openid-client - npm Package Compare versions

Comparing version 1.0.2 to 1.1.0

CHANGELOG.md

@@ -8,2 +8,3 @@ # openid-client CHANGELOG
 <!-- TOC START min:2 max:2 link:true update:true -->
+  - [Version 1.1.0](#version-110)
   - [Version 1.0.2](#version-102)
@@ -17,2 +18,7 @@ - [Version 1.0.1](#version-101)
 
+## Version 1.1.0
+- [DIFF](https://github.com/panva/node-openid-client/compare/v1.0.2...v1.1.0)
+- fixed unpacking aggregated claims with alg=none and no iss claim
+- fetching distributed claims now expects a JWT response, previously expected invalid OP responses
+
 ## Version 1.0.2
@@ -19,0 +25,0 @@ - [DIFF](https://github.com/panva/node-openid-client/compare/v1.0.1...v1.0.2)

lib/base_client.js

@@ -56,3 +56,6 @@ 'use strict';
 function getFromJWT(jwt, position, claim) {
-  const parsed = JSON.parse(base64url.decode(jwt.split('.')[position]));
+  assert.equal(typeof jwt, 'string', 'invalid JWT type, expected a string');
+  const parts = jwt.split('.');
+  assert.equal(parts.length, 3, 'invalid JWT format, expected three parts');
+  const parsed = JSON.parse(base64url.decode(parts[position]));
   return typeof claim === 'undefined' ? parsed : parsed[claim];
@@ -73,2 +76,6 @@ }
 
+function getPayload(jwt) {
+  return getFromJWT(jwt, 1);
+}
+
 function assignErrSrc(sourceName) {
@@ -100,2 +107,27 @@ return (err) => {
 
+function claimJWT(jwt) {
+  try {
+    const iss = getIss(jwt);
+    const keyDef = getHeader(jwt);
+    assert(keyDef.alg, 'claim source is missing JWT header alg property');
+
+    if (keyDef.alg === 'none') return Promise.resolve(getPayload(jwt));
+
+    const getKey = (() => {
+      if (!iss || iss === this.issuer.issuer) {
+        return this.issuer.key(keyDef);
+      } else if (issuerRegistry.has(iss)) {
+        return issuerRegistry.get(iss).key(keyDef);
+      }
+      return this.issuer.constructor.discover(iss).then(issuer => issuer.key(keyDef));
+    })();
+
+    return getKey
+      .then(key => jose.JWS.createVerify(key).verify(jwt))
+      .then(result => JSON.parse(result.payload));
+  } catch (error) {
+    return Promise.reject(error);
+  }
+}
+
 class BaseClient {
@@ -527,7 +559,8 @@ constructor(metadata, keystore) {
 
-      return got(def.endpoint, this.issuer.httpOptions(opts)).then((response) => {
-        const data = JSON.parse(response.body);
-        delete claims._claim_sources[sourceName];
-        _.forEach(claims._claim_names, assignClaim(claims, data, sourceName));
-      }, gotErrorHandler).catch(assignErrSrc(sourceName));
+      return got(def.endpoint, this.issuer.httpOptions(opts))
+        .then(response => claimJWT.call(this, response.body), gotErrorHandler)
+        .then((data) => {
+          delete claims._claim_sources[sourceName];
+          _.forEach(claims._claim_names, assignClaim(claims, data, sourceName));
+        }).catch(assignErrSrc(sourceName));
     })).then(() => cleanUpClaims(claims));
@@ -540,25 +573,10 @@ }
     return Promise.all(_.map(aggregatedSources, (def, sourceName) => {
-      let getKey;
-      try {
-        const iss = getIss(def.JWT);
-        const keyDef = getHeader(def.JWT);
+      const decoded = claimJWT.call(this, def.JWT);
 
-        if (issuerRegistry.has(iss)) {
-          getKey = issuerRegistry.get(iss).key(keyDef);
-        } else {
-          getKey = this.issuer.constructor.discover(iss).then(issuer => issuer.key(keyDef));
-        }
-      } catch (error) {
-        getKey = Promise.reject(error);
-      }
-
-      return getKey.then(key => jose.JWS.createVerify(key).verify(def.JWT))
-        .then(result => JSON.parse(result.payload))
-        .then((data) => {
-          delete claims._claim_sources[sourceName];
-          _.forEach(claims._claim_names, assignClaim(claims, data, sourceName));
-        }).catch(assignErrSrc(sourceName));
+      return decoded.then((data) => {
+        delete claims._claim_sources[sourceName];
+        _.forEach(claims._claim_names, assignClaim(claims, data, sourceName));
+      }).catch(assignErrSrc(sourceName));
     })).then(() => cleanUpClaims(claims));
   }
-
   /* eslint-enable no-underscore-dangle */
@@ -565,0 +583,0 @@

package.json

 {
   "name": "openid-client",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js",
@@ -5,0 +5,0 @@ "main": "lib/index.js",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

52163

increased by1.65%

Lines of code

960

increased by1.59%

No dependency changes