom/client';
 
-import Config from './constants/Config';
 import store from './store';
 import history from './history';
 import Root from './components/Root';
+
 import './i18n';
 
-fetch(`${Config.SERVER_BASE_URL}/api/appconfig`).then((response) => {
+const root = ReactDOM.createRoot(document.getElementById('root'));
-  response.json().then((config) => {
+root.render(React.createElement(Root, { store, history }));
-    const root = ReactDOM.createRoot(document.getElementById('root'));
-    root.render(React.createElement(Root, { store, history, config }));
-  });
-});

client/src/locales/en/login.js

@@ -11,10 +11,12 @@ export default {
       projectManagement: 'Project management',
       serverConnectionFailed: 'Server connection failed',
       unknownError: 'Unknown error, try again later',
+      useSingleSignOn: 'Use single sign-on',
     },
 
     action: {
       logIn: 'Log in',
+      logInWithSSO: 'Log in with SSO',
     },
   },
 };

client/src/models/User.js

@@ -43,16 +43,13 @@ export default class extends BaseModel {
     organization: attr(),
     language: attr(),
     subscribeToOwnCards: attr(),
+    isAdmin: attr(),
+    isLocked: attr(),
+    isLockedAdmin: attr(),
+    deletedAt: attr(),
     createdAt: attr({
       getDefault: () => new Date(),
     }),
-    deletedAt: attr(),
-    isAdmin: attr({
-      getDefault: () => false,
-    }),
-    isLocked: attr({
-      getDefault: () => false,
-    }),
     isAvatarUpdating: attr({
       getDefault: () => false,
     }),

client/src/reducers/auth.js

@@ -10,6 +10,7 @@ const initialState = {
 export default (state = initialState, { type, payload }) => {
   switch (type) {
     case ActionTypes.AUTHENTICATE__SUCCESS:
+    case ActionTypes.WITH_OIDC_AUTHENTICATE__SUCCESS:
       return {
         ...state,
         accessToken: payload.accessToken,

client/src/reducers/core.js

@@ -4,7 +4,6 @@ import ActionTypes from '../constants/ActionTypes';
 import ModalTypes from '../constants/ModalTypes';
 
 const initialState = {
-  isInitializing: true,
   isLogouting: false,
   currentModal: null,
 };
@@ -18,11 +17,6 @@ export default (state = initialState, { type, payload }) => {
         ...state,
         currentModal: null,
       };
-    case ActionTypes.CORE_INITIALIZE:
-      return {
-        ...state,
-        isInitializing: false,
-      };
     case ActionTypes.LOGOUT__ACCESS_TOKEN_INVALIDATE:
       return {
         ...state,

client/src/reducers/index.js

@@ -3,6 +3,7 @@ import { combineReducers } from 'redux';
 import router from './router';
 import socket from './socket';
 import orm from './orm';
+import root from './root';
 import auth from './auth';
 import core from './core';
 import ui from './ui';
@@ -11,6 +12,7 @@ export default combineReducers({
   router,
   socket,
   orm,
+  root,
   auth,
   core,
   ui,

client/src/reducers/root.js

@@ -0,0 +1,34 @@
+import ActionTypes from '../constants/ActionTypes';
+
+const initialState = {
+  isInitializing: true,
+  config: null,
+};
+
+// eslint-disable-next-line default-param-last
+export default (state = initialState, { type, payload }) => {
+  switch (type) {
+    case ActionTypes.LOGIN_INITIALIZE:
+      return {
+        ...state,
+        isInitializing: false,
+        config: payload.config,
+      };
+    case ActionTypes.AUTHENTICATE__SUCCESS:
+    case ActionTypes.WITH_OIDC_AUTHENTICATE__SUCCESS:
+      return {
+        ...state,
+        isInitializing: true,
+      };
+    case ActionTypes.CORE_INITIALIZE:
+      return {
+        ...state,
+        isInitializing: false,
+        ...(payload.config && {
+          config: payload.config,
+        }),
+      };
+    default:
+      return state;
+  }
+};

client/src/reducers/ui/authenticate-form.js

@@ -1,4 +1,7 @@
+import { LOCATION_CHANGE_HANDLE } from '../../lib/redux-router';
+
 import ActionTypes from '../../constants/ActionTypes';
+import Paths from '../../constants/Paths';
 
 const initialState = {
   data: {
@@ -6,12 +9,22 @@ const initialState = {
     password: '',
   },
   isSubmitting: false,
+  isSubmittingWithOidc: false,
   error: null,
 };
 
