first-party client 처리

src/model/model.ts

@@ -9,6 +9,7 @@ import * as Bunyan from 'bunyan'
 import { ControllableError } from './errors'
 import Config from '../config'
 import Transaction from './transaction'
+import OAuth from './oauth'
 
 const PSQL_SERIALIZATION_FAILURE = '40001'
 const PSQL_DEADLOCK_DETECTED = '40P01'
@@ -22,6 +23,7 @@ export default class Model {
   public readonly permissions: Permissions
   public readonly shells: Shells
   public readonly hosts: Hosts
+  public readonly oauth: OAuth
 
   private readonly pgConfig: pg.PoolConfig
   private readonly pgPool: pg.Pool
@@ -36,6 +38,7 @@ export default class Model {
     this.permissions = new Permissions(this)
     this.shells = new Shells(this)
     this.hosts = new Hosts(this)
+    this.oauth = new OAuth()
   }
 
   /**

src/model/oauth.ts

@@ -0,0 +1,27 @@
+// @ts-expect-error: https://github.com/microsoft/TypeScript/issues/49721
+import type { AllClientMetadata } from 'oidc-provider'
+
+import { NoSuchEntryError } from './errors'
+import Transaction from './transaction'
+
+export default class OAuth {
+  public async getClientById(tr: Transaction, id: string): Promise<AllClientMetadata> {
+    const client = await tr.query('SELECT client_id, client_secret, client_name FROM oauth_client WHERE client_id = $1', [id])
+    const redirectUri = await tr.query('SELECT redirect_uri FROM oauth_client_redirect_uris WHERE client_id = $1', [id])
+    if (client.rows.length !== 1) {
+      throw new NoSuchEntryError()
+    }
+
+    return {
+      client_id: client.rows[0].client_id,
+      client_secret: client.rows[0].client_secret,
+      client_name: client.rows[0].client_name,
+      redirect_uris: redirectUri.rows.map(row => row.redirect_uri),
+    }
+  }
+
+  public async isFirstParty(tr: Transaction, id: string): Promise<boolean> {
+    const result = await tr.query('SELECT first_party FROM oauth_client WHERE client_id = $1', [id])
+    return Boolean(result.rows[0]?.first_party)
+  }
+}

src/oidc/adapter.ts

@@ -3,7 +3,7 @@ import Redis from 'ioredis'
 import type { Adapter, AdapterPayload } from 'oidc-provider'
 
 import Model from '../model/model'
-import {NoSuchEntryError} from '../model/errors'
+import { NoSuchEntryError } from '../model/errors'
 
 const grantable = new Set([
   'AccessToken',
@@ -86,20 +86,7 @@ export default function AdapterFactory(redisUrl: string, model: Model) {
     async find(id: string): Promise<AdapterPayload | undefined | void> {
       if (this.name === 'Client') {
         try {
-          return model.pgDo(async tr => {
-            const client = await tr.query('select client_id, client_secret, client_name from oauth_client where client_id = $1', [id])
-            const redirectUri = await tr.query('select redirect_uri from oauth_client_redirect_uris where client_id = $1', [id])
-            if (client.rows.length !== 1) {
-              throw new NoSuchEntryError()
-            }
-
-            return {
-              client_id: client.rows[0].client_id,
-              client_secret: client.rows[0].client_secret,
-              client_name: client.rows[0].client_name,
-              redirect_uris: redirectUri.rows.map(row => row.redirect_uri),
-            }
-          })
+          return model.pgDo(tr => model.oauth.getClientById(tr, id))
         } catch (e) {
           if (e instanceof NoSuchEntryError) {
             return undefined

src/oidc/configuration.ts

@@ -5,6 +5,10 @@ import Config from '../config'
 import OIDCAccount from './account'
 import AdapterFactory from './adapter'
 
+const claims = {
+  openid: ['sub', 'groups', 'username'],
+};
+
 export default function createOIDCConfig(model: Model, oidcConfig: Config['oidc']): Configuration {
   let adapter
   if (oidcConfig.redisURL) {
@@ -14,7 +18,6 @@ export default function createOIDCConfig(model: Model, oidcConfig: Config['oidc'
   return {
     adapter,
     findAccount: async (ctx, id) => {
-
       const [groups, username] = await model.pgDo(async tr => {
         const groupSet = await model.users.getUserReachableGroups(tr, Number(id))
         const groupResult = await tr.query('SELECT identifier FROM groups WHERE idx = ANY($1)', [[...groupSet]])
@@ -31,6 +34,47 @@ export default function createOIDCConfig(model: Model, oidcConfig: Config['oidc'
 
       return new OIDCAccount(id, username, groups)
     },
+    async loadExistingGrant(ctx) {
+      if (!ctx.oidc.client || !ctx.oidc.session || !ctx.oidc.result) {
+        return undefined
+      }
+
+      const clientId = ctx.oidc.client.clientId
+      const grantId = ctx.oidc.result.consent?.grantId
+        || ctx.oidc.session.grantIdFor(ctx.oidc.client.clientId)
+
+      if (grantId) {
+        // keep grant expiry aligned with session expiry
+        // to prevent consent prompt being requested when grant expires
+        const grant = await ctx.oidc.provider.Grant.find(grantId)
+
+        // this aligns the Grant ttl with that of the current session
+        // if the same Grant is used for multiple sessions, or is set
+        // to never expire, you probably do not want this in your code
+        if (grant && ctx.oidc.account && (!grant.exp || grant.exp < ctx.oidc.session.exp)) {
+          grant.exp = ctx.oidc.session.exp
+
+          await grant.save()
+        }
+
+        return grant
+      } else {
+        const isFirstParty = await model.pgDo(tr => model.oauth.isFirstParty(tr, clientId))
+        if (isFirstParty) {
+          const grant = new ctx.oidc.provider.Grant({
+            clientId: clientId,
+            accountId: ctx.oidc.session.accountId,
+          })
+
+          grant.addOIDCScope('openid')
+          grant.addOIDCClaims(claims.openid)
+          await grant.save()
+          return grant
+        }
+      }
+
+      return undefined
+    },
     cookies: {
       keys: [oidcConfig.cookieKey]
     },
@@ -44,9 +88,7 @@ export default function createOIDCConfig(model: Model, oidcConfig: Config['oidc'
         return `/oauth/${interaction.uid}`
       },
     },
-    claims: {
-      openid: ['sub', 'groups', 'username'],
-    },
+    claims,
     features: {
       devInteractions: {
         enabled: oidcConfig.devInteractions