05262311

apps/backend/package.json

@@ -12,6 +12,7 @@
     "@types/oidc-provider": "^9.1.0",
     "hono": "^4.7.10",
     "ioredis": "5.4.1",
+    "jose": "^6.0.11",
     "minio": "7.1.3",
     "nanoid": "^5.1.5",
     "node-cron": "^4.0.7",

apps/backend/src/oidc/config.ts

@@ -1,54 +1,37 @@
 import { Configuration } from 'oidc-provider';
 import { RedisAdapter } from './redis-adapter';
 import { prisma } from '@repo/db';
-import { generateKeyPairSync } from 'crypto';
 
-// 自动生成JWKS密钥对（如无环境变量则自动生成，建议持久化到安全存储）
-function getJWKS() {
-    if (process.env.OIDC_JWKS) {
-        return JSON.parse(process.env.OIDC_JWKS);
-    }
-    // 生成RSA密钥对
-    const { publicKey, privateKey } = generateKeyPairSync('rsa', {
-        modulusLength: 2048,
-        publicKeyEncoding: { type: 'spki', format: 'pem' },
-        privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
-    });
-    // 转为JWK格式（这里只做简单转换，生产建议用jose等库）
-    const jwk = require('pem-jwk').pem2jwk(publicKey);
-    jwk.use = 'sig';
-    jwk.alg = 'RS256';
-    // 打印公钥，便于配置到前端或备份
-    console.log('自动生成的OIDC公钥JWK:', JSON.stringify(jwk, null, 2));
-    return [jwk];
-}
-
-// 支持从数据库动态加载clients
 async function getClients() {
     const dbClients = await prisma.oidcClient.findMany?.();
-    if (dbClients && dbClients.length > 0) {
+    const dbClientList = (dbClients && dbClients.length > 0)
-        return dbClients.map(c => ({
+        ? dbClients.map(c => ({
             client_id: c.clientId,
             client_secret: c.clientSecret,
             grant_types: JSON.parse(c.grantTypes),         // string -> string[]
             redirect_uris: JSON.parse(c.redirectUris),     // string -> string[]
             response_types: JSON.parse(c.responseTypes),   // string -> string[]
             scope: c.scope,
-        }));
+        }))
-    }
+        : [];
-    return [
+
-        {
+    // 管理后台client，通过环境变量读取
-            client_id: process.env.OIDC_CLIENT_ID || 'example-client',
+    const adminClient = {
-            client_secret: process.env.OIDC_CLIENT_SECRET || 'example-secret',
+        client_id: process.env.OIDC_CLIENT_ID || 'admin-client',
+        client_secret: process.env.OIDC_CLIENT_SECRET || 'admin-secret',
         grant_types: ['authorization_code', 'refresh_token'],
-            redirect_uris: [process.env.OIDC_REDIRECT_URI || 'http://localhost:3000/callback'],
+        redirect_uris: [process.env.OIDC_REDIRECT_URI || 'http://localhost:3000/admin/callback'],
         response_types: ['code'],
         scope: 'openid email profile',
-        },
+    };
-    ];
+
+    // 检查是否与数据库client_id重复
+    const allClients = [adminClient, ...dbClientList.filter(c => c.client_id !== adminClient.client_id)];
+
+    return allClients;
 }
 
-const OIDC_COOKIE_KEY = process.env.OIDC_COOKIE_KEY || 'default-cookie-key';
+const OIDC_COOKIE_KEY = process.env.OIDC_COOKIE_KEY || 'HrbEPlzByV0CcjFJhl2pjKV2iG8FgQIc';
 
 const config: Configuration = {
     adapter: RedisAdapter,
@@ -67,9 +50,7 @@ const config: Configuration = {
     cookies: {
         keys: [OIDC_COOKIE_KEY],
     },
-    jwks: {
+    jwks: [],
-        keys: getJWKS(),
-    },
     ttl: {
         AccessToken: 3600,
         AuthorizationCode: 600,

pnpm-lock.yaml

@@ -53,6 +53,9 @@ importers:
       ioredis:
         specifier: 5.4.1
         version: 5.4.1
+      jose:
+        specifier: ^6.0.11
+        version: 6.0.11
       minio:
         specifier: 7.1.3
         version: 7.1.3