fix(auth): separate pkce and headless trusted rp config
@@ -72,6 +72,17 @@ function readMetadataString(
|
||||
return typeof value === "string" ? value : "";
|
||||
}
|
||||
|
||||
function readMetadataObject(
|
||||
metadata: Record<string, unknown>,
|
||||
key: string,
|
||||
): Record<string, unknown> | undefined {
|
||||
const value = metadata[key];
|
||||
if (typeof value !== "object" || value === null || Array.isArray(value)) {
|
||||
return undefined;
|
||||
}
|
||||
return value as Record<string, unknown>;
|
||||
}
|
||||
|
||||
function isValidUrl(value: string): boolean {
|
||||
try {
|
||||
const url = new URL(value);
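Review bot: readMetadataObject has no doc comment, and the `as Record<string, unknown>` on its last line is an assertion a reader has to justify from the guard two lines above it; a one-line TSDoc settles both: `/** Returns metadata[key] when it is a non-null, non-array object, otherwise undefined; the cast is safe only because of that guard. */`. The helper deliberately mirrors readMetadataString, whose start lies above the hunk, so the two should be documented in the same style. isValidUrl at the bottom of the hunk continues outside it.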
|
||||
@@ -150,15 +161,42 @@ function ClientGeneralPage() {
|
||||
setStatus(client.status);
|
||||
setInitialStatus(client.status);
|
||||
|
||||
const metadata = client.metadata ?? {};
|
||||
if (typeof metadata.description === "string")
|
||||
setDescription(metadata.description);
|
||||
if (typeof metadata.logo_url === "string") setLogoUrl(metadata.logo_url);
|
||||
|
||||
const headlessEnabled = !!metadata.headless_login_enabled;
|
||||
setHeadlessLoginEnabled(headlessEnabled);
|
||||
|
||||
const savedAuthMethod =
|
||||
client.tokenEndpointAuthMethod ||
|
||||
(client.type === "pkce" ? "none" : "client_secret_basic");
|
||||
if (isTokenEndpointAuthMethod(savedAuthMethod)) {
|
||||
setTokenEndpointAuthMethod(savedAuthMethod);
|
||||
const headlessAuthMethod = readMetadataString(
|
||||
metadata,
|
||||
"headless_token_endpoint_auth_method",
|
||||
);
|
||||
const selectedAuthMethod =
|
||||
headlessEnabled && isTokenEndpointAuthMethod(headlessAuthMethod)
|
||||
? headlessAuthMethod
|
||||
: savedAuthMethod;
|
||||
if (isTokenEndpointAuthMethod(selectedAuthMethod)) {
|
||||
setTokenEndpointAuthMethod(selectedAuthMethod);
|
||||
}
|
||||
|
||||
if (client.jwksUri) {
|
||||
const headlessJwksUri = readMetadataString(metadata, "headless_jwks_uri");
|
||||
const headlessJwks = readMetadataObject(metadata, "headless_jwks");
|
||||
if (headlessJwksUri) {
|
||||
setJwksUri(headlessJwksUri);
|
||||
setJwksText("");
|
||||
setJwksSource("uri");
|
||||
} else if (headlessJwks) {
|
||||
setJwksText(JSON.stringify(headlessJwks, null, 2));
|
||||
setJwksUri("");
|
||||
setJwksSource("inline");
|
||||
} else if (client.jwksUri) {
|
||||
setJwksUri(client.jwksUri);
|
||||
setJwksText("");
|
||||
setJwksSource("uri");
|
||||
} else if (client.jwks) {
|
||||
setJwksText(
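Review bot: The `headless_jwks_uri` / `headless_jwks` branches take precedence over the client's top-level `jwksUri` and `jwks` regardless of `headlessEnabled`, while `selectedAuthMethod` a few lines above only honours `headless_token_endpoint_auth_method` when headless login is on. A client whose headless login was switched off but still carries those metadata keys would be shown the headless key source instead of its real one, and if the user then saves with `private_key_jwt` that stale URI or key set is presumably promoted into the top-level fields. Gate both branches the same way as the auth method: `if (headlessEnabled && headlessJwksUri) {` and `} else if (headlessEnabled && headlessJwks) {`. ClientGeneralPage starts and ends outside the hunk.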
|
||||
@@ -166,18 +204,16 @@ function ClientGeneralPage() {
|
||||
? client.jwks
|
||||
: JSON.stringify(client.jwks, null, 2),
|
||||
);
|
||||
setJwksUri("");
|
||||
setJwksSource("inline");
|
||||
} else {
|
||||
setJwksUri("");
|
||||
setJwksText("");
|
||||
setJwksSource("inline");
|
||||
}
|
||||
|
||||
const metadata = client.metadata ?? {};
|
||||
if (typeof metadata.description === "string")
|
||||
setDescription(metadata.description);
|
||||
if (typeof metadata.logo_url === "string") setLogoUrl(metadata.logo_url);
|
||||
|
||||
setHeadlessLoginEnabled(!!metadata.headless_login_enabled);
|
||||
|
||||
// Fallbacks from metadata if top-level fields are empty
|
||||
if (!client.tokenEndpointAuthMethod) {
|
||||
if (!client.tokenEndpointAuthMethod && !headlessEnabled) {
|
||||
const metaAuth = readMetadataString(
|
||||
metadata,
|
||||
"token_endpoint_auth_method",
|
||||
@@ -187,7 +223,7 @@ function ClientGeneralPage() {
|
||||
}
|
||||
}
|
||||
|
||||
if (!client.jwksUri && !client.jwks) {
|
||||
if (!client.jwksUri && !client.jwks && !headlessEnabled) {
|
||||
const metaJwksUri = readMetadataString(metadata, "jwks_uri");
|
||||
if (metaJwksUri) {
|
||||
setJwksUri(metaJwksUri);
|
||||
@@ -342,11 +378,7 @@ function ClientGeneralPage() {
|
||||
const scopeNames = scopes.map((scope) => scope.name).filter(Boolean);
|
||||
|
||||
let finalJwks: ClientUpsertRequest["jwks"];
|
||||
if (
|
||||
tokenEndpointAuthMethod === "private_key_jwt" &&
|
||||
jwksSource === "inline" &&
|
||||
trimmedJwksText
|
||||
) {
|
||||
if (jwksSource === "inline" && trimmedJwksText) {
|
||||
try {
|
||||
finalJwks = JSON.parse(trimmedJwksText);
|
||||
} catch (e) {
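Review bot: Dropping the `tokenEndpointAuthMethod === "private_key_jwt"` guard means the inline JWKS text is parsed on every save, so leftover malformed `jwksText` now reaches the catch branch even for clients whose auth method never uses a JWKS; if that branch aborts the save (its body is outside the hunk), that is a regression for those clients. Independently, `finalJwks = JSON.parse(trimmedJwksText)` still assigns the untyped parse result straight into `ClientUpsertRequest["jwks"]`, so inputs such as `[]` or `"x"` are accepted as a key set. A narrowing step, `const parsed: unknown = JSON.parse(trimmedJwksText);` followed by a check that it is an object with a `keys` array before assignment, would close that gap; alternatively keep the guard and extend it with `|| (clientType === "pkce" && headlessLoginEnabled)`.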
|
||||
@@ -354,23 +386,48 @@ function ClientGeneralPage() {
|
||||
}
|
||||
}
|
||||
|
||||
const effectiveTokenEndpointAuthMethod =
|
||||
clientType === "pkce" && headlessLoginEnabled
|
||||
? "none"
|
||||
: tokenEndpointAuthMethod;
|
||||
|
||||
const payload: ClientUpsertRequest = {
|
||||
name,
|
||||
type: clientType,
|
||||
scopes: scopeNames,
|
||||
tokenEndpointAuthMethod,
|
||||
tokenEndpointAuthMethod: effectiveTokenEndpointAuthMethod,
|
||||
jwksUri:
|
||||
tokenEndpointAuthMethod === "private_key_jwt" && jwksSource === "uri"
|
||||
effectiveTokenEndpointAuthMethod === "private_key_jwt" &&
|
||||
jwksSource === "uri"
|
||||
? trimmedJwksUri
|
||||
: undefined,
|
||||
jwks: finalJwks,
|
||||
jwks:
|
||||
effectiveTokenEndpointAuthMethod === "private_key_jwt"
|
||||
? finalJwks
|
||||
: undefined,
|
||||
metadata: {
|
||||
description,
|
||||
logo_url: logoUrl,
|
||||
structured_scopes: scopes,
|
||||
token_endpoint_auth_method: tokenEndpointAuthMethod,
|
||||
token_endpoint_auth_method: effectiveTokenEndpointAuthMethod,
|
||||
request_object_signing_alg: trimmedRequestObjectSigningAlg,
|
||||
headless_login_enabled: headlessLoginEnabled,
|
||||
headless_token_endpoint_auth_method:
|
||||
clientType === "pkce" && headlessLoginEnabled
|
||||
? tokenEndpointAuthMethod
|
||||
: undefined,
|
||||
headless_jwks_uri:
|
||||
clientType === "pkce" &&
|
||||
headlessLoginEnabled &&
|
||||
jwksSource === "uri"
|
||||
? trimmedJwksUri
|
||||
: undefined,
|
||||
headless_jwks:
|
||||
clientType === "pkce" &&
|
||||
headlessLoginEnabled &&
|
||||
jwksSource === "inline"
|
||||
? finalJwks
|
||||
: undefined,
|
||||
},
|
||||
};
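Review bot: `headless_jwks_uri` and `headless_jwks` are written whenever the client is `pkce` with headless login enabled, without the `=== "private_key_jwt"` condition that now gates the top-level `jwksUri` and `jwks`, so a headless RP using `client_secret_basic` still gets a JWKS URI or key set stored in its metadata. Stored key material that is not in use tends to become trusted silently once the auth method is later switched, and the load path in the earlier hunk reads these keys back without checking the method. Add the same guard to both fields, e.g. `clientType === "pkce" && headlessLoginEnabled && tokenEndpointAuthMethod === "private_key_jwt" && jwksSource === "uri"` for the URI and the `"inline"` counterpart for the key set. The enclosing handler starts outside the hunk.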
|
||||
|
||||
|
||||