add Azure AD authentication (sqlpad#1040)

baoduy · Steven Hoang · web-flow · commit b4077459a35c · 2021-08-05T00:48:33.000-05:00
* add Azure AD authentication

* add SQLPAD_OIDC_SCOPE variable for OIDC allows to customise the authentication scope and LowerCase email before compare

* fixed checkAllowedDomains issue when comparing email address

* revert gitignore, settings and package-lock.json files

* revert package-lock of client and server

Co-authored-by: Steven Hoang &lt;steven.hoang@traswap.com&gt;
diff --git a/docs/authentication.md b/docs/authentication.md
@@ -133,6 +133,11 @@ SQLPAD_OIDC_LINK_HTML = "Sign in with OpenID"
 
 SQLPAD_OIDC_CLIENT_ID = "actual-client-id"
 SQLPAD_OIDC_CLIENT_SECRET = "actual-client-secret"
+
+# Authentication scope allows to customize the scope depend on the supported provider.
+# Default value is "openid profile email roles"
+SQLPAD_OIDC_SCOPE = "openid profile email roles"
+
 # Issuer endpoint (will vary by provider)
 # As of version 6.4.0 the issuer endpoint is the only URL needed
 # as long as the OIDC provider supplies .well-known endpoints
diff --git a/server/auth-strategies/oidc.js b/server/auth-strategies/oidc.js
@@ -90,7 +90,9 @@ async function enableOidc(config) {
         {
           passReqToCallback: true,
           client,
-          params: { scope: 'openid profile email roles' },
+          params: {
+            scope: config.get('oidcScope') || 'openid profile email roles',
+          },
         },
         openidClientHandler
       )
diff --git a/server/config.dev.env b/server/config.dev.env
@@ -21,6 +21,7 @@ SQLPAD_CONNECTIONS__devdbdriverid123__filename = "./test/fixtures/sales.sqlite"
 # SQLPAD_OIDC_CLIENT_ID = CLIENT_ID
 # SQLPAD_OIDC_CLIENT_SECRET = SECRET
 # SQLPAD_OIDC_ISSUER = "https://dev-350224.okta.com/oauth2/default"
+# SQLPAD_OIDC_SCOPE = "openid profile email roles"
 # If below are provided, the old passport-openidconnect implementation is used
 # If the below are NOT provided, the new openid-client implementation is used 
 # SQLPAD_OIDC_AUTHORIZATION_URL = "https://dev-350224.okta.com/oauth2/default/v1/authorize"
diff --git a/server/lib/check-allowed-domains.js b/server/lib/check-allowed-domains.js
@@ -17,8 +17,10 @@
  */
 module.exports = function checkAllowedDomains(allowedDomains, email) {
   if (allowedDomains) {
-    const domain = email.split('@').pop();
-    const domains = allowedDomains.split(' ').map((domain) => domain.trim());
+    const domain = email.split('@').pop().toLowerCase();
+    const domains = allowedDomains
+      .split(' ')
+      .map((domain) => domain.trim().toLowerCase());
 
     return domains.includes(domain);
   }
diff --git a/server/lib/config/config-items.js b/server/lib/config/config-items.js
@@ -358,6 +358,11 @@ const configItems = [
     envVar: 'SQLPAD_OIDC_LINK_HTML',
     default: 'Sign in with OpenID',
   },
+  {
+    key: 'oidcScope',
+    envVar: 'SQLPAD_OIDC_SCOPE',
+    default: 'openid profile email roles',
+  },
   {
     key: 'webhookEnabled',
     envVar: 'SQLPAD_WEBHOOK_ENABLED',
diff --git a/server/routes/app.js b/server/routes/app.js
@@ -9,6 +9,7 @@ const wrap = require('../lib/wrap');
  */
 async function getApp(req, res) {
   const { config } = req;
+
   const currentUser =
     req.isAuthenticated() && req.user
       ? {

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,9 @@ async function enableOidc(config) {`
`90`	`90`	`{`
`91`	`91`	`passReqToCallback: true,`
`92`	`92`	`client,`
`93`		`- params: { scope: 'openid profile email roles' },`
	`93`	`+ params: {`
	`94`	`+ scope: config.get('oidcScope') \|\| 'openid profile email roles',`
	`95`	`+ },`
`94`	`96`	`},`
`95`	`97`	`openidClientHandler`
`96`	`98`	`)`