first commit

2026-05-06 14:35:49 +09:00
commit 8b3402160f
11 changed files with 824 additions and 0 deletions
--- a/.env.sample
+++ b/.env.sample
@@ -0,0 +1,9 @@
+PORT=4444
+SESSION_SECRET=demo-session-secret
+OIDC_ISSUER_URL=https://sso-test.hmac.kr/oidc
+OIDC_CLIENT_ID=replace-with-server-side-client-id
+OIDC_CLIENT_SECRET=replace-with-client-secret
+OIDC_REDIRECT_URI=http://localhost:4444/callback
+OIDC_CLIENT_AUTH_METHOD=client_secret_basic
+BARON_API_BASE_URL=https://sso-test.hmac.kr
+BARON_SESSION_VALIDATION_ENABLED=false
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+node_modules
+.env
--- a/12
+++ b/12
@@ -0,0 +1,12 @@
+FROM node:20-alpine
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm install
+
+COPY . .
+
+EXPOSE 4444
+
+CMD ["node", "app.js"]
--- a/README.md
+++ b/README.md
@@ -0,0 +1,89 @@
+# Baron SSO Server-Side App Demo (Express.js)
+
+이 프로젝트는 `baron-sso`의 `server-side-app` RP를 테스트하기 위한 단순한 Express.js 데모입니다.
+
+## 목적
+
+이 데모는 다음을 확인하기 위한 용도입니다.
+
+1. confidential client 기반 OIDC Authorization Code 로그인
+2. RP 로컬 세션 생성 및 유지
+3. `Back-Channel Logout URI` 호출 수신
+4. `logout_token` 검증 후 로컬 세션 즉시 파기
+
+## 사전 준비
+
+1. `baron-sso` 프로젝트가 실행 중이어야 합니다.
+2. `baron_net` 네트워크가 생성되어 있어야 합니다.
+3. devfront에서 `server-side-app` 타입 RP를 생성해야 합니다.
+
+## 권장 RP 설정
+
+예시:
+
+```text
+Type: server-side-app
+Client ID: <생성된 client id>
+Client Secret: <생성된 secret>
+Redirect URI: http://localhost:4444/callback
+Back-Channel Logout URI: http://172.16.x.x:4444/backchannel-logout
+SID Claim Required: off
+```
+
+주의:
+- `Back-Channel Logout URI`는 브라우저 기준이 아니라 Baron backend가 실제로 접근 가능한 주소여야 합니다.
+- Docker 환경에서 `localhost`는 backend 컨테이너 자신을 가리킬 수 있으므로, 필요하면 사설 IP 또는 Docker 서비스명을 사용해야 합니다.
+
+## 실행
+
+```bash
+docker-compose up --build
+```
+
+## 환경 변수
+
+- `PORT`: 기본값 `4444`
+- `SESSION_SECRET`: Express session secret
+- `OIDC_ISSUER_URL`: Baron OIDC issuer URL
+- `OIDC_CLIENT_ID`: server-side-app client id
+- `OIDC_CLIENT_SECRET`: server-side-app client secret
+- `OIDC_REDIRECT_URI`: callback URL
+- `OIDC_CLIENT_AUTH_METHOD`: 기본값 `client_secret_basic`, 필요 시 `client_secret_post`
+- `BARON_API_BASE_URL`: Baron backend/public gateway URL
+- `BARON_BACKCHANNEL_JWKS_URL`: Baron Back-Channel Logout JWKS URL
+- `BARON_SESSION_VALIDATION_ENABLED`: `false`로 두면 Baron 세션 재검증을 끄고 백채널 로그아웃만 단독 검증 가능
+
+## 라우트
+
+```text
+GET  /
+GET  /login
+GET  /callback
+GET  /profile
+GET  /logout
+POST /backchannel-logout
+```
+
+## 동작 방식
+
+1. `/login`에서 state/nonce를 만들고 Baron authorize endpoint로 이동
+2. `/callback`에서 authorization code를 token으로 교환
+3. ID Token의 `sid/sub`를 현재 RP 세션 ID와 매핑
+4. Baron이 `/backchannel-logout`으로 `logout_token` 전송
+5. 데모 앱이 서명 및 claim을 검증
+6. `sid` 또는 `sub`로 대상 세션을 찾아 세션 스토어에서 직접 파기
+
+## 테스트 포인트
+
+정상 동작 시 아래 로그 흐름이 보여야 합니다.
