OBP-Portal/debug-oauth.cjs at main · OpenBankProject/OBP-Portal · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
#!/usr/bin/env node

/**
 * Debug script for OBP Portal OAuth/OIDC issues
 *
 * This script helps diagnose JWT token validation issues by:
 * 1. Fetching and displaying OIDC configuration
 * 2. Decoding JWT tokens to show claims
 * 3. Checking issuer and JWKS URI consistency
 *
 * Usage:
 * node debug-oauth.js [access_token]
 */

const fetch = require('node-fetch');
const { Buffer } = require('buffer');

// Configuration - update these based on your environment
const CONFIG = {
	OIDC_WELL_KNOWN_URL:
		process.env.OBP_OAUTH_WELL_KNOWN_URL ||
		'http://127.0.0.1:9000/obp-oidc/.well-known/openid-configuration',
	OBP_BASE_URL: process.env.PUBLIC_OBP_BASE_URL || 'http://localhost:8080',
	EXPECTED_ISSUER: process.env.VITE_OIDC_ISSUER || 'http://127.0.0.1:9000'
};

console.log('🔍 OBP OAuth Debug Tool');
console.log('========================\n');

// Utility function to decode JWT without verification
function decodeJWT(token) {
	try {
		const parts = token.split('.');
		if (parts.length !== 3) {
			throw new Error('Invalid JWT format');
		}

		const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
		const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());

		return { header, payload };
	} catch (error) {
		console.error('❌ Failed to decode JWT:', error.message);
		return null;
	}
}

// Function to fetch and display OIDC configuration
async function checkOIDCConfiguration() {
	console.log('📋 Checking OIDC Configuration');
	console.log('-------------------------------');
	console.log(`Well-known URL: ${CONFIG.OIDC_WELL_KNOWN_URL}`);

	try {
		const response = await fetch(CONFIG.OIDC_WELL_KNOWN_URL);

		if (!response.ok) {
			console.error(`❌ Failed to fetch OIDC config: ${response.status} ${response.statusText}`);
			return null;
		}

		const config = await response.json();

		console.log('✅ OIDC Configuration fetched successfully');
		console.log(`   Issuer: ${config.issuer}`);
		console.log(`   Authorization Endpoint: ${config.authorization_endpoint}`);
		console.log(`   Token Endpoint: ${config.token_endpoint}`);
		console.log(`   JWKS URI: ${config.jwks_uri}`);
		console.log(`   Userinfo Endpoint: ${config.userinfo_endpoint}`);

		// Check if issuer matches expected
		if (config.issuer === CONFIG.EXPECTED_ISSUER) {
			console.log('✅ Issuer matches expected value');
		} else {
			console.log(`⚠️  Issuer mismatch:`);
			console.log(`   Expected: ${CONFIG.EXPECTED_ISSUER}`);
			console.log(`   Actual: ${config.issuer}`);
		}

		console.log('');
		return config;
	} catch (error) {
		console.error('❌ Error fetching OIDC configuration:', error.message);
		return null;
	}
}

// Function to test JWKS endpoint accessibility
async function checkJWKSEndpoint(jwksUri) {
	console.log('🔑 Checking JWKS Endpoint');
	console.log('-------------------------');
	console.log(`JWKS URI: ${jwksUri}`);

	try {
		const response = await fetch(jwksUri);

		if (!response.ok) {
			console.error(`❌ Failed to fetch JWKS: ${response.status} ${response.statusText}`);
			return false;
		}

		const jwks = await response.json();
		console.log(`✅ JWKS endpoint accessible`);
		console.log(`   Number of keys: ${jwks.keys ? jwks.keys.length : 0}`);

		if (jwks.keys && jwks.keys.length > 0) {
			jwks.keys.forEach((key, index) => {
				console.log(
					`   Key ${index + 1}: ${key.kty} (${key.alg || 'no alg specified'}) - ${key.kid || 'no kid'}`
				);
			});
		}

		console.log('');
		return true;
	} catch (error) {
		console.error('❌ Error fetching JWKS:', error.message);
		return false;
	}
}

// Function to analyze JWT token
function analyzeJWT(token, oidcConfig) {
	console.log('🔍 JWT Token Analysis');
	console.log('---------------------');

	const decoded = decodeJWT(token);
	if (!decoded) {
		return;
	}

	const { header, payload } = decoded;

	console.log('📄 Token Header:');
	console.log(`   Algorithm: ${header.alg}`);
	console.log(`   Type: ${header.typ}`);
	console.log(`   Key ID: ${header.kid || 'Not specified'}`);

	console.log('\n📄 Token Payload:');
	console.log(`   Issuer: ${payload.iss}`);
	console.log(`   Subject: ${payload.sub}`);
	console.log(`   Audience: ${Array.isArray(payload.aud) ? payload.aud.join(', ') : payload.aud}`);
	console.log(
		`   Issued At: ${payload.iat ? new Date(payload.iat * 1000).toISOString() : 'Not specified'}`
	);
	console.log(
		`   Expires At: ${payload.exp ? new Date(payload.exp * 1000).toISOString() : 'Not specified'}`
	);
	console.log(`   Client ID: ${payload.client_id || 'Not specified'}`);
	console.log(`   Scope: ${payload.scope || 'Not specified'}`);

	// Check if token is expired
	if (payload.exp) {
		const now = Math.floor(Date.now() / 1000);
		const isExpired = now >= payload.exp;
		console.log(`   Status: ${isExpired ? '❌ EXPIRED' : '✅ Valid'}`);
		if (isExpired) {
			console.log(`   Expired ${Math.floor((now - payload.exp) / 60)} minutes ago`);
		} else {
			console.log(`   Expires in ${Math.floor((payload.exp - now) / 60)} minutes`);
		}
	}

