verdaccio-openid-connect's People

Contributors

aikoven, boereck, dafanasiev, nikolaevn, quentin-m

verdaccio-openid-connect's Issues

Authentication with keycloak

Trying to configure Verdaccio to use keycloak (docker-compose).
auth: {
  'openid-connect': {
    publicUrl: 'http://verdaccio:4873',
    redisUri: 'redis',
    issuer: 'http://keycloak:8080/auth/realms/verdaccia/',
    clientId: 'verdaccio',
    clientSecret: 'dfbe390e-ea07-4c6d-b287-c0fd6007cddd',
    usernameClaim: 'preferred_username'
  }
}
Configured keycloak:
  "id": "4a26062f-55d0-4ac3-a7b7-749ffce4cf6a",
  "clientId": "verdaccio",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "dfbe390e-ea07-4c6d-b287-c0fd6007cddd",
  "redirectUris": [
    "http://verdaccio:4873/oidc/callback"
  ]
Started keycloak first, waited for the container to be ready (logged in and checked config).
Started verdaccio with redis. Log from verdaccio:
debug--- [local-storage/_sync]: init sync database
debug--- [local-storage/_sync]: folder /verdaccio/storage created succeed
debug--- [local-storage/_sync/writeFileSync]: sync write succeed
debug--- [local-storage/_sync]: init sync database
debug--- [local-storage/_sync]: folder /verdaccio/storage created succeed
debug--- [local-storage/_sync/writeFileSync]: sync write succeed
warn --- Plugin successfully loaded: verdaccio-openid-connect
warn --- Plugin successfully loaded: verdaccio-audit
warn --- Plugin successfully loaded: verdaccio-openid-connect
trace--- local-storage: [get] full list of packages (0) has been fetched
trace--- local-storage: [get] full list of packages (0) has been fetched
warn --- http address - http://0.0.0.0:4873/ - verdaccio/4.11.3
info <-- 172.31.0.1 requested 'GET /'
http <-- 200, user: null(172.31.0.1), req: 'GET /', bytes: 0/562
info <-- 172.31.0.1 requested 'GET /-/verdaccio/packages'
trace--- local-storage: [get] full list of packages (0) has been fetched
http <-- 304, user: null(172.31.0.1), req: 'GET /-/verdaccio/packages', bytes: 0/0
info <-- 172.31.0.1 requested 'POST /-/verdaccio/login'

Pressed the button - did not get redirected to keycloak; entered user/pwd - failed. Log from verdaccio:

trace--- authenticating mmamaenko
trace--- authenticating mmamaenko
trace--- authenticating for user mmamaenko failed. Error: bad username/password, access denied
http <-- 401, user: null(172.31.0.1), req: 'POST /-/verdaccio/login', error: bad username/password, access denied
info <-- 172.31.0.1 requested 'POST /-/verdaccio/login'
trace--- authenticating mmamaenko
trace--- authenticating mmamaenko
trace--- authenticating for user mmamaenko failed. Error: bad username/password, access denied
http <-- 401, user: null(172.31.0.1), req: 'POST /-/verdaccio/login', error: bad username/password, access denied

When using keycloak with other openid clients I got redirected to keycloak login page but not this time. What is wrong with my config? I can ping all containers by name and I got response from http://keycloak:8080/auth/realms/verdaccia/.well-known/openid-configuration.

JsonWebTokenError: jwt malformed since v1.3.0

Hi,

We use verdaccio-openid-connect with keycloak and authentication broke with version v1.3.0, I guess due to #8.

