openid-client
Comparing version 0.2.0 to 0.3.0
Following semver, 1.0.0 will mark the first API stable release and commence of this file, | ||
until then please use the compare views of github for reference. | ||
- https://github.com/panva/node-openid-client/compare/v0.2.0...v0.3.0 | ||
- encrypted userinfo and idtoken response handling | ||
- https://github.com/panva/node-openid-client/compare/v0.1.0...v0.2.0 | ||
- httpOptions configurable on a library level | ||
- signed userinfo response handling |
@@ -86,38 +86,50 @@ 'use strict'; | ||
}) | ||
// .then(tokenset => this.decryptIdToken(tokenset, 'id_token')) | ||
.then(tokenset => this.decryptIdToken(tokenset, 'id_token')) | ||
.then(tokenset => this.validateIdToken(tokenset, toCheck.nonce, 'id_token')); | ||
} | ||
// decryptIdToken(token, use) { | ||
// if ( | ||
// (use === 'userinfo' && !this.userinfo_encrypted_response_alg) || | ||
// !this.id_token_encrypted_response_alg | ||
// ) { | ||
// return token; | ||
// } | ||
// | ||
// let idToken = token; | ||
// | ||
// if (idToken instanceof TokenSet) { | ||
// if (!idToken.id_token) { | ||
// throw new Error('id_token not present in TokenSet'); | ||
// } | ||
// | ||
// idToken = idToken.id_token; | ||
// } | ||
// | ||
// // let expectedAlg; | ||
// // let expectedEnc; | ||
// // | ||
// // if (use === 'userinfo') { | ||
// // expectedAlg = this.userinfo_encrypted_response_alg; | ||
// // expectedEnc = this.userinfo_encrypted_response_enc; | ||
// // } else { | ||
// // expectedAlg = this.id_token_encrypted_response_alg; | ||
// // expectedEnc = this.id_token_encrypted_response_enc; | ||
// // } | ||
// | ||
// return token; | ||
// } | ||
decryptIdToken(token, use) { | ||
if ( | ||
(use === 'userinfo' && !this.userinfo_encrypted_response_alg) || | ||
!this.id_token_encrypted_response_alg | ||
) { | ||
return token; | ||
} | ||
let idToken = token; | ||
if (idToken instanceof TokenSet) { | ||
if (!idToken.id_token) { | ||
throw new Error('id_token not present in TokenSet'); | ||
} | ||
idToken = idToken.id_token; | ||
} | ||
let expectedAlg; | ||
let expectedEnc; | ||
if (use === 'userinfo') { | ||
expectedAlg = this.userinfo_encrypted_response_alg; | ||
expectedEnc = this.userinfo_encrypted_response_enc; | ||
} else { | ||
expectedAlg = this.id_token_encrypted_response_alg; | ||
expectedEnc = this.id_token_encrypted_response_enc; | ||
} | ||
const header = idToken.split('.')[0]; | ||
const headerObject = JSON.parse(base64url.decode(header)); | ||
assert.equal(headerObject.alg, expectedAlg, 'unexpected alg used'); | ||
assert.equal(headerObject.enc, expectedEnc, 'unexpected enc used'); | ||
return jose.JWE.createDecrypt(this.keystore).decrypt(idToken).then(result => { | ||
if (token instanceof TokenSet) { | ||
token.id_token = result.payload.toString('utf8'); | ||
return token; | ||
} | ||
return result.payload.toString('utf8'); | ||
}); | ||
} | ||
validateIdToken(token, nonce, use) { | ||
@@ -198,2 +210,6 @@ let idToken = token; | ||
if (headerObject.alg === 'none') { | ||
return Promise.resolve(token); | ||
} | ||
return (headerObject.alg.startsWith('HS') ? this.joseSecret() : this.issuer.key(headerObject)) | ||
@@ -217,3 +233,5 @@ .then(key => jose.JWS.createVerify(key).verify(idToken)) | ||
refresh_token: String(token), | ||
}).then(tokenset => this.validateIdToken(tokenset)); | ||
}) | ||
.then(tokenset => this.decryptIdToken(tokenset, 'id_token')) | ||
.then(tokenset => this.validateIdToken(tokenset, undefined, 'id_token')); | ||
} | ||
@@ -220,0 +238,0 @@ |
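Review bot: The early return added in this file's second hunk, `if (headerObject.alg === 'none') { return Promise.resolve(token); }`, resolves the token without any signature check, so unless a line above the hunk (validateIdToken starts and ends outside it) already asserts `headerObject.alg` against the client's registered signed_response_alg, an unsigned ID token or userinfo JWT is accepted for every client. Gate it on the registered algorithm instead, e.g. `if (headerObject.alg === 'none') { assert.equal(expectedAlg, 'none', 'unexpected alg used'); return Promise.resolve(token); }`, where `expectedAlg` stands for the client's id_token_signed_response_alg or userinfo_signed_response_alg depending on `use`. In the first hunk, decryptIdToken's guard is also wrong for `use === 'userinfo'`: its second clause `!this.id_token_encrypted_response_alg` is evaluated regardless of `use`, so a client with only userinfo encryption configured gets the still-encrypted JWE back; the clause should read `(use !== 'userinfo' && !this.id_token_encrypted_response_alg)`. The two `assert.equal` calls on the parsed header compare with loose equality; `assert.strictEqual` is the conventional choice for matching algorithm identifiers.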
{ | ||
"name": "openid-client", | ||
"version": "0.2.0", | ||
"version": "0.3.0", | ||
"description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js", | ||
@@ -5,0 +5,0 @@ "main": "lib/index.js", |
@@ -190,2 +190,11 @@ # openid-client | ||
receiving [signed and encrypted userinfo][signed-userinfo] responses? decrypt and validate using the | ||
library, then safely decode yourself; additional to `userinfo_signed_response_alg` you must also | ||
have `userinfo_encrypted_response_alg` and `userinfo_encrypted_response_enc` set on the client | ||
```js | ||
client.userinfo(accessToken) | ||
.then(jwt => client.decryptIdToken(jwt, 'userinfo')) | ||
.then(jwt => client.validateIdToken(jwt, null, 'userinfo')); // => resolves with decrypted and validated JWT | ||
``` | ||
### Custom token endpoint grants | ||
@@ -217,4 +226,3 @@ Use when the token endpoint also supports client_credentials or password grants; | ||
### Changing HTTP request defaults | ||
Setting `defaultHttpOptions` on `Issuer` always merges your passed options with the default. The | ||
default being. openid-client uses [got][got-library] for http requests. | ||
Setting `defaultHttpOptions` on `Issuer` always merges your passed options with the default. openid-client uses [got][got-library] for http requests with the following default request options | ||
@@ -256,3 +264,3 @@ ```js | ||
[feature-introspection]: https://tools.ietf.org/html/rfc7662 | ||
[got]: https://github.com/sindresorhus/got | ||
[got-library]: https://github.com/sindresorhus/got | ||
[signed-userinfo]: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse |