misc: added support for dynamic discovery of OIDC configuration

backend/src/db/migrations/20240617041053_add-oidc-auth.ts

@@ -6,12 +6,14 @@ export async function up(knex: Knex): Promise<void> {
   if (!(await knex.schema.hasTable(TableName.OidcConfig))) {
     await knex.schema.createTable(TableName.OidcConfig, (tb) => {
       tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
-      tb.string("issuer").notNullable();
-      tb.string("authorizationEndpoint").notNullable();
-      tb.string("jwksUri").notNullable();
-      tb.string("tokenEndpoint").notNullable();
-      tb.string("userinfoEndpoint").notNullable();
+      tb.string("discoveryURL");
+      tb.string("issuer");
+      tb.string("authorizationEndpoint");
+      tb.string("jwksUri");
+      tb.string("tokenEndpoint");
+      tb.string("userinfoEndpoint");
       tb.text("encryptedClientId").notNullable();
+      tb.string("configurationType").notNullable();
       tb.string("clientIdIV").notNullable();
       tb.string("clientIdTag").notNullable();
       tb.text("encryptedClientSecret").notNullable();

backend/src/db/schemas/oidc-configs.ts

@@ -9,12 +9,14 @@ import { TImmutableDBKeys } from "./models";
 
 export const OidcConfigsSchema = z.object({
   id: z.string().uuid(),
-  issuer: z.string(),
-  authorizationEndpoint: z.string(),
-  jwksUri: z.string(),
-  tokenEndpoint: z.string(),
-  userinfoEndpoint: z.string(),
+  discoveryURL: z.string().nullable().optional(),
+  issuer: z.string().nullable().optional(),
+  authorizationEndpoint: z.string().nullable().optional(),
+  jwksUri: z.string().nullable().optional(),
+  tokenEndpoint: z.string().nullable().optional(),
+  userinfoEndpoint: z.string().nullable().optional(),
   encryptedClientId: z.string(),
+  configurationType: z.string(),
   clientIdIV: z.string(),
   clientIdTag: z.string(),
   encryptedClientSecret: z.string(),

backend/src/ee/routes/v1/oidc-router.ts

@@ -13,6 +13,7 @@ import { Redis } from "ioredis";
 import { z } from "zod";
 
 import { OidcConfigsSchema } from "@app/db/schemas/oidc-configs";
+import { OIDCConfigurationType } from "@app/ee/services/oidc/oidc-config-types";
 import { getConfig } from "@app/lib/config/env";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -140,6 +141,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           jwksUri: true,
           tokenEndpoint: true,
           userinfoEndpoint: true,
+          configurationType: true,
+          discoveryURL: true,
           isActive: true,
           orgId: true,
           allowedEmailDomains: true
@@ -187,22 +190,25 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
                 .map((id) => id.trim())
                 .join(", ");
             }),
-          issuer: z.string().trim(),
-          authorizationEndpoint: z.string().trim(),
-          jwksUri: z.string().trim(),
-          tokenEndpoint: z.string().trim(),
-          userinfoEndpoint: z.string().trim(),
+          discoveryURL: z.string().trim().optional().default(""),
+          issuer: z.string().trim().optional().default(""),
+          authorizationEndpoint: z.string().trim().optional().default(""),
+          jwksUri: z.string().trim().optional().default(""),
+          tokenEndpoint: z.string().trim().optional().default(""),
+          userinfoEndpoint: z.string().trim().optional().default(""),
           clientId: z.string().trim(),
           clientSecret: z.string().trim(),
           isActive: z.boolean()
         })
         .partial()
-        .merge(z.object({ orgSlug: z.string() })),
+        .merge(z.object({ orgSlug: z.string(), configurationType: z.nativeEnum(OIDCConfigurationType) })),
       response: {
         200: OidcConfigsSchema.pick({
           id: true,
           issuer: true,
           authorizationEndpoint: true,
+          configurationType: true,
+          discoveryURL: true,
           jwksUri: true,
           tokenEndpoint: true,
           userinfoEndpoint: true,
@@ -233,7 +239,6 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
     onRequest: verifyAuth([AuthMode.JWT]),
     schema: {
       body: z.object({
-        issuer: z.string().trim(),
         allowedEmailDomains: z
           .string()
           .trim()
@@ -247,10 +252,13 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
               .map((id) => id.trim())
               .join(", ");
           }),
-        authorizationEndpoint: z.string().trim(),
-        jwksUri: z.string().trim(),
-        tokenEndpoint: z.string().trim(),
-        userinfoEndpoint: z.string().trim(),
+        configurationType: z.nativeEnum(OIDCConfigurationType),
+        issuer: z.string().trim().optional().default(""),
+        discoveryURL: z.string().trim().optional().default(""),
+        authorizationEndpoint: z.string().trim().optional().default(""),
+        jwksUri: z.string().trim().optional().default(""),
+        tokenEndpoint: z.string().trim().optional().default(""),
+        userinfoEndpoint: z.string().trim().optional().default(""),
         clientId: z.string().trim(),
         clientSecret: z.string().trim(),
         isActive: z.boolean(),
@@ -261,6 +269,8 @@ export const registerOidcRouter = async (server: FastifyZodProvider) => {
           id: true,
           issuer: true,
           authorizationEndpoint: true,
+          configurationType: true,
+          discoveryURL: true,
           jwksUri: true,
           tokenEndpoint: true,
           userinfoEndpoint: true,