+
+```text
+[로그인 시작]
+[콜백] Authorization Code -> Token 교환 성공
+[세션 매핑] 등록 완료
+[백채널 로그아웃] 요청 수신
+[백채널 로그아웃] 토큰 검증 성공
+[백채널 로그아웃] 세션 파기 완료
+[백채널 로그아웃] 처리 완료
+[프로필] 비로그인 상태로 접근하여 루트로 이동
+```
--- a/app.js
+++ b/app.js
@@ -0,0 +1,314 @@
+require('dotenv').config();
+const express = require('express');
+const session = require('express-session');
+const {
+  discovery,
+  randomNonce,
+  randomState,
+  buildAuthorizationUrl,
+  authorizationCodeGrant,
+  fetchUserInfo,
+  ClientSecretBasic,
+  ClientSecretPost,
+} = require('openid-client');
+const path = require('path');
+const { createBackchannelLogoutManager } = require('./backchannel-logout');
+
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
+const app = express();
+const port = process.env.PORT || 4444;
+
+app.set('view engine', 'ejs');
+app.set('views', path.join(__dirname, 'views'));
+
+app.use(express.urlencoded({ extended: false }));
+
+const sessionStore = new session.MemoryStore();
+const sessionMiddleware = session({
+  store: sessionStore,
+  name: 'baron.server.demo.sid',
+  secret: process.env.SESSION_SECRET || 'demo-session-secret',
+  resave: true,
+  saveUninitialized: true,
+  cookie: {
+    secure: false,
+    httpOnly: true,
+    sameSite: 'lax',
+    maxAge: 30 * 60 * 1000,
+  },
+});
+app.use(sessionMiddleware);
+
+function deriveBaronApiBaseUrl() {
+  const explicit = (process.env.BARON_API_BASE_URL || '').trim();
+  if (explicit) {
+    return explicit.replace(/\/$/, '');
+  }
+
+  const issuerUrl = (process.env.OIDC_ISSUER_URL || 'http://localhost:5000/oidc').trim();
+  return issuerUrl.replace(/\/oidc\/?$/, '');
+}
+
+function deriveBackchannelJwksUrl() {
+  const explicit = (process.env.BARON_BACKCHANNEL_JWKS_URL || '').trim();
+  if (explicit) {
+    return explicit;
+  }
+  return `${deriveBaronApiBaseUrl()}/api/v1/auth/backchannel/jwks.json`;
+}
+
+function createClientAuthentication(method, clientSecret) {
+  switch (method) {
+    case 'client_secret_basic':
+      return ClientSecretBasic(clientSecret);
+    case 'client_secret_post':
+      return ClientSecretPost(clientSecret);
+    default:
+      throw new Error(`Unsupported OIDC client auth method: ${method}`);
+  }
+}
+
+async function validateBaronSession(accessToken) {
+  if (!accessToken) {
+    return { ok: false, reason: 'missing_access_token' };
+  }
+
+  const baseUrl = deriveBaronApiBaseUrl();
+  const response = await fetch(`${baseUrl}/api/v1/user/me`, {
+    method: 'GET',
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      Accept: 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => '');
+    return {
+      ok: false,
+      reason: `baron_validation_failed:${response.status}`,
+      detail,
+    };
+  }
+
+  const profile = await response.json().catch(() => null);
+  return { ok: true, profile };
+}
+
+function destroyDemoSession(req, res, removeSessionBinding) {
+  const sessionId = req.sessionID;
+  console.log('[로컬 로그아웃] 현재 세션 정리 시작', { sessionId });
+  removeSessionBinding(sessionId);
+
+  return new Promise((resolve) => {
+    req.session.destroy(() => {
+      if (res) {
+        res.clearCookie('baron.server.demo.sid');
+      }
+      console.log('[로컬 로그아웃] 현재 세션 정리 완료', { sessionId });
+      resolve();
+    });
+  });
+}
+
+async function setupOIDC() {
+  const issuerUrl = process.env.OIDC_ISSUER_URL || 'http://localhost:5000/oidc';
+  const clientId = process.env.OIDC_CLIENT_ID || 'demo-client';