 // eslint-disable-next-line default-param-last
 export default (state = initialState, { type, payload }) => {
   switch (type) {
+    case LOCATION_CHANGE_HANDLE:
+      if (payload.location.pathname === Paths.OIDC_CALLBACK) {
+        return {
+          ...state,
+          isSubmittingWithOidc: true,
+        };
+      }
+
+      return state;
     case ActionTypes.AUTHENTICATE:
       return {
         ...state,
@@ -22,6 +35,7 @@ export default (state = initialState, { type, payload }) => {
         isSubmitting: true,
       };
     case ActionTypes.AUTHENTICATE__SUCCESS:
+    case ActionTypes.WITH_OIDC_AUTHENTICATE__SUCCESS:
       return initialState;
     case ActionTypes.AUTHENTICATE__FAILURE:
       return {
@@ -29,6 +43,12 @@ export default (state = initialState, { type, payload }) => {
         isSubmitting: false,
         error: payload.error,
       };
+    case ActionTypes.WITH_OIDC_AUTHENTICATE__FAILURE:
+      return {
+        ...state,
+        isSubmittingWithOidc: false,
+        error: payload.error,
+      };
     case ActionTypes.AUTHENTICATE_ERROR_CLEAR:
       return {
         ...state,

client/src/sagas/core/services/core.js

@@ -1,13 +1,22 @@
-import { call, put, take } from 'redux-saga/effects';
+import { apply, call, put, select, take } from 'redux-saga/effects';
 
 import request from '../request';
 import requests from '../requests';
+import selectors from '../../../selectors';
 import actions from '../../../actions';
 import api from '../../../api';
 import i18n from '../../../i18n';
+import { createOidcManager } from '../../../utils/oidc-manager';
 import { removeAccessToken } from '../../../utils/access-token-storage';
 
 export function* initializeCore() {
+  const currentConfig = yield select(selectors.selectConfig); // TODO: add boolean selector?
+
+  let config;
+  if (!currentConfig) {
+    ({ item: config } = yield call(api.getConfig)); // TODO: handle error
+  }
+
   const {
     user,
     board,
@@ -32,6 +41,7 @@ export function* initializeCore() {
 
   yield put(
     actions.initializeCore(
+      config,
       user,
       board,
       users,
@@ -74,6 +84,16 @@ export function* logout(invalidateAccessToken = true) {
     } catch (error) {} // eslint-disable-line no-empty
   }
 
+  const oidcConfig = yield select(selectors.selectOidcConfig);
+
+  if (oidcConfig) {
+    const oidcManager = createOidcManager(oidcConfig);
+
+    try {
+      yield apply(oidcManager, oidcManager.logout);
+    } catch (error) {} // eslint-disable-line no-empty
+  }
+
   yield put(actions.logout());
   yield take();
 }

client/src/sagas/core/services/router.js

@@ -33,15 +33,16 @@ export function* handleLocationChange() {
 
   switch (pathsMatch.pattern.path) {
     case Paths.LOGIN:
+    case Paths.OIDC_CALLBACK:
       yield call(goToRoot);
 
-      break;
+      return;
     default:
   }
 
-  const isCoreInitializing = yield select(selectors.selectIsCoreInitializing);
+  const isInitializing = yield select(selectors.selectIsInitializing);
 
-  if (isCoreInitializing) {
+  if (isInitializing) {
     yield take(ActionTypes.CORE_INITIALIZE);
   }
 

client/src/sagas/core/watchers/core.js

@@ -4,8 +4,5 @@ import services from '../services';
 import EntryActionTypes from '../../../constants/EntryActionTypes';
 
 export default function* coreWatchers() {
-  yield all([
+  yield all([takeEvery(EntryActionTypes.LOGOUT, () => services.logout())]);
-    takeEvery(EntryActionTypes.CORE_INITIALIZE, () => services.initializeCore()),
-    takeEvery(EntryActionTypes.LOGOUT, () => services.logout()),
-  ]);
 }

client/src/sagas/login/index.js

@@ -7,7 +7,9 @@ import ActionTypes from '../../constants/ActionTypes';
 export default function* loginSaga() {
   const watcherTasks = yield all(watchers.map((watcher) => fork(watcher)));
 
-  yield take(ActionTypes.AUTHENTICATE__SUCCESS);
+  yield fork(services.initializeLogin);
+
+  yield take([ActionTypes.AUTHENTICATE__SUCCESS, ActionTypes.WITH_OIDC_AUTHENTICATE__SUCCESS]);
 
   yield cancel(watcherTasks);
   yield call(services.goToRoot);

client/src/sagas/login/services/login.js

@@ -1,19 +1,25 @@
-import { call, put } from 'redux-saga/effects';
+import { apply, call, put, select } from 'redux-saga/effects';
+import { replace } from '../../../lib/redux-router';
 
+import selectors from '../../../selectors';
 import actions from '../../../actions';
 import api from '../../../api';
+import { createOidcManager } from '../../../utils/oidc-manager';
 import { setAccessToken } from '../../../utils/access-token-storage';
+import Paths from '../../../constants/Paths';
+
+export function* initializeLogin() {
+  const { item: config } = yield call(api.getConfig); // TODO: handle error
+
+  yield put(actions.initializeLogin(config));
+}
 
 export function* authenticate(data) {
   yield put(actions.authenticate(data));
 
-  let accessToken = data.access_token;
+  let accessToken;
   try {
-    if (accessToken) {
-      ({ item: accessToken } = yield call(api.exchangeOidcToken, accessToken));
-    } else {
     ({ item: accessToken } = yield call(api.createAccessToken, data));
-    }
   } catch (error) {
     yield put(actions.authenticate.failure(error));
     return;
@@ -23,11 +29,50 @@ export function* authenticate(data) {
   yield put(actions.authenticate.success(accessToken));
 }
 
