登录
// Build the passport instance carrying the OpenID Connect strategy.
// `client` and `params` come from elsewhere in the file; what openidPassport
// derives from them is not visible here.
const passport = openidPassport(client, params);
// Register passport on the app. initialize() is listed before session(),
// the order passport documents, so req.user can be restored from the session.
for (const middleware of [passport.initialize(), passport.session()]) {
  app.use(middleware);
}
// Login route. The strategy name 'open-id' has to match the one
// openidPassport registers — confirm against that helper. Only when the
// strategy has established the session does the final handler run, and it
// simply forwards the browser to the success page.
app.get('/login', passport.authenticate('open-id'), function onLoginComplete(req, res) {
  res.redirect('/loginSuccess');
});
// Post-login page: answers with a small JSON summary of the logged-in user,
// or sends unauthenticated requests back through the login flow.
app.get('/loginSuccess', function loginSuccess(req, res) {
  const authenticated = req.isAuthenticated();
  if (!authenticated) {
    return res.redirect('/login');
  }
  // `sub` is the OIDC subject identifier; it is exposed under the key
  // `orgId` here — presumably a project-specific mapping, verify with callers.
  const { email, sub } = req.user;
  const payload = {
    success: true,
    email,
    orgId: sub,
  };
  res.json(payload);
});
登出
登出分为 OP 登出和 RP 登出
OP 登出
通过调用 OP 的用户登出 API（end_session_endpoint），需要 URL 查询参数 id_token_hint 和 post_logout_redirect_uri
id_token_hint 的值为身份令牌（ID Token）
post_logout_redirect_uri 为 OP 登出后的回调 URI
RP 登出
需要调用 req.logout() 结束 RP 会话，并且废除 RP 客户端的 accessToken 和 refreshToken。
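// RP-initiated logout: end the local (RP) session, revoke the tokens this
// client holds, then send the browser to the OP's end_session_endpoint so the
// OP session is terminated as well.
app.get('/logout', async (req, res) => {
  // No session: nothing to revoke, restart the login flow. The `return` is
  // required — without it execution falls through to req.user.tokenset and
  // throws on an undefined req.user.
  if (!req.user) {
    return res.redirect('/login');
  }
  // Assumes the strategy's verify callback stored the TokenSet as
  // user.tokenset — confirm against openidPassport.
  const {
    access_token: accessToken,
    refresh_token: refreshToken,
    id_token: idToken,
  } = req.user.tokenset;
  const endSessionEndpoint = issuer.end_session_endpoint;
  const redirectUri = client.post_logout_redirect_uris[0];

  // Terminate the RP session first; the token values were captured above so
  // they survive the user object being cleared.
  // NOTE(review): passport 0.6+ expects the callback form req.logout(cb);
  // keep whichever form matches the installed passport version.
  req.logout();

  // Revoke at the OP so a retained copy of either token is useless after
  // logout. Revocation is best-effort: a failure is logged but must not
  // prevent the redirect that ends the OP session. A token the OP never
  // issued (e.g. no refresh_token) is skipped rather than sent as "undefined".
  const revocations = [];
  if (accessToken) {
    revocations.push(client.revoke(accessToken, 'access_token'));
  }
  if (refreshToken) {
    revocations.push(client.revoke(refreshToken, 'refresh_token'));
  }
  const outcomes = await Promise.allSettled(revocations);
  for (const outcome of outcomes) {
    if (outcome.status === 'rejected') {
      console.error('token revocation failed', outcome.reason);
    }
  }

  // OPs are not required to publish end_session_endpoint; without one only
  // the RP logout is possible, so finish at the login page.
  if (!endSessionEndpoint) {
    return res.redirect('/login');
  }

  // Build the query with URLSearchParams so idToken and redirectUri are
  // percent-encoded: string interpolation would let an `&` or `#` inside
  // redirectUri split or truncate the query.
  const endSessionUrl = new URL(endSessionEndpoint);
  endSessionUrl.searchParams.set('id_token_hint', idToken);
  endSessionUrl.searchParams.set('post_logout_redirect_uri', redirectUri);
  // Notify the OP so it ends its own session too.
  res.redirect(endSessionUrl.toString());
});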