+  const clientSecret = process.env.OIDC_CLIENT_SECRET || 'demo-secret';
+  const redirectUri = process.env.OIDC_REDIRECT_URI || 'http://localhost:4444/callback';
+  const clientAuthMethod = process.env.OIDC_CLIENT_AUTH_METHOD || 'client_secret_basic';
+  const backchannelJwksUrl = deriveBackchannelJwksUrl();
+  const sessionValidationEnabled =
+    String(process.env.BARON_SESSION_VALIDATION_ENABLED || 'true').toLowerCase() !== 'false';
+  const clientAuthentication = createClientAuthentication(clientAuthMethod, clientSecret);
+  const backchannelLogoutManager = createBackchannelLogoutManager({
+    issuerUrl,
+    clientId,
+    jwksUrl: backchannelJwksUrl,
+    sessionStore,
+    logger: console,
+  });
+
+  console.log(`OIDC Issuer 조회: ${issuerUrl}`);
+  console.log(`백채널 로그아웃 JWKS 주소: ${backchannelJwksUrl}`);
+  const issuer = await discovery(
+    new URL(issuerUrl),
+    clientId,
+    {
+      client_secret: clientSecret,
+      token_endpoint_auth_method: clientAuthMethod,
+    },
+    clientAuthentication,
+  );
+  const authorizationEndpoint =
+    (typeof issuer.serverMetadata === 'function'
+      ? issuer.serverMetadata()?.authorization_endpoint
+      : undefined) ||
+    issuer.authorization_server_metadata?.authorization_endpoint ||
+    issuer.authorization_endpoint ||
+    '(확인 불가)';
+  console.log('[시스템] OIDC 설정 완료', {
+    clientId,
+    redirectUri,
+    clientAuthMethod,
+    authorizationEndpoint,
+    sessionValidationEnabled,
+  });
+
+  if (sessionValidationEnabled) {
+    app.use(async (req, res, next) => {
+      const skipPaths = new Set(['/login', '/callback', '/logout', '/backchannel-logout']);
+      if (skipPaths.has(req.path)) {
+        return next();
+      }
+
+      const accessToken = req.session?.user?.tokenset?.access_token;
+      if (!accessToken) {
+        return next();
+      }
+
+      try {
+        const validation = await validateBaronSession(accessToken);
+        if (validation.ok) {
+          if (validation.profile) {
+            req.session.user.userinfo = validation.profile;
+          }
+          return next();
+        }
+
+        console.warn('[세션 검증] Baron 세션이 유효하지 않아 로컬 세션을 정리합니다.', {
+          path: req.path,
+          reason: validation.reason,
+        });
+        await destroyDemoSession(req, res, backchannelLogoutManager.removeSessionBinding);
+        return res.redirect('/');
+      } catch (error) {
+        console.error('[세션 검증] Baron 세션 확인 실패로 로컬 세션을 정리합니다.', error);
+        await destroyDemoSession(req, res, backchannelLogoutManager.removeSessionBinding);
+        return res.redirect('/');
+      }
+    });
+  } else {
+    console.log('[시스템] Baron 세션 재검증 미들웨어를 비활성화했습니다. 백채널 로그아웃 테스트 전용 모드입니다.');
+  }
+
+  app.get('/', (req, res) => {
+    res.render('index', { user: req.session.user });
+  });
+
+  app.get('/login', (req, res) => {
+    console.log(`\n[로그인 시작] 세션 ID: ${req.sessionID}`);
+
+    if (!req.session.state) {
+      req.session.state = randomState();
+      req.session.nonce = randomNonce();
+      console.log('[로그인] 신규 state/nonce 생성 완료');
+    } else {
+      console.log('[로그인] 기존 state 재사용');
+    }
+
+    req.session.save((err) => {
+      if (err) {
+        return res.status(500).send('Session save failed');
+      }
+
+      const url = buildAuthorizationUrl(issuer, {
+        redirect_uri: redirectUri,
+        scope: 'openid profile email',
+        nonce: req.session.nonce,
+        state: req.session.state,
+        response_type: 'code',
