@@ -0,0 +1,12 @@
|
||||
{
|
||||
"name": "@suitecoffee/oidc",
|
||||
"version": "1.0.0",
|
||||
"type": "module",
|
||||
"main": "src/index.mjs",
|
||||
"exports": {
|
||||
".": "./src/index.mjs"
|
||||
},
|
||||
"dependencies": {
|
||||
"openid-client": "^6.0.0"
|
||||
}
|
||||
}
|
||||
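Review bot: The dependency range `"openid-client": "^6.0.0"` does not match the API the companion src/index.mjs hunk uses — as far as I know, openid-client 6 is a rewrite with a functional API (`discovery`, `buildAuthorizationUrl`, `authorizationCodeGrant`, `buildEndSessionUrl`) and no longer exports the `Issuer` class, so `import { Issuer } from 'openid-client'` yields `undefined` and `Issuer.discover(...)` fails with a TypeError on first use. Either keep the `Issuer`/`Client` code and pin the 5.x line, `"openid-client": "^5.0.0"`, or port index.mjs to the v6 functions; the two files should be changed together so the installed version and the imported API agree. Worth confirming against the installed package before merging, since the manifest alone cannot show which API is actually present.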
@@ -0,0 +1,70 @@
|
||||
// @suitecoffee/oidc/src/index.mjs
|
||||
// OIDC minimal (ESM) — siempre usa discovery vía OIDC_CONFIG_URL
|
||||
|
||||
import { Issuer } from 'openid-client';
|
||||
|
||||
let _cached = null;
|
||||
|
||||
/**
|
||||
* ENV requeridas:
|
||||
* - OIDC_CONFIG_URL -> https://.../.well-known/openid-configuration
|
||||
* - OIDC_CLIENT_ID
|
||||
* - OIDC_CLIENT_SECRET -> opcional (si tu client es confidencial)
|
||||
* - OIDC_REDIRECT_URI
|
||||
*/
|
||||
export async function initOIDCFromEnv() {
|
||||
if (_cached) return _cached;
|
||||
|
||||
const configUrl = process.env.OIDC_CONFIG_URL;
|
||||
const clientId = process.env.OIDC_CLIENT_ID;
|
||||
const clientSecret = process.env.OIDC_CLIENT_SECRET || undefined;
|
||||
const redirectUri = process.env.OIDC_REDIRECT_URI;
|
||||
|
||||
// Discovery directo (assume OK)
|
||||
const issuer = await Issuer.discover(configUrl);
|
||||
|
||||
const client = new issuer.Client({
|
||||
client_id: clientId,
|
||||
client_secret: clientSecret,
|
||||
redirect_uris: [redirectUri],
|
||||
response_types: ['code'],
|
||||
token_endpoint_auth_method: clientSecret ? 'client_secret_post' : 'none',
|
||||
});
|
||||
|
||||
_cached = {
|
||||
issuer,
|
||||
client,
|
||||
|
||||
// Construye la URL de autorización (PKCE)
|
||||
getAuthUrl({ state, nonce, code_challenge, scope = 'openid email profile' }) {
|
||||
return client.authorizationUrl({
|
||||
scope,
|
||||
redirect_uri: redirectUri,
|
||||
code_challenge,
|
||||
code_challenge_method: 'S256',
|
||||
state,
|
||||
nonce,
|
||||
});
|
||||
},
|
||||
|
||||
// Intercambia el authorization code en el callback
|
||||
async handleCallback(req, expected) {
|
||||
const params = client.callbackParams(req);
|
||||
return client.callback(redirectUri, params, expected);
|
||||
},
|
||||
|
||||
// URL de fin de sesión (si el OP la expone)
|
||||
endSessionUrl({ id_token_hint, post_logout_redirect_uri }) {
|
||||
return client.endSessionUrl
|
||||
? client.endSessionUrl({ id_token_hint, post_logout_redirect_uri })
|
||||
: null;
|
||||
},
|
||||
};
|
||||
|
||||
return _cached;
|
||||
}
|
||||
|
||||
export function getOIDC() {
|
||||
if (!_cached) throw new Error('[OIDC] initOIDCFromEnv() no fue llamado aún');
|
||||
return _cached;
|
||||
}
|
||||
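Review bot: `initOIDCFromEnv` calls `Issuer.discover(configUrl)` without checking that the variables its own doc block lists as required are set; with `OIDC_CONFIG_URL` unset the failure surfaces as an opaque error from discovery, and with `OIDC_REDIRECT_URI` unset the client is registered with `redirect_uris: [undefined]`, which only shows up later as a redirect_uri mismatch at the provider. Add a guard before discovery: `const missing = ['OIDC_CONFIG_URL', 'OIDC_CLIENT_ID', 'OIDC_REDIRECT_URI'].filter((k) => !process.env[k]);` followed by `if (missing.length > 0) throw new Error('[OIDC] faltan variables de entorno: ' + missing.join(', '));`, and consider rejecting a non-`https:` config URL since discovery metadata is trusted to supply the token and JWKS endpoints. Separately, `endSessionUrl` tests for the existence of `client.endSessionUrl`, which in the 5.x API is a prototype method that is always present and itself throws when the issuer has no `end_session_endpoint`, so the `null` branch is likely unreachable; checking `issuer.end_session_endpoint` (or `issuer.metadata.end_session_endpoint`) would match the comment's stated intent. Note also that because `_cached` is only assigned after discovery completes, concurrent first calls each run their own discovery; caching the in-flight promise instead would avoid that.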