An Ember Simple Auth addon which implements the OpenID Connect Authorization Code Flow.

- Ember.js v4.12 or above
- Ember CLI v4.12 or above
- Node.js v18 or above
- Ember Simple Auth v6 or above
Note: The addon uses `Proxy` in its implementation; if IE browser support is necessary, a polyfill needs to be provided.

```bash
$ ember install ember-simple-auth-oidc ember-simple-auth
```
If you're upgrading from 3.x to 4.x see the upgrade guide.
To use the OIDC authorization code flow, the following elements need to be added
to the Ember application.

The login / authentication route (for example the Ember Simple Auth default `/login`)
needs to extend from the `OIDCAuthenticationRoute`, which handles the authentication
procedure. In case the user is already authenticated, the transition is aborted.

```js
// app/routes/login.js
import OIDCAuthenticationRoute from "ember-simple-auth-oidc/routes/oidc-authentication";

export default class LoginRoute extends OIDCAuthenticationRoute {}
```
Authenticated routes need to call `session.requireAuthentication` in their
respective `beforeModel`, to ensure that unauthenticated transitions are
prevented and redirected to the authentication route. It's recommended to
await the hook, to make sure authentication is handled before
other API calls are triggered (which might lead to `401` responses, potentially
causing redirect loops).

```js
// app/routes/protected.js
import Route from "@ember/routing/route";
import { service } from "@ember/service";

export default class ProtectedRoute extends Route {
  @service session;

  async beforeModel(transition) {
    // Awaited so that no data requests are sent before authentication is settled
    await this.session.requireAuthentication(transition, "login");
  }
}
```
To include authorization info in all Ember Data requests, override `headers` in
the application adapter and include `session.headers` alongside any other
necessary headers. By extending the application adapter from either of the
provided `OIDCJSONAPIAdapter` or `OIDCRESTAdapter`, the `access_token` is
refreshed before Ember Data requests, if necessary. Both the `OIDCRESTAdapter`
and the `OIDCJSONAPIAdapter` also provide default headers with the authorization
header included.

```js
// app/adapters/application.js
import { service } from "@ember/service";
import OIDCJSONAPIAdapter from "ember-simple-auth-oidc/adapters/oidc-json-api-adapter";

export default class ApplicationAdapter extends OIDCJSONAPIAdapter {
  @service session;

  get headers() {
    // session.headers carries the Authorization header; add any others here
    return { ...this.session.headers, "Content-Language": "en-us" };
  }
}
```
ember-simple-auth-oidc also provides a middleware which handles authorization
and unauthorization on the apollo service provided by `ember-apollo-client`.
Simply wrap the http link in `apolloMiddleware` like so:

```js
// app/services/apollo.js
import { service } from "@ember/service";
import ApolloService from "ember-apollo-client/services/apollo";
import { apolloMiddleware } from "ember-simple-auth-oidc";

export default class CustomApolloService extends ApolloService {
  @service session;

  link() {
    const httpLink = super.link();
    return apolloMiddleware(httpLink, this.session);
  }
}
```
The provided adapters and the apollo middleware already handle authorization and
unauthorized requests properly. If you want the same behaviour for other request
services as well, you can use the `handleUnauthorized` function and the
`refreshAuthentication.perform` method on the session. The following snippet
shows an example of a custom fetch service with proper authentication handling:

```js
// app/services/fetch.js
import Service, { service } from "@ember/service";
import { handleUnauthorized } from "ember-simple-auth-oidc";

export default class FetchService extends Service {
  @service session;

  async fetch(url) {
    // Refresh the access token first if it is about to expire
    await this.session.refreshAuthentication.perform();
    const response = await fetch(url, { headers: this.session.headers });
    if (!response.ok && response.status === 401) {
      // Invalidates the session and redirects to the login route (debounced)
      handleUnauthorized(this.session);
    }
    return response;
  }
}
```
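The adapter headers and the fetch service above both rely on the same three steps: refresh the token when it is inside the leeway window, attach it as a header, and collapse a burst of `401` responses into a single redirect. The following is an added, framework-free illustration of that pattern and is not code from ember-simple-auth-oidc; the names `AuthSession`, `UnauthorizedHandler`, `authorizedFetch` and `makeFakeTimer` are assumptions made for the example, while the defaults mirror the config values documented below.

```js
// Added example; not code from ember-simple-auth-oidc. Framework-free version of
// "refresh first, send the request, debounce redirects on 401". AuthSession,
// UnauthorizedHandler, authorizedFetch and makeFakeTimer are assumed names.
const DEFAULTS = {
  expiresIn: 3600000,           // fallback lifetime (ms) when expires_in is absent
  refreshLeeway: 30000,         // refresh this many ms before expiry
  tokenPropertyName: "access_token",
  authHeaderName: "Authorization",
  authPrefix: "Bearer",
  unauthorizedRequestRedirectTimeout: 1000,
};

class AuthSession {
  constructor(tokenResponse, receivedAt, config = {}) {
    this.config = { ...DEFAULTS, ...config };
    this.applyTokenResponse(tokenResponse, receivedAt);
  }

  // Store the token and compute its absolute expiry time in ms.
  applyTokenResponse(tokenResponse, receivedAt) {
    const { tokenPropertyName, expiresIn } = this.config;
    this.token = tokenResponse[tokenPropertyName];
    // expires_in is in seconds (RFC 6749); fall back to the configured ms value
    const lifetimeMs = Number.isFinite(tokenResponse.expires_in)
      ? tokenResponse.expires_in * 1000
      : expiresIn;
    this.expiresAt = receivedAt + lifetimeMs;
  }

  // True once "now" is inside the leeway window before expiry.
  needsRefresh(now) {
    return now >= this.expiresAt - this.config.refreshLeeway;
  }

  // Header object in the shape session.headers hands to the adapters.
  get headers() {
    const { authHeaderName, authPrefix } = this.config;
    return { [authHeaderName]: `${authPrefix} ${this.token}` };
  }
}

// Collapses a burst of 401 responses into one redirect to the login route, so
// parallel requests failing together cannot trigger a redirect loop.
class UnauthorizedHandler {
  constructor({ timeoutMs, redirect, setTimer = setTimeout }) {
    this.timeoutMs = timeoutMs;
    this.redirect = redirect;
    this.setTimer = setTimer;
    this.pending = false;
  }

  onUnauthorized() {
    if (this.timeoutMs === 0) {           // debouncing disabled
      this.redirect();
      return;
    }
    if (this.pending) return;             // a redirect is already scheduled
    this.pending = true;
    this.setTimer(() => {
      this.pending = false;
      this.redirect();
    }, this.timeoutMs);
  }
}

// transport(url, init) resolves to { ok, status }; refresh(session) resolves to
// a fresh token response. Same control flow as the fetch service above.
async function authorizedFetch(url, { session, transport, refresh, handler, now = Date.now }) {
  if (session.needsRefresh(now())) {
    session.applyTokenResponse(await refresh(session), now());
  }
  const response = await transport(url, { headers: session.headers });
  if (response.status === 401) handler.onUnauthorized();
  return response;
}

// Constructed timer stand-in so the debounce can be exercised deterministically.
function makeFakeTimer() {
  const queue = [];
  return {
    set: (fn, ms) => { queue.push({ fn, ms }); },
    flush: () => { while (queue.length) queue.shift().fn(); },
    pending: () => queue.length,
  };
}

// Demo: three requests fail with 401 at once; exactly one redirect happens.
async function demo() {
  const timer = makeFakeTimer();
  let redirects = 0;
  const handler = new UnauthorizedHandler({
    timeoutMs: DEFAULTS.unauthorizedRequestRedirectTimeout,
    redirect: () => { redirects += 1; },
    setTimer: timer.set,
  });
  const session = new AuthSession({ access_token: "constructed-token", expires_in: 60 }, Date.now());
  const transport = async () => ({ ok: false, status: 401 });      // constructed: always 401
  const refresh = async () => ({ access_token: "constructed-token-2", expires_in: 60 });
  await Promise.all([1, 2, 3].map(() => authorizedFetch("/api/me", { session, transport, refresh, handler })));
  timer.flush();
  return redirects;
}

demo().then((n) => console.log("redirects after three 401s:", n));
```

The `setTimer` injection is what makes the debounce testable; in an Ember app the real `setTimeout` (or the run loop) is used and `redirect` would transition to the login route.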
Ember Simple Auth encourages the manual setup of the session service in the beforeModel of the
application route, starting with version 4.1.0.
The relevant changes are described in their upgrade to v4 guide.
There are two ways to invalidate (logout) the current session:

```js
session.invalidate();
```

The session `invalidate` method ends the current ember-simple-auth session and therefore performs a
logout on the Ember application. Note that the session on the authorization server is not invalidated
this way, and a new token/session can simply be obtained by going through the authentication process again.

```js
session.singleLogout();
```

The session `singleLogout` method will invalidate the current ember-simple-auth session and after that
call the `end-session` endpoint of the authorization server. This results in a logout of the
Ember application and additionally invalidates the session on the authorization server, which will log
the user out of all applications using this authorization server!
The addon can be configured in the project's `environment.js` file with the key `ember-simple-auth-oidc`.
A minimal configuration includes the following options:

```js
// config/environment.js
module.exports = function (environment) {
  let ENV = {
    // ...
    "ember-simple-auth-oidc": {
      host: "http://authorization.server/openid",
      clientId: "test",
      authEndpoint: "/authorize",
      tokenEndpoint: "/token",
      userinfoEndpoint: "/userinfo",
    },
    // ...
  };
  return ENV;
};
```
Further, there is the possibility to use the `.well-known` endpoint of your authentication backend (specified in the OpenID provider configuration chapter). For this to work you must at least provide a valid `host` configuration value.
To enforce autodiscovery while also providing some keys (autodiscovery will overwrite duplicate keys), set `forceAutodiscovery: true`.
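The following added example (not the addon's implementation) shows how a `.well-known/openid-configuration` document can be folded into the configuration shape described above. The mapping from discovery-document keys to addon keys, the `resolveConfig` and `configureWithDiscovery` names, and the precedence rule for `forceAutodiscovery` are assumptions of this example; it also assumes an absolute `host` so the document's `issuer` can be checked against it, which OpenID Connect Discovery requires and which keeps a substituted or misconfigured provider from supplying endpoints for a different issuer.

```js
// Added example; not code from ember-simple-auth-oidc. Key mapping, issuer
// check and the names resolveConfig / configureWithDiscovery are assumptions.
const DISCOVERY_KEY_MAP = {
  authorization_endpoint: "authEndpoint",
  token_endpoint: "tokenEndpoint",
  userinfo_endpoint: "userinfoEndpoint",
  end_session_endpoint: "endSessionEndpoint",
};

const stripSlash = (s) => s.replace(/\/$/, "");

function discoveryUrl(host) {
  return stripSlash(host) + "/.well-known/openid-configuration";
}

// Merge a discovery document into the static config. Without forceAutodiscovery
// explicitly configured keys win; with it, discovered values overwrite them.
function resolveConfig(staticConfig, discoveryDoc) {
  if (!staticConfig.host) {
    throw new Error("ember-simple-auth-oidc: host is required for autodiscovery");
  }
  // OIDC Discovery 1.0 §4.3: issuer must equal the URL the document was fetched for
  if (discoveryDoc.issuer !== stripSlash(staticConfig.host)) {
    throw new Error(`issuer mismatch: expected ${staticConfig.host}, got ${discoveryDoc.issuer}`);
  }
  const discovered = {};
  for (const [docKey, cfgKey] of Object.entries(DISCOVERY_KEY_MAP)) {
    if (typeof discoveryDoc[docKey] === "string") discovered[cfgKey] = discoveryDoc[docKey];
  }
  return staticConfig.forceAutodiscovery
    ? { ...staticConfig, ...discovered }
    : { ...discovered, ...staticConfig };
}

// Fetch the document (global fetch, Node 18+ / browsers) and resolve the config.
async function configureWithDiscovery(staticConfig, fetchImpl = fetch) {
  const res = await fetchImpl(discoveryUrl(staticConfig.host), { headers: { Accept: "application/json" } });
  if (!res.ok) throw new Error(`discovery failed with HTTP ${res.status}`);
  return resolveConfig(staticConfig, await res.json());
}

// Constructed discovery document for the host used in the config snippet above.
const SAMPLE_DISCOVERY_DOC = {
  issuer: "http://authorization.server/openid",
  authorization_endpoint: "http://authorization.server/openid/authorize",
  token_endpoint: "http://authorization.server/openid/token",
  userinfo_endpoint: "http://authorization.server/openid/userinfo",
  end_session_endpoint: "http://authorization.server/openid/end-session",
};

function demo() {
  const staticConfig = { host: "http://authorization.server/openid", clientId: "test", tokenEndpoint: "/token" };
  return {
    soft: resolveConfig(staticConfig, SAMPLE_DISCOVERY_DOC),
    forced: resolveConfig({ ...staticConfig, forceAutodiscovery: true }, SAMPLE_DISCOVERY_DOC),
  };
}

console.log(demo());
```

In the `soft` result the hand-written `tokenEndpoint: "/token"` survives while the missing endpoints are filled in from the document; in the `forced` result the document's absolute `token_endpoint` replaces it.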
Here is a complete list of all possible config options:

- `host`: A relative or absolute URI of the authorization server.
- `clientId`: The OIDC client identifier valid at the authorization server.
- `authEndpoint`: Authorization endpoint at the authorization server. This can be a path which will be appended to `host` or an absolute URL.
- `authEndpointParameters` (optional): Additional query parameters (e.g. `acr_values` or `audience`) as an `Object` that will be passed on to the `authEndpoint`. Default is an empty object.
- `tokenEndpoint`: Token endpoint at the authorization server. This can be a path which will be appended to `host` or an absolute URL.
- `endSessionEndpoint` (optional): End session endpoint at the authorization server. This can be a path which will be appended to `host` or an absolute URL.
- `userinfoEndpoint`: Userinfo endpoint at the authorization server. This can be a path which will be appended to `host` or an absolute URL.
- `afterLoginUri` (optional): A relative or absolute URI to which the user is redirected after login, or if the user enters the login page while already authenticated. Default is `"/"`.
- `afterLogoutUri` (optional): A relative or absolute URI to which the user is redirected after logout / end session.
- `scope` (optional): The OIDC scope value. Default is `"openid"`.
- `expiresIn` (optional): Milliseconds after which the token expires. This is only a fallback value if the authorization server does not return an `expires_in` value. Default is `3600000` (1h).
- `refreshLeeway` (optional): Milliseconds before the expiry time at which the token is refreshed. Default is `30000` (30s).
- `tokenPropertyName` (optional): Name of the property which holds the token in a successful authenticate request. Default is `"access_token"`.
- `authHeaderName` (optional): Name of the authentication header holding the token used in requests. Default is `"Authorization"`.
- `authPrefix` (optional): Prefix of the authentication token. Default is `"Bearer"`.
- `loginHintName` (optional): Name of the query parameter which is forwarded to the authorization server if it is present. This option allows overriding the default name `login_hint`.
- `amountOfRetries` (optional): Number of retries that should be made if the request to fetch a new token fails. Default is `3`.
- `retryTimeout` (optional): Timeout in milliseconds between each retry if a token refresh fails. Default is `3000`.
- `enablePkce` (optional): Enables the PKCE mechanism to provide additional protection during the code to token exchange. Default is `false`.
- `unauthorizedRequestRedirectTimeout` (optional): Debounce timeout for redirection after (multiple) `401` responses are received, to prevent redirect loops (at the cost of a small delay). Set to `0` to disable debouncing. Default is `1000`.
This project is licensed under the LGPL-3.0-or-later license.