Verifying user on each subsequent request?

[jonsage]

Sorry, I'm having trouble following the docs.

I'm building with Astro (https://astro.build) and I've opted for a full serverside rendering site because I need dynamic elements based on the authenticated user.

So, I can follow your Authorization Code Flow example to connect with a custom OIDC provider - but the bit I'm confused by is what instances of what classes should be created and what methods called when. The example code you have in the README is everything in one block so I don't know how to break things up to different pages or whether what I'm doing is "right".

I'm hoping to achieve the following:

1. Sign-in page/endpoint where the user is redirected to the issuer auth URL.
2. Callback page/endpoint where the access_token/id_token returned is somehow stored in a secure server-only cookie.
3. Middleware that runs on every request - this will check for a authenticated user and return 403 or redirect to login or whatever if not present.

The bit I struggle most with is (2) - what typically would be stored in cookie on the callback page? And what is the safest (best practice) way to do this?

The next bit I struggle with is (3) - after pulling the token out of the cookie how do I verify that that the token is still "active"? Is it's existence enough to determine a user is signed-in, because I feel like I should be at least checking the signature of the JWT, any claims and the expiry - but I don't know how to do that with your library

I've put code I have so far below - although it's Astro-flavoured it is still very readable I think.

// signin.astro

import { Issuer, generators } from 'openid-client';

const issuer = await Issuer.discover('https://example.com');

const client = new issuer.Client({
    client_id: 'example',
    client_secret: 'example',
    redirect_uris: ['http://localhost:3000/callback/'],
    response_types: ['code']
});

const code_verifier = generators.codeVerifier();

Astro.cookies.set('verifier', code_verifier, {
    httpOnly: true,
    path: '/'
});

const code_challenge = generators.codeChallenge(code_verifier);

const authorization_url = client.authorizationUrl({
    scope: 'openid email',
    code_challenge,
    code_challenge_method: 'S256',
});

return Astro.redirect(authorization_url);

// callback.astro

import { Issuer, generators } from 'openid-client';

const issuer = await Issuer.discover('https://example.com');

const client = new issuer.Client({
    client_id: 'example',
    client_secret: 'example',
    redirect_uris: ['http://localhost:3000/callback/'],
    response_types: ['code']
});

const cookie_verifier = Astro.cookies.get('verifier');

if (cookie_verifier.value !== undefined) {
    const code_verifier = cookie_verifier.value;
    const params = client.callbackParams(Astro.request.url);
    const tokenSet = await client.callback('http://localhost:3000/callback/', params, { code_verifier });

    Astro.cookies.delete('verifier', {
        path: '/' 
    });

    // (2) AROUND HERE I GET LOST - WHAT SHOULD I STORE?
    if (tokenSet.access_token !== undefined) {
        Astro.cookies.set('token', tokenSet.access_token, {
            httpOnly: true,
            path: '/'
        });

        const userinfo = await client.userinfo(tokenSet.access_token);

        console.log(userinfo);

        console.log(tokenSet.claims());
    }
}

// middleware.ts

import { defineMiddleware, sequence } from "astro/middleware";
import { Issuer, generators } from "openid-client";

const auth = defineMiddleware((context, next) => {

    const auth_token = context.cookies.get('token');

    // (3) HOW DO I VERIFY THE TOKEN AND ACCESS THE CLAIMS?

    // const user = ???    

    // context.locals.user = {
    //     name: user.name,
    //     email: user.email,
    //     role: user.role
    // };

    return next();
});

export const onRequest = sequence(auth);