	// Check issuer consistency
	console.log('\n🔗 Issuer Validation:');
	if (oidcConfig && oidcConfig.issuer) {
		if (payload.iss === oidcConfig.issuer) {
			console.log('✅ Token issuer matches OIDC configuration');
		} else {
			console.log('❌ Token issuer MISMATCH:');
			console.log(`   Token issuer: ${payload.iss}`);
			console.log(`   OIDC issuer: ${oidcConfig.issuer}`);
		}
	}

	if (payload.iss === CONFIG.EXPECTED_ISSUER) {
		console.log('✅ Token issuer matches expected configuration');
	} else {
		console.log('⚠️  Token issuer differs from expected:');
		console.log(`   Token issuer: ${payload.iss}`);
		console.log(`   Expected: ${CONFIG.EXPECTED_ISSUER}`);
	}

	console.log('');
}

// Function to test OBP API endpoint
async function testOBPEndpoint(accessToken) {
	console.log('🏦 Testing OBP API Access');
	console.log('-------------------------');

	const currentUserUrl = `${CONFIG.OBP_BASE_URL}/obp/v5.1.0/users/current`;
	console.log(`Endpoint: ${currentUserUrl}`);

	try {
		const response = await fetch(currentUserUrl, {
			headers: {
				Authorization: `Bearer ${accessToken}`,
				Accept: 'application/json'
			}
		});

		console.log(`Status: ${response.status} ${response.statusText}`);

		if (response.ok) {
			const user = await response.json();
			console.log('✅ Successfully accessed OBP API');
			console.log(`   User ID: ${user.user_id}`);
			console.log(`   Email: ${user.email}`);
			console.log(`   Username: ${user.username || 'N/A'}`);
		} else {
			const errorText = await response.text();
			console.log('❌ OBP API request failed');
			console.log(`   Response: ${errorText}`);

			// Try to parse error details
			try {
				const errorData = JSON.parse(errorText);
				if (errorData.code === 401 && errorData.message.includes('OBP-20208')) {
					console.log('\n💡 This is the JWKS/Issuer mismatch error!');
					console.log('   Possible causes:');
					console.log('   - OBP API server cannot reach the JWKS endpoint');
					console.log('   - Issuer in JWT token differs from OBP configuration');
					console.log('   - JWKS URI in OIDC config differs from OBP configuration');
				}
			} catch (e) {
				// Error text is not JSON
			}
		}

		console.log('');
	} catch (error) {
		console.error('❌ Error testing OBP endpoint:', error.message);
	}
}

// Function to show configuration recommendations
function showRecommendations(oidcConfig, jwtPayload) {
	console.log('💡 Troubleshooting Recommendations');
	console.log('==================================');

	if (!oidcConfig) {
		console.log('1. ❌ OIDC configuration could not be fetched');
		console.log('   - Check if the OIDC provider is running');
		console.log('   - Verify the OBP_OAUTH_WELL_KNOWN_URL is correct');
		console.log('   - Check network connectivity');
		return;
	}

	if (jwtPayload && oidcConfig.issuer !== jwtPayload.iss) {
		console.log('1. ❌ Issuer mismatch detected');
		console.log('   - Update OBP API configuration to expect issuer:', jwtPayload.iss);
		console.log('   - OR update OIDC provider to issue tokens with issuer:', oidcConfig.issuer);
	}

	console.log('2. 🔍 Check OBP API server configuration:');
	console.log(`   - Ensure OBP API can reach: ${oidcConfig.jwks_uri}`);
	console.log(`   - Verify issuer is configured as: ${oidcConfig.issuer}`);
	console.log(`   - Check if JWKS URI is configured as: ${oidcConfig.jwks_uri}`);

	console.log('\n3. 🔧 Network connectivity checks:');
	console.log('   - Test JWKS endpoint from OBP API server:');
	console.log(`     curl ${oidcConfig.jwks_uri}`);
	console.log('   - Check firewall rules between OBP API and OIDC provider');

	console.log('\n4. 📝 Environment variables to verify:');
	console.log('   - OBP_OAUTH_WELL_KNOWN_URL');
	console.log('   - VITE_OIDC_ISSUER');
	console.log('   - PUBLIC_OBP_BASE_URL');

	console.log('\n5. 🔄 If using Docker/containers:');
	console.log('   - Ensure containers can communicate');
	console.log('   - Check if localhost/127.0.0.1 should be container names');
	console.log('   - Verify port mappings');
}

// Main function
async function main() {
	const accessToken = process.argv[2];

	// 1. Check OIDC Configuration
	const oidcConfig = await checkOIDCConfiguration();

	// 2. Check JWKS endpoint if available
	if (oidcConfig && oidcConfig.jwks_uri) {
		await checkJWKSEndpoint(oidcConfig.jwks_uri);
	}

	// 3. Analyze JWT token if provided
	let jwtPayload = null;
	if (accessToken) {
		const decoded = decodeJWT(accessToken);
		if (decoded) {
			jwtPayload = decoded.payload;
			analyzeJWT(accessToken, oidcConfig);

			// 4. Test OBP API access
			await testOBPEndpoint(accessToken);
		}
	} else {
		console.log('ℹ️  No access token provided. Add token as argument to analyze JWT claims.');
		console.log('   Usage: node debug-oauth.js YOUR_ACCESS_TOKEN\n');
	}

	// 5. Show recommendations
	showRecommendations(oidcConfig, jwtPayload);

	console.log('\n🔚 Debug complete');
}

// Handle errors and run
main().catch((error) => {
	console.error('💥 Unexpected error:', error);
	process.exit(1);
});