Implement OpenID Connect

apps/web/app/api/(oauth)/auth.ts

@@ -7,11 +7,15 @@
 import { scryptSync, timingSafeEqual } from 'crypto';
 import { after } from 'next/server';
 
+export type RequestAuthentication =
+ | { method: 'none' }
+ | { method: 'client_secret_basic' | 'client_secret_post', client_secret: string }
+
 export function assertRequestAuthentication(
   client: Client & { secrets: ClientSecret[] },
   headers: Headers,
   params: Record<string, string | undefined>
-): void {
+): RequestAuthentication {
   const authHeader = headers.get('Authorization');
 
   const authorizationMethods: Record<AuthenticationMethod, boolean> = {
@@ -26,7 +30,7 @@
   // no authentication provided
   if(usedAuthentication.length === 0) {
     assert(client.type === ClientType.Public, OAuth2ErrorCode.invalid_request, 'Missing authorization for confidential client');
-    return;
+    return { method: 'none' };
   }
 
   // if authentication was provided, this needs to be a confidential client
@@ -64,8 +68,12 @@
         where: { id: clientSecret.id },
         data: { usedAt: new Date() }
       }));
+
+      return { method, client_secret };
     }
   }
+
+  return { method: 'none' };
 }
 
 function isValidClientSecret(clientSecret: string, saltedHash: string | null): boolean {

apps/web/app/api/(oauth)/token/openid.ts

@@ -0,0 +1,56 @@
+import { createSigner } from 'fast-jwt';
+import { RequestAuthentication } from '../auth';
+import { getBaseUrlFromHeaders } from '@/lib/url';
+import { ACCESS_TOKEN_EXPIRATION } from './token';
+import { db } from '@/lib/db';
+import { assert } from '@/lib/oauth/assert';
+import { OAuth2ErrorCode } from '@/lib/oauth/error';
+
+type IdTokenOptions = {
+  clientId: string,
+  requestAuthentication: RequestAuthentication
+  userId: string,
+  nonce: string,
+}
+export async function createIdToken({ userId, clientId, requestAuthentication, nonce }: IdTokenOptions) {
+  const { origin: issuer } = await getBaseUrlFromHeaders();
+  const issuedAt = toTimestamp(new Date());
+
+  const user = await db.user.findUnique({
+    where: { id: userId },
+    select: {
+      // get latest created session to use as auth_time
+      sessions: {
+        select: { createdAt: true },
+        orderBy: { createdAt: 'desc' },
+        take: 1
+      }
+    }
+  });
+  assert(user, OAuth2ErrorCode.server_error, 'user not found');
+
+  const idToken = {
+    iss: issuer,
+    sub: userId,
+    aud: [clientId],
+    exp: issuedAt + ACCESS_TOKEN_EXPIRATION,
+    iat: issuedAt,
+    auth_time: toTimestamp(user.sessions[0].createdAt),
+    nonce: nonce
+  };
+
+  // if the token request was authenticated using a client secret
+  // use the client secret as symmetric key to sign the JWT
+  if(requestAuthentication.method === 'client_secret_basic' || requestAuthentication.method === 'client_secret_post') {
+    const jwt = createSigner({
+      algorithm: 'HS256',
+      key: requestAuthentication.client_secret
+    })(idToken);
+
+    return jwt;
+  }
+}
+
+function toTimestamp(date: Date): number {
+  return Math.floor(date.valueOf() / 1000);
+}

apps/web/app/api/(oauth)/token/token.ts

@@ -3,13 +3,14 @@ import { db } from '@/lib/db';
 import { assert } from '@/lib/oauth/assert';
 import { OAuth2Error, OAuth2ErrorCode } from '@/lib/oauth/error';
 import { generateAccessToken, generateRefreshToken } from '@/lib/token';
-import { TokenResponse } from '@gw2me/client';
+import { Scope, TokenResponse } from '@gw2me/client';
 import { ClientType, AuthorizationType } from '@gw2me/database';
 import { createHash } from 'crypto';
 import { assertRequestAuthentication } from '../auth';
+import { createIdToken } from './openid';
 
