Fix OIDC errors for "Failed to get user information"

2025-09-02 15:14:28 -05:00
parent 26c1cacc9d
commit ea792bf95f
1 changed files with 63 additions and 68 deletions
--- a/src/backend/database/routes/users.ts
+++ b/src/backend/database/routes/users.ts
@@ -12,9 +12,19 @@ import type {Request, Response, NextFunction} from 'express';

 async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: string): Promise<any> {
    try {
-        let jwksUrl: string | null = null;
-
        const normalizedIssuerUrl = issuerUrl.endsWith('/') ? issuerUrl.slice(0, -1) : issuerUrl;
+        const possibleIssuers = [
+            issuerUrl,
+            normalizedIssuerUrl,
+            issuerUrl.replace(/\/application\/o\/[^\/]+$/, ''),
+            normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')
+        ];
+
+        const jwksUrls = [
+            `${normalizedIssuerUrl}/.well-known/jwks.json`,
+            `${normalizedIssuerUrl}/jwks/`,
+            `${normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')}/.well-known/jwks.json`
+        ];

        try {
            const discoveryUrl = `${normalizedIssuerUrl}/.well-known/openid-configuration`;
@@ -22,53 +32,33 @@ async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: str
            if (discoveryResponse.ok) {
                const discovery = await discoveryResponse.json() as any;
                if (discovery.jwks_uri) {
-                    jwksUrl = discovery.jwks_uri;
-                } else {
-                    logger.warn('OIDC discovery document does not contain jwks_uri');
+                    jwksUrls.unshift(discovery.jwks_uri);
                }
-            } else {
-                logger.warn(`OIDC discovery failed with status: ${discoveryResponse.status}`);
            }
        } catch (discoveryError) {
-            logger.warn(`OIDC discovery failed: ${discoveryError}`);
+            logger.error(`OIDC discovery failed: ${discoveryError}`);
        }

-        if (!jwksUrl) {
-            jwksUrl = `${normalizedIssuerUrl}/.well-known/jwks.json`;
-        }
+        let jwks: any = null;
+        let jwksUrl: string | null = null;

-        if (!jwksUrl) {
-            const authentikJwksUrl = `${normalizedIssuerUrl}/jwks/`;
+        for (const url of jwksUrls) {
            try {
-                const jwksTestResponse = await fetch(authentikJwksUrl);
-                if (jwksTestResponse.ok) {
-                    jwksUrl = authentikJwksUrl;
+                const response = await fetch(url);
+                if (response.ok) {
+                    jwks = await response.json();
+                    jwksUrl = url;
+                    break;
                }
            } catch (error) {
-                logger.warn(`Authentik JWKS URL also failed: ${error}`);
+                continue;
            }
        }

-        if (!jwksUrl) {
-            const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
-            const rootJwksUrl = `${baseUrl}/.well-known/jwks.json`;
-            try {
-                const jwksTestResponse = await fetch(rootJwksUrl);
-                if (jwksTestResponse.ok) {
-                    jwksUrl = rootJwksUrl;
-                }
-            } catch (error) {
-                logger.warn(`Authentik root JWKS URL also failed: ${error}`);
-            }
+        if (!jwks) {
+            throw new Error('Failed to fetch JWKS from any URL');
        }

-        const jwksResponse = await fetch(jwksUrl);
-        if (!jwksResponse.ok) {
-            throw new Error(`Failed to fetch JWKS from ${jwksUrl}: ${jwksResponse.status}`);
-        }
-
-        const jwks = await jwksResponse.json() as any;
-
        const header = JSON.parse(Buffer.from(idToken.split('.')[0], 'base64').toString());
        const keyId = header.kid;

@@ -81,12 +71,7 @@ async function verifyOIDCToken(idToken: string, issuerUrl: string, clientId: str
        const key = await importJWK(publicKey);

        const {payload} = await jwtVerify(idToken, key, {
-            issuer: [
-                issuerUrl, 
-                normalizedIssuerUrl, 
-                issuerUrl.replace(/\/application\/o\/[^\/]+$/, ''),
-                normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '')
-            ],
+            issuer: possibleIssuers,
            audience: clientId,
        });

@@ -376,54 +361,64 @@ router.get('/oidc/callback', async (req, res) => {

        const tokenData = await tokenResponse.json() as any;

-        let userInfo;
+        let userInfo: any = null;
+        const userInfoUrls = [];
+        
+        const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url;
+        const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
+        
+        userInfoUrls.push(`${baseUrl}/userinfo/`);
+        userInfoUrls.push(`${normalizedIssuerUrl}/userinfo/`);
+        userInfoUrls.push(`${normalizedIssuerUrl}/userinfo`);
+
        if (tokenData.id_token) {
            try {
                userInfo = await verifyOIDCToken(tokenData.id_token, config.issuer_url, config.client_id);
            } catch (error) {
-                logger.error('OIDC token verification failed, falling back to userinfo endpoint', error);
-                if (tokenData.access_token) {
-                    const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url;
-                    const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
-                    const userInfoUrl = `${baseUrl}/userinfo/`;
+                logger.error('OIDC token verification failed, trying userinfo endpoints', error);
+            }
+        }

+        if (!userInfo && tokenData.access_token) {
+            for (const userInfoUrl of userInfoUrls) {
+                try {
                    const userInfoResponse = await fetch(userInfoUrl, {
                        headers: {
                            'Authorization': `Bearer ${tokenData.access_token}`,
-                        },
+                        }
                    });

                    if (userInfoResponse.ok) {
                        userInfo = await userInfoResponse.json();
-                    } else {
-                        logger.error(`Userinfo endpoint failed with status: ${userInfoResponse.status}`);
+                        break;
                    }
+                } catch (error) {
+                    continue;
                }
            }
-        } else if (tokenData.access_token) {
-            const normalizedIssuerUrl = config.issuer_url.endsWith('/') ? config.issuer_url.slice(0, -1) : config.issuer_url;
-            const baseUrl = normalizedIssuerUrl.replace(/\/application\/o\/[^\/]+$/, '');
-            const userInfoUrl = `${baseUrl}/userinfo/`;
-
-            const userInfoResponse = await fetch(userInfoUrl, {
-                headers: {
-                    'Authorization': `Bearer ${tokenData.access_token}`,
-                },
-            });
-
-            if (userInfoResponse.ok) {
-                userInfo = await userInfoResponse.json();
-            } else {
-                logger.error(`Userinfo endpoint failed with status: ${userInfoResponse.status}`);
-            }
        }

        if (!userInfo) {
+            logger.error('Failed to get user information from all sources');
            return res.status(400).json({error: 'Failed to get user information'});
        }

-        const identifier = userInfo[config.identifier_path];
-        const name = userInfo[config.name_path] || identifier;
+        const getNestedValue = (obj: any, path: string): any => {
+            if (!path || !obj) return null;
+            return path.split('.').reduce((current, key) => current?.[key], obj);
+        };
+
+        const identifier = getNestedValue(userInfo, config.identifier_path) || 
+                          userInfo[config.identifier_path] || 
+                          userInfo.sub || 
+                          userInfo.email || 
+                          userInfo.preferred_username;
+        
+        const name = getNestedValue(userInfo, config.name_path) || 
+                    userInfo[config.name_path] || 
+                    userInfo.name || 
+                    userInfo.given_name || 
+                    identifier;

        if (!identifier) {
            logger.error(`Identifier not found at path: ${config.identifier_path}`);