From d5d368cd337d205f2a4e4abc6e16914cde92f95f Mon Sep 17 00:00:00 2001
From: Dan Nicholson
Date: Sat, 15 Aug 2020 11:32:58 -0600
Subject: [PATCH] feat: fix + enable OIDC auth method (#2282)
* fix: pass userinfo URL in oidc strategy The userinfo URL from the definition was not being provided to the passport strategy, which resulted in a type error trying to resolve the user's profile. Furthermore, the name of the defined URL was inconsistent with all other authentication method URLs.
* fix: pass all necessary scopes to oidc auth method When no scopes are provided, passport-openidconnect uses only `openid`, which does not contain the username or email address. Include `profile` and `email` to ensure the necessary claims are included.
* fix: update oidc method to call processProfile correctly Now the profile object and providerKey are passed to processProfile. The usernameClaim no longer has any use as the email address is the username.
* fix: mark oidc authentication method as available
---
 .../authentication/oidc/authentication.js | 25 +++++++++++--------
 .../authentication/oidc/definition.yml | 8 ++++--
 2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/server/modules/authentication/oidc/authentication.js b/server/modules/authentication/oidc/authentication.js
index 4f2dc5cd..8c3ed117 100644
--- a/server/modules/authentication/oidc/authentication.js
+++ b/server/modules/authentication/oidc/authentication.js
@@ -17,18 +17,21 @@ module.exports = {
 clientID: conf.clientId,
 clientSecret: conf.clientSecret,
 issuer: conf.issuer,
+ userInfoURL: conf.userInfoURL,
 callbackURL: conf.callbackURL
- }, (iss, sub, profile, jwtClaims, accessToken, refreshToken, params, cb) => {
- WIKI.models.users.processProfile({
- id: jwtClaims.sub,
- provider: 'oidc',
- email: _.get(jwtClaims, conf.emailClaim),
- name: _.get(jwtClaims, conf.usernameClaim)
- }).then((user) => {
- return cb(null, user) || true
- }).catch((err) => {
- return cb(err, null) || true
- })
+ }, async (iss, sub, profile, cb) => {
+ try {
+ const user = await WIKI.models.users.processProfile({
+ profile: {
+ ...profile,
+ email: _.get(profile, '_json.' + conf.emailClaim)
+ },
+ providerKey: 'oidc'
+ })
+ cb(null, user)
+ } catch(err) {
+ cb(err, null)
+ }
 })
 )
 }
diff --git a/server/modules/authentication/oidc/definition.yml b/server/modules/authentication/oidc/definition.yml
index f3f7c191..f10c6e81 100644
--- a/server/modules/authentication/oidc/definition.yml
+++ b/server/modules/authentication/oidc/definition.yml
@@ -5,13 +5,17 @@ author: requarks.io
 logo: https://static.requarks.io/logo/oidc.svg
 color: blue-grey darken-2
 website: http://openid.net/connect/
+isAvailable: true
 useForm: false
+scopes:
+ - openid
+ - profile
+ - email
 props:
 clientId: String
 clientSecret: String
 authorizationURL: String
 tokenURL: String
 issuer: String
- userInfoUrl: String
+ userInfoURL: String
 emailClaim: String
- usernameClaim: String
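Review bot: The address taken from the userinfo response at `email: _.get(profile, '_json.' + conf.emailClaim)` becomes the account identity (the commit message says the email is now the username) without consulting the standard `email_verified` claim, so a provider that relays unverified addresses lets a user present an email they do not control; if processProfile matches existing accounts by that email, this is an account-linking risk. Consider refusing the login when the claim is present and false, e.g. `if (profile._json && profile._json.email_verified === false) { return cb(new Error('OIDC email address is not verified'), null) }` ahead of the processProfile call, and consider whether the stable `sub` (scoped by `iss`) should key the account instead of a mutable email, as the spec recommends. A smaller point: `cb(null, user)` sits inside the `try`, so if the callback itself throws, the `catch` invokes `cb` a second time with the error; moving the success call after the try/catch (with `return cb(err, null)` in the catch) avoids a double callback. The enclosing `module.exports` object and the strategy construction begin outside the hunk.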