@sap/xssec
Comparing version 3.0.10 to 3.1.0
# Change Log | ||
All notable changes to this project will be documented in this file. | ||
## 3.1.0 - 2020-01-10 | ||
- Support for multiple configurations for one security context ([more details here](doc/MultiConfiguration.md)) | ||
- Bugfix: support for additional attributes in token exchange | ||
- Bugfix: authorization now in payload for better XSUAA support | ||
- correct support for azp (clientid) in token payload | ||
- method to identify an XSUAA token | ||
## 3.0.10 - 2020-10-01 | ||
@@ -44,3 +50,3 @@ - The requests to the XSUAA are now available using the requests module also if you do not have a securityContext | ||
- Remove obsolete method requestTokenForClient (use requestToken) | ||
- Remove obsolete method getIdentityZone (getSubaccountId) | ||
- Remove obsolete method getIdentityZone (use getZoneId() instead, or getSubaccountId() for metering purposes) | ||
- Support for audience validation in token | ||
@@ -47,0 +53,0 @@ - remove of SAP_JWT_TRUST_ACL environment variable support (functionality now comes with audience validation); see also [here](https://jam4.sapjam.com/blogs/show/oEdyQO183plBoQdrvcPw2w). |
@@ -58,8 +58,5 @@ 'use strict'; | ||
client_id: serviceCredentials.clientid, | ||
client_secret: serviceCredentials.clientsecret, | ||
assertion: appToken | ||
}, | ||
auth: { | ||
user: serviceCredentials.clientid, | ||
pass: serviceCredentials.clientsecret | ||
}, | ||
timeout: 10*1000 | ||
@@ -72,2 +69,3 @@ }; | ||
if (additionalAttributes !== null) { | ||
var authorities = { "az_attr" : additionalAttributes }; | ||
options.form.authorities = authorities; | ||
@@ -131,3 +129,3 @@ } | ||
var options = { | ||
url: urlWithCorrectSubdomain + '/oauth/token?grant_type=client_credentials&response_type=token', | ||
url: urlWithCorrectSubdomain + '/oauth/token', | ||
headers: { | ||
@@ -138,5 +136,7 @@ 'Accept': 'application/json', | ||
}, | ||
auth: { | ||
user: serviceCredentials.clientid, | ||
pass: serviceCredentials.clientsecret | ||
form: { | ||
grant_type: 'client_credentials', | ||
response_type: 'token', | ||
client_id: serviceCredentials.clientid, | ||
client_secret: serviceCredentials.clientsecret | ||
}, | ||
@@ -143,0 +143,0 @@ timeout: 2 * 1000 |
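Review bot: The guard `if (additionalAttributes !== null)` in the token-exchange hunk (old line 72) lets an omitted argument through: when the caller passes nothing, `additionalAttributes` is `undefined`, the condition is true, and the request goes out with `authorities = { az_attr: undefined }`, which is what the conditional was meant to avoid; `if (additionalAttributes != null) {` covers both `null` and `undefined`. The enclosing function starts and ends outside the hunk, so a parameter default is not visible here as an alternative. In the client-credentials request the client id and secret now travel in the `form` body; the rendered hunk does not make clear whether the Basic `auth` block is removed at the same time, and if both survive the secret is sent twice on every call, so only one transport should remain (RFC 6749 §2.3.1 accepts either).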
@@ -79,2 +79,27 @@ 'use strict'; | ||
this.getAudiencesArray = function() { | ||
if(!payload.aud) { | ||
return null; | ||
} | ||
return Array.isArray(payload.aud) ? payload.aud : [payload.aud]; | ||
} | ||
this.getClientId = function() { | ||
var azp = payload.azp; | ||
if(azp) { | ||
return azp; | ||
} | ||
var aud = this.getAudiencesArray(); | ||
if(!aud || aud.length != 1){ | ||
return null; | ||
} | ||
//make sure it's not an empty string | ||
return aud[0] ? aud[0] : payload.cid; | ||
} | ||
this.isTokenIssuedByXSUAA = function() { | ||
return payload.ext_attr ? payload.ext_attr.enhancer === "XSUAA" : false; | ||
} | ||
this.verify = function(getKeyCBOrValue, cb) { | ||
@@ -81,0 +106,0 @@ return jwt.verify(encoded, |
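Review bot: `getClientId` only reaches the `payload.cid` fallback when the token has no `azp` and exactly one audience that is an empty string; a token with no `azp` and two or more audiences returns `null` even when `cid` is present, which the previous `decodedToken.cid` presence check would have accepted. If `cid` is meant to stay the fallback, `if(!aud || aud.length !== 1) { return payload.cid || null; }` keeps that behaviour and also replaces the loose `!=` with `!==`. `isTokenIssuedByXSUAA` reads `ext_attr.enhancer` straight from the payload, so presumably it is only meaningful once `verify` has succeeded; a one-line comment such as `// payload claim: only trust the answer after verify() succeeded` would stop callers using it as a trust decision on an unverified token. The surrounding constructor starts and ends outside the hunk.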
@@ -160,3 +160,3 @@ 'use strict'; | ||
function JwtTokenValidator(verificationKey, config) { | ||
function JwtTokenValidator(verificationKey, configArray) { | ||
var foreignMode = false; | ||
@@ -190,3 +190,3 @@ | ||
if (!decodedToken.cid) { | ||
if(!token.getClientId()) { | ||
return returnError(400, 'Client Id not contained in access token. Giving up!'); | ||
@@ -199,8 +199,19 @@ } | ||
var audienceValidator = new JwtAudienceValidator(config.clientid); | ||
if (config.xsappname) { | ||
audienceValidator.configureTrustedClientId(config.xsappname); | ||
var audienceValidator = new JwtAudienceValidator(configArray[0].clientid); | ||
if (configArray[0].xsappname) { | ||
audienceValidator.configureTrustedClientId(configArray[0].xsappname); | ||
} | ||
var valid_result = audienceValidator.validateToken(decodedToken.aud, decodedToken.scope, decodedToken.cid); | ||
for(var i=1;i<configArray.length;++i) { | ||
if(configArray[i]) { | ||
if (configArray[i].clientid) { | ||
audienceValidator.configureTrustedClientId(configArray[i].clientid); | ||
} | ||
if (configArray[i].xsappname) { | ||
audienceValidator.configureTrustedClientId(configArray[i].xsappname); | ||
} | ||
} | ||
} | ||
var valid_result = audienceValidator.validateToken(token.getAudiencesArray(), decodedToken.scope, decodedToken.cid); | ||
if (!valid_result.isValid()) { | ||
@@ -210,3 +221,3 @@ return returnError(401, valid_result.getErrorDescription()); | ||
if(config.clientid !== decodedToken.cid) { | ||
if(configArray[0].clientid !== decodedToken.cid) { | ||
foreignMode = audienceValidator.isForeignMode(); | ||
@@ -213,0 +224,0 @@ } |
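Review bot: The presence check now uses `token.getClientId()` (old line 190), which accepts a token identified only by `azp` or a single `aud`, but the audience validation and the foreign-mode comparison still read `decodedToken.cid`, so such a token passes the check and then reaches `validateToken(…, decodedToken.cid)` with `undefined` and always fails the `configArray[0].clientid !== decodedToken.cid` test. If the two are meant to agree, compute it once, `var tokenClientId = token.getClientId();`, and pass `tokenClientId` in both places; whether `validateToken` and `isForeignMode` tolerate `undefined` is not visible here. `configArray[0]` is also dereferenced without the null guard the loop applies to every later entry, so an empty array throws a TypeError instead of returning a 400. The loop makes every extra `clientid` and `xsappname` a trusted audience, which is the intended feature but deserves a comment stating that each additional config widens the set of accepted tokens. `JwtTokenValidator` starts and ends outside the hunk.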
@@ -14,2 +14,4 @@ 'use strict'; | ||
const VerificationKey = require('./verificationkey'); | ||
const { isArray } = require('util'); | ||
const { config } = require('process'); | ||
@@ -36,3 +38,9 @@ debugError.log = console.error.bind(console); | ||
function SecurityContext(config) { | ||
function SecurityContext(configParam) { | ||
//make sure the parameter is an array | ||
var configArr = Array.isArray(configParam) ? configParam : [configParam]; | ||
//our main config is always the config at position 0 | ||
var config = configArr[0]; | ||
var userInfo = { | ||
@@ -359,3 +367,3 @@ logonName: '', | ||
clientId = decodedToken.cid; | ||
clientId = tokenInfo.getClientId(); | ||
expirationDate = new Date(decodedToken.exp * 1000); | ||
@@ -420,3 +428,3 @@ grantType = decodedToken.grant_type; | ||
var verificationKey = new VerificationKey(config); | ||
var jwtValidator = new JwtTokenValidator(verificationKey, config); | ||
var jwtValidator = new JwtTokenValidator(verificationKey, configArr); | ||
@@ -423,0 +431,0 @@ //Now validate the tokens |
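Review bot: The two new requires at the top of the file look like editor auto-imports and should be dropped: `util.isArray` is deprecated and unused (the constructor uses `Array.isArray`), and `const { config } = require('process')` binds Node's build-configuration object at module level under the same name the code uses for the service configuration. Inside `SecurityContext` it is shadowed by `var config = configArr[0]`, but any other function in this file that refers to `config` without declaring it would silently read `process.config` instead of throwing a ReferenceError. Remove `const { isArray } = require('util');` and `const { config } = require('process');`. The constructor continues beyond the hunk, so whether other references to `config` exist is not visible here.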
{ | ||
"name": "@sap/xssec", | ||
"version": "3.0.10", | ||
"version": "3.1.0", | ||
"description": "XS Advanced Container Security API for node.js", | ||
@@ -19,2 +19,5 @@ "main": "./lib", | ||
], | ||
"engines": { | ||
"node": ">=10.0.0" | ||
}, | ||
"devDependencies": { | ||
@@ -25,3 +28,4 @@ "mocha": "^5.1.0", | ||
"jwt-decode": "^2.2.0", | ||
"@sap/xsenv": "^2.2.0" | ||
"@sap/xsenv": "^2.2.0", | ||
"node-forge": "^0.10.0" | ||
}, | ||
@@ -36,2 +40,2 @@ "dependencies": { | ||
} | ||
} | ||
} |
@@ -73,2 +73,4 @@ @sap/xssec: XS Advanced Container Security API for node.js | ||
With version 3.1.0 there is a support for multiple configuration objects for one SecurityContext. For more details have a look [here](doc/MultiConfiguration.md). | ||
### Usage with Passport Strategy | ||
@@ -253,3 +255,3 @@ | ||
* `access token` ... the access token as received from UAA in the "authorization Bearer" HTTP header | ||
* `config` ... a structure with mandatory elements url, clientid and clientsecret or cache configuration | ||
* `config` ... a structure with mandatory elements url, clientid and clientsecret or cache configuration. Since version 3.1.0 it may also be an array of these structures (have a look [here](doc/MultiConfiguration.md)) | ||
* `callback(error, securityContext, tokenInfo)` | ||
@@ -256,0 +258,0 @@ |