Use case to reproduce:

% npm login
npm notice Log in on http://verdaccio.localhost
Logged in on http://verdaccio.localhost

% cat ~/.npmrc
registry=http://verdaccio.localhost/
//verdaccio.localhost/:_authToken="Rv7+MD8qbJZRA+Bjiyz50NyWmlnKt7L7h2HmH6YCKi0="

% npm show somepackage version
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR!     npm login

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/.../.npm/_logs/2022-05-02T14_44_30_468Z-debug-0.log

Server logs are:

JsonWebTokenError: jwt malformed
    at Object.module.exports [as verify] (/usr/lib/node_modules/verdaccio-openid-connect/node_modules/jsonwebtoken/verify.js:63:17)
    at /usr/lib/node_modules/verdaccio-openid-connect/lib/index.js:186:34
    at Layer.handle [as handle_request] (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:317:13)
    at /usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:275:10)
    at Function.handle (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:174:3)
    at router (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:47:12)
    at Layer.handle [as handle_request] (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/layer.js:95:5)
 http <-- 401, user: null(192.168.42.1 via 10.42.134.162), req: 'GET /tslib/-/tslib-1.14.1.tgz', error: authorization required to access package tslib
 error--- erro while verify jwt bearer token: jwt malformed

Rolling back to version 1.2.0 fixes the issue.

Thanks!

TypeError: Cannot set property 'openid-connect' of undefined

I have an error using this plugin -

verdaccio_1 | error--- error loading a plugin openid-connect: TypeError: Cannot set property 'openid-connect' of undefined
verdaccio_1 | at new OidcPlugin (/opt/verdaccio/node_modules/verdaccio-openid-connect/lib/index.js:18:54)
verdaccio_1 | at /opt/verdaccio/build/lib/plugin-loader.js:125:32
verdaccio_1 | at Array.map ()
verdaccio_1 | at loadPlugin (/opt/verdaccio/build/lib/plugin-loader.js:62:37)
verdaccio_1 | at Auth._loadPlugin (/opt/verdaccio/build/lib/auth.js:54:38)
verdaccio_1 | at new Auth (/opt/verdaccio/build/lib/auth.js:44:25)
verdaccio_1 | at defineAPI (/opt/verdaccio/build/api/index.js:43:16)
verdaccio_1 | at _default (/opt/verdaccio/build/api/index.js:127:10)
verdaccio_1 | at processTicksAndRejections (internal/process/task_queues.js:93:5)

UI login

Hi,

Thanks for your plugin, it works like a charm with the CLI. Do you have plans to add support for UI login?

Not compatible with latest version of Verdaccio

Hello, the current latest stable version of Verdaccio is 5.21.1; after installing this plugin, running the service fails.

verdaccio  | warn --- config file  - /verdaccio/conf/config.yaml
verdaccio  | error--- error loading a plugin openid-connect: {}
verdaccio  | error--- verdaccio-openid-connect doesn't look like a valid plugin
verdaccio  | fatal--- uncaught exception, please report this
verdaccio  | Error: sanity check has failed, "openid-connect" is not a valid plugin
verdaccio  |     at /usr/local/lib/node_modules/verdaccio/build/lib/plugin-loader.js:164:13
verdaccio  |     at Array.map (<anonymous>)
verdaccio  |     at loadPlugin (/usr/local/lib/node_modules/verdaccio/build/lib/plugin-loader.js:61:37)
verdaccio  |     at Auth._loadPlugin (/usr/local/lib/node_modules/verdaccio/build/lib/auth.js:40:38)
verdaccio  |     at new Auth (/usr/local/lib/node_modules/verdaccio/build/lib/auth.js:32:25)
verdaccio  |     at defineAPI (/usr/local/lib/node_modules/verdaccio/build/api/index.js:35:16)
verdaccio  |     at _default (/usr/local/lib/node_modules/verdaccio/build/api/index.js:112:10)
verdaccio  |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
verdaccio exited with code 255

Readme Update

Thanks for the plugin and for making it compatible with Verdaccio 6.x! Now I can give it a try 👍

You might want to update the readme regarding:

  • Compatibility with 6.x
  • Ability to use env variables for client_id and secret (again much appreciated)

Configuration via environment variables

Hi again!

Is it possible to configure the plugin via environment variables, instead of via config.yaml?