+      });
+
+      console.log('[로그인] Baron 인증 화면으로 이동', { url: url.href });
+      res.redirect(url.href);
+    });
+  });
+
+  app.get('/callback', async (req, res) => {
+    console.log(`\n[콜백 시작] 세션 ID: ${req.sessionID}`);
+    console.log('[콜백] URL state / 세션 state', {
+      urlState: req.query.state,
+      sessionState: req.session.state,
+    });
+
+    if (!req.session.state) {
+      if (req.session.user) {
+        return res.redirect('/profile');
+      }
+
+      return res.status(400).render('error', {
+        message: 'Session Data Missing',
+        detail: '세션 정보가 유실되었습니다. 브라우저가 쿠키를 차단했는지 확인하세요.',
+      });
+    }
+
+    try {
+      const currentUrl = new URL(req.url, `http://${req.headers.host}`);
+      const tokenset = await authorizationCodeGrant(
+        issuer,
+        currentUrl,
+        {
+          expectedNonce: req.session.nonce,
+          expectedState: req.session.state,
+        },
+      );
+
+      console.log('[콜백] Authorization Code -> Token 교환 성공');
+
+      const tokenClaims = tokenset.claims();
+      const userinfo = await fetchUserInfo(
+        issuer,
+        tokenset.access_token,
+        tokenClaims.sub,
+      ).catch(() => tokenClaims);
+
+      req.session.user = { tokenset, userinfo };
+      backchannelLogoutManager.registerSessionBinding(req.sessionID, tokenClaims);
+
+      delete req.session.state;
+      delete req.session.nonce;
+
+      console.log('[콜백] 사용자 세션 생성 완료', {
+        sessionId: req.sessionID,
+        sid: tokenClaims.sid || '(없음)',
+        sub: tokenClaims.sub || '(없음)',
+      });
+
+      req.session.save(() => res.redirect('/profile'));
+    } catch (err) {
+      console.error('[콜백] 인증 처리 실패', err);
+      res.status(500).render('error', {
+        message: 'Authentication Failed',
+        detail: err.message,
+      });
+    }
+  });
+
+  app.post('/backchannel-logout', backchannelLogoutManager.handleBackchannelLogout);
+
+  app.get('/profile', (req, res) => {
+    if (!req.session.user) {
+      console.log('[프로필] 비로그인 상태로 접근하여 루트로 이동');
+      return res.redirect('/');
+    }
+    console.log('[프로필] 로그인 세션으로 접근', { sessionId: req.sessionID });
+    res.render('profile', { user: req.session.user });
+  });
+
+  app.get('/logout', (req, res) => {
+    destroyDemoSession(req, res, backchannelLogoutManager.removeSessionBinding).then(() => {
+      res.redirect('/');
+    });
+  });
+
+  app.listen(port, '0.0.0.0', () => {
+    console.log(`[시스템] 데모 앱이 실행 중입니다. http://localhost:${port}`);
+  });
+}
+
+setupOIDC().catch((err) => {
+  console.error('[시스템] OIDC 초기화 실패', err);
+  process.exit(1);
+});
--- a/backchannel-logout.js
+++ b/backchannel-logout.js
@@ -0,0 +1,274 @@
+const { createRemoteJWKSet, jwtVerify } = require('jose');
+
+const BACKCHANNEL_LOGOUT_EVENT_URI =
+  'http://schemas.openid.net/event/backchannel-logout';
+const LOGOUT_TOKEN_REPLAY_TTL_MS = 10 * 60 * 1000;
+
+function createBackchannelLogoutManager(options) {
+  const {
+    issuerUrl,
+    clientId,
+    jwksUrl,
+    sessionStore,
+    logger = console,
+  } = options;
+
+  if (!issuerUrl) {
+    throw new Error('issuerUrl is required');
+  }
+  if (!clientId) {
+    throw new Error('clientId is required');
+  }
+  if (!jwksUrl) {
+    throw new Error('jwksUrl is required');
+  }
+  if (!sessionStore || typeof sessionStore.destroy !== 'function') {
+    throw new Error('sessionStore.destroy is required');
+  }
+
+  const sidToSessionIds = new Map();