+export function* authenticateWithOidc() {
+  const oidcConfig = yield select(selectors.selectOidcConfig);
+  const oidcManager = createOidcManager(oidcConfig);
+
+  yield apply(oidcManager, oidcManager.login);
+}
+
+export function* authenticateWithOidcCallback() {
+  const oidcConfig = yield select(selectors.selectOidcConfig);
+  const oidcManager = createOidcManager(oidcConfig);
+
+  let oidcToken;
+  try {
+    ({ access_token: oidcToken } = yield apply(oidcManager, oidcManager.loginCallback));
+  } catch (error) {
+    yield put(actions.authenticateWithOidc.failure(error));
+  }
+
+  yield put(replace(Paths.LOGIN));
+
+  if (oidcToken) {
+    let accessToken;
+    try {
+      ({ item: accessToken } = yield call(api.exchangeToAccessToken, {
+        token: oidcToken,
+      }));
+    } catch (error) {
+      yield put(actions.authenticateWithOidc.failure(error));
+      return;
+    }
+
+    yield call(setAccessToken, accessToken);
+    yield put(actions.authenticateWithOidc.success(accessToken));
+  }
+}
+
 export function* clearAuthenticateError() {
   yield put(actions.clearAuthenticateError());
 }
 
 export default {
+  initializeLogin,
   authenticate,
+  authenticateWithOidc,
+  authenticateWithOidcCallback,
   clearAuthenticateError,
 };

client/src/sagas/login/services/router.js

@@ -1,7 +1,9 @@
-import { call, put, select } from 'redux-saga/effects';
+import { call, put, select, take } from 'redux-saga/effects';
 import { push } from '../../../lib/redux-router';
 
+import { authenticateWithOidcCallback } from './login';
 import selectors from '../../../selectors';
+import ActionTypes from '../../../constants/ActionTypes';
 import Paths from '../../../constants/Paths';
 
 export function* goToLogin() {
@@ -27,6 +29,19 @@ export function* handleLocationChange() {
       yield call(goToLogin);
 
       break;
+    case Paths.OIDC_CALLBACK: {
+      const isInitializing = yield select(selectors.selectIsInitializing);
+
+      if (isInitializing) {
+        yield take(ActionTypes.LOGIN_INITIALIZE);
+      }
+
+      // TODO: check if OIDC is enabled
+
+      yield call(authenticateWithOidcCallback);
+
+      break;
+    }
     default:
   }
 }

client/src/sagas/login/watchers/login.js

@@ -8,6 +8,7 @@ export default function* loginWatchers() {
     takeEvery(EntryActionTypes.AUTHENTICATE, ({ payload: { data } }) =>
       services.authenticate(data),
     ),
+    takeEvery(EntryActionTypes.WITH_OIDC_AUTHENTICATE, () => services.authenticateWithOidc()),
     takeEvery(EntryActionTypes.AUTHENTICATE_ERROR_CLEAR, () => services.clearAuthenticateError()),
   ]);
 }

client/src/selectors/core.js

@@ -6,8 +6,6 @@ import Config from '../constants/Config';
 
 export const selectAccessToken = ({ auth: { accessToken } }) => accessToken;
 
-export const selectIsCoreInitializing = ({ core: { isInitializing } }) => isInitializing;
-
 export const selectIsLogouting = ({ core: { isLogouting } }) => isLogouting;
 
 const nextPosition = (items, index, excludedId) => {
@@ -115,7 +113,6 @@ export const selectNextTaskPosition = createSelector(
 
 export default {
   selectAccessToken,
-  selectIsCoreInitializing,
   selectIsLogouting,
   selectNextBoardPosition,
   selectNextLabelPosition,

client/src/selectors/index.js

@@ -1,5 +1,6 @@
 import router from './router';
 import socket from './socket';
+import root from './root';
 import core from './core';
 import modals from './modals';
 import users from './users';
@@ -16,6 +17,7 @@ import attachments from './attachments';
 export default {
   ...router,
   ...socket,
+  ...root,
   ...core,
   ...modals,
   ...users,

client/src/selectors/root.js

@@ -0,0 +1,11 @@
+export const selectIsInitializing = ({ root: { isInitializing } }) => isInitializing;
+
+export const selectConfig = ({ root: { config } }) => config;
+
+export const selectOidcConfig = (state) => selectConfig(state).oidc;
+
+export default {
+  selectIsInitializing,
+  selectConfig,
+  selectOidcConfig,
+};

client/src/utils/oidc-manager.js

@@ -0,0 +1,27 @@
+import { UserManager } from 'oidc-client-ts';
+
+export default class OidcManager {
+  constructor(config) {
+    this.userManager = new UserManager({
+      ...config,
+      authority: config.issuer,
+      client_id: config.clientId,
+      redirect_uri: config.redirectUri,
+      scope: config.scopes,
+    });
+  }
+
+  login() {
+    return this.userManager.signinRedirect();
+  }
+
+  loginCallback() {
+    return this.userManager.signinRedirectCallback();
+  }
+
+  logout() {
+    return this.userManager.signoutSilent();
+  }
+}
+
+export const createOidcManager = (config) => new OidcManager(config);

docker-compose.yml

@@ -37,6 +37,16 @@ services:
 
