TL;DR
Is the only way to identify a valid user using the username?
Let me explain my scenario.
I'm trying to set up OAuth2 authentication against a working on-premise CAS like this:

```javascript
adminAuth: {
    type: "strategy",
    strategy: {
        name: "oauth2",
        label: 'Sign in SSO',
        icon: "fa-users",
        strategy: require('passport-oauth2').Strategy,
        options: {
            authorizationURL: 'https://xxxxxx/cas/oauth2.0/authorize',
            tokenURL: 'https://xxxxxx/cas/oauth2.0/accessToken',
            clientID: "xxxxxxxxxxxxxxx",
            clientSecret: "xxxxxxxxxxxx",
            callbackURL: "http://localhost/auth/strategy/callback",
            // passport-oauth2 calls this as (accessToken, refreshToken, profile, done)
            verify: function(token, tokenSecret, profile, done) {
                done(null, profile);
            }
        }
    },
}
```
The problem is: the `profile` is never returned; I've tried everything but it always returns an empty hash. It returns the access token though, and with this I can access `/profile`, which will return information regarding an authenticated user (e.g. its AD groups) based on its `access_token`. With that information I will set up its credentials, either `*` or `read`.
Before you said I need to do this in the `users` function, I was doing it in `verify`. I can get the groups and the correct permissions there, and the problem was that I could never "send" this to the `users` function.
I'm now trying to hit `/profile` directly in the `users` function, but to do that I need the token that I received at authentication.
I even tried something like this in the `verify` function:

```javascript
verify: function(token, tokenSecret, profile, done) {
    profile.token = token;
    done(null, profile);
}
```
and set the `users` function like this:

```javascript
users: function(profile) {
    const https = require('https');
    // The second Promise callback parameter is the reject function; naming it
    // "profile" shadowed the outer profile argument, so profile.token was read
    // from the wrong object.
    return new Promise(function(resolve, reject) {
        const token = profile.token;
        console.log(token);
        // Note: an access token in the query string ends up in server and proxy
        // logs; prefer an Authorization header where the server supports it.
        https.get("https://xxxxxxxxxxxxxx/cas/oauth2.0/profile?access_token=" + token, (res) => {
            var bodyChunks = [];
            res.on('data', function(chunk) {
                bodyChunks.push(chunk);
            }).on('end', function() {
                var body = Buffer.concat(bodyChunks);
                var data;
                try {
                    data = JSON.parse(body).attributes;
                } catch (err) {
                    return reject(err);
                }
                console.log(data);
                // Keep the CN of each group DN, e.g. "CN=mygroup,OU=..." -> "mygroup"
                var groups = data.memberOf.map(function(val) {
                    return val.split(',')[0].replace('CN=', '');
                });
                var user;
                if (groups.includes('mygroup')) {   // Array#includes, not include
                    user = {'username': data.cn, 'permissions': '*'};
                } else {
                    user = {'username': data.cn, 'permissions': 'read'};
                }
                resolve(user);
            }).on('error', reject);
        }).on('error', reject);
    });
}
```
I know the code is pretty ugly, but the real problem here is: the token comes back as `undefined`.
So, if I need to do whatever work is needed to validate the user in the `users` function, how am I supposed to send the token? Or is the only way to identify a valid user using the username?
Sorry for the long reply; let me know if I should open a different topic.
Best regards,
Marcus Castro
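As an added example (not code from the post above or from Node-RED), here is the group-to-permission mapping done as pure functions that can be unit-tested without a CAS server. It assumes the attribute names from the post (`cn`, `memberOf`) and the admin group name `mygroup`; it handles two cases the ad-hoc `split(',')` parser gets wrong: DNs with escaped commas and a single-valued `memberOf` returned as a bare string.

```javascript
// Added example, not part of the original post. Attribute names (cn, memberOf)
// and the group name "mygroup" follow the post; the sample data is constructed.

// Return the value of the first RDN of an LDAP DN, honouring backslash-escaped
// commas such as "CN=Doe\, John,OU=Users,DC=example,DC=com".
function firstRdnValue(dn) {
  let out = "";
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === "\\" && i + 1 < dn.length) { out += dn[++i]; continue; }
    if (c === ",") break;
    out += c;
  }
  const eq = out.indexOf("=");
  return eq === -1 ? out.trim() : out.slice(eq + 1).trim();
}

// memberOf is an array for several groups, a bare string for one group,
// and absent when the user is in none; normalise all three.
function groupNames(attributes) {
  const raw = attributes.memberOf;
  const list = Array.isArray(raw) ? raw : raw ? [raw] : [];
  return list.map(firstRdnValue);
}

// Map a CAS /profile body to the {username, permissions} object Node-RED
// expects; return null (deny) when there is no usable username.
function userFromProfile(profileJson, adminGroup) {
  const attrs = (profileJson && profileJson.attributes) || {};
  if (typeof attrs.cn !== "string" || attrs.cn.length === 0) return null;
  const isAdmin = groupNames(attrs).some(
    (g) => g.toLowerCase() === adminGroup.toLowerCase()
  );
  return { username: attrs.cn, permissions: isAdmin ? "*" : "read" };
}

// Constructed sample, shaped like the /profile JSON the post parses.
const sampleProfile = {
  id: "mcastro",
  attributes: {
    cn: "mcastro",
    memberOf: [
      "CN=Doe\\, John,OU=Users,DC=example,DC=com",
      "CN=mygroup,OU=Groups,DC=example,DC=com",
    ],
  },
};
```

With the sample, `userFromProfile(sampleProfile, "mygroup")` yields `{ username: "mcastro", permissions: "*" }`, whereas the original `split(',')` approach would have produced `"Doe\\"` for the first group.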