openid-client - npm Package Compare versions

Comparing version 1.17.0 to 1.18.0

CHANGELOG.md

@@ -31,2 +31,7 @@ # openid-client CHANGELOG
 
+## Version 1.18.0
+- [DIFF](https://github.com/panva/node-openid-client/compare/v1.17.0...v1.18.0)
+- added option for the passport strategy to use PKCE
+- updated http request library `got` dependency
+
 ## Version 1.17.0
@@ -33,0 +38,0 @@ - [DIFF](https://github.com/panva/node-openid-client/compare/v1.16.0...v1.17.0)

lib/passport_strategy.js

@@ -7,2 +7,4 @@ 'use strict';
 const uuid = require('uuid');
+const base64url = require('base64url');
+const crypto = require('crypto');
 const url = require('url');
@@ -45,2 +47,3 @@ const assert = require('assert');
   this._passReqToCallback = opts.passReqToCallback;
+  this._usePKCE = opts.usePKCE;
   this._key = opts.sessionKey || `oidc:${url.parse(this._issuer.issuer).hostname}`;
@@ -50,2 +53,17 @@ this._params = opts.params || {};
 
+  if (this._usePKCE === true) {
+    const supportedMethods = this._issuer.code_challenge_methods_supported;
+    assert(Array.isArray(supportedMethods), 'code_challenge_methods_supported is not properly set on issuer');
+    assert(supportedMethods.length, 'issuer code_challenge_methods_supported is empty');
+    if (supportedMethods.indexOf('S256') !== -1) {
+      this._usePKCE = 'S256';
+    } else if (supportedMethods.indexOf('plain') !== -1) {
+      this._usePKCE = 'plain';
+    } else {
+      throw new Error('neither S256 or plain code_challenge_method is supported by the issuer');
+    }
+  } else if (typeof this._usePKCE === 'string') {
+    assert(['plain', 'S256'].indexOf(this._usePKCE) !== -1, `${this._usePKCE} is not valid/implemented PKCE code_challenge_method`);
+  }
+
   this.name = url.parse(client.issuer.issuer).hostname;
@@ -61,3 +79,5 @@
   try {
-    if (!req.session) throw new Error('authentication requires session support when using state, max_age or nonce');
+    if (!req.session) {
+      throw new Error('authentication requires session support when using state, max_age or nonce');
+    }
     const reqParams = client.callbackParams(req);
@@ -69,12 +89,28 @@ const sessionKey = this._key;
       // provide options object with extra authentication parameters
-      const opts = _.defaults({}, options, this._params, {
+      const params = _.defaults({}, options, this._params, {
         state: uuid(),
       });
 
-      if (!opts.nonce && opts.response_type.includes('id_token')) {
-        opts.nonce = uuid();
+      if (!params.nonce && params.response_type.includes('id_token')) {
+        params.nonce = uuid();
       }
 
-      req.session[sessionKey] = _.pick(opts, 'nonce', 'state', 'max_age');
-      this.redirect(client.authorizationUrl(opts));
+      req.session[sessionKey] = _.pick(params, 'nonce', 'state', 'max_age');
+
+      if (this._usePKCE) {
+        const verifier = uuid();
+        req.session[sessionKey].code_verifier = verifier;
+
+        switch (this._usePKCE) { // eslint-disable-line default-case
+          case 'S256':
+            params.code_challenge = base64url(crypto.createHash('sha256').update(verifier).digest());
+            params.code_challenge_method = 'S256';
+            break;
+          case 'plain':
+            params.code_challenge = verifier;
+            break;
+        }
+      }
+
+      this.redirect(client.authorizationUrl(params));
       return;
@@ -89,2 +125,3 @@ }
     const nonce = _.get(session, 'nonce');
+    const codeVerifier = _.get(session, 'code_verifier');
 