       # Configure knex to accept SSL certificates
       # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
+
+      # - OIDC_ISSUER=
+      # - OIDC_CLIENT_ID=
+      # - OIDC_REDIRECT_URI=http://localhost:3000/oidc-callback
+      # - OIDC_SCOPES=openid email profile
+      # - OIDC_JWKS_URI=
+      # - OIDC_AUDIENCE=
+      # - OIDC_ADMIN_ROLES=admin
+      # - OIDC_ROLES_ATTRIBUTE=groups
+      # - OIDC_SKIP_USER_INFO=true
     depends_on:
       - postgres
 

server/.env.sample

@@ -24,6 +24,16 @@ DEFAULT_ADMIN_USERNAME=demo
 # Configure knex to accept SSL certificates
 # KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
 
+# OIDC_ISSUER=
+# OIDC_CLIENT_ID=
+# OIDC_REDIRECT_URI=http://localhost:1337/oidc-callback
+# OIDC_SCOPES=openid email profile
+# OIDC_JWKS_URI=
+# OIDC_AUDIENCE=
+# OIDC_ADMIN_ROLES=admin
+# OIDC_ROLES_ATTRIBUTE=groups
+# OIDC_SKIP_USER_INFO=true
+
 ## Do not edit this
 
 TZ=UTC

server/api/controllers/access-tokens/create.js

@@ -10,6 +10,9 @@ const Errors = {
   INVALID_PASSWORD: {
     invalidPassword: 'Invalid password',
   },
+  USE_SINGLE_SIGN_ON: {
+    useSingleSignOn: 'Use single sign-on',
+  },
 };
 
 const emailOrUsernameValidator = (value) =>
@@ -37,6 +40,9 @@ module.exports = {
     invalidPassword: {
       responseType: 'unauthorized',
     },
+    useSingleSignOn: {
+      responseType: 'forbidden',
+    },
   },
 
   async fn(inputs) {
@@ -44,6 +50,10 @@ module.exports = {
 
     const user = await sails.helpers.users.getOneByEmailOrUsername(inputs.emailOrUsername);
 
+    if (user.isSso) {
+      throw Errors.USE_SINGLE_SIGN_ON;
+    }
+
     if (!user) {
       sails.log.warn(
         `Invalid email or username: "${inputs.emailOrUsername}"! (IP: ${remoteAddress})`,

server/api/controllers/access-tokens/exchange.js

@@ -1,88 +1,20 @@
-const jwt = require('jsonwebtoken');
-const jwksClient = require('jwks-rsa');
-const openidClient = require('openid-client');
 const { getRemoteAddress } = require('../../../utils/remoteAddress');
 
 const Errors = {
   INVALID_TOKEN: {
-    invalidToken: 'Access Token is invalid',
+    invalidToken: 'Invalid token',
+  },
+  EMAIL_ALREADY_IN_USE: {
+    emailAlreadyInUse: 'Email already in use',
+  },
+  USERNAME_ALREADY_IN_USE: {
+    usernameAlreadyInUse: 'Username already in use',
   },
   MISSING_VALUES: {
-    missingValues:
+    missingValues: 'Unable to retrieve required values (email, name)',
-      'Unable to retrieve required values. Verify the access token or UserInfo endpoint has email, username and name claims',
   },
 };
 
-const jwks = jwksClient({
-  jwksUri: sails.config.custom.oidcJwksUri,
-  requestHeaders: {}, // Optional
-  timeout: 30000, // Defaults to 30s
-});
-
-const getJwtVerificationOptions = () => {
-  const options = {};
-  if (sails.config.custom.oidcIssuer) {
-    options.issuer = sails.config.custom.oidcIssuer;
-  }
-  if (sails.config.custom.oidcAudience) {
-    options.audience = sails.config.custom.oidcAudience;
-  }
-  return options;
-};
-
-const validateAndDecodeToken = async (accessToken, options) => {
-  const keys = await jwks.getSigningKeys();
-  let validToken = {};
-
-  const isTokenValid = keys.some((signingKey) => {
-    try {
-      const key = signingKey.getPublicKey();
-      validToken = jwt.verify(accessToken, key, options);
-      return 'true';
-    } catch (error) {
-      sails.log.error(error);
-    }
-    return false;
-  });
-
-  if (!isTokenValid) {
-    const tokenForLogging = jwt.decode(accessToken);
-    const remoteAddress = getRemoteAddress(this.req);
-
-    sails.log.warn(
-      `invalid token: sub: "${tokenForLogging.sub}" issuer: "${tokenForLogging.iss}" audience: "${tokenForLogging.aud}" exp: ${tokenForLogging.exp} (IP: ${remoteAddress})`,
-    );
-    throw Errors.INVALID_TOKEN;
-  }
-  return validToken;
-};
-
-const getUserInfo = async (accessToken, options) => {
-  if (sails.config.custom.oidcSkipUserInfo) {
-    return {};
-  }
-  const issuer = await openidClient.Issuer.discover(options.issuer);
-  const oidcClient = new issuer.Client({
-    client_id: 'irrelevant',
-  });
-  const userInfo = await oidcClient.userinfo(accessToken);
-  return userInfo;
-};
-const mergeUserData = (validToken, userInfo) => {
-  const oidcUser = { ...validToken, ...userInfo };
-  return oidcUser;
-};
-const getOrCreateUser = async (newUser) => {
-  const user = await User.findOne({
-    where: {
-      username: newUser.username,
-    },
-  });
-  if (user) {
-    return user;
-  }
-  return User.create(newUser).fetch();
-};
 module.exports = {
   inputs: {
     token: {
@@ -95,83 +27,41 @@ module.exports = {
     invalidToken: {
       responseType: 'unauthorized',
     },
+    emailAlreadyInUse: {
+      responseType: 'conflict',
+    },
+    usernameAlreadyInUse: {
+      responseType: 'conflict',
+    },
     missingValues: {
-      responseType: 'unauthorized',
+      responseType: 'unprocessableEntity',
     },
   },
 
