init

Author: eidam

.gitignore

@@ -0,0 +1,2 @@
+dist/
+node_modules/

.prettierrc

@@ -0,0 +1,7 @@
+{
+    "singleQuote": true,
+    "semi": false,
+    "trailingComma": "all",
+    "tabWidth": 2,
+    "printWidth": 80
+}

config.yml

@@ -0,0 +1,27 @@
+cf_account_id: fbbebdb1eed350f2a05f517e1d80915f
+cf_access_team: eidam
+cf_access_aud: d27389ecd9bdc9c651bdadea01b6d9f835269f94fa3be1a9f9a4a5c755a1a0f9
+
+jwt_ttl: 600 # TTL of the generated JWT tokens, in seconds
+
+clients: 
+  - name: "My test app"
+    client_id: clientId1 # should not be guessable, you can get for example uuidv4 from https://uuid.rocks/plain
+    client_secret_key: SECRET_SOMETHING_SOMETHING # should be set with'wragler secret put SECRET_SOMETHING_SOMETHING' (could be also uuid)
+    redirect_uris:
+      - https://oidcdebugger.com/debug
+      - https://openidconnect.net/callback
+      - https://psteniusubi.github.io/oidc-tester/authorization-code-flow.html
+    cors_origins:
+      - https://psteniusubi.github.io
+  
+  - name: "My test app 2"
+    client_id: clientId2 # should not be guessable, you can get for example uuidv4 from https://uuid.rocks/plain
+    client_secret_key: SECRET_CLIENT_ID_2 # should be set with'wragler secret put SECRET_SOMETHING_SOMETHING' (could be also uuid)
+    redirect_uris:
+      - https://vault.eidam.dev/ui/vault/auth/oidc/oidc/callback
+      - http://10.142.0.16:8200/ui/vault/auth/oidc/oidc/callback
+      - http://localhost:8250/oidc/callback
+      - http://127.0.0.1:8250/oidc/callback
+    cors_origins:
+      - https://psteniusubi.github.io

package.json

@@ -0,0 +1,32 @@
+{
+  "name": "access-workers-oidc",
+  "author": "Adam Janis <[email protected]>",
+  "version": "1.0.0",
+  "type": "module",
+  "private": true,
+  "module": "./dist/main.mjs",
+  "scripts": {
+    "build": "rollup -c",
+    "dev": "miniflare --modules --watch",
+    "deploy": "wrangler publish",
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "format": "prettier --write '**/*.{js,mjs,css,json,md}'"
+  },
+  "license": "MIT",
+  "devDependencies": {
+    "@rollup/plugin-alias": "^3.1.5",
+    "@rollup/plugin-commonjs": "^17.0.0",
+    "@rollup/plugin-node-resolve": "^11.1.0",
+    "@rollup/plugin-typescript": "^8.2.5",
+    "prettier": "^1.19.1",
+    "rollup": "^2.36.1",
+    "rollup-plugin-yaml": "^2.0.0"
+  },
+  "dependencies": {
+    "itty-router": "^2.1.9",
+    "jwt-decode": "^3.1.2",
+    "miniflare": "^1.3.3",
+    "rfc4648": "^1.5.0",
+    "uuid": "^8.3.2"
+  }
+}

rollup.config.js

@@ -0,0 +1,17 @@
+// plugin-node-resolve and plugin-commonjs are required for a rollup bundled project
+// to resolve dependencies from node_modules. See the documentation for these plugins
+// for more details.
+import { nodeResolve } from '@rollup/plugin-node-resolve'
+import commonjs from '@rollup/plugin-commonjs'
+import yaml from 'rollup-plugin-yaml'
+
+export default {
+  input: 'src/main.mjs',
+  output: {
+    exports: 'named',
+    format: 'es',
+    file: 'dist/main.mjs',
+    sourcemap: false,
+  },
+  plugins: [yaml(), commonjs(), nodeResolve({ browser: true })],
+}

