dennii/Termix
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases 22 Wiki Activity

Fix OIDC errors for "Failed to get user information"

Browse Source
This commit is contained in:
LukeGus
2025-09-02 16:55:08 -05:00
parent 2ccc487629
commit 7d0d47ebe1
2 changed files with 68 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
src/backend/database/routes/users.ts
View File

@@ -12,9 +12,19 @@ import type {Request, Response, NextFunction} from 'express';
async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: string): Promise<any> { async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: string): Promise<any> {
try { try {
let jwksUrl: string | null = null;
const normalizedIssuerUrl = issuerUrl.endsWith('/') ? issuerUrl.slice(0, -1) : issuerUrl; const normalizedIssuerUrl = issuerUrl.endsWith('/') ? issuerUrl.slice(0, -1) : issuerUrl;
const possibleIssuers = [
issuerUrl,
normalizedIssuerUrl,
issuerUrl.replace(/\/application\/o\/[^\/]+$/, ''),
normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')
];
const jwksUrls = [
`${normalizedIssuerUrl}/.well-known/jwks.json`,
`${normalizedIssuerUrl}/jwks/`,
`${normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')}/.well-known/jwks.json`
];
try { try {
const discoveryUrl = `${normalizedIssuerUrl}/.well-known/openid-configuration`; const discoveryUrl = `${normalizedIssuerUrl}/.well-known/openid-configuration`;
@@ -22,53 +32,33 @@ async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: str
if (discoveryResponse.ok) { if (discoveryResponse.ok) {
const discovery = await discoveryResponse.json() as any; const discovery = await discoveryResponse.json() as any;
if (discovery.jwks_uri) { if (discovery.jwks_uri) {
jwksUrl = discovery.jwks_uri; jwksUrls.unshift(discovery.jwks_uri);
} else {
logger.warn('OIDC discovery document does not contain jwks_uri');
} }
} else {
logger.warn(`OIDC discovery failed with status: ${discoveryResponse.status}`);
} }
} catch (discoveryError) { } catch (discoveryError) {
logger.warn(`OIDC discovery failed: ${discoveryError}`); logger.error(`OIDC discovery failed: ${discoveryError}`);
} }
if (!jwksUrl) { let jwks: any = null;
jwksUrl = `${normalizedIssuerUrl}/.well-known/jwks.json`; let jwksUrl: string | null = null;
}
if (!jwksUrl) { for (const url of jwksUrls) {
const authentikJwksUrl = `${normalizedIssuerUrl}/jwks/`;
try { try {
const jwksTestResponse = await fetch(authentikJwksUrl); const response = await fetch(url);
if (jwksTestResponse.ok) { if (response.ok) {
jwksUrl = authentikJwksUrl; jwks = await response.json();
jwksUrl = url;
break;
} }
} catch (error) { } catch (error) {
logger.warn(`Authentik JWKS URL also failed: ${error}`); continue;
} }
} }
if (!jwksUrl) { if (!jwks) {
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, ''); throw new Error('Failed to fetch JWKS from any URL');
const rootJwksUrl = `${baseUrl}/.well-known/jwks.json`;
try {
const jwksTestResponse = await fetch(rootJwksUrl);
if (jwksTestResponse.ok) {
jwksUrl = rootJwksUrl;
}
} catch (error) {
logger.warn(`Authentik root JWKS URL also failed: ${error}`);
}
} }
const jwksResponse = await fetch(jwksUrl);
if (!jwksResponse.ok) {
throw new Error(`Failed to fetch JWKS from ${jwksUrl}: ${jwksResponse.status}`);
}
const jwks = await jwksResponse.json() as any;
const header = JSON.parse(Buffer.from(idToken.split('.')[0], 'base64').toString()); const header = JSON.parse(Buffer.from(idToken.split('.')[0], 'base64').toString());
const keyId = header.kid; const keyId = header.kid;
@@ -81,12 +71,7 @@ async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: str
const key = await importJWK(publicKey); const key = await importJWK(publicKey);
const {payload} = await jwtVerify(idToken, key, { const {payload} = await jwtVerify(idToken, key, {
issuer: [ issuer: possibleIssuers,
issuerUrl,
normalizedIssuerUrl,
issuerUrl.replace(/\/application\/o\/[^\/]+$/, ''),
normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')
],
audience: clientId, audience: clientId,
}); });
@@ -376,54 +361,64 @@ router.get('/oidc/callback', async (req, res) => {
const tokenData = await tokenResponse.json() as any; const tokenData = await tokenResponse.json() as any;
let userInfo; let userInfo: any = null;
const userInfoUrls = [];
const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url;
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
userInfoUrls.push(`${baseUrl}/userinfo/`);
userInfoUrls.push(`${normalizedIssuerUrl}/userinfo/`);
userInfoUrls.push(`${normalizedIssuerUrl}/userinfo`);
if (tokenData.id_token) { if (tokenData.id_token) {
try { try {
userInfo = await verifyOIDCToken(tokenData.id_token, config.issuer_url, config.client_id); userInfo = await verifyOIDCToken(tokenData.id_token, config.issuer_url, config.client_id);
} catch (error) { } catch (error) {
logger.error('OIDC token verification failed, falling back to userinfo endpoint', error); logger.error('OIDC token verification failed, trying userinfo endpoints', error);
if (tokenData.access_token) { }
const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url; }
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
const userInfoUrl = `${baseUrl}/userinfo/`;
if (!userInfo && tokenData.access_token) {
for (const userInfoUrl of userInfoUrls) {
try {
const userInfoResponse = await fetch(userInfoUrl, { const userInfoResponse = await fetch(userInfoUrl, {
headers: { headers: {
'Authorization': `Bearer ${tokenData.access_token}`, 'Authorization': `Bearer ${tokenData.access_token}`,
}, }
}); });
if (userInfoResponse.ok) { if (userInfoResponse.ok) {
userInfo = await userInfoResponse.json(); userInfo = await userInfoResponse.json();
} else { break;
logger.error(`Userinfo endpoint failed with status: ${userInfoResponse.status}`);
} }
} catch (error) {
continue;
} }
} }
} else if (tokenData.access_token) {
const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url;
const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
const userInfoUrl = `${baseUrl}/userinfo/`;
const userInfoResponse = await fetch(userInfoUrl, {
headers: {
'Authorization': `Bearer ${tokenData.access_token}`,
},
});
if (userInfoResponse.ok) {
userInfo = await userInfoResponse.json();
} else {
logger.error(`Userinfo endpoint failed with status: ${userInfoResponse.status}`);
}
} }
if (!userInfo) { if (!userInfo) {
logger.error('Failed to get user information from all sources');
return res.status(400).json({error: 'Failed to get user information'}); return res.status(400).json({error: 'Failed to get user information'});
} }
const identifier = userInfo[config.identifier_path]; const getNestedValue = (obj: any, path: string): any => {
const name = userInfo[config.name_path] || identifier; if (!path || !obj) return null;
return path.split('.').reduce((current, key) => current?.[key], obj);
};
const identifier = getNestedValue(userInfo, config.identifier_path) ||
userInfo[config.identifier_path] ||
userInfo.sub ||
userInfo.email ||
userInfo.preferred_username;
const name = getNestedValue(userInfo, config.name_path) ||
userInfo[config.name_path] ||
userInfo.name ||
userInfo.given_name ||
identifier;
if (!identifier) { if (!identifier) {
logger.error(`Identifier not found at path: ${config.identifier_path}`); logger.error(`Identifier not found at path: ${config.identifier_path}`);