   async fn(inputs) {
-    const options = getJwtVerificationOptions();
-    const validToken = await validateAndDecodeToken(inputs.token, options);
-    const userInfo = await getUserInfo(inputs.token, options);
-    const oidcUser = mergeUserData(validToken, userInfo);
-
-    const now = new Date();
-    let isAdmin = false;
-    if (sails.config.custom.oidcAdminRoles.includes('*')) isAdmin = true;
-    else if (Array.isArray(oidcUser[sails.config.custom.oidcRolesAttribute])) {
-      const userRoles = new Set(oidcUser[sails.config.custom.oidcRolesAttribute]);
-      isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;
-    }
-
-    const newUser = {
-      email: oidcUser.email,
-      isAdmin,
-      name: oidcUser.name,
-      username: oidcUser.preferred_username,
-      subscribeToOwnCards: false,
-      createdAt: now,
-      updatedAt: now,
-      locked: true,
-    };
-
-    if (!newUser.email || !newUser.username || !newUser.name) {
-      sails.log.error(Errors.MISSING_VALUES.missingValues);
-      throw Errors.MISSING_VALUES;
-    }
-
-    const identityProviderUser = await IdentityProviderUser.findOne({
-      where: {
-        issuer: oidcUser.iss,
-        sub: oidcUser.sub,
-      },
-    }).populate('userId');
-
-    let user = identityProviderUser ? identityProviderUser.userId : {};
-    if (!identityProviderUser) {
-      user = await getOrCreateUser(newUser);
-      await IdentityProviderUser.create({
-        issuer: oidcUser.iss,
-        sub: oidcUser.sub,
-        userId: user.id,
-      });
-    }
-
-    const controlledFields = ['email', 'password', 'isAdmin', 'name', 'username'];
-    const updateFields = {};
-    controlledFields.forEach((field) => {
-      if (user[field] !== newUser[field]) {
-        updateFields[field] = newUser[field];
-      }
-    });
-
-    if (Object.keys(updateFields).length > 0) {
-      updateFields.updatedAt = now;
-      await User.updateOne({ id: user.id }).set(updateFields);
-    }
-
-    const plankaToken = sails.helpers.utils.createToken(user.id);
-
     const remoteAddress = getRemoteAddress(this.req);
+
+    const user = await sails.helpers.users
+      .getOrCreateOneByOidcToken(inputs.token)
+      .intercept('invalidToken', () => {
+        sails.log.warn(`Invalid token! (IP: ${remoteAddress})`);
+        return Errors.INVALID_TOKEN;
+      })
+      .intercept('emailAlreadyInUse', () => Errors.EMAIL_ALREADY_IN_USE)
+      .intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE)
+      .intercept('missingValues', () => Errors.MISSING_VALUES);
+
+    const accessToken = sails.helpers.utils.createToken(user.id);
+
     await Session.create({
-      accessToken: plankaToken,
+      accessToken,
       remoteAddress,
       userId: user.id,
       userAgent: this.req.headers['user-agent'],
     });
 
     return {
-      item: plankaToken,
+      item: accessToken,
     };
   },
 };

server/api/controllers/appconfig/index.js

@@ -1,11 +0,0 @@
-module.exports = {
-  async fn() {
-    const config = {
-      authority: sails.config.custom.oidcIssuer,
-      clientId: sails.config.custom.oidcClientId,
-      redirectUri: sails.config.custom.oidcredirectUri,
-      scopes: sails.config.custom.oidcScopes,
-    };
-    return config;
-  },
-};

server/api/controllers/show-config.js

@@ -0,0 +1,16 @@
+module.exports = {
+  fn() {
+    return {
+      item: {
+        oidc: sails.config.custom.oidcIssuer
+          ? {
+              issuer: sails.config.custom.oidcIssuer,
+              clientId: sails.config.custom.oidcClientId,
+              redirectUri: sails.config.custom.oidcRedirectUri,
+              scopes: sails.config.custom.oidcScopes,
+            }
+          : null,
+      },
+    };
+  },
+};

server/api/controllers/users/delete.js

@@ -1,4 +1,7 @@
 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
   USER_NOT_FOUND: {
     userNotFound: 'User not found',
   },
@@ -14,6 +17,9 @@ module.exports = {
   },
 
   exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
     userNotFound: {
       responseType: 'notFound',
     },
@@ -27,7 +33,7 @@ module.exports = {
     }
 
     if (user.email === sails.config.custom.defaultAdminEmail) {
-      throw Errors.USER_NOT_FOUND; // Forbidden
+      throw Errors.NOT_ENOUGH_RIGHTS;
     }
 
     user = await sails.helpers.users.deleteOne.with({

server/api/controllers/users/update-email.js

@@ -1,6 +1,9 @@
 const bcrypt = require('bcrypt');
 
