openid-client
Comparing version 1.15.0 to 1.16.0
@@ -8,2 +8,4 @@ # openid-client CHANGELOG | ||
<!-- TOC START min:2 max:2 link:true update:true --> | ||
- [Version 1.16.0](#version-1160) | ||
- [Version 1.15.0](#version-1150) | ||
- [Version 1.14.0](#version-1140) | ||
@@ -29,2 +31,7 @@ - [Version 1.13.0](#version-1130) | ||
## Version 1.16.0 | ||
- [DIFF](https://github.com/panva/node-openid-client/compare/v1.15.0...v1.15.1) | ||
- added `s_hash` value validation support for ID Tokens returned by authorization endpoint | ||
- fixed edge cases where valid `_hash` but from invalid sha-length was accepted | ||
## Version 1.15.0 | ||
@@ -31,0 +38,0 @@ - [DIFF](https://github.com/panva/node-openid-client/compare/v1.14.0...v1.15.0) |
@@ -103,4 +103,6 @@ 'use strict'; | ||
assert(authParams.response_type === 'code' || authParams.nonce, | ||
'nonce MUST be provided for implicit and hybrid flows'); | ||
assert( | ||
authParams.response_type === 'code' || authParams.nonce, | ||
'nonce MUST be provided for implicit and hybrid flows' | ||
); | ||
@@ -146,4 +148,6 @@ return authParams; | ||
const deprecatedKeystore = util.deprecate(keystore => keystore, | ||
'passing keystore directly is deprecated, pass an object with keystore property instead'); | ||
const deprecatedKeystore = util.deprecate( | ||
keystore => keystore, | ||
'passing keystore directly is deprecated, pass an object with keystore property instead' | ||
); | ||
@@ -159,4 +163,6 @@ class Client { | ||
if (String(properties.token_endpoint_auth_method).endsWith('_jwt')) { | ||
assert(this.issuer.token_endpoint_auth_signing_alg_values_supported, | ||
'token_endpoint_auth_signing_alg_values_supported must be provided on the issuer'); | ||
assert( | ||
this.issuer.token_endpoint_auth_signing_alg_values_supported, | ||
'token_endpoint_auth_signing_alg_values_supported must be provided on the issuer' | ||
); | ||
} | ||
@@ -170,4 +176,6 @@ | ||
if (String(properties[`${endpoint}_endpoint_auth_method`]).endsWith('_jwt')) { | ||
assert(this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`], | ||
`${endpoint}_endpoint_auth_signing_alg_values_supported must be provided on the issuer`); | ||
assert( | ||
this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`], | ||
`${endpoint}_endpoint_auth_signing_alg_values_supported must be provided on the issuer` | ||
); | ||
} | ||
@@ -236,4 +244,6 @@ }); | ||
assert(isString || isIncomingMessage, | ||
'#callbackParams only accepts string urls, http.IncomingMessage or a lookalike'); | ||
assert( | ||
isString || isIncomingMessage, | ||
'#callbackParams only accepts string urls, http.IncomingMessage or a lookalike' | ||
); | ||
@@ -296,3 +306,3 @@ let uri; | ||
.then(tokenset => this.decryptIdToken(tokenset, 'id_token')) | ||
.then(tokenset => this.validateIdToken(tokenset, toCheck.nonce, 'authorization', toCheck.max_age)); | ||
.then(tokenset => this.validateIdToken(tokenset, toCheck.nonce, 'authorization', toCheck.max_age, toCheck.state)); | ||
} | ||
@@ -405,3 +415,3 @@ | ||
*/ | ||
validateIdToken(tokenSet, nonce, returnedBy, maxAge) { | ||
validateIdToken(tokenSet, nonce, returnedBy, maxAge, state) { | ||
let idToken = tokenSet; | ||
@@ -491,10 +501,15 @@ | ||
assert(payload.c_hash || !tokenSet.code, 'missing required property c_hash'); | ||
if (payload.s_hash) { | ||
assert(state, 'cannot verify s_hash, state not provided'); | ||
assert(tokenHash(payload.s_hash, state, header.alg), 's_hash mismatch'); | ||
} | ||
} | ||
if (tokenSet.access_token && payload.at_hash !== undefined) { | ||
assert(tokenHash(payload.at_hash, tokenSet.access_token), 'at_hash mismatch'); | ||
assert(tokenHash(payload.at_hash, tokenSet.access_token, header.alg), 'at_hash mismatch'); | ||
} | ||
if (tokenSet.code && payload.c_hash !== undefined) { | ||
assert(tokenHash(payload.c_hash, tokenSet.code), 'c_hash mismatch'); | ||
assert(tokenHash(payload.c_hash, tokenSet.code, header.alg), 'c_hash mismatch'); | ||
} | ||
@@ -755,4 +770,6 @@ | ||
if (!alg) { | ||
alg = _.find(this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`], | ||
signAlg => key.algorithms('sign').indexOf(signAlg) !== -1); | ||
alg = _.find( | ||
this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`], | ||
signAlg => key.algorithms('sign').indexOf(signAlg) !== -1 | ||
); | ||
} | ||
@@ -773,4 +790,6 @@ | ||
alg = _.find(this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`], | ||
signAlg => algz.indexOf(signAlg) !== -1); | ||
alg = _.find( | ||
this.issuer[`${endpoint}_endpoint_auth_signing_alg_values_supported`], | ||
signAlg => algz.indexOf(signAlg) !== -1 | ||
); | ||
} | ||
@@ -798,3 +817,3 @@ | ||
switch (this[`${endpoint}_endpoint_auth_method`] || this.token_endpoint_auth_method) { | ||
case 'none' : | ||
case 'none': | ||
return { | ||
@@ -812,4 +831,4 @@ body: { | ||
}; | ||
case 'private_key_jwt' : | ||
case 'client_secret_jwt' : { | ||
case 'private_key_jwt': | ||
case 'client_secret_jwt': { | ||
const timestamp = now(); | ||
@@ -824,6 +843,8 @@ return this.createSign(endpoint).then(sign => sign.update(JSON.stringify({ | ||
})).final().then((client_assertion) => { // eslint-disable-line camelcase, arrow-body-style | ||
return { body: { | ||
client_assertion, | ||
client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', | ||
} }; | ||
return { | ||
body: { | ||
client_assertion, | ||
client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer', | ||
}, | ||
}; | ||
})); | ||
@@ -830,0 +851,0 @@ } |
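Review bot: The new s_hash branch is gated on truthiness (`if (payload.s_hash) {`) while the sibling at_hash and c_hash checks a few lines below test `!== undefined`, so a present-but-empty `s_hash` claim is silently skipped instead of reaching tokenHash the way an empty at_hash or c_hash would; `if (payload.s_hash !== undefined) {` keeps the three checks consistent. Verification also stays opt-in on the token's own contents — nothing lets a caller demand an s_hash when the provider is expected to emit one — which is presumably deliberate since the claim is optional, but it deserves a comment at the branch, e.g. `// s_hash is optional; verified only when the provider included it`. The signature hunk adds `state` to validateIdToken directly under a closing `*/`, and the JSDoc above it lies outside the hunk, so confirm a `@param` for state was added there. validateIdToken begins before these hunks, and the block the s_hash branch sits in opens outside the hunk and closes at the `}` just after it.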
@@ -8,6 +8,8 @@ 'use strict'; | ||
return function expectResponseBody(response) { | ||
assert(response.body, | ||
`expected ${statusCode} ${STATUS_CODES[statusCode]} with body, got ${response.statusCode} ${STATUS_CODES[response.statusCode]} without one`); | ||
assert( | ||
response.body, | ||
`expected ${statusCode} ${STATUS_CODES[statusCode]} with body, got ${response.statusCode} ${STATUS_CODES[response.statusCode]} without one` | ||
); | ||
return response; | ||
}; | ||
}; |
{ | ||
"name": "openid-client", | ||
"version": "1.15.0", | ||
"version": "1.16.0", | ||
"description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js servers, supports passportjs", | ||
@@ -46,5 +46,4 @@ "main": "lib/index.js", | ||
"chai": "^4.0.0", | ||
"co-mocha": "^1.1.3", | ||
"eslint": "^4.3.0", | ||
"eslint-config-airbnb-base": "^11.0.0", | ||
"eslint-config-airbnb-base": "^12.0.0", | ||
"eslint-plugin-import": "^2.0.1", | ||
@@ -56,7 +55,7 @@ "koa": "^2.2.0", | ||
"koa-session": "^5.0.0", | ||
"mocha": "^3.0.0", | ||
"mocha": "^4.0.0", | ||
"nock": "^9.0.14", | ||
"nyc": "^11.0.1", | ||
"readable-mock-req": "^0.2.2", | ||
"sinon": "^3.0.0", | ||
"sinon": "^4.0.0", | ||
"timekeeper": "^2.0.0" | ||
@@ -70,4 +69,4 @@ }, | ||
"lru-cache": "^4.0.1", | ||
"node-jose": "^0.9.4", | ||
"oidc-token-hash": "^1.0.0", | ||
"node-jose": "^0.10.0", | ||
"oidc-token-hash": "^2.0.0", | ||
"uuid": "^3.0.0" | ||
@@ -74,0 +73,0 @@ }, |
+ Added node-jose@0.10.0 (transitive)
+ Added oidc-token-hash@2.0.0 (transitive)
- Removed node-jose@0.9.5 (transitive)
- Removed oidc-token-hash@1.0.1 (transitive)
Updated node-jose@^0.10.0
Updated oidc-token-hash@^2.0.0