openid-client - npm Package Compare versions

Comparing version 1.0.1 to 1.0.2

CHANGELOG.md

@@ -8,2 +8,3 @@ # openid-client CHANGELOG
 <!-- TOC START min:2 max:2 link:true update:true -->
+  - [Version 1.0.2](#version-102)
   - [Version 1.0.1](#version-101)
@@ -16,2 +17,6 @@ - [Version 1.0.0](#version-100)
 
+## Version 1.0.2
+- [DIFF](https://github.com/panva/node-openid-client/compare/v1.0.1...v1.0.2)
+- fixed signed userinfo response validation in case iss, aud and similar ID Token claims are missing
+
 ## Version 1.0.1
@@ -18,0 +23,0 @@ - [DIFF](https://github.com/panva/node-openid-client/compare/v1.0.0...v1.0.1)

lib/base_client.js

@@ -270,12 +270,20 @@ 'use strict';
 
-  validateIdToken(token, nonce, use) {
+  validateIdToken(token, nonce, intent) {
     let idToken = token;
-    let expectedAlg;
 
-    if (use === 'userinfo') {
-      expectedAlg = this.userinfo_signed_response_alg;
-    } else {
-      expectedAlg = this.id_token_signed_response_alg;
-    }
+    const use = (() => {
+      switch (intent) {
+        case 'id_token':
+        case 'userinfo':
+          return intent;
+        default:
+          return 'id_token';
+      }
+    })();
 
+    const expectedAlg = (() => {
+      if (use === 'userinfo') return this.userinfo_signed_response_alg;
+      return this.id_token_signed_response_alg;
+    })();
+
     const isTokenSet = idToken instanceof TokenSet;
@@ -308,8 +316,15 @@
 
-    ['iss', 'sub', 'aud', 'exp', 'iat'].forEach(verifyPresence);
-    assert.equal(this.issuer.issuer, payloadObject.iss, 'unexpected iss value');
+    if (use === 'id_token') {
+      ['iss', 'sub', 'aud', 'exp', 'iat'].forEach(verifyPresence);
+    }
 
-    assert.equal(typeof payloadObject.iat, 'number', 'iat is not a number');
-    assert(payloadObject.iat <= now, 'id_token issued in the future');
+    if (payloadObject.iss !== undefined) {
+      assert.equal(this.issuer.issuer, payloadObject.iss, 'unexpected iss value');
+    }
 
+    if (payloadObject.iat !== undefined) {
+      assert.equal(typeof payloadObject.iat, 'number', 'iat is not a number');
+      assert(payloadObject.iat <= now, 'id_token issued in the future');
+    }
+
     if (payloadObject.nbf !== undefined) {
@@ -324,9 +339,13 @@ assert.equal(typeof payloadObject.nbf, 'number', 'nbf is not a number');
 
-    assert.equal(typeof payloadObject.exp, 'number', 'exp is not a number');
-    assert(now < payloadObject.exp, 'id_token expired');
+    if (payloadObject.exp !== undefined) {
+      assert.equal(typeof payloadObject.exp, 'number', 'exp is not a number');
+      assert(now < payloadObject.exp, 'id_token expired');
+    }
 
-    if (!Array.isArray(payloadObject.aud)) {
-      payloadObject.aud = [payloadObject.aud];
-    } else if (payloadObject.aud.length > 1 && !payloadObject.azp) {
-      throw new Error('missing required JWT property azp');
+    if (payloadObject.aud !== undefined) {
+      if (!Array.isArray(payloadObject.aud)) {
+        payloadObject.aud = [payloadObject.aud];
+      } else if (payloadObject.aud.length > 1 && !payloadObject.azp) {
+        throw new Error('missing required JWT property azp');
+      }
     }
@@ -338,9 +357,11 @@
 
-    assert(payloadObject.aud.indexOf(this.client_id) !== -1, 'aud is missing the client_id');
+    if (payloadObject.aud !== undefined) {
+      assert(payloadObject.aud.indexOf(this.client_id) !== -1, 'aud is missing the client_id');
+    }
 
-    if (isTokenSet && payloadObject.at_hash) {
+    if (isTokenSet && payloadObject.at_hash !== undefined) {
       assert(tokenHash(payloadObject.at_hash, token.access_token), 'at_hash mismatch');
     }
 
-    if (isTokenSet && payloadObject.c_hash) {
+    if (isTokenSet && payloadObject.c_hash !== undefined) {
       assert(tokenHash(payloadObject.c_hash, token.code), 'c_hash mismatch');
@@ -507,3 +528,3 @@ }
 
-      return got.get(def.endpoint, this.issuer.httpOptions(opts)).then((response) => {
+      return got(def.endpoint, this.issuer.httpOptions(opts)).then((response) => {
         const data = JSON.parse(response.body);
@@ -652,3 +673,3 @@ delete claims._claim_sources[sourceName];
   static fromUri(uri, token) {
-    return got.get(uri, this.issuer.httpOptions({
+    return got(uri, this.issuer.httpOptions({
       headers: { Authorization: bearer(token) },
@@ -655,0 +676,0 @@ })).then(response => new this(JSON.parse(response.body)), gotErrorHandler);

lib/issuer.js

@@ -74,3 +74,3 @@ 'use strict';
       lookupCache.reset();
-      return got.get(this.jwks_uri, this.httpOptions())
+      return got(this.jwks_uri, this.httpOptions())
       .then(response => JSON.parse(response.body), gotErrorHandler)
@@ -114,3 +114,3 @@ .then(jwks => jose.JWK.asKeyStore(jwks))
 
-    return got.get(`https://${host}${WEBFINGER}`, this.httpOptions(opts))
+    return got(`https://${host}${WEBFINGER}`, this.httpOptions(opts))
       .then(response => JSON.parse(response.body))
@@ -140,3 +140,3 @@ .then((body) => {
 
-    return got.get(wellKnownUri, this.httpOptions())
+    return got(wellKnownUri, this.httpOptions())
       .then(response => new this(JSON.parse(response.body)), gotErrorHandler);
@@ -143,0 +143,0 @@ }

package.json

 {
   "name": "openid-client",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js",
@@ -5,0 +5,0 @@ "main": "lib/index.js",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

51317

increased by1.43%

Lines of code

945

increased by2.05%

No dependency changes