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -1,7 +1,7 @@
 /* eslint-disable @typescript-eslint/no-unsafe-call */
 import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
-import { Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet } from "openid-client";
+import { Issuer, Issuer as OpenIdIssuer, Strategy as OpenIdStrategy, TokenSet } from "openid-client";
 
 import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TableName, TUsers } from "@app/db/schemas";
 import { TOidcConfigsUpdate } from "@app/db/schemas/oidc-configs";
@@ -32,7 +32,13 @@ import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
 import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 
 import { TOidcConfigDALFactory } from "./oidc-config-dal";
-import { TCreateOidcCfgDTO, TGetOidcCfgDTO, TOidcLoginDTO, TUpdateOidcCfgDTO } from "./oidc-config-types";
+import {
+  OIDCConfigurationType,
+  TCreateOidcCfgDTO,
+  TGetOidcCfgDTO,
+  TOidcLoginDTO,
+  TUpdateOidcCfgDTO
+} from "./oidc-config-types";
 
 type TOidcConfigServiceFactoryDep = {
   userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById" | "findById">;
@@ -133,6 +139,8 @@ export const oidcConfigServiceFactory = ({
       id: oidcCfg.id,
       issuer: oidcCfg.issuer,
       authorizationEndpoint: oidcCfg.authorizationEndpoint,
+      configurationType: oidcCfg.configurationType,
+      discoveryURL: oidcCfg.discoveryURL,
       jwksUri: oidcCfg.jwksUri,
       tokenEndpoint: oidcCfg.tokenEndpoint,
       userinfoEndpoint: oidcCfg.userinfoEndpoint,
@@ -313,6 +321,8 @@ export const oidcConfigServiceFactory = ({
   const updateOidcCfg = async ({
     orgSlug,
     allowedEmailDomains,
+    configurationType,
+    discoveryURL,
     actor,
     actorOrgId,
     actorAuthMethod,
@@ -363,6 +373,8 @@ export const oidcConfigServiceFactory = ({
 
     const updateQuery: TOidcConfigsUpdate = {
       allowedEmailDomains,
+      configurationType,
+      discoveryURL,
       issuer,
       authorizationEndpoint,
       tokenEndpoint,
@@ -397,6 +409,8 @@ export const oidcConfigServiceFactory = ({
   const createOidcCfg = async ({
     orgSlug,
     allowedEmailDomains,
+    configurationType,
+    discoveryURL,
     actor,
     actorOrgId,
     actorAuthMethod,
@@ -493,6 +507,8 @@ export const oidcConfigServiceFactory = ({
     const oidcCfg = await oidcConfigDAL.create({
       issuer,
       isActive,
+      configurationType,
+      discoveryURL,
       authorizationEndpoint,
       allowedEmailDomains,
       jwksUri,
@@ -534,15 +550,36 @@ export const oidcConfigServiceFactory = ({
       });
     }
 
-    const openIdIssuer = new OpenIdIssuer({
-      issuer: oidcCfg.issuer,
-      authorization_endpoint: oidcCfg.authorizationEndpoint,
-      jwks_uri: oidcCfg.jwksUri,
-      token_endpoint: oidcCfg.tokenEndpoint,
-      userinfo_endpoint: oidcCfg.userinfoEndpoint
-    });
+    let issuer: Issuer;
+    if (oidcCfg.configurationType === OIDCConfigurationType.DISCOVERY_URL) {
+      if (!oidcCfg.discoveryURL) {
+        throw new BadRequestError({
+          message: "OIDC not configured correctly"
+        });
+      }
+      issuer = await Issuer.discover(oidcCfg.discoveryURL);
+    } else {
+      if (
+        !oidcCfg.issuer ||
+        !oidcCfg.authorizationEndpoint ||
+        !oidcCfg.jwksUri ||
+        !oidcCfg.tokenEndpoint ||
+        !oidcCfg.userinfoEndpoint
+      ) {
+        throw new BadRequestError({
+          message: "OIDC not configured correctly"
+        });
+      }
+      issuer = new OpenIdIssuer({
+        issuer: oidcCfg.issuer,
+        authorization_endpoint: oidcCfg.authorizationEndpoint,
+        jwks_uri: oidcCfg.jwksUri,
+        token_endpoint: oidcCfg.tokenEndpoint,
+        userinfo_endpoint: oidcCfg.userinfoEndpoint
+      });
+    }
 