@@ -99,3 +136,9 @@ try {
 
-    const checks = { state, nonce, max_age: maxAge };
+    const checks = {
+      state,
+      nonce,
+      max_age: maxAge,
+      code_verifier: codeVerifier,
+    };
+
     let callback = client.authorizationCallback(opts.redirect_uri, reqParams, checks)
@@ -102,0 +145,0 @@ .then((tokenset) => {

package.json

 {
   "name": "openid-client",
-  "version": "1.17.0",
+  "version": "1.18.0",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js servers, supports passportjs",
@@ -64,3 +64,3 @@ "main": "lib/index.js",
     "create-error-class": "^3.0.2",
-    "got": "^7.0.0",
+    "got": "^8.0.0",
     "lodash": "^4.13.1",
@@ -67,0 +67,0 @@ "lru-cache": "^4.0.1",

README.md

@@ -381,3 +381,7 @@ # openid-client
 
-passport.use('oidc', new Strategy({ client, [params], [passReqToCallback] }, (tokenset, userinfo, done) => {
+const usePKCE = true; // optional, defaults to false, when true the code_challenge_method will be
+                      // resolved from the issuer configuration, instead of true you may provide
+                      // any of the supported values directly, i.e. "S256" (recommended) or "plain"
+
+passport.use('oidc', new Strategy({ client, [params], [passReqToCallback], [usePKCE] }, (tokenset, userinfo, done) => {
   console.log('tokenset', tokenset);
@@ -437,3 +441,3 @@ console.log('access_token', tokenset.access_token);
 [travis-url]: https://travis-ci.org/panva/node-openid-client
-[conformance-image]: https://img.shields.io/travis/panva/openid-client-conformance-tests/master.svg?style=flat-square&maxAge=7200&label=daily%20conformance%20build
+[conformance-image]: https://img.shields.io/travis/panva/openid-client-conformance-tests/master.svg?style=flat-square&maxAge=7200&label=conformance%20build
 [conformance-url]: https://github.com/panva/openid-client-conformance-tests
@@ -440,0 +444,0 @@ [codecov-image]: https://img.shields.io/codecov/c/github/panva/node-openid-client/master.svg?style=flat-square&maxAge=7200

No alert changes

Improved metrics

Total package byte prevSize

81263

increased by2.56%

Lines of code

1467

increased by2.66%

Number of lines in readme file

458

increased by0.88%

Dependency changes

• + Added@sindresorhus/is@0.7.0(transitive)

• + Addedcacheable-request@2.1.4(transitive)

• + Addedclone-response@1.0.2(transitive)

• + Addedcore-util-is@1.0.3(transitive)

• + Addeddecode-uri-component@0.2.2(transitive)

• + Addedfrom2@2.3.0(transitive)

• + Addedgot@8.3.2(transitive)

• + Addedhttp-cache-semantics@3.8.1(transitive)

• + Addedinherits@2.0.4(transitive)

• + Addedinto-stream@3.1.0(transitive)

• + Addedisarray@1.0.0(transitive)

• + Addedjson-buffer@3.0.0(transitive)

• + Addedkeyv@3.0.0(transitive)

• + Addedlowercase-keys@1.0.0(transitive)

• + Addednormalize-url@2.0.1(transitive)

• + Addedobject-assign@4.1.1(transitive)

• + Addedp-cancelable@0.4.1(transitive)

• + Addedp-is-promise@1.1.0(transitive)

• + Addedp-timeout@2.0.1(transitive)

• + Addedpify@3.0.0(transitive)

• + Addedprepend-http@2.0.0(transitive)

• + Addedprocess-nextick-args@2.0.1(transitive)

• + Addedquery-string@5.1.1(transitive)

• + Addedreadable-stream@2.3.8(transitive)

• + Addedresponselike@1.0.2(transitive)

• + Addedsafe-buffer@5.1.2(transitive)

• + Addedsort-keys@2.0.0(transitive)

• + Addedstrict-uri-encode@1.1.0(transitive)

• + Addedstring_decoder@1.1.1(transitive)

• + Addedurl-parse-lax@3.0.0(transitive)

• + Addedutil-deprecate@1.0.2(transitive)

• - Removedgot@7.1.0(transitive)

• - Removedis-stream@1.1.0(transitive)

• - Removedp-cancelable@0.3.0(transitive)

• - Removedp-timeout@1.2.1(transitive)

• - Removedprepend-http@1.0.4(transitive)

• - Removedurl-parse-lax@1.0.0(transitive)

• Updatedgot@^8.0.0