General OpenID login plugin development
-
I'm trying to create an OpenID auth login and I need help.
According to other SSOs and auth plugins there is a difference that there is no need for admin page with api/app key but before going to /auth/openid there is a form required to specify an OpenID identifier (url) so it POSTs to /auth/openid with open_identifier variable set, which might be different for every user.
I've tried to create an '/auth/openid_form' route and add there a static page with a form (hooked to filter:server.create_routes)
where the form is:
<form action="/auth/openid" method="post"> <div> <label>OpenID identifier:</label> <input type="text" name="openid_identifier" size="40" /><br/> </div> <div> <input type="submit" value="Sign In"/> </div> </form>I can display the form by browsing to /auth/openid_form but when I enter anything I get Error: Forbidden:
Error: Forbidden at Object.exports.error (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/utils.js:60:13) at Object.handle (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/csrf.js:54:41) at next (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/proto.js:190:15) at next (/home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/session.js:313:9) at /home/nodebb/www/nodebb/node_modules/express/node_modules/connect/lib/middleware/session.js:337:9 at /home/nodebb/www/nodebb/node_modules/connect-mongo/lib/connect-mongo.js:220:17 at /home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/collection/query.js:147:5 at Cursor.nextObject (/home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/cursor.js:733:5) at commandHandler (/home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/cursor.js:713:14) at /home/nodebb/www/nodebb/node_modules/mongodb/lib/mongodb/db.js:1806:9If I do not fill anything as open_identifier /auth/openid just responds 'Unauthorized' which seems ok to me.
I am not sure if this is CSRF issue with recent changes in express/connect or if I am doing something wrong.
Actually, there is another thing... how to add this form into a strategy so it is asked before using passport.auth? I mean, if I push strategy with URL /auth/openid it works fine but I need the link for OpenID login to go to /auth/openid_form first and not call passport.auth on this route and call passport.auth later on /auth/openid
Tips or any heads up?
-
Hmm... the "Forbidden" error is definitely a CSRF issue... in StackOverflow, they ask for this during login for OpenID:
Is this what you're trying to create?
Ensure you're passing in a hidden input field with id
_csrfin your form.
-
@julian thanks. I've fixed the csrf issue.
another issue appeared
I hook the form page on the route /auth/openid_form with action posting to /auth/openid
also I add the strategy with route /auth/openidIf I fill the form on /auth/openid_form, it POSTs to /auth/openid, but it returns 302 and redirects to /404 and logs
warn: Route requested but not found: /auth/openidI've also tested my OpenID provider with passport-openid example from https://github.com/jaredhanson/passport-openid/tree/master/examples/signon to ensure it is not in provider or my understanding of passport-openid. So it must be my misunderstanding of express and nodebb
I'm very confused
See library.js - http://pastebin.com/HX0MNbmM
and hooks:"hooks": [ { "hook": "filter:auth.init", "method": "getStrategy", "callbacked": false }, { "hook": "filter:server.create_routes", "method": "addOpenIDLoginRoute", "callbacked": true }Or here is my whole source code of nodebb-plugin-openid
(please, It's development prototype. First I'm aiming for working prototype and then I'll revise it to publish it properly)
-
When you do finish and release it, I hope it comes bundled with every install.
-
As far as I know there is not an official plugin yet to support OpenID Connect in NodeBB.
If anyone is still looking for a work-able OpenID Connection option, we've built one for production usage but it should work with any OpenID Connect identity provider.
- Supports discovery using the
.well-known/openid-configurationURL - Supports configurable email claim, defaults to
email - Supports Logout URL
- Optionally map roles by a named claim provided in the Userinfo endpoint response
- Documented option to bypass the default login panel
Feel free to open an issue if you find it is missing anything.
https://github.com/FusionAuth/nodebb-plugin-fusionauth-oidc
- Supports discovery using the
