Skip to content

SPID/CIE OIDC implementation in Typescript

License

Notifications You must be signed in to change notification settings

Xevolab/spid-cie-oidc-ts

Repository files navigation

SPID/CIE OIDC Service Provider

Integrate with SPID and CIE authentication using the OIDC federation protocol.


Documentation · Releases

Apache 2.0 License

Note

This library is still in development, all feedback is welcome!

Warning

At this moment, SPID does not officially support the OIDC federation protocol.

Let your users to authenticate with SPID and CIE using the OIDC federation protocol in your applications, with a simple and easy-to-use library. And also TypeScript compatible.

Installation

npm install @xevolab/spid-cie-oidc-ts

Usage

Creating a key set

The object passed to the OIDCClient constructor must contain two key sets. These keys are used to:

  • Sign, verify and encrypt the JWTs exchanged with the OIDC provider
  • Sign and verify the OIDC federation manifest
const keys = {
	oidc: {
		sig: {
			public:  "-----BEGIN PUBLIC KEY-----...",
			private: "-----BEGIN RSA PRIVATE KEY-----..."
		},
		enc: {
			public:  "-----BEGIN PUBLIC KEY-----...",
			private: "-----BEGIN RSA PRIVATE KEY-----..."
		},
	},
	federation: {
		sig: {
			public:  "-----BEGIN PUBLIC KEY-----...",
			private: "-----BEGIN RSA PRIVATE KEY-----..."
		}
	}
};

If a specific set of federation sig key is not provided, the library will use the OIDC sig key.

Initializing the Client

import OIDCClient, { devTrustAnchors, prodTrustAnchors } from 'oidc-client-library';

const client = new OIDCClient({
  clientID:  process.env.APP_FULL_URL,
	providers: [{
		id: "cie",
		wellKnown: "https://preproduzione.oidc.idserver.servizicie.interno.gov.it/.well-known/openid-federation"
	}],
	keys,
	callbackURL:  process.env.APP_FULL_URL + "/callback",
	spidLevel: 2,
	attributes: ["given_name", "family_name", "email", "birthdate", "https://attributes.eid.gov.it/fiscal_number"],
	trustAnchors: devTrustAnchors,
	trustMarks: [{
		"id": "",
		"iss": "",
		"trust_mark": "eyJ..."
	}],
	logger: (state, action, payload) => { /* ... */ }
});

Starting the Authentication Flow

const authResponse = client.authorization(providerID);
if (authResponse.ok) {
  // Redirect the user to the URL provided in authResponse.url
}

Handling the Callback

// Grab the state, code, and iss parameters from the callback URL query string
const callbackResponse = await client.callback({ state, code, iss });

if (callbackResponse.ok) {
  // Handle successful authentication
} else {
  // Handle errors
}