src/main.mjs

@@ -0,0 +1,249 @@
+import { Router } from 'itty-router'
+import {
+  getAllowedOrigin,
+  getClientConfig,
+  getClientSecret,
+  getCloudflareAccessGroups,
+  getCorsHeaders,
+  getDoStub,
+  getIssuer,
+  getResponse,
+  verifyCloudflareAccessJwt,
+} from './utils'
+export { OpenIDConnectDurableObject } from './oidc-do.mjs'
+
+const router = Router()
+router.get('/.well-known/openid-configuration', (req, env) =>
+  handleOIDConfig(req, env),
+)
+router.get('/.well-known/jwks.json', (req, env) => handleGetJwks(req, env))
+router.get('/authorize', (req, env) => handleAuthorize(req, env))
+router.post('/token', (req, env) => handleToken(req, env))
+router.get('/userinfo', (req, env) => handleUserInfo(req, env))
+router.post('/userinfo', (req, env) => handleUserInfo(req, env))
+router.options('*', (req, env) => handleOptions(req, env))
+router.all('*', (req, env) => getResponse({ err: 'Bad request' }, 400))
+
+export default {
+  async fetch(request, env) {
+    try {
+      return await handleRequest(request, env)
+    } catch (e) {
+      return new Response(e.message)
+    }
+  },
+
+  async scheduled(controller, env, ctx) {
+    const stub = getDoStub(env)
+
+    ctx.waitUntil(
+      stub.fetch('/jwks', {
+        method: 'PATCH',
+      }),
+    )
+  },
+}
+
+async function handleRequest(req, env) {
+  return router.handle(req, env)
+}
+
+async function handleOIDConfig(req, env) {
+  const corsHeaders = getCorsHeaders(getAllowedOrigin(req, '*'))
+  const issuer = getIssuer(req)
+
+  return getResponse(
+    {
+      issuer: `${issuer}`,
+      authorization_endpoint: `${issuer}/authorize`,
+      token_endpoint: `${issuer}/token`,
+      userinfo_endpoint: `${issuer}/userinfo`,
+      jwks_uri: `${issuer}/.well-known/jwks.json`,
+      response_types_supported: ['id_token', 'code', 'code id_token'],
+      id_token_signing_alg_values_supported: ['RS256'],
+      token_endpoint_auth_methods_supported: [
+        'client_secret_post',
+        //"client_secret_basic"
+      ],
+      claims_supported: [
+        'aud',
+        'email',
+        'exp',
+        'iat',
+        'nbf',
+        'iss',
+        'name',
+        'sub',
+        'country',
+      ],
+      grant_types_supported: ['authorization_code'],
+    },
+    200,
+    corsHeaders,
+  )
+}
+
+async function handleUserInfo(req, env) {
+  const authorization = req.headers.get('Authorization')
+  const corsHeaders = getCorsHeaders(getAllowedOrigin(req, '*'), [
+    'authorization',
+  ])
+
+  if (!authorization || !authorization.startsWith('Bearer '))
+    return getResponse({ err: 'Missing Bearer token' }, 400, corsHeaders)
+  const access_token = authorization.substring(7, authorization.length)
+
+  const identityRes = await fetch(
+    `https://${config.cf_account_team}.cloudflareaccess.com/cdn-cgi/access/get-identity`,
+    {
+      headers: {
+        cookie: `CF_Authorization=${access_token}`,
+      },
+    },
+  )
+  const identity = await identityRes.json()
+
+  if (identity.err) {
+    return getResponse(identity.err, 401, corsHeaders)
+  }
+
+  const userinfo = {
+    sub: identity.user_uuid,
+    name: identity.name,
+    email: identity.email,
+  }
+
+  return getResponse(userinfo, 200, corsHeaders)
+}
+
+async function handleToken(req, env) {
+  const body = await req.text()
+  let formData = new URLSearchParams(body)
+  const {
+    grant_type,
+    client_id,
+    client_secret,
+    redirect_uri,
+    code,
+  } = Object.fromEntries(formData)
+  const corsHeaders = getCorsHeaders(getAllowedOrigin(req, client_id))
+  const clientConfig = getClientConfig(client_id)
+
+  // Authorization request validation
+  if (!client_id || !code || !grant_type)
