openid-client
Advanced tools
Comparing version 0.2.0 to 0.3.0
| Following semver, 1.0.0 will mark the first API stable release and commence of this file, | ||
| until then please use the compare views of github for reference. | ||
| - https://github.com/panva/node-openid-client/compare/v0.2.0...v0.3.0 | ||
| - encrypted userinfo and idtoken response handling | ||
| - https://github.com/panva/node-openid-client/compare/v0.1.0...v0.2.0 | ||
| - httpOptions configurable on a library level | ||
| - signed userinfo response handling |
@@ -86,38 +86,50 @@ 'use strict'; | ||
| }) | ||
| // .then(tokenset => this.decryptIdToken(tokenset, 'id_token')) | ||
| .then(tokenset => this.decryptIdToken(tokenset, 'id_token')) | ||
| .then(tokenset => this.validateIdToken(tokenset, toCheck.nonce, 'id_token')); | ||
| } | ||
| // decryptIdToken(token, use) { | ||
| // if ( | ||
| // (use === 'userinfo' && !this.userinfo_encrypted_response_alg) || | ||
| // !this.id_token_encrypted_response_alg | ||
| // ) { | ||
| // return token; | ||
| // } | ||
| // | ||
| // let idToken = token; | ||
| // | ||
| // if (idToken instanceof TokenSet) { | ||
| // if (!idToken.id_token) { | ||
| // throw new Error('id_token not present in TokenSet'); | ||
| // } | ||
| // | ||
| // idToken = idToken.id_token; | ||
| // } | ||
| // | ||
| // // let expectedAlg; | ||
| // // let expectedEnc; | ||
| // // | ||
| // // if (use === 'userinfo') { | ||
| // // expectedAlg = this.userinfo_encrypted_response_alg; | ||
| // // expectedEnc = this.userinfo_encrypted_response_enc; | ||
| // // } else { | ||
| // // expectedAlg = this.id_token_encrypted_response_alg; | ||
| // // expectedEnc = this.id_token_encrypted_response_enc; | ||
| // // } | ||
| // | ||
| // return token; | ||
| // } | ||
| decryptIdToken(token, use) { | ||
| if ( | ||
| (use === 'userinfo' && !this.userinfo_encrypted_response_alg) || | ||
| !this.id_token_encrypted_response_alg | ||
| ) { | ||
| return token; | ||
| } | ||
| let idToken = token; | ||
| if (idToken instanceof TokenSet) { | ||
| if (!idToken.id_token) { | ||
| throw new Error('id_token not present in TokenSet'); | ||
| } | ||
| idToken = idToken.id_token; | ||
| } | ||
| let expectedAlg; | ||
| let expectedEnc; | ||
| if (use === 'userinfo') { | ||
| expectedAlg = this.userinfo_encrypted_response_alg; | ||
| expectedEnc = this.userinfo_encrypted_response_enc; | ||
| } else { | ||
| expectedAlg = this.id_token_encrypted_response_alg; | ||
| expectedEnc = this.id_token_encrypted_response_enc; | ||
| } | ||
| const header = idToken.split('.')[0]; | ||
| const headerObject = JSON.parse(base64url.decode(header)); | ||
| assert.equal(headerObject.alg, expectedAlg, 'unexpected alg used'); | ||
| assert.equal(headerObject.enc, expectedEnc, 'unexpected enc used'); | ||
| return jose.JWE.createDecrypt(this.keystore).decrypt(idToken).then(result => { | ||
| if (token instanceof TokenSet) { | ||
| token.id_token = result.payload.toString('utf8'); | ||
| return token; | ||
| } | ||
| return result.payload.toString('utf8'); | ||
| }); | ||
| } | ||
| validateIdToken(token, nonce, use) { | ||
@@ -198,2 +210,6 @@ let idToken = token; | ||
| if (headerObject.alg === 'none') { | ||
| return Promise.resolve(token); | ||
| } | ||
| return (headerObject.alg.startsWith('HS') ? this.joseSecret() : this.issuer.key(headerObject)) | ||
@@ -217,3 +233,5 @@ .then(key => jose.JWS.createVerify(key).verify(idToken)) | ||
| refresh_token: String(token), | ||
| }).then(tokenset => this.validateIdToken(tokenset)); | ||
| }) | ||
| .then(tokenset => this.decryptIdToken(tokenset, 'id_token')) | ||
| .then(tokenset => this.validateIdToken(tokenset, undefined, 'id_token')); | ||
| } | ||
@@ -220,0 +238,0 @@ |
| { | ||
| "name": "openid-client", | ||
| "version": "0.2.0", | ||
| "version": "0.3.0", | ||
| "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js", | ||
@@ -5,0 +5,0 @@ "main": "lib/index.js", |
@@ -190,2 +190,11 @@ # openid-client | ||
| receiving [signed and encrypted userinfo][signed-userinfo] responses? decrypt and validate using the | ||
| library, then safely decode yourself; additional to `userinfo_signed_response_alg` you must also | ||
| have `userinfo_encrypted_response_alg` and `userinfo_encrypted_response_enc` set on the client | ||
| ```js | ||
| client.userinfo(accessToken) | ||
| .then(jwt => client.decryptIdToken(jwt, 'userinfo')) | ||
| .then(jwt => client.validateIdToken(jwt, null, 'userinfo')); // => resolves with decrypted and validated JWT | ||
| ``` | ||
| ### Custom token endpoint grants | ||
@@ -217,4 +226,3 @@ Use when the token endpoint also supports client_credentials or password grants; | ||
| ### Changing HTTP request defaults | ||
| Setting `defaultHttpOptions` on `Issuer` always merges your passed options with the default. The | ||
| default being. openid-client uses [got][got-library] for http requests. | ||
| Setting `defaultHttpOptions` on `Issuer` always merges your passed options with the default. openid-client uses [got][got-library] for http requests with the following default request options | ||
@@ -256,3 +264,3 @@ ```js | ||
| [feature-introspection]: https://tools.ietf.org/html/rfc7662 | ||
| [got]: https://github.com/sindresorhus/got | ||
| [got-library]: https://github.com/sindresorhus/got | ||
| [signed-userinfo]: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse |
No alert changes
Improved metrics
- Total package byte prevSize
- increased by3.63%
34084
- Lines of code
- increased by1.41%
649
- Number of lines in readme file
- increased by3.13%
264
No dependency changes