General OpenID login plugin development
-
I'm trying to create an OpenID auth login and I need help.
Compared to other SSO and auth plugins there is one difference: there is no need for an admin page with an API/app key, but before going to /auth/openid a form is required to specify an OpenID identifier (URL), so it POSTs to /auth/openid with the open_identifier variable set, which might be different for every user.
I've tried to create an '/auth/openid_form' route and add a static page with a form there (hooked to filter:server.create_routes), where the form is:
    <form action="/auth/openid" method="post">
      <div>
        <label>OpenID identifier:</label>
        <input type="text" name="openid_identifier" size="40" /><br/>
      </div>
      <div>
        <input type="submit" value="Sign In"/>
      </div>
    </form>
I can display the form by browsing to /auth/openid_form, but when I enter anything I get Error: Forbidden:
    Error: Forbidden
        at Object.exports.error (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/utils.js:60:13)
        at Object.handle (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41)
        at next (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/proto.js:190:15)
        at next (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/session.js:313:9)
        at /home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/session.js:337:9
        at /home/nodebb/www/nodebb/node_modules/connect-mongo/lib/connect-mongo.js:220:17
        at /home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/collection/query.js:147:5
        at Cursor.nextObject (/home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/cursor.js:733:5)
        at commandHandler (/home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/cursor.js:713:14)
        at /home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/db.js:1806:9
If I do not fill in anything as open_identifier, /auth/openid just responds 'Unauthorized', which seems OK to me.
I am not sure if this is a CSRF issue with recent changes in express/connect or if I am doing something wrong.
Actually, there is another thing... how do I add this form to a strategy so it is asked for before passport.auth is used? I mean, if I push a strategy with URL /auth/openid it works fine, but I need the OpenID login link to go to /auth/openid_form first, not call passport.auth on that route, and call passport.auth later on /auth/openid.
Tips or any heads up?
-
-
@julian thanks. I've fixed the csrf issue.
Another issue appeared.
I hook the form page on the route /auth/openid_form with the action posting to /auth/openid,
and I also add the strategy with route /auth/openid. If I fill in the form on /auth/openid_form, it POSTs to /auth/openid, but it returns 302 and redirects to /404 and logs:
warn: Route requested but not found: /auth/openid
I've also tested my OpenID provider with the passport-openid example from https://github.com/jaredhanson/passport-openid/tree/master/examples/signon to make sure the problem is not in the provider or in my understanding of passport-openid. So it must be my misunderstanding of express and nodebb.
I'm very confused
See library.js - http://pastebin.com/HX0MNbmM
and hooks:

    "hooks": [
        { "hook": "filter:auth.init", "method": "getStrategy", "callbacked": false },
        { "hook": "filter:server.create_routes", "method": "addOpenIDLoginRoute", "callbacked": true }
    ]
Or here is my whole source code of nodebb-plugin-openid
(please note, it's a development prototype. First I'm aiming for a working prototype and then I'll revise it to publish it properly)
-
When you do finish and release it, I hope it comes bundled with every install.
-
As far as I know there is no official plugin yet to support OpenID Connect in NodeBB.
If anyone is still looking for a workable OpenID Connect option, we've built one for production usage, but it should work with any OpenID Connect identity provider.
- Supports discovery using the .well-known/openid-configuration URL
- Supports configurable email claim, defaults to email
- Supports Logout URL
- Optionally map roles by a named claim provided in the Userinfo endpoint response
- Documented option to bypass the default login panel
Feel free to open an issue if you find it is missing anything.
https://github.com/FusionAuth/nodebb-plugin-fusionauth-oidc
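As an added example that is not the FusionAuth plugin's code, here is how the two claim-driven features listed above (a configurable e-mail claim and roles mapped from a named Userinfo claim) can be implemented defensively: the Userinfo sub is checked against the ID Token sub, an unverified e-mail is refused for account linking, and only roles present in an explicit map become forum groups. The config keys, the group names in roleMap and the sample Userinfo document are assumptions constructed for this example, not the plugin's option names.

```javascript
// Added example, not the FusionAuth plugin's code: build a forum account record from an OIDC
// Userinfo response using configurable claim names, as the feature list above describes
// (configurable e-mail claim, roles mapped from a named claim). The config keys, the group names
// in roleMap and the sample Userinfo document are constructed for this example.
const DEFAULT_CONFIG = {
  emailClaim: 'email',            // claim that supplies the account e-mail (the default named above)
  rolesClaim: 'roles',            // optional claim carrying the provider's role names (assumed name)
  roleMap: { admin: 'administrators', mod: 'Global Moderators' },  // provider role -> forum group (assumed)
  requireVerifiedEmail: true,     // only link to a local account on an e-mail the provider has verified
};

function accountFromUserinfo(idTokenSub, userinfo, cfg = DEFAULT_CONFIG) {
  // OIDC Core 5.3.2: the Userinfo sub must equal the ID Token sub, otherwise the response is discarded.
  if (typeof userinfo.sub !== 'string' || userinfo.sub !== idTokenSub) {
    throw new Error('userinfo sub does not match id_token sub');
  }
  const email = userinfo[cfg.emailClaim];
  if (typeof email !== 'string' || !email.includes('@')) {
    throw new Error('missing or malformed "' + cfg.emailClaim + '" claim');
  }
  // email_verified is the standard claim; an unverified address must not be matched to an existing
  // account, or anyone able to register that address at the provider could take the local account over.
  if (cfg.requireVerifiedEmail && userinfo.email_verified !== true) {
    throw new Error('e-mail not verified by the provider; refusing to link by e-mail');
  }
  let raw = cfg.rolesClaim ? userinfo[cfg.rolesClaim] : undefined;
  if (raw === undefined || raw === null) raw = [];
  if (typeof raw === 'string') raw = [raw];                 // a single role may arrive as a bare string
  if (!Array.isArray(raw)) throw new Error('"' + cfg.rolesClaim + '" claim is neither string nor array');
  // Only roles present in roleMap become groups; unknown provider roles are dropped, never passed through.
  const groups = [...new Set(raw.filter((r) => typeof r === 'string')
                                .map((r) => cfg.roleMap[r])
                                .filter(Boolean))];
  return { oidcSub: userinfo.sub, email: email.toLowerCase(), groups };
}

// Constructed sample Userinfo response for a user the provider marks as admin and reader.
const SAMPLE_USERINFO = {
  sub: 'a1b2c3',
  email: 'Alice@Example.org',
  email_verified: true,
  preferred_username: 'alice',
  roles: ['admin', 'reader'],
};
```

The lookup of the local account should key on the provider's sub first and fall back to the e-mail only when the provider has verified it; the role map works as an allow-list, so a provider that starts emitting a new role name cannot grant a group the forum administrator never mapped.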