Feature/add OIDC optional tolerance and resource (#496)

* Added optional tolerance for OIDC jwt

* Added optional OIDC resource for authorizationURL

* Refactored open id params with zod

---------

Co-authored-by: Nathan Sarrazin <sarrazin.nathan@gmail.com>

.env

@@ -13,11 +13,21 @@ HF_API_ROOT=https://api-inference.huggingface.co/models
 SERPER_API_KEY=#your serper.dev api key here
 SERPAPI_KEY=#your serpapi key here
 
-# Parameters to enable "Sign in with HF"
+# Parameters to enable open id login
+OPENID_CONFIG=`{
+  "PROVIDER_URL": "",
+  "CLIENT_ID": "",
+  "CLIENT_SECRET": "",
+  "SCOPES": ""
+}`
+
+# /!\ legacy openid settings, prefer the config above
 OPENID_CLIENT_ID=
 OPENID_CLIENT_SECRET=
 OPENID_SCOPES="openid profile" # Add "email" for some providers like Google that do not provide preferred_username
 OPENID_PROVIDER_URL=https://huggingface.co # for Google, use https://accounts.google.com
+OPENID_TOLERANCE=
+OPENID_RESOURCE=
 
 # Parameters to enable a global mTLS context for client fetch requests
 USE_CLIENT_CERTIFICATE=false

README.md

@@ -89,9 +89,14 @@ Chat UI features a powerful Web Search feature. It works by:
 The login feature is disabled by default and users are attributed a unique ID based on their browser. But if you want to use OpenID to authenticate your users, you can add the following to your `.env.local` file:
 
 ```env
-OPENID_PROVIDER_URL=<your OIDC issuer>
-OPENID_CLIENT_ID=<your OIDC client ID>
-OPENID_CLIENT_SECRET=<your OIDC client secret>
+OPENID_CONFIG=`{
+  PROVIDER_URL: "<your OIDC issuer>",
+  CLIENT_ID: "<your OIDC client ID>",
+  CLIENT_SECRET: "<your OIDC client secret>",
+  SCOPES: "openid profile",
+  TOLERANCE: // optional
+  RESOURCE: // optional
+}`
 ```
 
 These variables will enable the openID sign-in modal for users.

src/lib/server/auth.ts

@@ -1,4 +1,4 @@
-import { Issuer, BaseClient, type UserinfoResponse, TokenSet } from "openid-client";
+import { Issuer, BaseClient, type UserinfoResponse, TokenSet, custom } from "openid-client";
 import { addHours, addYears } from "date-fns";
 import {
 	COOKIE_NAME,
@@ -6,6 +6,9 @@ import {
 	OPENID_CLIENT_SECRET,
 	OPENID_PROVIDER_URL,
 	OPENID_SCOPES,
+	OPENID_TOLERANCE,
+	OPENID_RESOURCE,
+	OPENID_CONFIG,
 } from "$env/static/private";
 import { sha256 } from "$lib/utils/sha256";
 import { z } from "zod";
@@ -21,7 +24,24 @@ export interface OIDCUserInfo {
 	userData: UserinfoResponse;
 }
 
-export const requiresUser = !!OPENID_CLIENT_ID && !!OPENID_CLIENT_SECRET;
+const stringWithDefault = (value: string) =>
+	z
+		.string()
+		.default(value)
+		.transform((el) => (el ? el : value));
+
+const OIDConfig = z
+	.object({
+		CLIENT_ID: stringWithDefault(OPENID_CLIENT_ID),
+		CLIENT_SECRET: stringWithDefault(OPENID_CLIENT_SECRET),
+		PROVIDER_URL: stringWithDefault(OPENID_PROVIDER_URL),
+		SCOPES: stringWithDefault(OPENID_SCOPES),
+		TOLERANCE: stringWithDefault(OPENID_TOLERANCE),
+		RESOURCE: stringWithDefault(OPENID_RESOURCE),
+	})
+	.parse(JSON.parse(OPENID_CONFIG));
+
+export const requiresUser = !!OIDConfig.CLIENT_ID && !!OIDConfig.CLIENT_SECRET;
 
 export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
 	cookies.set(COOKIE_NAME, sessionId, {
@@ -58,12 +78,14 @@ export async function generateCsrfToken(sessionId: string, redirectUrl: string):
 }
 
 async function getOIDCClient(settings: OIDCSettings): Promise<BaseClient> {
-	const issuer = await Issuer.discover(OPENID_PROVIDER_URL);
+	const issuer = await Issuer.discover(OIDConfig.PROVIDER_URL);
+
 	return new issuer.Client({
-		client_id: OPENID_CLIENT_ID,
-		client_secret: OPENID_CLIENT_SECRET,
+		client_id: OIDConfig.CLIENT_ID,
+		client_secret: OIDConfig.CLIENT_SECRET,
 		redirect_uris: [settings.redirectURI],
 		response_types: ["code"],
+		[custom.clock_tolerance]: OIDConfig.TOLERANCE || undefined,
 	});
 }
 
@@ -73,12 +95,12 @@ export async function getOIDCAuthorizationUrl(
 ): Promise<string> {
 	const client = await getOIDCClient(settings);
 	const csrfToken = await generateCsrfToken(params.sessionId, settings.redirectURI);
-	const url = client.authorizationUrl({
-		scope: OPENID_SCOPES,
+
+	return client.authorizationUrl({
+		scope: OIDConfig.SCOPES,
 		state: csrfToken,
+		resource: OIDConfig.RESOURCE || undefined,
 	});
-
-	return url;
 }
 
 export async function getOIDCUserData(settings: OIDCSettings, code: string): Promise<OIDCUserInfo> {