-// 7 days
-const ACCESS_TOKEN_EXPIRATION = 604800;
+/** 7 days in seconds */
+export const ACCESS_TOKEN_EXPIRATION = 604800;
 
 export async function handleTokenRequest(headers: Headers, params: Record<string, string | undefined>): Promise<TokenResponse> {
   // get grant_type
@@ -28,7 +29,7 @@ export async function handleTokenRequest(headers: Headers, params: Record<string
   assert(client, OAuth2ErrorCode.invalid_client, 'Invalid client_id');
 
   // make sure request is authenticated
-  assertRequestAuthentication(client, headers, params);
+  const requestAuthentication = assertRequestAuthentication(client, headers, params);
 
   switch(grant_type) {
     case 'authorization_code': {
@@ -85,13 +86,19 @@ export async function handleTokenRequest(headers: Headers, params: Record<string
         db.authorization.delete({ where: { id: authorization.id }}),
       ]);
 
+      // create id_token
+      const id_token = client.type === 'Confidential' && scope.includes(Scope.OpenID)
+        ? await createIdToken({ userId, clientId, requestAuthentication, nonce: 'TODO' })
+        : undefined;
+
       return {
         access_token: accessAuthorization.token,
         issued_token_type: 'urn:ietf:params:oauth:token-type:access_token',
         token_type: 'Bearer',
         expires_in: ACCESS_TOKEN_EXPIRATION,
         refresh_token: refreshAuthorization?.token,
-        scope: scope.join(' ')
+        scope: scope.join(' '),
+        id_token
       };
     }
 

apps/web/app/dev/docs/access-tokens/page.tsx

@@ -244,6 +244,14 @@ export default function DevDocsAccessTokensPage() {
       <p>
         All clients should verify that this parameter exactly matches to prevent mix-up attacks.
       </p>
+
+      <Headline id="oidc">OpenID Connect</Headline>
+      <p>
+        gw2.me supports <ExternalLink href="https://openid.net/">OpenID Connect Core 1.0</ExternalLink>.
+        To request an OpenID Connect <Code inline>id_token</Code>, the scope <Code inline>openid</Code> has to be included in the authorization request.
+        The <Code inline>id_token</Code> will be part of the token response and is signed using the <Code inline>HS256</Code> algorithm with the <Code inline>client_secret</Code> as key.
+      </p>
+      <p>OpenID Connect is only supported for confidential clients at this time. Dynamic registration is not supported.</p>
     </PageLayout>
   );
 }

apps/web/app/dev/docs/scopes/page.tsx

@@ -3,6 +3,7 @@ import { PageLayout } from '@/components/Layout/PageLayout';
 import { PageTitle } from '@/components/Layout/PageTitle';
 import { Table } from '@gw2treasures/ui/components/Table/Table';
 import styles from '../layout.module.css';
+import Link from 'next/link';
 
 export default function DevDocsScopePage() {
   return (
@@ -22,12 +23,16 @@ export default function DevDocsScopePage() {
         <tbody>
           <tr>
             <td><Code inline>identify</Code></td>
-            <td>Get the username from /api/user</td>
+            <td>Get the username in /api/user</td>
           </tr>
           <tr>
             <td><Code inline>email</Code></td>
             <td>Include the email in /api/user</td>
           </tr>
+          <tr>
+            <td><Code inline>openid</Code></td>
+            <td>Include an <Code inline>id_token</Code> in token response (see <Link href="/dev/docs/access-tokens#oidc">OpenID Connect</Link>)</td>
+          </tr>
           <tr>
             <td><Code inline>accounts</Code></td>
             <td>Get the list of accounts from /api/accounts. This scope is always implied when any <Code inline>gw2:*</Code> scope is included.</td>

apps/web/next-env.d.ts

@@ -2,4 +2,4 @@
 /// <reference types="next/image-types/global" />
 
 // NOTE: This file should not be edited
-// see https://nextjs.org/docs/app/building-your-application/configuring/typescript for more information.
+// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

packages/client/src/client.ts

@@ -32,6 +32,7 @@ export interface TokenResponse {
   expires_in: number,
   refresh_token?: string,
   scope: string,
+  id_token?: string,
 }
 
 export class Gw2MeClient {

packages/client/src/types.ts

@@ -2,6 +2,8 @@ export enum Scope {
   Identify = 'identify',
   Email = 'email',
 
+  OpenID = 'openid',
+
   Accounts = 'accounts',
   Accounts_Verified = 'accounts.verified',
   Accounts_DisplayName = 'accounts.displayName',