+  const subToSessionIds = new Map();
+  const sessionIdToBinding = new Map();
+  const processedLogoutTokens = new Map();
+  const jwks = createRemoteJWKSet(new URL(jwksUrl));
+
+  function addSessionBinding(map, key, sessionId) {
+    if (!key) {
+      return;
+    }
+
+    let existing = map.get(key);
+    if (!existing) {
+      existing = new Set();
+      map.set(key, existing);
+    }
+    existing.add(sessionId);
+  }
+
+  function removeSessionBindingFromMap(map, key, sessionId) {
+    if (!key) {
+      return;
+    }
+
+    const existing = map.get(key);
+    if (!existing) {
+      return;
+    }
+
+    existing.delete(sessionId);
+    if (existing.size === 0) {
+      map.delete(key);
+    }
+  }
+
+  function removeSessionBinding(sessionId) {
+    const existing = sessionIdToBinding.get(sessionId);
+    if (!existing) {
+      return;
+    }
+
+    removeSessionBindingFromMap(sidToSessionIds, existing.sid, sessionId);
+    removeSessionBindingFromMap(subToSessionIds, existing.sub, sessionId);
+    sessionIdToBinding.delete(sessionId);
+
+    logger.log('[세션 매핑] 제거 완료', {
+      sessionId,
+      sid: existing.sid || '(없음)',
+      sub: existing.sub || '(없음)',
+    });
+  }
+
+  function registerSessionBinding(sessionId, claims) {
+    const sid = typeof claims?.sid === 'string' ? claims.sid.trim() : '';
+    const sub = typeof claims?.sub === 'string' ? claims.sub.trim() : '';
+
+    removeSessionBinding(sessionId);
+    sessionIdToBinding.set(sessionId, { sid, sub });
+    addSessionBinding(sidToSessionIds, sid, sessionId);
+    addSessionBinding(subToSessionIds, sub, sessionId);
+
+    logger.log('[세션 매핑] 등록 완료', {
+      sessionId,
+      sid: sid || '(없음)',
+      sub: sub || '(없음)',
+      sidSessionCount: sid ? sidToSessionIds.get(sid)?.size || 0 : 0,
+      subSessionCount: sub ? subToSessionIds.get(sub)?.size || 0 : 0,
+    });
+  }
+
+  function getSessionIdsForLogoutClaims(claims) {
+    const targets = new Set();
+    const sid = typeof claims?.sid === 'string' ? claims.sid.trim() : '';
+    const sub = typeof claims?.sub === 'string' ? claims.sub.trim() : '';
+
+    if (sid && sidToSessionIds.has(sid)) {
+      for (const sessionId of sidToSessionIds.get(sid)) {
+        targets.add(sessionId);
+      }
+    }
+
+    if (targets.size === 0 && sub && subToSessionIds.has(sub)) {
+      for (const sessionId of subToSessionIds.get(sub)) {
+        targets.add(sessionId);
+      }
+    }
+
+    return Array.from(targets);
+  }
+
+  function destroySessionById(sessionId) {
+    return new Promise((resolve, reject) => {
+      sessionStore.destroy(sessionId, (err) => {
+        if (err) {
+          reject(err);
+          return;
+        }
+        resolve();
+      });
+    });
+  }
+
+  function cleanupProcessedLogoutTokens(now = Date.now()) {
+    for (const [jti, expiresAt] of processedLogoutTokens.entries()) {
+      if (expiresAt <= now) {
+        processedLogoutTokens.delete(jti);
+      }
+    }
+  }
+
+  function rememberProcessedLogoutToken(jti) {
+    cleanupProcessedLogoutTokens();
+    if (processedLogoutTokens.has(jti)) {
+      return false;
+    }
+    processedLogoutTokens.set(jti, Date.now() + LOGOUT_TOKEN_REPLAY_TTL_MS);
+    return true;
+  }
+
+  async function verifyLogoutToken(logoutToken) {
+    const { payload, protectedHeader } = await jwtVerify(logoutToken, jwks, {
+      issuer: issuerUrl,
+      audience: clientId,
+    });
+