8
src/ui/Navigation/LeftSidebar.tsx
View File

@@ -355,7 +355,7 @@ export function LeftSidebar({
} }
}; };
const makeUserAdmin = async (e: React.FormEvent) => { const handleMakeUserAdmin = async (e: React.FormEvent) => {
e.preventDefault(); e.preventDefault();
if (!newAdminUsername.trim()) return; if (!newAdminUsername.trim()) return;
@@ -380,7 +380,7 @@ export function LeftSidebar({
} }
}; };
const removeAdminStatus = async (username: string) => { const handleRemoveAdminStatus = async (username: string) => {
if (!confirm(`Are you sure you want to remove admin status from ${username}?`)) return; if (!confirm(`Are you sure you want to remove admin status from ${username}?`)) return;
if (!isAdmin) { if (!isAdmin) {
@@ -392,10 +392,11 @@ export function LeftSidebar({
await removeAdminStatus(username); await removeAdminStatus(username);
fetchUsers(); fetchUsers();
} catch (err: any) { } catch (err: any) {
console.error('Failed to remove admin status:', err);
} }
}; };
const deleteUser = async (username: string) => { const handleDeleteUser = async (username: string) => {
if (!confirm(`Are you sure you want to delete user ${username}? This action cannot be undone.`)) return; if (!confirm(`Are you sure you want to delete user ${username}? This action cannot be undone.`)) return;
if (!isAdmin) { if (!isAdmin) {
@@ -407,6 +408,7 @@ export function LeftSidebar({
await deleteUser(username); await deleteUser(username);
fetchUsers(); fetchUsers();
} catch (err: any) { } catch (err: any) {
console.error('Failed to delete user:', err);
} }
}; };