 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
   USER_NOT_FOUND: {
     userNotFound: 'User not found',
   },
@@ -31,6 +34,9 @@ module.exports = {
   },
 
   exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
     userNotFound: {
       responseType: 'notFound',
     },
@@ -59,8 +65,8 @@ module.exports = {
       throw Errors.USER_NOT_FOUND;
     }
 
-    if (user.email === sails.config.custom.defaultAdminEmail) {
+    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
-      throw Errors.USER_NOT_FOUND; // Forbidden
+      throw Errors.NOT_ENOUGH_RIGHTS;
     }
 
     if (

server/api/controllers/users/update-password.js

@@ -4,6 +4,9 @@ const zxcvbn = require('zxcvbn');
 const { getRemoteAddress } = require('../../../utils/remoteAddress');
 
 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
   USER_NOT_FOUND: {
     userNotFound: 'User not found',
   },
@@ -33,6 +36,9 @@ module.exports = {
   },
 
   exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
     userNotFound: {
       responseType: 'notFound',
     },
@@ -58,8 +64,8 @@ module.exports = {
       throw Errors.USER_NOT_FOUND;
     }
 
-    if (user.email === sails.config.custom.defaultAdminEmail) {
+    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
-      throw Errors.USER_NOT_FOUND; // Forbidden
+      throw Errors.NOT_ENOUGH_RIGHTS;
     }
 
     if (

server/api/controllers/users/update-username.js

@@ -1,6 +1,9 @@
 const bcrypt = require('bcrypt');
 
 const Errors = {
+  NOT_ENOUGH_RIGHTS: {
+    notEnoughRights: 'Not enough rights',
+  },
   USER_NOT_FOUND: {
     userNotFound: 'User not found',
   },
@@ -33,6 +36,9 @@ module.exports = {
   },
 
   exits: {
+    notEnoughRights: {
+      responseType: 'forbidden',
+    },
     userNotFound: {
       responseType: 'notFound',
     },
@@ -61,8 +67,8 @@ module.exports = {
       throw Errors.USER_NOT_FOUND;
     }
 
-    if (user.email === sails.config.custom.defaultAdminEmail) {
+    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
-      throw Errors.USER_NOT_FOUND; // Forbidden
+      throw Errors.NOT_ENOUGH_RIGHTS;
     }
 
     if (

server/api/controllers/users/update.js

@@ -72,6 +72,8 @@ module.exports = {
       delete inputs.isAdmin;
       delete inputs.name;
       /* eslint-enable no-param-reassign */
+    } else if (user.isSso) {
+      delete inputs.name; // eslint-disable-line no-param-reassign
     }
 
     const values = {

server/api/helpers/users/create-one.js

@@ -9,7 +9,7 @@ const valuesValidator = (value) => {
     return false;
   }
 
-  if (!_.isString(value.password)) {
+  if (!_.isNil(value.password) && !_.isString(value.password)) {
     return false;
   }
 
@@ -40,6 +40,10 @@ module.exports = {
   async fn(inputs) {
     const { values } = inputs;
 
+    if (values.password) {
+      values.password = bcrypt.hashSync(values.password, 10);
+    }
+
     if (values.username) {
       values.username = values.username.toLowerCase();
     }
@@ -47,7 +51,6 @@ module.exports = {
     const user = await User.create({
       ...values,
       email: values.email.toLowerCase(),
-      password: bcrypt.hashSync(values.password, 10),
     })
       .intercept(
         {

server/api/helpers/users/delete-one.js

@@ -10,6 +10,10 @@ module.exports = {
   },
 
   async fn(inputs) {
+    await IdentityProviderUser.destroy({
+      userId: inputs.record.id,
+    });
+
     await ProjectManager.destroy({
       userId: inputs.record.id,
     });

