kuoruan / verdaccio-openid Goto Github PK


OpenID Connect plugin for Verdaccio, fork of n4bb12/verdaccio-github-oauth-ui

Home Page: https://verdaccio.org

License: MIT License

TypeScript 91.06% JavaScript 8.94%
openid-connect verdaccio verdaccio-auth verdaccio-auth-plugin verdaccio-openid

verdaccio-openid's Introduction

verdaccio-openid

About

This is a Verdaccio plugin that offers OIDC OAuth integration for both the browser and the command line.

Compatibility

  • Verdaccio 5, 6
  • Node 16, 18
  • Chrome, Firefox, Firefox ESR, Edge, Safari

Setup

Install

  1. Install globally

npm install -S verdaccio-openid

  2. Install to the Verdaccio plugins folder (requires npm >= 7)

mkdir -p ./install-here/
npm install --global-style \
  --bin-links=false --save=false --package-lock=false \
  --omit=dev --omit=optional --omit=peer \
  --prefix ./install-here/ \
  verdaccio-openid@latest
mv ./install-here/node_modules/verdaccio-openid/ /path/to/verdaccio/plugins/

Verdaccio Config

Merge the options below into your existing Verdaccio config:

middlewares:
  openid:
    enabled: true

auth:
  openid:
    provider-host: https://example.com # required, the host of oidc provider
    # configuration-uri: https://example.com/.well-known/openid-configuration # optional
    # issuer: https://example.com # optional, jwt issuer, use 'provider-host' when empty
    # authorization-endpoint: https://example.com/oauth/authorize # optional
    # token-endpoint: https://example.com/oauth/token # optional
    # userinfo-endpoint: https://example.com/oauth/userinfo # optional
    # jwks-uri: https://example.com/oauth/jwks # optional
    # scope: openid email groups # optional. custom scope, default is openid
    client-id: CLIENT_ID # optional, you can set it with environment variable 'VERDACCIO_OPENID_CLIENT_ID'
    client-secret: CLIENT_SECRET # optional, you can set it with environment variable 'VERDACCIO_OPENID_CLIENT_SECRET'
    username-claim: name # optional. username claim in openid, or key to get username in userinfo endpoint response, default is sub
    groups-claim: groups # optional. claim to get groups from
    # provider-type: gitlab # optional. define this to get groups from gitlab api
    # authorized-groups: # optional. users in at least one listed group are allowed to log in. use true to require at least one group of any name, false to skip the groups check
    #  - access
    # group-users: # optional. custom group membership, e.g. group 'animal' has users tom and jack. if set, 'groups-claim' and 'provider-type' have no effect
    #   animal:
    #     - tom
    #     - jack

Now you can use the openid-connect auth in the webUI.
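The comments in the config above describe how a login is decided once the token has been verified: the username comes from `username-claim` (default `sub`), groups come from `groups-claim` or, when set, from the static `group-users` map, and `authorized-groups` is either a list of admitted groups, `true` (at least one group required) or `false` (no check). The following Node.js snippet is an added illustration of those rules written for this page; it is not the plugin's own code. The settings object uses the same keys as the `auth.openid` block, the claims object is a constructed sample shaped like a decoded id_token, and the function names are my own.

```javascript
'use strict';

// Constructed sample: decoded claims as an OIDC provider might return them.
// The plugin verifies the token against `jwks-uri` before any of this logic
// would run; this example deliberately starts from already-trusted claims.
const SAMPLE_CLAIMS = {
  sub: 'Qki-constructed',
  name: 'myname',
  preferred_username: 'myname@example.com',
  roles: ['access', 'publish'],
};

// Settings keyed exactly like the `auth.openid` block in the Verdaccio config.
const SAMPLE_SETTINGS = {
  'username-claim': 'name',
  'groups-claim': 'roles',
  'authorized-groups': ['access'],
};

// `username-claim` names the claim holding the login name; the default is `sub`.
// A missing or empty claim is an error rather than a fallback to another claim.
function resolveUsername(claims, settings) {
  const claim = settings['username-claim'] || 'sub';
  const value = claims[claim];
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`username claim "${claim}" is missing from the token`);
  }
  return value;
}

// `group-users` takes precedence over `groups-claim` when set; otherwise the
// group list is whatever the configured claim carries (a string or an array).
// An absent claim yields no groups, so any groups check then fails closed.
function resolveGroups(claims, username, settings) {
  const groupUsers = settings['group-users'];
  if (groupUsers && typeof groupUsers === 'object') {
    return Object.entries(groupUsers)
      .filter(([, users]) => Array.isArray(users) && users.includes(username))
      .map(([group]) => group);
  }
  const claim = settings['groups-claim'];
  if (!claim) return [];
  const value = claims[claim];
  if (Array.isArray(value)) return value.filter((g) => typeof g === 'string');
  if (typeof value === 'string') return [value];
  return [];
}

// `authorized-groups`: a list admits users in at least one listed group,
// `true` requires at least one group of any name, `false`/unset skips the check.
function isAuthorized(groups, authorizedGroups) {
  if (authorizedGroups === undefined || authorizedGroups === false) return true;
  if (authorizedGroups === true) return groups.length > 0;
  if (Array.isArray(authorizedGroups)) {
    return groups.some((g) => authorizedGroups.includes(g));
  }
  throw new TypeError('authorized-groups must be true, false or a list of group names');
}

// Full decision for one login: resolved username, effective groups, allow/deny.
function evaluateLogin(claims, settings) {
  const username = resolveUsername(claims, settings);
  const groups = resolveGroups(claims, username, settings);
  return { username, groups, authorized: isAuthorized(groups, settings['authorized-groups']) };
}

// Demo: the sample user is admitted; with a misnamed groups claim the same
// token resolves to no groups and `authorized-groups: true` denies the login.
console.log(JSON.stringify(evaluateLogin(SAMPLE_CLAIMS, SAMPLE_SETTINGS)));
console.log(JSON.stringify(evaluateLogin(SAMPLE_CLAIMS, {
  ...SAMPLE_SETTINGS, 'groups-claim': 'groups', 'authorized-groups': true,
})));
```

The second call shows why a claim name mismatch between the provider and `groups-claim` surfaces as a denied login rather than a silently admitted one: an absent claim resolves to an empty group list, and `authorized-groups: true` requires at least one group.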

Environment Variables

Name                            Description
VERDACCIO_OPENID_CLIENT_ID      OIDC client ID
VERDACCIO_OPENID_CLIENT_SECRET  OIDC client secret

Token Expiration

To set the token expiration time, follow the instructions in the Verdaccio docs.

security:
  api:
    jwt:
      sign:
        expiresIn: 7d # npm token expiration
  web:
    sign:
      expiresIn: 7d # webUI token expiration

OpenID Callback URL

Auth with CLI

npx verdaccio-openid@latest --registry http://your-registry.com

verdaccio-openid's Issues

Could not grab groups using the roles property

Hello guys,
I want to implement this library with AzureAD openid endpoint.
I got everything set up correctly and also tested my AzureAD by using https://openidconnect.net/ (an OpenID Connect Playground).

While testing I could see that I get my roles from the user token. The problem now is that in verdaccio I get the following error message:
Could not grab groups using the roles property

This is my config auth part (anonymized):

  auth:
    #htpasswd:
      # Do not change this path if secrets htpasswd is used.
      #file: /verdaccio/storage/htpasswd
      # Maximum amount of users allowed to register, defaults to "+infinity".
      # You can set this to -1 to disable registration.
      #max_users: 1000
    openid:
      provider-host: https://login.microsoftonline.com/bf8.../v2.0
      configuration-uri: https://login.microsoftonline.com/bf8.../v2.0/.well-known/openid-configuration
      #issuer: https://login.microsoftonline.com/bf8.../v2.0
      #authorization-endpoint: https://login.microsoftonline.com/bf8.../oauth2/v2.0/authorize
      #token-endpoint: https://login.microsoftonline.com/bf8.../oauth2/v2.0/token
      #userinfo-endpoint: https://graph.microsoft.com/oidc/userinfo
      #jwks-uri: https://login.microsoftonline.com/bf8.../discovery/v2.0/keys
      client-id: 67...
      client-secret: bN...
      username-claim: name
      scope: openid profile email
      groups-claim: roles
      authorized-group: true

This is my decrypted user token (id_token); I have anonymized the values:

{
 "aud": "67...",
 "iss": "https://login.microsoftonline.com/bf8.../v2.0",
 "iat": 16...,
 "nbf": 16...,
 "exp": 16...,
 "aio": "AW...",
 "email": "[email protected]",
 "name": "myname",
 "oid": "0...",
 "preferred_username": "[email protected]",
 "rh": "0.A....",
 "roles": [
  "access",
  "publish"
 ],
 "sub": "Qki...",
 "tid": "bf...",
 "uti": "fw...",
 "ver": "2.0"
}

I've also checked your source code. I found out that the getGroups method in AuthProvider.ts tries to get all userinfo by token, which is not working for roles, I guess.

Also interesting, the username-claim in the config.yaml can access name but not preferred_username

In my tests with https://openidconnect.net/ I tested the exact same scope.
I've also tried to configure all endpoints manually, which I think is not necessary when using the well-known endpoint.

I hope it is just a misconfiguration, but since I've tried out everything I am not sure anymore.

Thankful for help.

npm authToken not working after 1 hour

I'm using this plugin to login to verdaccio using Google oauth.

I then click on the gear icon in verdaccio to retrieve the authToken.

Using this token I can then publish and consume packages in my allowed scope. However, after 1 hour the authToken doesn't work and I need to login to verdaccio again to retrieve a token.

I thought this was due to the default verdaccio Web UI session lifetime (1h) but after changing that, I noticed the authToken still expires after 1 hour.

Any idea where this 1h expiration might be coming from?

Absolute urls ignore url_prefix config

When Verdaccio works under a path with url_prefix set, for example to /verdaccio, the absolute URLs under constants are not mapped correctly.

In config.yaml:
url_prefix: /verdaccio

In PatchHtml.ts#L24 the staticPath is configured in constants.ts#L5 and does not consider the url_prefix configuration; this makes the plugin unusable.

Set credentials from env

Hi,

Could it be possible to set credentials from env like OIDC_CLIENT_ID and OIDC_CLIENT_SECRET?

Best regards,
Guillaume