+    if (payload.nonce !== undefined) {
+      throw new Error('logout_token must not include nonce');
+    }
+
+    if (!payload.events || typeof payload.events !== 'object') {
+      throw new Error('logout_token is missing events claim');
+    }
+
+    if (!(BACKCHANNEL_LOGOUT_EVENT_URI in payload.events)) {
+      throw new Error('logout_token is missing back-channel logout event');
+    }
+
+    const sid = typeof payload.sid === 'string' ? payload.sid.trim() : '';
+    const sub = typeof payload.sub === 'string' ? payload.sub.trim() : '';
+    if (!sid && !sub) {
+      throw new Error('logout_token requires sid or sub');
+    }
+
+    const jti = typeof payload.jti === 'string' ? payload.jti.trim() : '';
+    if (!jti) {
+      throw new Error('logout_token is missing jti');
+    }
+    if (!rememberProcessedLogoutToken(jti)) {
+      throw new Error('logout_token replay detected');
+    }
+
+    logger.log('[백채널 로그아웃] 토큰 검증 성공', {
+      alg: protectedHeader.alg,
+      kid: protectedHeader.kid || '(없음)',
+      iss: payload.iss,
+      aud: payload.aud,
+      sid: sid || '(없음)',
+      sub: sub || '(없음)',
+      jti,
+    });
+
+    return {
+      sid,
+      sub,
+      jti,
+      payload,
+    };
+  }
+
+  async function destroySessionsForLogout(claims) {
+    const sessionIds = getSessionIdsForLogoutClaims(claims);
+    let destroyedCount = 0;
+
+    logger.log('[백채널 로그아웃] 세션 탐색 결과', {
+      sid: claims.sid || '(없음)',
+      sub: claims.sub || '(없음)',
+      matchedSessionIds: sessionIds,
+    });
+
+    for (const sessionId of sessionIds) {
+      removeSessionBinding(sessionId);
+      try {
+        await destroySessionById(sessionId);
+        destroyedCount += 1;
+        logger.log('[백채널 로그아웃] 세션 파기 완료', { sessionId });
+      } catch (error) {
+        logger.error('[백채널 로그아웃] 세션 파기 실패', {
+          sessionId,
+          error: error.message,
+        });
+      }
+    }
+
+    return { sessionIds, destroyedCount };
+  }
+
+  async function handleBackchannelLogout(req, res) {
+    const logoutToken = typeof req.body.logout_token === 'string'
+      ? req.body.logout_token.trim()
+      : '';
+
+    logger.log('\n[백채널 로그아웃] 요청 수신', {
+      hasLogoutToken: logoutToken !== '',
+      contentType: req.headers['content-type'] || '(없음)',
+      userAgent: req.headers['user-agent'] || '(없음)',
+    });
+
+    if (!logoutToken) {
+      logger.warn('[백채널 로그아웃] logout_token 누락');
+      return res.status(400).json({ error: 'logout_token is required' });
+    }
+
+    try {
+      const claims = await verifyLogoutToken(logoutToken);
+      const result = await destroySessionsForLogout(claims);
+
+      logger.log('[백채널 로그아웃] 처리 완료', {
+        sid: claims.sid || '(없음)',
+        sub: claims.sub || '(없음)',
+        destroyedCount: result.destroyedCount,
+        sessionIds: result.sessionIds,
+      });
+
+      return res.status(200).json({
+        success: true,
+        destroyedSessionCount: result.destroyedCount,
+      });
+    } catch (error) {
+      logger.error('[백채널 로그아웃] 검증 또는 세션 정리 실패', error);
+      return res.status(400).json({
+        error: 'invalid logout token',
+        detail: error.message,
+      });
+    }
+  }
+
+  return {
+    registerSessionBinding,
+    removeSessionBinding,
+    handleBackchannelLogout,
+  };
+}
+
+module.exports = {
+  createBackchannelLogoutManager,
+};
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,25 @@
+services:
+  login-demo:
+    build: .