server/api/helpers/users/get-or-create-one-by-oidc-token.js

@@ -0,0 +1,159 @@
+const jwt = require('jsonwebtoken');
+const jwksClient = require('jwks-rsa');
+const openidClient = require('openid-client');
+
+const jwks = jwksClient({
+  jwksUri: sails.config.custom.oidcJwksUri,
+});
+
+const verifyOidcToken = async (oidcToken) => {
+  const signingKeys = await jwks.getSigningKeys();
+
+  const options = {
+    issuer: sails.config.custom.oidcIssuer,
+  };
+
+  if (sails.config.custom.oidcAudience) {
+    options.audience = sails.config.custom.oidcAudience;
+  }
+
+  let payload = null;
+  signingKeys.some((signingKey) => {
+    try {
+      const publicKey = signingKey.getPublicKey();
+      payload = jwt.verify(oidcToken, publicKey, options);
+    } catch (error) {
+      sails.log.error(error);
+    }
+
+    return !!payload;
+  });
+
+  return payload;
+};
+
+const getUserInfo = async (oidcToken) => {
+  const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);
+
+  const client = new issuer.Client({
+    client_id: 'irrelevant',
+  });
+
+  return client.userinfo(oidcToken);
+};
+
+module.exports = {
+  inputs: {
+    token: {
+      type: 'string',
+      required: true,
+    },
+  },
+
+  exits: {
+    invalidToken: {},
+    missingValues: {},
+    emailAlreadyInUse: {},
+    usernameAlreadyInUse: {},
+  },
+
+  async fn(inputs) {
+    const oidcUser = await verifyOidcToken(inputs.token);
+
+    if (!oidcUser) {
+      throw 'invalidToken';
+    }
+
+    if (!sails.config.custom.oidcSkipUserInfo) {
+      const userInfo = await getUserInfo(inputs.token);
+      Object.assign(oidcUser, userInfo);
+    }
+
+    if (!oidcUser.email || !oidcUser.name) {
+      throw 'missingValues';
+    }
+
+    let isAdmin = false;
+    if (sails.config.custom.oidcAdminRoles.includes('*')) {
+      isAdmin = true;
+    } else {
+      const roles = oidcUser[sails.config.custom.oidcRolesAttribute];
+
+      if (Array.isArray(roles)) {
+        isAdmin = sails.config.custom.oidcAdminRoles.some((role) => roles.includes(role));
+      }
+    }
+
+    const values = {
+      isAdmin,
+      email: oidcUser.email,
+      isSso: true,
+      name: oidcUser.name,
+      username: oidcUser.preferred_username,
+      subscribeToOwnCards: false,
+    };
+
+    let user;
+    /* eslint-disable no-constant-condition, no-await-in-loop */
+    while (true) {
+      let identityProviderUser = await IdentityProviderUser.findOne({
+        issuer: oidcUser.iss,
+        sub: oidcUser.sub,
+      });
+
+      if (identityProviderUser) {
+        user = await sails.helpers.users.getOne(identityProviderUser.userId);
+      } else {
+        while (true) {
+          user = await sails.helpers.users.getOne({
+            email: values.email,
+          });
+
+          if (!user) {
+            user = await sails.helpers.users
+              .createOne(values)
+              .tolerate('emailAlreadyInUse')
+              .intercept('usernameAlreadyInUse', 'usernameAlreadyInUse');
+          }
+
+          if (user) {
+            break;
+          }
+        }
+
+        identityProviderUser = await IdentityProviderUser.create({
+          userId: user.id,
+          issuer: oidcUser.iss,
+          sub: oidcUser.sub,
+        }).tolerate('E_UNIQUE');
+      }
+
+      if (identityProviderUser) {
+        break;
+      }
+    }
+    /* eslint-enable no-constant-condition, no-await-in-loop */
+
+    const updateFieldKeys = ['email', 'isAdmin', 'isSso', 'name', 'username'];
+
+    const updateValues = updateFieldKeys.reduce((result, fieldKey) => {
+      if (values[fieldKey] === user[fieldKey]) {
+        return result;
+      }
+
+      return {
+        ...result,
+        [fieldKey]: values[fieldKey],
+      };
+    }, {});
+
+    if (Object.keys(updateValues).length > 0) {
+      user = await sails.helpers.users
+        .updateOne(user, updateValues, {}) // FIXME: hack for last parameter
+        .intercept('emailAlreadyInUse', 'emailAlreadyInUse')
+        .intercept('usernameAlreadyInUse', 'usernameAlreadyInUse');
+    }
+
+    return user;
+  },
+};

server/api/models/User.js

@@ -24,6 +24,11 @@ module.exports = {
       defaultsTo: false,
       columnName: 'is_admin',
     },
+    isSso: {
+      type: 'boolean',
+      defaultsTo: false,
+      columnName: 'is_sso',
+    },
     name: {
       type: 'string',
       required: true,
@@ -67,10 +72,6 @@ module.exports = {
       type: 'ref',
       columnName: 'password_changed_at',
     },
-    locked: {
-      type: 'boolean',
-      columnName: 'locked',
-    },
 
     //  ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗
     //  ║╣ ║║║╠╩╗║╣  ║║╚═╗
@@ -109,12 +110,15 @@ module.exports = {
   tableName: 'user_account',
 
   customToJSON() {
+    const isLockedAdmin = this.email === sails.config.custom.defaultAdminEmail;
+
     return {
-      ..._.omit(this, ['password', 'avatar', 'passwordChangedAt']),
+      ..._.omit(this, ['password', 'isSso', 'avatar', 'passwordChangedAt']),
+      isLockedAdmin,
+      isLocked: this.isSso || isLockedAdmin,
       avatarUrl:
         this.avatar &&
         `${sails.config.custom.userAvatarsUrl}/${this.avatar.dirname}/square-100.${this.avatar.extension}`,
-      isLocked: this.email === sails.config.custom.defaultAdminEmail,
     };
   },
 };

server/config/custom.js

@@ -31,15 +31,15 @@ module.exports.custom = {
   attachmentsPath: path.join(sails.config.appPath, 'private', 'attachments'),
   attachmentsUrl: `${process.env.BASE_URL}/attachments`,
 
