148 lines
5.4 KiB
JavaScript
148 lines
5.4 KiB
JavaScript
/**
|
|
* Parse Server authentication adapter for Keycloak.
|
|
*
|
|
* @class KeycloakAdapter
|
|
* @param {Object} options - The adapter configuration options.
|
|
* @param {Object} options.config - The Keycloak configuration object, typically loaded from a JSON file.
|
|
* @param {String} options.config.auth-server-url - The Keycloak authentication server URL.
|
|
* @param {String} options.config.realm - The Keycloak realm name.
|
|
* @param {String} options.config.client-id - The Keycloak client ID.
|
|
*
|
|
* @param {Object} authData - The authentication data provided by the client.
|
|
* @param {String} authData.access_token - The Keycloak access token retrieved during client authentication.
|
|
* @param {String} authData.id - The user ID retrieved from Keycloak during client authentication.
|
|
* @param {Array} [authData.roles] - The roles assigned to the user in Keycloak (optional).
|
|
* @param {Array} [authData.groups] - The groups assigned to the user in Keycloak (optional).
|
|
*
|
|
* @description
|
|
* ## Parse Server Configuration
|
|
* To configure Parse Server for Keycloak authentication, use the following structure:
|
|
* ```javascript
|
|
* {
|
|
* "auth": {
|
|
* "keycloak": {
|
|
* "config": require('./auth/keycloak.json')
|
|
* }
|
|
* }
|
|
* }
|
|
* ```
|
|
* Ensure the `keycloak.json` configuration file is generated from Keycloak's setup guide and includes:
|
|
* - `auth-server-url`: The Keycloak authentication server URL.
|
|
* - `realm`: The Keycloak realm name.
|
|
* - `client-id`: The Keycloak client ID.
|
|
*
|
|
* ## Auth Data
|
|
* The adapter requires the following `authData` fields:
|
|
* - `access_token`: The Keycloak access token retrieved during client authentication.
|
|
* - `id`: The user ID retrieved from Keycloak during client authentication.
|
|
* - `roles` (optional): The roles assigned to the user in Keycloak.
|
|
* - `groups` (optional): The groups assigned to the user in Keycloak.
|
|
*
|
|
* ## Auth Payload Example
|
|
* ### Example Auth Data
|
|
* ```json
|
|
* {
|
|
* "keycloak": {
|
|
* "access_token": "an authorized Keycloak access token for the user",
|
|
* "id": "user's Keycloak ID as a string",
|
|
* "roles": ["admin", "user"],
|
|
* "groups": ["group1", "group2"]
|
|
* }
|
|
* }
|
|
* ```
|
|
*
|
|
* ## Notes
|
|
* - Parse Server validates the provided `authData` by making a `userinfo` call to Keycloak and ensures the attributes match those returned by Keycloak.
|
|
*
|
|
* ## Keycloak Configuration
|
|
* To configure Keycloak, copy the JSON configuration file generated from Keycloak's setup guide:
|
|
* - [Keycloak Securing Apps Documentation](https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter)
|
|
*
|
|
* Place the configuration file on your server, for example:
|
|
* - `auth/keycloak.json`
|
|
*
|
|
* For more information on Keycloak authentication, see:
|
|
* - [Securing Apps Documentation](https://www.keycloak.org/docs/latest/securing_apps/)
|
|
* - [Server Administration Documentation](https://www.keycloak.org/docs/latest/server_admin/)
|
|
*/
|
|
|
|
const { Parse } = require('parse/node');
|
|
const httpsRequest = require('./httpsRequest');
|
|
|
|
const arraysEqual = (_arr1, _arr2) => {
|
|
if (!Array.isArray(_arr1) || !Array.isArray(_arr2) || _arr1.length !== _arr2.length) { return false; }
|
|
|
|
var arr1 = _arr1.concat().sort();
|
|
var arr2 = _arr2.concat().sort();
|
|
|
|
for (var i = 0; i < arr1.length; i++) {
|
|
if (arr1[i] !== arr2[i]) { return false; }
|
|
}
|
|
|
|
return true;
|
|
};
|
|
|
|
const handleAuth = async ({ access_token, id, roles, groups } = {}, { config } = {}) => {
|
|
if (!(access_token && id)) {
|
|
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Missing access token and/or User id');
|
|
}
|
|
if (!config || !(config['auth-server-url'] && config['realm'])) {
|
|
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Missing keycloak configuration');
|
|
}
|
|
try {
|
|
const response = await httpsRequest.get({
|
|
host: config['auth-server-url'],
|
|
path: `/realms/${config['realm']}/protocol/openid-connect/userinfo`,
|
|
headers: {
|
|
Authorization: 'Bearer ' + access_token,
|
|
},
|
|
});
|
|
if (
|
|
response &&
|
|
response.data &&
|
|
response.data.sub == id &&
|
|
arraysEqual(response.data.roles, roles) &&
|
|
arraysEqual(response.data.groups, groups)
|
|
) {
|
|
return;
|
|
}
|
|
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid authentication');
|
|
} catch (e) {
|
|
if (e instanceof Parse.Error) {
|
|
throw e;
|
|
}
|
|
const error = JSON.parse(e.text);
|
|
if (error.error_description) {
|
|
throw new Parse.Error(Parse.Error.HOSTING_ERROR, error.error_description);
|
|
} else {
|
|
throw new Parse.Error(
|
|
Parse.Error.HOSTING_ERROR,
|
|
'Could not connect to the authentication server'
|
|
);
|
|
}
|
|
}
|
|
};
|
|
|
|
/*
|
|
@param {Object} authData: the client provided authData
|
|
@param {string} authData.access_token: the access_token retrieved from client authentication in Keycloak
|
|
@param {string} authData.id: the id retrieved from client authentication in Keycloak
|
|
@param {Array} authData.roles: the roles retrieved from client authentication in Keycloak
|
|
@param {Array} authData.groups: the groups retrieved from client authentication in Keycloak
|
|
@param {Object} options: additional options
|
|
@param {Object} options.config: the config object passed during Parse Server instantiation
|
|
*/
|
|
function validateAuthData(authData, options = {}) {
|
|
return handleAuth(authData, options);
|
|
}
|
|
|
|
// Returns a promise that fulfills if this app id is valid.
|
|
function validateAppId() {
|
|
return Promise.resolve();
|
|
}
|
|
|
|
module.exports = {
|
|
validateAppId,
|
|
validateAuthData,
|
|
};
|