JSPM

verdaccio-mloeper-openid

0.11.5-rc6
  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
    • 0
  • Score
    100M100P100Q11013F
  • License MIT

A UI for OIDC authentication for Verdaccio, a fork of verdaccio-github-oauth-ui

Package Exports

  • verdaccio-mloeper-openid
  • verdaccio-mloeper-openid/dist/server/index.js
  • verdaccio-mloeper-openid/dist/server/index.mjs

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (verdaccio-mloeper-openid) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

verdaccio-openid

npm npm npm npm

About

This is a Verdaccio plugin that offers OIDC OAuth integration for both the browser and the command line.

Compatibility

  • Verdaccio 5, 6
  • Node >=18
  • Browsers which support ES5

Setup

Install

  1. Install globally
npm install -g verdaccio-openid
  1. Install to Verdaccio plugins folder

npm >= 7

mkdir -p ./install-here/
npm install --global-style \
  --bin-links=false --save=false --package-lock=false \
  --omit=dev --omit=optional --omit=peer \
  --prefix ./install-here/ \
  verdaccio-openid@latest
mv ./install-here/node_modules/verdaccio-openid/ /path/to/verdaccio/plugins/

Verdaccio Config

Merge the below options with your existing Verdaccio config:

middlewares:
  openid:
    enabled: true

auth:
  openid:
    provider-host: https://example.com
    # configuration-uri: https://example.com/.well-known/openid-configuration
    # issuer: https://example.com
    # authorization-endpoint: https://example.com/oauth/authorize
    # token-endpoint: https://example.com/oauth/token
    # userinfo-endpoint: https://example.com/oauth/userinfo
    # jwks-uri: https://example.com/oauth/jwks
    # scope: openid email groups
    client-id: CLIENT_ID
    client-secret: CLIENT_SECRET
    username-claim: name
    # groups-claim: groups
    # provider-type: gitlab
    # store-type: file
    # store-config: ./store
    # authorized-groups:
    #  - access
    # group-users:
    #   animal:
    #     - tom
    #     - jack

Now you can use the openid-connect auth in the webUI.

Config Options

openid

Config key Value Type Default Required Example
provider-hostThe host of the OIDC provider
 string Yes https://example.com
configuration-uriThe URI of the OIDC provider configuration
 string No https://example.com/.well-known/openid-configuration
issuerThe issuer of the OIDC provider
 string No https://example.com
authorization-endpointThe authorization endpoint of the OIDC provider
 string No https://example.com/oauth/authorize
token-endpointThe token endpoint of the OIDC provider
 string No https://example.com/oauth/token
userinfo-endpointThe userinfo endpoint of the OIDC provider
 string No https://example.com/oauth/userinfo
jwks-uriThe JWKS URI of the OIDC provider
 string No https://example.com/oauth/jwks
scopeThe scope of the OIDC provider
 string openid No openid email groups
client-idThe client ID of the OIDC provider
 string Yes your-client-id
client-secretThe client secret of the OIDC provider
 string Yes your-client-secret
username-claimThe claim to get the username from the ID token or userinfo endpoint response
 string sub No name
groups-claimThe claim to get the groups from the ID token or userinfo endpoint response
 string No groups
provider-typeThe provider type to get groups from the provider. Supported values: gitlab
 string No gitlab
store-typeThe store type to store the OIDC state and caches.
 "in-memory" | "redis" | "file" in-memory No file
store-configThe store configuration.
 string | object { ttl: 60000 } No ./store
authorized-groupsThe groups that are allowed to login. Use true to ensure the user has at least one group, false means no groups check
 string | string | boolean false No true
group-usersThe custom group users. If set, groups-claim and provider-type take no effect
 object No {"animal": ["Tom", "Jack"]}

store-config

  1. in-memory

When using the in-memory store, the store-config is an object with the following properties:

Config key Description Value Type Default Required Example
ttl The TTL of the OIDC state in milliseconds. number 60000 No 60000
... All options are passed to the @isaacs/ttlcache constructor. any No
  1. redis

When using the redis store, the store-config is a string with the Redis connection string or an object with the following properties:

Config key Description Value Type Default Required Example
ttl The TTL of the OIDC state in milliseconds. number 60000 No 60000
username The username of the Redis connection. string No your-username
password The password of the Redis connection. string No your-password
nodes The nodes of the Redis Cluster connection. (object | string | number)[] No [{ host: 'localhost', port: 6379 }]
... All options are passed to the ioredis constructor. any No

The username and password can be set with the VERDACCIO_OPENID_STORE_CONFIG_USERNAME and VERDACCIO_OPENID_STORE_CONFIG_PASSWORD environment variables. Or you can use your own environment variable names.

Config example:

auth:
  openid:
    store-type: redis
    store-config: redis://your-username:your-password@localhost:6379
auth:
  openid:
    store-type: redis
    store-config:
      ttl: 60000
      username: your-username
      password: your-password
      host: localhost
      port: 6379

When using Redis Cluster, the nodes config is required.

auth:
  openid:
    store-type: redis
    store-config:
      ttl: 60000
      username: your-username
      password: your-password
      nodes:
        - host: localhost
          port: 6379
        - host: localhost
          port: 6380
      redisOptions:
        # ... other ioredis options
  1. file

When using the file store, the store-config is a string with the file path to store the OIDC state or an object with the following properties:

Config key Description Value Type Default Required Example
ttl The TTL of the OIDC state in milliseconds. number 60000 No 60000
dir The directory to store the OIDC state. string No ./store
... All options are passed to the node-persist constructor. any No

Config example:

auth:
  openid:
    store-type: file
    store-config: ./store
auth:
  openid:
    store-type: file
    store-config:
      ttl: 60000
      dir: ./store

Environment Variables

You can set each config with environment variables to avoid storing sensitive information in the config file. Every config can be set with an environment variable name, matching the regex /^[a-zA-Z_][a-zA-Z0-9_]*$/.

auth:
  openid:
    client-id: MY_CLIENT_ID
    client-secret: MY_CLIENT_SECRET

If the config value is not set, the plugin will try to read the value from the environment variable. The default environment variable name is VERDACCIO_OPENID_ followed by the config key in uppercase and snake case.

Config Key Environment Name Value Example
client-id VERDACCIO_OPENID_CLIENT_ID your-client-id
client-secret VERDACCIO_OPENID_CLIENT_SECRET your-client-secret
provider-host VERDACCIO_OPENID_PROVIDER_HOST https://example.com
authorized-groups VERDACCIO_OPENID_AUTHORIZED_GROUPS true
group-users VERDACCIO_OPENID_GROUP_USERS {"group1": ["user1", "user2"], "group2": ["user3", "user4"]}
[key] VERDACCIO_OPENID_[KEY] other config value is the same as above

The environment value can be a string or a JSON string. If it is a JSON string, the plugin will parse it to a JSON object.

Note: The environment variable will take precedence over the config value. That means if the config value is like an environment variable name(matching above regex), and the environment variable is set, the plugin will use the environment variable value.

Dotenv files

You can use a .env file to set the environment variables. The plugin will read the .env file in the HOME directory and the directory where the Verdaccio process is started.

The load order is:

  1. $HOME/.env
  2. $HOME/.env.openid
  3. $PWD/.env
  4. $PWD/.env.openid

Token Expiration

To set the token expiration time, follow the instructions in the Verdaccio docs.

security:
  api:
    jwt:
      sign:
        expiresIn: 7d # npm token expiration
  web:
    sign:
      expiresIn: 7d # webUI token expiration

OpenID Callback URL

Auth with CLI

npx verdaccio-openid@latest --registry http://your-registry.com