+    return getResponse({ err: 'Missing client_id or code or grant_type' }, 400)
+  if (!clientConfig)
+    return getResponse(
+      { err: 'Client configuration not found' },
+      404,
+      corsHeaders,
+    )
+  if (!clientConfig?.redirect_uris.includes(redirect_uri))
+    return getResponse(
+      { err: 'Redirect URIs does not match' },
+      400,
+      corsHeaders,
+    )
+  if (
+    !client_secret ||
+    client_secret !== getClientSecret(clientConfig.client_secret_key, env)
+  )
+    return getResponse({ err: 'Wrong client_secret' }, 400, corsHeaders)
+
+  // Exchange code for id_token and access code
+  const stub = getDoStub(env)
+  const res = await stub.fetch(`/exchange/${code}`)
+  return getResponse(await res.text(), res.status, corsHeaders)
+}
+
+async function handleAuthorize(req, env) {
+  const access_jwt = req.headers.get('cf-access-jwt-assertion')
+  const {
+    client_id,
+    redirect_uri,
+    response_type,
+    state,
+    nonce,
+    justGiveJwt,
+  } = req.query
+  const clientConfig = getClientConfig(client_id)
+
+  // Authorization request validation
+  if (!client_id || !response_type)
+    return getResponse(
+      { err: 'Missing client_id or response_type or scope' },
+      400,
+    )
+  if (!clientConfig)
+    return getResponse({ err: 'Client configuration not found' }, 404)
+  if (!clientConfig?.redirect_uris.includes(redirect_uri))
+    return getResponse({ err: 'Redirect URIs does not match' }, 400)
+
+  // Validate Cloudflare Access JWT token and return decoded data
+  const result = await verifyCloudflareAccessJwt(access_jwt, env)
+  if (!result.success) {
+    return getResponse({ error: result.error }, 400)
+  }
+
+  // Get issuer
+  const issuer = getIssuer(req)
+  // Fetch Cloudflare API and get Cloudflare Access Groups for user email
+  const groups = await getCloudflareAccessGroups(result.payload.email, env)
+  // Construct new JWT payload
+  const payload = {
+    iss: issuer,
+    aud: [client_id],
+    azp: client_id,
+    email: result.payload.email,
+    sub: result.payload.sub,
+    country: result.payload.country,
+    groups,
+    nonce,
+  }
+
+  // Pass the payload to Durable Object and get signed JWT token back
+  // Also generate exchange code in case of 'code' OIDC authorization flow
+  const stub = getDoStub(env)
+  const idTokenRes = await stub.fetch('/sign', {
+    method: 'POST',
+    body: JSON.stringify({
+      payload,
+      access_jwt,
+      generate_exchange_code: response_type.includes('code'),
+    }),
+  })
+  const { id_token, code } = await idTokenRes.json()
+
+  // Prepare the redirect query
+  const redirectSearchParams = new URLSearchParams()
+  if (response_type.includes('code')) redirectSearchParams.set('code', code)
+  if (response_type.includes('id_token'))
+    redirectSearchParams.set('id_token', id_token)
+  if (state) redirectSearchParams.set('state', state)
+  if (nonce) redirectSearchParams.set('nonce', nonce)
+
+  if (justGiveJwt) {
+    return getResponse({ id_token })
+  }
+
+  // Redirect user back to the OIDC client
+  return Response.redirect(`${redirect_uri}?${redirectSearchParams.toString()}`)
+}
+
+// Get current public keys from Durable Object for JWT validation
+async function handleGetJwks(req, env) {
+  const corsHeaders = getCorsHeaders(getAllowedOrigin(req, '*'))
+  const stub = getDoStub(env)
+  const jwksRes = await stub.fetch('/jwks')
+
+  return getResponse(await jwksRes.text(), 200, corsHeaders)
+}
+
+async function handleOptions(req, env) {
+  const { pathname } = new URL(req.url)
+  const corsHeaders = getCorsHeaders(
+    getAllowedOrigin(req, '*'),
+    pathname === '/userinfo' ? ['authorization'] : [],
+  )
+  return getResponse(null, 200, corsHeaders)
+}