From a6f3f830a28466aca548fa324f9b8b6eaeafff39 Mon Sep 17 00:00:00 2001 From: Tim van Oostrom Date: Fri, 3 Nov 2023 13:56:35 +0100 Subject: [PATCH 1/2] MIJN-5205 Add ACC env (#1030) --- azure-pipeline-bff.yaml | 4 ++++ azure-pipeline-ui.yaml | 4 ++++ azure-pipelines.yaml | 7 +++++-- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/azure-pipeline-bff.yaml b/azure-pipeline-bff.yaml index 9e41d9492c..26e6afd1a9 100644 --- a/azure-pipeline-bff.yaml +++ b/azure-pipeline-bff.yaml @@ -4,6 +4,7 @@ trigger: include: - ontwikkelen - testen + - main paths: include: - src/server @@ -56,6 +57,9 @@ variables: - ${{ if or(eq(variables['Build.SourceBranchName'], 'testen'), eq(variables['Build.Reason'], 'PullRequest')) }}: - name: dtapName value: t + - ${{ if eq(variables['Build.SourceBranchName'], 'az-acceptance') }}: + - name: dtapName + value: a - ${{ if eq(variables['Build.Reason'], 'PullRequest') }}: - name: btdDeploy value: false diff --git a/azure-pipeline-ui.yaml b/azure-pipeline-ui.yaml index 0dd195e1e7..5316f0197b 100644 --- a/azure-pipeline-ui.yaml +++ b/azure-pipeline-ui.yaml @@ -4,6 +4,7 @@ trigger: include: - ontwikkelen - testen + - main paths: include: - src/client @@ -58,6 +59,9 @@ variables: - ${{ if or(eq(variables['Build.SourceBranchName'], 'testen'), eq(variables['Build.Reason'], 'PullRequest')) }}: - name: dtapName value: t + - ${{ if eq(variables['Build.SourceBranchName'], 'az-acceptance') }}: + - name: dtapName + value: a - ${{ if eq(variables['Build.Reason'], 'PullRequest') }}: - name: btdDeploy value: false diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index a9a450ee94..f6c6c1d9bd 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml @@ -26,8 +26,8 @@ parameters: - none - o - t - # - a - # - p + - a + - p - name: updateAppSettings type: boolean 
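Review bot: The trigger hunk adds `main` to the branch list, but the new variables entry only maps `az-acceptance` to `dtapName: a`, so a push to `main` now starts a build whose `dtapName` is decided by the rest of the variables block outside this hunk, while `az-acceptance` itself is not a trigger branch and the new mapping therefore only applies to manually queued runs. If `main` is meant to deploy to acceptance, mapping it explicitly would make the intent visible: `- ${{ if eq(variables['Build.SourceBranchName'], 'main') }}:`. The same two hunks appear in azure-pipeline-ui.yaml and should stay in sync. A one-line comment above the new entry, e.g. `# az-acceptance → ACC (a); 'main' is triggered but mapped elsewhere — TODO confirm target env`, would record the branch→environment relation for the next reader.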
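Review bot: Un-commenting `- a` and `- p` makes production a selectable value of the `dtapName` run parameter, and nothing in this diff shows an approval or branch restriction on the `p` path; unless the deployment stage (outside this hunk) targets a protected Azure DevOps environment, anyone allowed to queue the pipeline can deploy any branch to production. Consider gating `p` with an environment approval check or a condition on `Build.SourceBranch` being `refs/heads/main`. A note next to the values would make the expectation explicit: `# TODO(review): confirm 'p' is gated by an environment approval before enabling manual prod deploys`.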
@@ -47,6 +47,9 @@ variables: - ${{ if and(or(eq(variables['Build.SourceBranchName'], 'testen'), eq(variables['Build.Reason'], 'PullRequest')), eq(parameters.dtapName, 'none')) }}: - name: dtapName value: t + - ${{ if and(eq(variables['Build.SourceBranchName'], 'az-acceptance'), eq(parameters.dtapName, 'none')) }}: + - name: dtapName + value: a - ${{ if ne(parameters.dtapName, 'none') }}: - name: dtapName value: ${{ parameters.dtapName }} From dfd164ff72e94b23c6c14f25f7c37fe1de462d69 Mon Sep 17 00:00:00 2001 From: Tim van Oostrom Date: Fri, 3 Nov 2023 15:15:11 +0100 Subject: [PATCH 2/2] Mijn-6997 implement logout hint (#1025) --- package-lock.json | 7 ++++--- package.json | 2 +- src/server/config.ts | 7 +------ src/server/helpers/app.test.ts | 14 ++++++++++++++ src/server/helpers/app.ts | 3 +++ src/server/router-oidc.ts | 35 +++++++++++++++++++++++++++++++++- 6 files changed, 57 insertions(+), 11 deletions(-) diff --git a/package-lock.json b/package-lock.json index 597d412283..a2c76f4240 100644 --- a/package-lock.json +++ b/package-lock.json @@ -62,7 +62,7 @@ "express": "^4.17.3", "express-basic-auth": "^1.2.1", "express-http-proxy": "^1.6.3", - "express-openid-connect": "^2.5.2", + "express-openid-connect": "^2.17.1", "express-rate-limit": "^6.4.0", "flat-cache": "^3.0.4", "focus-trap-react": "^8.8.2", @@ -6318,8 +6318,9 @@ } }, "node_modules/express-openid-connect": { - "version": "2.16.0", - "license": "MIT", + "version": "2.17.1", + "resolved": "https://registry.npmjs.org/express-openid-connect/-/express-openid-connect-2.17.1.tgz", + "integrity": "sha512-5pVK6PNV09x6UN29R9Mer0XF3hwQq2HxiFsjZvLuIQ9ezeTUGbqrefzBOpzciz1S/1WWVaVPDIcj4EBpD8WB3Q==", "dependencies": { "base64url": "^3.0.1", "clone": "^2.1.2", diff --git a/package.json b/package.json index 4117e4b039..9cd3d906e0 100644 --- a/package.json +++ b/package.json 
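Review bot: `Build.SourceBranchName` is only the last path segment of the ref, so the new condition also matches a branch such as `feature/az-acceptance` (the existing `testen` line has the same weakness); comparing the full ref is stricter: `- ${{ if and(eq(variables['Build.SourceBranch'], 'refs/heads/az-acceptance'), eq(parameters.dtapName, 'none')) }}:`. The override at the bottom of the hunk (`ne(parameters.dtapName, 'none')`) still wins whenever a value is passed, so the automatic mapping only governs runs queued without a parameter. The variables block continues outside this hunk.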
@@ -82,7 +82,7 @@ "express": "^4.17.3", "express-basic-auth": "^1.2.1", "express-http-proxy": "^1.6.3", - "express-openid-connect": "^2.5.2", + "express-openid-connect": "^2.17.1", "express-rate-limit": "^6.4.0", "flat-cache": "^3.0.4", "focus-trap-react": "^8.8.2", diff --git a/src/server/config.ts b/src/server/config.ts index 9858dd81cd..ac45cf83c0 100644 --- a/src/server/config.ts +++ b/src/server/config.ts @@ -417,9 +417,8 @@ const oidcConfigBase: ConfigParams = { }, routes: { login: false, - logout: AUTH_LOGOUT, + logout: false, callback: false, - postLogoutRedirect: process.env.MA_FRONTEND_URL, }, afterCallback: (req, res, session) => { const claims = jose.JWT.decode(session.id_token) as { @@ -456,10 +455,6 @@ export const oidcConfigYivi: ConfigParams = { ...oidcConfigBase, clientID: process.env.BFF_OIDC_CLIENT_ID_YIVI, authorizationParams: { prompt: 'login', max_age: 0, response_type: 'code' }, - routes: { - ...oidcConfigBase.routes, - postLogoutRedirect: process.env.BFF_OIDC_YIVI_POST_LOGOUT_REDIRECT, - }, }; // Op 1.13 met ketenmachtiging diff --git a/src/server/helpers/app.test.ts b/src/server/helpers/app.test.ts index ad324d593f..812d25897f 100644 --- a/src/server/helpers/app.test.ts +++ b/src/server/helpers/app.test.ts @@ -90,6 +90,7 @@ describe('server/helpers/app', () => { "authMethod": "eherkenning", "id": "123-eherkenning-321", "profileType": "commercial", + "sid": undefined, }, "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhZTjNwTkRVVXloby10UUIyNWFmcThES0NyeHQyVi1iUzZXOWdSazBjZ2sifQ.eyJ1cm46ZXRvZWdhbmc6MS45OkVudGl0eUNvbmNlcm5lZElEOkt2S25yIjoiMTIzLWVoZXJrZW5uaW5nLTMyMSIsImF1ZCI6InRlc3QxIiwiaWF0IjoxNjUwNjIwMTMzfQ.qF2JLBflk_ajk11jiyrZqcLklB618aSVjnazeDAyljdRJMN_vUUqVZBNLgLI0CBZ_jTYQwbl2OQsizGIdp9_yUadu1FhU4xGHYFBXvtLmdUk049bLccJoFIFYrvJq9yMAUhhRrBLjUUPJN3M8KijF7JKG74QYwyKyL-MzvsvKOqQNLJKUgQ4wUbsY2n9SjPcWGtB6rvkHrbfGGZZmdozIKXWmsQMYP41cEL9E0S15iF78Zko8jaWiV9oUHNqy3CfyZJz-K0dCbPAhs73q_7NqZQF1UoRgw8cQCVpfami521KpS7U6PK6oYlrigF1sHhsN_MuCwVHeOtu_BvBo_IFMQ", } 
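Review bot: With `logout: false` and `routes.postLogoutRedirect` removed, `oidcConfigBase` no longer records where logout is handled or where users land afterwards, and a reader will assume the library's logout is simply switched off; a comment on the new line would keep that knowledge local: `logout: false, // custom per-auth-method logout routes live in router-oidc.ts (send logout_hint)`. Because the Yivi `routes` override is dropped as well, every custom logout route now has to pass `returnTo` explicitly — a `res.oidc.logout()` call without it presumably falls back to the library default rather than `MA_FRONTEND_URL`, which is worth stating in the same comment. `oidcConfigBase` starts before this hunk.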
@@ -119,6 +120,7 @@ describe('server/helpers/app', () => { "authMethod": "digid", "id": "000-digid-999", "profileType": "private", + "sid": undefined, }, "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhZTjNwTkRVVXloby10UUIyNWFmcThES0NyeHQyVi1iUzZXOWdSazBjZ2sifQ.eyJzdWIiOiIwMDAtZGlnaWQtOTk5IiwiYXVkIjoidGVzdDIiLCJpYXQiOjE2NTA2MTk4NDV9.QvPW0CYDnHiX77VZVAUmXahrQeJW1D0IrR4GBTyayH83nv3xe-nHnUMsXIchuYozmDwnF36CBsd1mm-C16x0PK1QD6-Fu-2PAekMxKaWpRWcI6ICOgliEVyV6a2B_KI3ZHshjlXxLyh59VL_2NegKZBQWEvTsFazn0fzbPmoKM3SVj19IiLug8Us4n-jYvzD8kplGzvWVujl4-1VYeNvn0vSfBrcSdLtGPJI7fcJafPxJs6gY2mrpwyeQ3Pan7DEEhXOqucjs81x9cwRRf4_JbRkehLKCwxb4u1USSusqTEqGhGQm7JGJlD4nZIdScNG7Xyx9LQcGm0EfnrjXOTGcw", } @@ -133,12 +135,14 @@ describe('server/helpers/app', () => { sub: '-unused-', aud: 'test1', [EH_ATTR_PRIMARY_ID]: 'EHERKENNING-KVK', + sid: 'test', } as TokenData); expect(profile).toStrictEqual({ authMethod: 'eherkenning', profileType: 'commercial', id: 'EHERKENNING-KVK', + sid: 'test', }); } @@ -146,12 +150,14 @@ describe('server/helpers/app', () => { const profile = getAuthProfile({ aud: 'test2', [DIGID_ATTR_PRIMARY]: 'DIGID-BSN', + sid: 'test2', } as TokenData); expect(profile).toStrictEqual({ authMethod: 'digid', profileType: 'private', id: 'DIGID-BSN', + sid: 'test2', }); } @@ -159,12 +165,14 @@ describe('server/helpers/app', () => { const profile = getAuthProfile({ aud: 'test_x', [DIGID_ATTR_PRIMARY]: 'DIGID-BSN', + sid: 'test2b', } as TokenData); expect(profile).toStrictEqual({ authMethod: 'digid', profileType: 'private', id: 'DIGID-BSN', + sid: 'test2b', }); } @@ -173,12 +181,14 @@ describe('server/helpers/app', () => { sub: '', aud: 'test1', [EH_ATTR_PRIMARY_ID]: 'EH-KVK1', + sid: 'test3', } as TokenData); expect(profile).toStrictEqual({ authMethod: 'eherkenning', profileType: 'commercial', id: 'EH-KVK1', + sid: 'test3', }); } 
@@ -187,12 +197,14 @@ describe('server/helpers/app', () => { sub: '', aud: 'test1', [EH_ATTR_PRIMARY_ID_LEGACY]: 'EH-KVK1', + sid: 'test4', } as TokenData); expect(profile).toStrictEqual({ authMethod: 'eherkenning', profileType: 'commercial', id: 'EH-KVK1', + sid: 'test4', }); } @@ -202,12 +214,14 @@ describe('server/helpers/app', () => { aud: 'test1', [EH_ATTR_INTERMEDIATE_PRIMARY_ID]: 'EH-KVK1', [EH_ATTR_INTERMEDIATE_SECONDARY_ID]: 'EH-KVK2', + sid: 'test5', } as TokenData); expect(profile).toStrictEqual({ authMethod: 'eherkenning', profileType: 'commercial', id: 'EH-KVK1', + sid: 'test5', }); } }); diff --git a/src/server/helpers/app.ts b/src/server/helpers/app.ts index 03593c48f7..7d6d800c23 100644 --- a/src/server/helpers/app.ts +++ b/src/server/helpers/app.ts @@ -35,6 +35,7 @@ export interface AuthProfile { authMethod: 'eherkenning' | 'digid' | 'yivi'; profileType: ProfileType; id?: string; + sid?: string; // TMA Session ID } export function getAuthProfile(tokenData: TokenData): AuthProfile { @@ -61,6 +62,7 @@ export function getAuthProfile(tokenData: TokenData): AuthProfile { return { id: tokenData[idAttr], + sid: tokenData.sid, authMethod, profileType, }; @@ -192,6 +194,7 @@ export function getOIDCToken(jweCookieString: string): string { export interface TokenData { sub: string; aud: string; + sid: string; [key: string]: any; } diff --git a/src/server/router-oidc.ts b/src/server/router-oidc.ts index af15b21c8d..5d2798b1ea 100644 --- a/src/server/router-oidc.ts +++ b/src/server/router-oidc.ts @@ -1,5 +1,5 @@ import * as Sentry from '@sentry/node'; -import express from 'express'; +import express, { Request, Response } from 'express'; import { attemptSilentLogin, auth } from 'express-openid-connect'; import { FeatureToggle } from '../universal/config'; import { apiSuccessResult } from '../universal/helpers'; 
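Review bot: `TokenData.sid` is declared as a required `string`, yet the tests in this same commit expect `sid: undefined` for tokens without a `sid` claim and `AuthProfile.sid` is optional, so the type overstates what the IdP guarantees; declare it `sid?: string; // TMA session id, absent for tokens that carry no sid claim` so callers of `getAuthProfile` are forced to handle the missing case. Since the value is passed through unchanged and later sent to the IdP as `logout_hint`, a cheap `typeof tokenData.sid === 'string' ? tokenData.sid : undefined` in `getAuthProfile` would also keep non-string claim values out of the profile. `getAuthProfile` starts and ends outside this hunk.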
@@ -269,3 +269,36 @@ router.get(BffEndpoints.AUTH_LOGOUT, async (req, res) => { return res.redirect(redirectUrl); }); + +function logout(postLogoutRedirectUrl: string) { + return async (req: Request, res: Response) => { + if (!req.oidc.isAuthenticated()) { + return res.redirect(postLogoutRedirectUrl); + } + + const auth = await getAuth(req); + + res.oidc.logout({ + returnTo: postLogoutRedirectUrl, + logoutParams: { + id_token_hint: null, + logout_hint: auth.profile.sid, + }, + }); + }; +} + +router.get( + BffEndpoints.AUTH_LOGOUT_DIGID, + logout(process.env.MA_FRONTEND_URL!) +); + +router.get( + BffEndpoints.AUTH_LOGOUT_EHERKENNING, + logout(process.env.MA_FRONTEND_URL!) +); + +router.get( + BffEndpoints.AUTH_LOGOUT_YIVI, + logout(process.env.BFF_OIDC_YIVI_POST_LOGOUT_REDIRECT!) +);
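Review bot: In `logout`, `logout_hint: auth.profile.sid` is `undefined` whenever the token had no `sid` claim (the type is optional and the tests cover that case) while `id_token_hint: null` suppresses the default hint, so the end-session request can reach the IdP with no hint at all and the upstream session may survive the logout; only drop `id_token_hint` when a `sid` is actually available. Two smaller points: the local `const auth` shadows the `auth` import from express-openid-connect, and `res.oidc.logout()` looks asynchronous but is neither awaited nor wrapped, so a rejection from it or from `getAuth` becomes an unhandled rejection under Express 4 instead of reaching the error middleware (the rewrite below needs `NextFunction` added to the express import). The `process.env.…!` assertions on the three routes would be safer as a startup check that throws when a URL is unset, because `returnTo: undefined` silently falls back to the library default. None of this is exercised by the new tests; a test that inspects the generated end_session URL for `logout_hint` and the absence of `id_token_hint` would pin the intended behaviour.

```typescript
function logout(postLogoutRedirectUrl: string) {
  return async (req: Request, res: Response, next: NextFunction) => {
    if (!req.oidc.isAuthenticated()) {
      return res.redirect(postLogoutRedirectUrl);
    }
    try {
      const { profile } = await getAuth(req);
      // Prefer the TMA session id as logout_hint; keep the default id_token_hint
      // when no sid is present so the IdP can still identify the session to end.
      const logoutParams = profile.sid
        ? { id_token_hint: null, logout_hint: profile.sid }
        : {};
      await res.oidc.logout({ returnTo: postLogoutRedirectUrl, logoutParams });
    } catch (err) {
      next(err);
    }
  };
}
// … unchanged: the three router.get(BffEndpoints.AUTH_LOGOUT_*, logout(...)) registrations …
```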