deeplay-io / verdaccio-openid-connect
Verdaccio authentication plugin for OpenID Connect.
verdaccio v5.22.0 came with some breaking changes in legacy tokens. Also legacy mode is enabled by default (hmm?).
Note: JWT tokens work well.
Thanks for the plugin and for making it compatible with Verdaccio 6.x! Now I can give it a try 👍
You might want to update the readme regarding:
Hi,
Thanks for your plugin, it works like a charm with CLI. Do you have plan to add support for UI login ?
Hello,
In case Verdaccio is deployed on K8S with multiple pods, OIDC auth is broken. As requests are redirected to different instances, we randomly get unauthorized errors even though we're authenticated with a valid token. It depends on whether the request went to the pod where we requested auth or not. I guess something stateful is done somewhere. Do you think it would be possible to have a stateless session?
We have no issue with htpasswd auth.
I have an error using this plugin -
verdaccio_1 | error--- error loading a plugin openid-connect: TypeError: Cannot set property 'openid-connect' of undefined
verdaccio_1 | at new OidcPlugin (/opt/verdaccio/node_modules/verdaccio-openid-connect/lib/index.js:18:54)
verdaccio_1 | at /opt/verdaccio/build/lib/plugin-loader.js:125:32
verdaccio_1 | at Array.map ()
verdaccio_1 | at loadPlugin (/opt/verdaccio/build/lib/plugin-loader.js:62:37)
verdaccio_1 | at Auth._loadPlugin (/opt/verdaccio/build/lib/auth.js:54:38)
verdaccio_1 | at new Auth (/opt/verdaccio/build/lib/auth.js:44:25)
verdaccio_1 | at defineAPI (/opt/verdaccio/build/api/index.js:43:16)
verdaccio_1 | at _default (/opt/verdaccio/build/api/index.js:127:10)
verdaccio_1 | at processTicksAndRejections (internal/process/task_queues.js:93:5)
It works perfectly when verdaccio is served on a hostname, but when I use a subdirectory it is ignored.
https://host.name/oidc/login/code
Should be:
https://host.name/packages/oidc/login/code
And yes I changed Gitlab config before testing subdirectory.
config.yaml.txt
nginx_verdaccio.conf.txt
Hi! Thanks for this plugin :)
I've noticed that in the Dockerfile you provide, you're using as base image verdaccio 4.10.0; is the plugin also compatible with the latest versions of verdaccio, namely 5.x.x?
Cheers,
Loïc
Trying to configure Verdaccio to use keycloak (docker-compose).
auth: {
'openid-connect': {
publicUrl: 'http://verdaccio:4873',
redisUri: 'redis',
issuer: 'http://keycloak:8080/auth/realms/verdaccia/',
clientId: 'verdaccio',
clientSecret: 'dfbe390e-ea07-4c6d-b287-c0fd6007cddd',
usernameClaim: 'preferred_username'
}
}
Configured keycloak:
"id": "4a26062f-55d0-4ac3-a7b7-749ffce4cf6a",
"clientId": "verdaccio",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "dfbe390e-ea07-4c6d-b287-c0fd6007cddd",
"redirectUris": [
"http://verdaccio:4873/oidc/callback"
]
Started keycloak first, waited for the container to be ready (logged in and checked config).
Started verdaccio with redis. Log from verdaccio:
debug--- [local-storage/_sync]: init sync database
debug--- [local-storage/_sync]: folder /verdaccio/storage created succeed
debug--- [local-storage/_sync/writeFileSync]: sync write succeed
debug--- [local-storage/_sync]: init sync database
debug--- [local-storage/_sync]: folder /verdaccio/storage created succeed
debug--- [local-storage/_sync/writeFileSync]: sync write succeed
warn --- Plugin successfully loaded: verdaccio-openid-connect
warn --- Plugin successfully loaded: verdaccio-audit
warn --- Plugin successfully loaded: verdaccio-openid-connect
trace--- local-storage: [get] full list of packages (0) has been fetched
trace--- local-storage: [get] full list of packages (0) has been fetched
warn --- http address - http://0.0.0.0:4873/ - verdaccio/4.11.3
info <-- 172.31.0.1 requested 'GET /'
http <-- 200, user: null(172.31.0.1), req: 'GET /', bytes: 0/562
info <-- 172.31.0.1 requested 'GET /-/verdaccio/packages'
trace--- local-storage: [get] full list of packages (0) has been fetched
http <-- 304, user: null(172.31.0.1), req: 'GET /-/verdaccio/packages', bytes: 0/0
info <-- 172.31.0.1 requested 'POST /-/verdaccio/login'
Pressed button - did not get redirected to keycloak, input user/pwd - failed. Log from verdaccio:
trace--- authenticating mmamaenko
trace--- authenticating mmamaenko
trace--- authenticating for user mmamaenko failed. Error: bad username/password, access denied
http <-- 401, user: null(172.31.0.1), req: 'POST /-/verdaccio/login', error: bad username/password, access denied
info <-- 172.31.0.1 requested 'POST /-/verdaccio/login'
trace--- authenticating mmamaenko
trace--- authenticating mmamaenko
trace--- authenticating for user mmamaenko failed. Error: bad username/password, access denied
http <-- 401, user: null(172.31.0.1), req: 'POST /-/verdaccio/login', error: bad username/password, access denied
When using keycloak with other openid clients I got redirected to keycloak login page but not this time. What is wrong with my config? I can ping all containers by name and I got response from http://keycloak:8080/auth/realms/verdaccia/.well-known/openid-configuration.
Hi,
We are currently evaluating using the verdaccio-openid-connect plugin, however we do not want to rely on any browser interaction for logging in (not even the very first login), so this process can be automated as much as possible.
It is unclear to me if the NPM client application is suited for such a direct workflow. We thought one chain of actions to implement this would be the following:
~/.npmrc file.
We could see a login mechanism where the bearer token is received externally (via a different tool) and passed to the npm adduser command as a base64-encoded string in the username.
We would also accept having a tool external to NPM that performs all the actions described above if the verdaccio-openid-connect plugin would implement the workflow to turn a bearer token into an auth-token to be stored in the ~/.npmrc file. We would also contribute to this project if we get some hints on how to help implement such a "browserless" login flow.
Best regards,
Max
Hi,
We use verdaccio-openid-connect with keycloak and authentication broke with version v1.3.0, I guess due to #8.
Use case to reproduce:
% npm login
npm notice Log in on http://verdaccio.localhost
Logged in on http://verdaccio.localhost
% cat ~/.npmrc
registry=http://verdaccio.localhost/
//verdaccio.localhost/:_authToken="Rv7+MD8qbJZRA+Bjiyz50NyWmlnKt7L7h2HmH6YCKi0="
% npm show somepackage version
npm ERR! code E401
npm ERR! Unable to authenticate, your authentication token seems to be invalid.
npm ERR! To correct this please trying logging in again with:
npm ERR! npm login
npm ERR! A complete log of this run can be found in:
npm ERR! /home/.../.npm/_logs/2022-05-02T14_44_30_468Z-debug-0.log
Server logs are:
JsonWebTokenError: jwt malformed
at Object.module.exports [as verify] (/usr/lib/node_modules/verdaccio-openid-connect/node_modules/jsonwebtoken/verify.js:63:17)
at /usr/lib/node_modules/verdaccio-openid-connect/lib/index.js:186:34
at Layer.handle [as handle_request] (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/layer.js:95:5)
at trim_prefix (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:317:13)
at /usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:284:7
at Function.process_params (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:335:12)
at next (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:275:10)
at Function.handle (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:174:3)
at router (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/index.js:47:12)
at Layer.handle [as handle_request] (/usr/lib/node_modules/verdaccio/node_modules/express/lib/router/layer.js:95:5)
http <-- 401, user: null(192.168.42.1 via 10.42.134.162), req: 'GET /tslib/-/tslib-1.14.1.tgz', error: authorization required to access package tslib
error--- erro while verify jwt bearer token: jwt malformed
rolling back to version 1.2.0 fixes the issue.
Thanks!
Hello, the current latest stable version of Verdaccio is 5.21.1, after installing this plugin, running the service fails.
verdaccio | warn --- config file - /verdaccio/conf/config.yaml
verdaccio | error--- error loading a plugin openid-connect: {}
verdaccio | error--- verdaccio-openid-connect doesn't look like a valid plugin
verdaccio | fatal--- uncaught exception, please report this
verdaccio | Error: sanity check has failed, "openid-connect" is not a valid plugin
verdaccio | at /usr/local/lib/node_modules/verdaccio/build/lib/plugin-loader.js:164:13
verdaccio | at Array.map (<anonymous>)
verdaccio | at loadPlugin (/usr/local/lib/node_modules/verdaccio/build/lib/plugin-loader.js:61:37)
verdaccio | at Auth._loadPlugin (/usr/local/lib/node_modules/verdaccio/build/lib/auth.js:40:38)
verdaccio | at new Auth (/usr/local/lib/node_modules/verdaccio/build/lib/auth.js:32:25)
verdaccio | at defineAPI (/usr/local/lib/node_modules/verdaccio/build/api/index.js:35:16)
verdaccio | at _default (/usr/local/lib/node_modules/verdaccio/build/api/index.js:112:10)
verdaccio | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
verdaccio exited with code 255
Hi,
first off, thank you for your work!
I am having an issue with tokens expiring. Access tokens issued seem to be expiring after 30 days? Or in my case sometimes on server reboot (with redis and persistence configured), which might also just be coincidental with my monthly maintenance.
Npmjs and Verdaccio don't expire auth-tokens by default. It seems reasonable that the OIDC access and refresh tokens expire as set by the OIDC provider, but I would expect the actual npm auth-tokens to (not) expire and respect the config set by verdaccio:
Verdaccio Config - Expiring Tokens
In my use case, I have a build server that I don't want to relogin every month. I double checked my server configs and everything seems to be in order. Also 30 days seems arbitrary. My keycloak config is set to expire logins after 1 day, refresh after 2 days and offline access after a week.
Hi again!
Is it possible to configure the plugin via environment variables, instead of via config.yaml?
We're using verdaccio deployed on a Kubernetes cluster (with the helm chart), and the only way that I found to set the clientSecret is in the ConfigMap, which is unsafe.
If we could set it via an environment variable, then it would be possible to set it in a secret and then inject it in the container.
I'm not sure I'm making myself clear, but basically what I'd like to see is a VERDACCIO_OPENID_CLIENT_SECRET variable, is it currently possible?
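The request above is the standard separation of a ConfigMap (non-secret settings) from a Secret (credentials) in Kubernetes. The following is an added example, not code from the verdaccio-openid-connect plugin, of how a plugin would resolve its settings so that the client secret may arrive through an environment variable: the environment value takes precedence over config.yaml, startup fails closed when the secret is set in neither place, and the config is redacted before it is logged. VERDACCIO_OPENID_CLIENT_SECRET is the variable name proposed in the issue and is assumed here; the sample config values are constructed.

```javascript
// Added example, not code from the verdaccio-openid-connect plugin. Shows how a
// plugin could take its client secret from an environment variable (populated
// from a Kubernetes Secret) instead of the config.yaml held in a ConfigMap.
// VERDACCIO_OPENID_CLIENT_SECRET is the name proposed in the issue above and is
// an assumption of this example.
const SECRET_KEYS = {
  clientSecret: 'VERDACCIO_OPENID_CLIENT_SECRET',
};

// Merges the auth['openid-connect'] section from config.yaml with environment
// overrides. The environment always wins, and startup fails closed when a
// secret is configured in neither place.
function resolvePluginConfig(fileConfig, env = process.env) {
  const resolved = { ...fileConfig };
  for (const [key, varName] of Object.entries(SECRET_KEYS)) {
    const fromEnv = env[varName];
    if (typeof fromEnv === 'string' && fromEnv.length > 0) resolved[key] = fromEnv;
  }
  const missing = Object.keys(SECRET_KEYS).filter((key) => !resolved[key]);
  if (missing.length > 0) {
    const vars = missing.map((key) => SECRET_KEYS[key]).join(', ');
    throw new Error(`openid-connect: ${missing.join(', ')} not configured; set ${vars} or the config.yaml key`);
  }
  return resolved;
}

// A copy of the config that is safe to write to the log: secret values masked.
function redactForLog(config) {
  const out = { ...config };
  for (const key of Object.keys(SECRET_KEYS)) {
    if (key in out) out[key] = '<redacted>';
  }
  return out;
}

// Constructed sample: config.yaml carries no secret, the secret comes from the
// container environment (e.g. a Secret mounted via envFrom / secretKeyRef).
const SAMPLE_FILE_CONFIG = {
  publicUrl: 'https://registry.example.internal',
  issuer: 'https://idp.example.internal/realms/verdaccio',
  clientId: 'verdaccio',
  usernameClaim: 'preferred_username',
};
const SAMPLE_ENV = { VERDACCIO_OPENID_CLIENT_SECRET: 'value-from-k8s-secret' };

console.log(redactForLog(resolvePluginConfig(SAMPLE_FILE_CONFIG, SAMPLE_ENV)));
```

Letting the environment override the file is what makes the helm chart usable without editing the ConfigMap: the chart renders config.yaml without the secret, and the Deployment injects the variable from a Secret.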
I'm using a gitlab instance as OpenID provider; I'm getting the following error when trying to log in:
verdaccio_1 | OPError: invalid_request (Invalid code_verifier parameter. Server does not support pkce.)
verdaccio_1 | at processResponse (/opt/verdaccio/node_modules/openid-client/lib/helpers/process_response.js:45:13)
verdaccio_1 | at Client.grant (/opt/verdaccio/node_modules/openid-client/lib/client.js:1237:26)
verdaccio_1 | at processTicksAndRejections (internal/process/task_queues.js:93:5)
verdaccio_1 | at async Client.callback (/opt/verdaccio/node_modules/openid-client/lib/client.js:460:24)
verdaccio_1 | at async /opt/verdaccio/node_modules/verdaccio-openid-connect/lib/index.js:140:34
Or am I dumb and do I need to install something?
I am trying to use this plugin with Azure AD and when I try logging in it launches the browser and, after entering the right credentials, it tries to call the oidc callback url which gives "Internal server error" saying "OPError: invalid_client (AADSTS700025: Client is public so neither 'client_assertion' nor 'client_secret' should be presented.)".
Any hints on what i could be missing?