Set OIDC redirect_uri dynamically if needed (arkime#2950)

* Set OIDC redirect_uri dynamically if needed

Fixes arkime#2949

Signed-off-by: Matt Eaton <[email protected]>

* Update auth.js

Handle undefined redirectURIs

---------

Signed-off-by: Matt Eaton <[email protected]>
Co-authored-by: Andy Wick <[email protected]>

common/auth.js

@@ -197,7 +197,6 @@ class Auth {
       check('discoverURL', 'authDiscoverURL');
       check('clientId', 'authClientId');
       check('clientSecret', 'authClientSecret');
-      check('redirectURIs', 'authRedirectURIs');
       Auth.#strategies = ['oidc'];
       Auth.#passportAuthOptions = { session: true, failureRedirect: `${Auth.#basePath}api/login`, scope: Auth.#authConfig.oidcScope };
       sessionAuth = true;
@@ -539,7 +538,7 @@ class Auth {
       const client = new issuer.Client({
         client_id: Auth.#authConfig.clientId,
         client_secret: Auth.#authConfig.clientSecret,
-        redirect_uris: Auth.#authConfig.redirectURIs.split(','),
+        redirect_uris: Auth.#authConfig.redirectURIs ? Auth.#authConfig.redirectURIs.split(',') : undefined,
         token_endpoint_auth_method: 'client_secret_post'
       });
 
@@ -769,7 +768,12 @@ class Auth {
       req.session.ogurl = Buffer.from(Auth.obj2authNext(req.originalUrl)).toString('base64');
     }
 
-    passport.authenticate(Auth.#strategies, Auth.#passportAuthOptions)(req, res, function (err) {
+    const passportAuthOptionsExtra = {};
+    if (Auth.#strategies.includes('oidc') && (Auth.#authConfig.redirectURIs === undefined || Auth.#authConfig.redirectURIs.split(',').length > 1)) {
+      passportAuthOptionsExtra.redirect_uri = req.protocol + '://' + req.hostname + `${Auth.#basePath}auth/login/callback`;
+    }
+
+    passport.authenticate(Auth.#strategies, { ...Auth.#passportAuthOptions, ...passportAuthOptionsExtra })(req, res, function (err) {
       if (Auth.#basePath !== '/') {
         req.url = req.url.replace(Auth.#basePath, '/');
       }