-    const client = new openIdIssuer.Client({
+    const client = new issuer.Client({
       client_id: oidcCfg.clientId,
       client_secret: oidcCfg.clientSecret,
       redirect_uris: [`${appCfg.SITE_URL}/api/v1/sso/oidc/callback`]

backend/src/ee/services/oidc/oidc-config-types.ts

@@ -1,5 +1,10 @@
 import { TGenericPermission } from "@app/lib/types";
 
+export enum OIDCConfigurationType {
+  CUSTOM = "custom",
+  DISCOVERY_URL = "discoveryURL"
+}
+
 export type TOidcLoginDTO = {
   externalId: string;
   email: string;
@@ -20,12 +25,14 @@ export type TGetOidcCfgDTO =
     };
 
 export type TCreateOidcCfgDTO = {
-  issuer: string;
-  authorizationEndpoint: string;
-  allowedEmailDomains: string;
-  jwksUri: string;
-  tokenEndpoint: string;
-  userinfoEndpoint: string;
+  issuer?: string;
+  authorizationEndpoint?: string;
+  discoveryURL?: string;
+  configurationType: OIDCConfigurationType;
+  allowedEmailDomains?: string;
+  jwksUri?: string;
+  tokenEndpoint?: string;
+  userinfoEndpoint?: string;
   clientId: string;
   clientSecret: string;
   isActive: boolean;
@@ -36,12 +43,14 @@ export type TUpdateOidcCfgDTO = Partial<{
   issuer: string;
   authorizationEndpoint: string;
   allowedEmailDomains: string;
+  discoveryURL: string;
   jwksUri: string;
   tokenEndpoint: string;
   userinfoEndpoint: string;
   clientId: string;
   clientSecret: string;
   isActive: boolean;
   orgSlug: string;
-}> &
-  TGenericPermission;
+}> & {
+  configurationType: OIDCConfigurationType;
+} & TGenericPermission;

frontend/src/hooks/api/oidcConfig/mutations.tsx

@@ -10,6 +10,8 @@ export const useUpdateOIDCConfig = () => {
     mutationFn: async ({
       issuer,
       authorizationEndpoint,
+      configurationType,
+      discoveryURL,
       jwksUri,
       tokenEndpoint,
       userinfoEndpoint,
@@ -22,18 +24,22 @@ export const useUpdateOIDCConfig = () => {
       allowedEmailDomains?: string;
       issuer?: string;
       authorizationEndpoint?: string;
+      discoveryURL?: string;
       jwksUri?: string;
       tokenEndpoint?: string;
       userinfoEndpoint?: string;
       clientId?: string;
       clientSecret?: string;
       isActive?: boolean;
+      configurationType: string;
       orgSlug: string;
     }) => {
       const { data } = await apiRequest.patch("/api/v1/sso/oidc/config", {
         issuer,
         allowedEmailDomains,
         authorizationEndpoint,
+        discoveryURL,
+        configurationType,
         jwksUri,
         tokenEndpoint,
         userinfoEndpoint,
@@ -56,6 +62,8 @@ export const useCreateOIDCConfig = () => {
   return useMutation({
     mutationFn: async ({
       issuer,
+      configurationType,
+      discoveryURL,
       authorizationEndpoint,
       allowedEmailDomains,
       jwksUri,
@@ -66,11 +74,13 @@ export const useCreateOIDCConfig = () => {
       isActive,
       orgSlug
     }: {
-      issuer: string;
-      authorizationEndpoint: string;
-      jwksUri: string;
-      tokenEndpoint: string;
-      userinfoEndpoint: string;
+      issuer?: string;
+      configurationType: string;
+      discoveryURL?: string;
+      authorizationEndpoint?: string;
+      jwksUri?: string;
+      tokenEndpoint?: string;
+      userinfoEndpoint?: string;
       clientId: string;
       clientSecret: string;
       isActive: boolean;
@@ -79,6 +89,8 @@ export const useCreateOIDCConfig = () => {
     }) => {
       const { data } = await apiRequest.post("/api/v1/sso/oidc/config", {
         issuer,
+        configurationType,
+        discoveryURL,
         authorizationEndpoint,
         allowedEmailDomains,
         jwksUri,

frontend/src/hooks/api/oidcConfig/types.ts

@@ -2,6 +2,8 @@ export type OIDCConfigData = {
   id: string;
   issuer: string;
   authorizationEndpoint: string;
+  configurationType: string;
+  discoveryURL: string;
   jwksUri: string;
   tokenEndpoint: string;
   userinfoEndpoint: string;