-  oidcIssuer: process.env.OIDC_ISSUER,
-  oidcAudience: process.env.OIDC_AUDIENCE,
-  oidcClientId: process.env.OIDC_CLIENT_ID,
-  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
-  oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
-  oidcredirectUri: process.env.OIDC_REDIRECT_URI,
-  oidcJwksUri: process.env.OIDC_JWKS_URI,
-  oidcScopes: process.env.OIDC_SCOPES || 'openid profile email',
-  oidcSkipUserInfo: process.env.OIDC_SKIP_USER_INFO === 'true',
-
   defaultAdminEmail: process.env.DEFAULT_ADMIN_EMAIL,
+
+  oidcIssuer: process.env.OIDC_ISSUER,
+  oidcClientId: process.env.OIDC_CLIENT_ID,
+  oidcRedirectUri: process.env.OIDC_REDIRECT_URI,
+  oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
+  oidcJwksUri: process.env.OIDC_JWKS_URI,
+  oidcAudience: process.env.OIDC_AUDIENCE,
+  oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
+  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
+  oidcSkipUserInfo: process.env.OIDC_SKIP_USER_INFO === 'true',
 };

server/config/policies.js

@@ -23,7 +23,7 @@ module.exports.policies = {
 
   'projects/create': ['is-authenticated', 'is-admin'],
 
+  'show-config': true,
   'access-tokens/create': true,
   'access-tokens/exchange': true,
-  'appconfig/index': true,
 };

server/config/routes.js

@@ -9,7 +9,7 @@
  */
 
 module.exports.routes = {
-  'GET /api/appconfig': 'appconfig/index',
+  'GET /api/config': 'show-config',
 
   'POST /api/access-tokens': 'access-tokens/create',
   'POST /api/access-tokens/exchange': 'access-tokens/exchange',

server/db/migrations/20230809022050_create_identity_provider_user.js

@@ -1,24 +0,0 @@
-module.exports.up = (knex) =>
-  knex.schema.createTable('identity_provider_user', (table) => {
-    /* Columns */
-
-    table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
-    table.timestamp('created_at', true);
-    table.timestamp('updated_at', true);
-
-    table
-      .bigInteger('user_id')
-      .notNullable()
-      .references('id')
-      .inTable('user_account')
-      .onDelete('CASCADE');
-
-    table.text('issuer').notNullable();
-    table.text('sub').notNullable();
-
-    /* Indexes */
-
-    table.index('user_id');
-  });
-
-module.exports.down = (knex) => knex.schema.dropTable('identity_provider_user');

server/db/migrations/20230809022050_oidc_with_pkce_flow.js

@@ -0,0 +1,44 @@
+module.exports.up = async (knex) => {
+  await knex.schema.createTable('identity_provider_user', (table) => {
+    /* Columns */
+
+    table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
+
+    table.bigInteger('user_id').notNullable();
+
+    table.text('issuer').notNullable();
+    table.text('sub').notNullable();
+
+    table.timestamp('created_at', true);
+    table.timestamp('updated_at', true);
+
+    /* Indexes */
+
+    table.unique(['issuer', 'sub']);
+    table.index('user_id');
+  });
+
+  await knex.schema.table('user_account', (table) => {
+    /* Columns */
+
+    table.boolean('is_sso').notNullable().default(false);
+
+    /* Modifications */
+
+    table.setNullable('password');
+  });
+
+  return knex.schema.alterTable('user_account', (table) => {
+    table.boolean('is_sso').notNullable().alter();
+  });
+};
+
+module.exports.down = async (knex) => {
+  await knex.schema.dropTable('identity_provider_user');
+
+  return knex.schema.table('user_account', (table) => {
+    table.dropColumn('is_sso');
+
+    table.dropNullable('password');
+  });
+};

server/db/migrations/20230809024146_all_null_password_field.js

@@ -1,11 +0,0 @@
-module.exports.up = async (knex) => {
-  return knex.schema.table('user_account', (table) => {
-    table.setNullable('password');
-  });
-};
-
-module.exports.down = async (knex) => {
-  return knex.schema.table('user_account', (table) => {
-    table.dropNullable('password');
-  });
-};

server/db/migrations/20230809025904_add_lock_to_user_account.js

@@ -1,11 +0,0 @@
-module.exports.up = async (knex) => {
-  return knex.schema.table('user_account', (table) => {
-    table.boolean('locked').default(false);
-  });
-};
-
-module.exports.down = async (knex) => {
-  return knex.schema.table('user_account', (table) => {
-    table.dropColumn('locked');
-  });
-};

server/db/seeds/default.js

@@ -3,6 +3,7 @@ const bcrypt = require('bcrypt');
 const buildData = () => {
   const data = {
     isAdmin: true,
+    isSso: false,
   };
 
   if (process.env.DEFAULT_ADMIN_PASSWORD) {