dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

Fix OIDC errors for "Failed to get user information"

Browse Source
This commit is contained in:
LukeGus
2025-09-02 16:55:08 -05:00
parent 2ccc487629
commit 7d0d47ebe1
2 changed files with 68 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
src/backend/database/routes/users.ts
View File

@@ -12,9 +12,19 @@ import type {Request, Response, NextFunction} from 'express';
async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: string): Promise<any> {
try {
let jwksUrl: string | null = null;
const normalizedIssuerUrl = issuerUrl.endsWith('/') ? issuerUrl.slice(0, -1) : issuerUrl;
const possibleIssuers = [
issuerUrl,
normalizedIssuerUrl,
issuerUrl.replace(/\/application\/o\/[^\/]+$/, ''),
normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')
];
const jwksUrls = [
`${normalizedIssuerUrl}/.well-known/jwks.json`,
`${normalizedIssuerUrl}/jwks/`,
`${normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')}/.well-known/jwks.json`
];
try {
const discoveryUrl = `${normalizedIssuerUrl}/.well-known/openid-configuration`;
@@ -22,53 +32,33 @@ async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: str
if (discoveryResponse.ok) {
const discovery = await discoveryResponse.json() as any;
if (discovery.jwks_uri) {
jwksUrl = discovery.jwks_uri;
} else {
logger.warn('OIDC discovery document does not contain jwks_uri');
jwksUrls.unshift(discovery.jwks_uri);
}
} else {
logger.warn(`OIDC discovery failed with status: ${discoveryResponse.status}`);
}
} catch (discoveryError) {
logger.warn(`OIDC discovery failed: ${discoveryError}`);
logger.error(`OIDC discovery failed: ${discoveryError}`);
}
if (!jwksUrl) {
jwksUrl = `${normalizedIssuerUrl}/.well-known/jwks.json`;
}
let jwks: any = null;
let jwksUrl: string | null = null;
if (!jwksUrl) {
const authentikJwksUrl = `${normalizedIssuerUrl}/jwks/`;
for (const url of jwksUrls) {
try {
const jwksTestResponse = await fetch(authentikJwksUrl);
if (jwksTestResponse.ok) {
jwksUrl = authentikJwksUrl;
const response = await fetch(url);
if (response.ok) {
jwks = await response.json();
jwksUrl = url;
break;
}
} catch (error) {
logger.warn(`Authentik JWKS URL also failed: ${error}`);
continue;
}
}
if (!jwksUrl) {
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
const rootJwksUrl = `${baseUrl}/.well-known/jwks.json`;
try {
const jwksTestResponse = await fetch(rootJwksUrl);
if (jwksTestResponse.ok) {
jwksUrl = rootJwksUrl;
}
} catch (error) {
logger.warn(`Authentik root JWKS URL also failed: ${error}`);
}
if (!jwks) {
throw new Error('Failed to fetch JWKS from any URL');
}
const jwksResponse = await fetch(jwksUrl);
if (!jwksResponse.ok) {
throw new Error(`Failed to fetch JWKS from ${jwksUrl}: ${jwksResponse.status}`);
}
const jwks = await jwksResponse.json() as any;
const header = JSON.parse(Buffer.from(idToken.split('.')[0], 'base64').toString());
const keyId = header.kid;
@@ -81,12 +71,7 @@ async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: str
const key = await importJWK(publicKey);
const {payload} = await jwtVerify(idToken, key, {
issuer: [
issuerUrl,
normalizedIssuerUrl,
issuerUrl.replace(/\/application\/o\/[^\/]+$/, ''),
normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')
],
issuer: possibleIssuers,
audience: clientId,
});
@@ -376,54 +361,64 @@ router.get('/oidc/callback', async (req, res) => {
const tokenData = await tokenResponse.json() as any;
let userInfo;
let userInfo: any = null;
const userInfoUrls = [];
const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url;
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
userInfoUrls.push(`${baseUrl}/userinfo/`);
userInfoUrls.push(`${normalizedIssuerUrl}/userinfo/`);
userInfoUrls.push(`${normalizedIssuerUrl}/userinfo`);
if (tokenData.id_token) {
try {
userInfo = await verifyOIDCToken(tokenData.id_token, config.issuer_url, config.client_id);
} catch (error) {
logger.error('OIDC token verification failed, falling back to userinfo endpoint', error);
if (tokenData.access_token) {
const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url;
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
const userInfoUrl = `${baseUrl}/userinfo/`;
logger.error('OIDC token verification failed, trying userinfo endpoints', error);
}
}
if (!userInfo && tokenData.access_token) {
for (const userInfoUrl of userInfoUrls) {
try {
const userInfoResponse = await fetch(userInfoUrl, {
headers: {
'Authorization': `Bearer ${tokenData.access_token}`,
},
}
});
if (userInfoResponse.ok) {
userInfo = await userInfoResponse.json();
} else {
logger.error(`Userinfo endpoint failed with status: ${userInfoResponse.status}`);
break;
}
} catch (error) {
continue;
}
}
} else if (tokenData.access_token) {
const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url;
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
const userInfoUrl = `${baseUrl}/userinfo/`;
const userInfoResponse = await fetch(userInfoUrl, {
headers: {
'Authorization': `Bearer ${tokenData.access_token}`,
},
});
if (userInfoResponse.ok) {
userInfo = await userInfoResponse.json();
} else {
logger.error(`Userinfo endpoint failed with status: ${userInfoResponse.status}`);
}
}
if (!userInfo) {
logger.error('Failed to get user information from all sources');
return res.status(400).json({error: 'Failed to get user information'});
}
const identifier = userInfo[config.identifier_path];
const name = userInfo[config.name_path] || identifier;
const getNestedValue = (obj: any, path: string): any => {
if (!path || !obj) return null;
return path.split('.').reduce((current, key) => current?.[key], obj);
};
const identifier = getNestedValue(userInfo, config.identifier_path) ||
userInfo[config.identifier_path] ||
userInfo.sub ||
userInfo.email ||
userInfo.preferred_username;
const name = getNestedValue(userInfo, config.name_path) ||
userInfo[config.name_path] ||
userInfo.name ||
userInfo.given_name ||
identifier;
if (!identifier) {
logger.error(`Identifier not found at path: ${config.identifier_path}`);

8
src/ui/Navigation/LeftSidebar.tsx
View File

@@ -355,7 +355,7 @@ export function LeftSidebar({
}
};
const makeUserAdmin = async (e: React.FormEvent) => {
const handleMakeUserAdmin = async (e: React.FormEvent) => {
e.preventDefault();
if (!newAdminUsername.trim()) return;
@@ -380,7 +380,7 @@ export function LeftSidebar({
}
};
const removeAdminStatus = async (username: string) => {
const handleRemoveAdminStatus = async (username: string) => {
if (!confirm(`Are you sure you want to remove admin status from ${username}?`)) return;
if (!isAdmin) {
@@ -392,10 +392,11 @@ export function LeftSidebar({
await removeAdminStatus(username);
fetchUsers();
} catch (err: any) {
console.error('Failed to remove admin status:', err);
}
};
const deleteUser = async (username: string) => {
const handleDeleteUser = async (username: string) => {
if (!confirm(`Are you sure you want to delete user ${username}? This action cannot be undone.`)) return;
if (!isAdmin) {
@@ -407,6 +408,7 @@ export function LeftSidebar({
await deleteUser(username);
fetchUsers();
} catch (err: any) {
console.error('Failed to delete user:', err);
}
};