+    container_name: baron-sso-server-side-demo
+    ports:
+      - "4444:4444"
+    environment:
+      - PORT=4444
+      - SESSION_SECRET=demo-session-secret
+      - OIDC_ISSUER_URL=https://sso-test.hmac.kr/oidc
+      - OIDC_CLIENT_ID=replace-with-server-side-client-id
+      - OIDC_CLIENT_SECRET=replace-with-client-secret
+      - OIDC_REDIRECT_URI=http://localhost:4444/callback
+      - OIDC_CLIENT_AUTH_METHOD=client_secret_basic
+      - BARON_API_BASE_URL=https://sso-test.hmac.kr
+      - BARON_SESSION_VALIDATION_ENABLED=false
+    extra_hosts:
+      - "localhost:host-gateway"
+    networks:
+      - baron_net
+
+networks:
+  baron_net:
+    external: true
+    name: baron_net
--- a/package.json
+++ b/package.json
@@ -0,0 +1,20 @@
+{
+  "name": "baron-sso-server-side-demo",
+  "version": "1.0.0",
+  "description": "Baron SSO server-side app demo",
+  "main": "app.js",
+  "scripts": {
+    "start": "node app.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "dotenv": "^17.4.2",
+    "ejs": "^5.0.2",
+    "express": "^5.2.1",
+    "express-session": "^1.19.0",
+    "jose": "^6.1.0",
+    "openid-client": "^6.8.3"
+  }
+}
--- a/views/error.ejs
+++ b/views/error.ejs
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Server-Side Demo Error</title>
+    <style>
+        body { font-family: sans-serif; padding: 2rem; background-color: #f0f2f5; }
+        .container { max-width: 800px; margin: 0 auto; background: white; padding: 2rem; border-radius: 8px; box-shadow: 0 4px 6px rgba(0,0,0,0.1); }
+        .error-box { background: #fff1f0; border: 1px solid #ffa39e; padding: 1rem; border-radius: 4px; color: #cf1322; }
+        pre { background: #f8f9fa; padding: 1rem; border-radius: 4px; overflow-x: auto; margin-top: 1rem; }
+        .btn { display: inline-block; padding: 10px 20px; background-color: #007bff; color: white; text-decoration: none; border-radius: 4px; margin-top: 1rem; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>인증 오류</h1>
+        <div class="error-box">
+            <p><strong>Message:</strong> <%= message %></p>
+            <p><strong>Detail:</strong> <%= detail %></p>
+        </div>
+
+        <p>자세한 내용은 서버 로그를 확인하세요.</p>
+
+        <a href="/" class="btn">홈으로 이동</a>
+    </div>
+</body>
+</html>
--- a/views/index.ejs
+++ b/views/index.ejs
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Baron SSO Server-Side Demo</title>
+    <style>
+        body { font-family: sans-serif; display: flex; flex-direction: column; align-items: center; justify-content: center; height: 100vh; margin: 0; background-color: #f0f2f5; }
+        .container { background: white; padding: 2rem; border-radius: 8px; box-shadow: 0 4px 6px rgba(0,0,0,0.1); text-align: center; }
+        .btn { display: inline-block; padding: 10px 20px; background-color: #007bff; color: white; text-decoration: none; border-radius: 4px; margin-top: 1rem; }
+        .btn:hover { background-color: #0056b3; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>Baron SSO Server-Side Demo</h1>
+        <% if (user) { %>
+            <p>로그인됨: <strong><%= user.userinfo.name || user.userinfo.sub %></strong></p>
+            <a href="/profile" class="btn">프로필 보기</a>
+            <a href="/logout" class="btn" style="background-color: #6c757d;">로그아웃</a>
+        <% } else { %>
+            <p>현재 로그인되지 않았습니다.</p>
+            <a href="/login" class="btn">Baron SSO로 로그인</a>
+        <% } %>
+    </div>
+</body>
+</html>
--- a/views/profile.ejs
+++ b/views/profile.ejs
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Server-Side User Profile</title>
+    <style>
+        body { font-family: sans-serif; padding: 2rem; background-color: #f0f2f5; }
+        .container { max-width: 800px; margin: 0 auto; background: white; padding: 2rem; border-radius: 8px; box-shadow: 0 4px 6px rgba(0,0,0,0.1); }
+        pre { background: #f8f9fa; padding: 1rem; border-radius: 4px; overflow-x: auto; }
+        .btn { display: inline-block; padding: 10px 20px; background-color: #007bff; color: white; text-decoration: none; border-radius: 4px; margin-top: 1rem; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>Server-Side User Profile</h1>
+        <p><strong>Sub:</strong> <%= user.userinfo.sub %></p>
+        <p><strong>Name:</strong> <%= user.userinfo.name || 'N/A' %></p>
+        <p><strong>Email:</strong> <%= user.userinfo.email || 'N/A' %></p>
+
+        <h3>Raw User Info</h3>
+        <pre><%= JSON.stringify(user.userinfo, null, 2) %></pre>
+
+        <h3>Tokens</h3>
+        <pre><%= JSON.stringify(user.tokenset, null, 2) %></pre>
+
+        <a href="/" class="btn">홈으로 이동</a>
+    </div>
+</body>
+</html>