payload-auth-plugin/dist/esm/core/protocols/oauth/oidc_authorization.js

Authentication plugin for Payload CMS

// src/core/protocols/oauth/oidc_authorization.ts
import * as oauth from "oauth4webapi";
import { getCallbackURL } from "../../utils/cb.js";
async function OIDCAuthorization(pluginType, request, providerConfig) {
  const callback_url = getCallbackURL(request.payload.config.serverURL, pluginType, providerConfig.id);
  const code_verifier = oauth.generateRandomCodeVerifier();
  const code_challenge = await oauth.calculatePKCECodeChallenge(code_verifier);
  const code_challenge_method = "S256";
  const { client_id, issuer, algorithm, scope, params } = providerConfig;
  const client = {
    client_id
  };
  const issuer_url = new URL(issuer);
  const as = await oauth.discoveryRequest(issuer_url, { algorithm }).then((response) => oauth.processDiscoveryResponse(issuer_url, response));
  const cookies = [];
  const cookieMaxage = new Date(Date.now() + 300 * 1000);
  const authorizationURL = new URL(as.authorization_endpoint);
  authorizationURL.searchParams.set("client_id", client.client_id);
  authorizationURL.searchParams.set("redirect_uri", callback_url.toString());
  authorizationURL.searchParams.set("response_type", "code");
  authorizationURL.searchParams.set("scope", scope);
  authorizationURL.searchParams.set("code_challenge", code_challenge);
  authorizationURL.searchParams.set("code_challenge_method", code_challenge_method);
  if (params) {
    Object.entries(params).map(([key, value]) => {
      authorizationURL.searchParams.set(key, value);
    });
  }
  if (as.code_challenge_methods_supported?.includes("S256") !== true) {
    const nonce = oauth.generateRandomNonce();
    authorizationURL.searchParams.set("nonce", nonce);
    cookies.push(`__session-oauth-nonce=${nonce};Path=/;HttpOnly;SameSite=lax;Expires=${cookieMaxage.toUTCString()}`);
  }
  cookies.push(`__session-code-verifier=${code_verifier};Path=/;HttpOnly;SameSite=lax;Expires=${cookieMaxage.toUTCString()}`);
  const res = new Response(null, {
    status: 302,
    headers: {
      Location: authorizationURL.href
    }
  });
  for (const c of cookies) {
    res.headers.append("Set-Cookie", c);
  }
  return res;
}
export {
  OIDCAuthorization
};