We're using verdaccio deployed on a Kubernetes cluster (with the helm chart), and the only way that I found to set the clientSecret is in the ConfigMap, which is unsafe.

If we could set it via an environment variable, then it would be possible to set it in a secret and then inject it in the container.

I'm not sure I'm making myself clear, but basically what I'd like to see is a VERDACCIO_OPENID_CLIENT_SECRET variable, is it currently possible?

Token expiration fixed at 30 days?

Hi,

first off, thank you for your work!

I am having an issue with tokens expiring. Access-Tokens issued seem to be expiring after 30 days? Or in my case sometimes on server reboot (with redis and persistence configured), which might also just be coincidental with my monthly maintenance.

Npmjs and Verdaccio don't expire auth-tokens by default. It seems reasonable that the oidc access and refresh tokens expire as set by the oidc provider, but I would expect the actual npm auth-tokens to (not) expire and respect the config set by verdaccio:

Verdaccio Config - Expiring Tokens

In my use case, I have a build server that I don't want to relogin every month. I double checked my server configs and everything seems to be in order. Also 30 days seems arbitrary. My keycloak config is set to expire logins after 1 day, refresh for 2 days and offline access for a week.

Browserless authentication?

Hi,

We are currently evaluating using the verdaccio-openid-connect plugin, however we do not want to rely on any browser interaction for logging in (not even the very first login), so this process can be automated as much as possible.

It is unclear to me if the NPM client application is suited for such a direct workflow. We thought one chain of actions to implement this would be the following:

  • Getting a bearer token from an OIDC server
  • Authenticating at the registry with that bearer token
  • Storing the auth-token returned by the registry in the ~/.npmrc file

We could see a login mechanism where the bearer token is received externally (via a different tool) and passed to the npm adduser command as a base64 encoded string in the username.

We would also accept to have a tool external to NPM that performs all the actions described above if the verdaccio-openid-connect plugin would implement the workflow to turn a bearer token into an auth-token to be stored in the ~/.npmrc file. We would also contribute to this project if we get some hints how to help to implement such a "browserless" login flow.

Best regards,
Max

Multi instances

Hello,
In case Verdaccio is deployed on K8S with multiple pods, OIDC auth is broken. As requests are redirected to different instances, we randomly get unauthorized errors whereas we're authenticated with a valid token. It depends on whether requests went to the pod where we requested auth or not. I guess something stateful is done somewhere. Do you think it would be possible to have a stateless session?
We have no issue with htpasswd auth.

internal server error on oidc/callback

I am trying to use this plugin with Azure AD and when I try logging in, it launches the browser and after entering the right credentials, it tries to call the oidc callback url which gives "Internal server error" saying "OPError: invalid_client (AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.)"

Any hints on what I could be missing?

Compatibility with latest verdaccio?

Hi! Thanks for this plugin :)

I've noticed that in the Dockerfile you provide, you're using as base image verdaccio 4.10.0; is the plugin also compatible with the latest versions of verdaccio, namely 5.x.x?

Cheers,
Loïc

Server does not support PKCE

I'm using a gitlab instance as openid provider; I'm getting the following error when trying to log in:

verdaccio_1 | OPError: invalid_request (Invalid code_verifier parameter. Server does not support pkce.)
verdaccio_1 | at processResponse (/opt/verdaccio/node_modules/openid-client/lib/helpers/process_response.js:45:13)
verdaccio_1 | at Client.grant (/opt/verdaccio/node_modules/openid-client/lib/client.js:1237:26)
verdaccio_1 | at processTicksAndRejections (internal/process/task_queues.js:93:5)
verdaccio_1 | at async Client.callback (/opt/verdaccio/node_modules/openid-client/lib/client.js:460:24)
verdaccio_1 | at async /opt/verdaccio/node_modules/verdaccio-openid-connect/lib/index.js:140:34

Or am I dumb and do I need to install something?
