openid-client
Comparing version 1.17.0 to 1.18.0
@@ -31,2 +31,7 @@ # openid-client CHANGELOG | ||
## Version 1.18.0 | ||
- [DIFF](https://github.com/panva/node-openid-client/compare/v1.17.0...v1.18.0) | ||
- added option for the passport strategy to use PKCE | ||
- updated http request library `got` dependency | ||
## Version 1.17.0 | ||
@@ -33,0 +38,0 @@ - [DIFF](https://github.com/panva/node-openid-client/compare/v1.16.0...v1.17.0) |
@@ -7,2 +7,4 @@ 'use strict'; | ||
const uuid = require('uuid'); | ||
const base64url = require('base64url'); | ||
const crypto = require('crypto'); | ||
const url = require('url'); | ||
@@ -45,2 +47,3 @@ const assert = require('assert'); | ||
this._passReqToCallback = opts.passReqToCallback; | ||
this._usePKCE = opts.usePKCE; | ||
this._key = opts.sessionKey || `oidc:${url.parse(this._issuer.issuer).hostname}`; | ||
@@ -50,2 +53,17 @@ this._params = opts.params || {}; | ||
if (this._usePKCE === true) { | ||
const supportedMethods = this._issuer.code_challenge_methods_supported; | ||
assert(Array.isArray(supportedMethods), 'code_challenge_methods_supported is not properly set on issuer'); | ||
assert(supportedMethods.length, 'issuer code_challenge_methods_supported is empty'); | ||
if (supportedMethods.indexOf('S256') !== -1) { | ||
this._usePKCE = 'S256'; | ||
} else if (supportedMethods.indexOf('plain') !== -1) { | ||
this._usePKCE = 'plain'; | ||
} else { | ||
throw new Error('neither S256 or plain code_challenge_method is supported by the issuer'); | ||
} | ||
} else if (typeof this._usePKCE === 'string') { | ||
assert(['plain', 'S256'].indexOf(this._usePKCE) !== -1, `${this._usePKCE} is not valid/implemented PKCE code_challenge_method`); | ||
} | ||
this.name = url.parse(client.issuer.issuer).hostname; | ||
@@ -61,3 +79,5 @@ | ||
try { | ||
if (!req.session) throw new Error('authentication requires session support when using state, max_age or nonce'); | ||
if (!req.session) { | ||
throw new Error('authentication requires session support when using state, max_age or nonce'); | ||
} | ||
const reqParams = client.callbackParams(req); | ||
@@ -69,12 +89,28 @@ const sessionKey = this._key; | ||
// provide options object with extra authentication parameters | ||
const opts = _.defaults({}, options, this._params, { | ||
const params = _.defaults({}, options, this._params, { | ||
state: uuid(), | ||
}); | ||
if (!opts.nonce && opts.response_type.includes('id_token')) { | ||
opts.nonce = uuid(); | ||
if (!params.nonce && params.response_type.includes('id_token')) { | ||
params.nonce = uuid(); | ||
} | ||
req.session[sessionKey] = _.pick(opts, 'nonce', 'state', 'max_age'); | ||
this.redirect(client.authorizationUrl(opts)); | ||
req.session[sessionKey] = _.pick(params, 'nonce', 'state', 'max_age'); | ||
if (this._usePKCE) { | ||
const verifier = uuid(); | ||
req.session[sessionKey].code_verifier = verifier; | ||
switch (this._usePKCE) { // eslint-disable-line default-case | ||
case 'S256': | ||
params.code_challenge = base64url(crypto.createHash('sha256').update(verifier).digest()); | ||
params.code_challenge_method = 'S256'; | ||
break; | ||
case 'plain': | ||
params.code_challenge = verifier; | ||
break; | ||
} | ||
} | ||
this.redirect(client.authorizationUrl(params)); | ||
return; | ||
@@ -89,2 +125,3 @@ } | ||
const nonce = _.get(session, 'nonce'); | ||
const codeVerifier = _.get(session, 'code_verifier'); | ||
@@ -99,3 +136,9 @@ try { | ||
const checks = { state, nonce, max_age: maxAge }; | ||
const checks = { | ||
state, | ||
nonce, | ||
max_age: maxAge, | ||
code_verifier: codeVerifier, | ||
}; | ||
let callback = client.authorizationCallback(opts.redirect_uri, reqParams, checks) | ||
@@ -102,0 +145,0 @@ .then((tokenset) => { |
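Review bot: The PKCE code_verifier created at `const verifier = uuid();` in the `@@ -69,12 +89,28 @@` hunk is a 36-character UUID, which is below the 43-character minimum that RFC 7636 §4.1 requires for a code_verifier, so a strictly conforming authorization server may reject the token exchange even though the S256 challenge derived from it is computed correctly. Since this hunk already requires `crypto` and `base64url` in the first hunk of the file, a compliant verifier is a one-line change: `const verifier = base64url(crypto.randomBytes(32));`, which yields a 43-character string drawn from the unreserved alphabet. A short comment beside it, `// RFC 7636 §4.1: code_verifier must be 43-128 unreserved characters`, would record the constraint for the next maintainer. The enclosing authenticate method starts and ends outside the hunk.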
{ | ||
"name": "openid-client", | ||
"version": "1.17.0", | ||
"version": "1.18.0", | ||
"description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js servers, supports passportjs", | ||
@@ -64,3 +64,3 @@ "main": "lib/index.js", | ||
"create-error-class": "^3.0.2", | ||
"got": "^7.0.0", | ||
"got": "^8.0.0", | ||
"lodash": "^4.13.1", | ||
@@ -67,0 +67,0 @@ "lru-cache": "^4.0.1", |
@@ -381,3 +381,7 @@ # openid-client | ||
passport.use('oidc', new Strategy({ client, [params], [passReqToCallback] }, (tokenset, userinfo, done) => { | ||
const usePKCE = true; // optional, defaults to false, when true the code_challenge_method will be | ||
// resolved from the issuer configuration, instead of true you may provide | ||
// any of the supported values directly, i.e. "S256" (recommended) or "plain" | ||
passport.use('oidc', new Strategy({ client, [params], [passReqToCallback], [usePKCE] }, (tokenset, userinfo, done) => { | ||
console.log('tokenset', tokenset); | ||
@@ -437,3 +441,3 @@ console.log('access_token', tokenset.access_token); | ||
[travis-url]: https://travis-ci.org/panva/node-openid-client | ||
[conformance-image]: https://img.shields.io/travis/panva/openid-client-conformance-tests/master.svg?style=flat-square&maxAge=7200&label=daily%20conformance%20build | ||
[conformance-image]: https://img.shields.io/travis/panva/openid-client-conformance-tests/master.svg?style=flat-square&maxAge=7200&label=conformance%20build | ||
[conformance-url]: https://github.com/panva/openid-client-conformance-tests | ||
@@ -440,0 +444,0 @@ [codecov-image]: https://img.shields.io/codecov/c/github/panva/node-openid-client/master.svg?style=flat-square&maxAge=7200 |
81263
1467
458
+ Added@sindresorhus/is@0.7.0(transitive)
+ Addedcacheable-request@2.1.4(transitive)
+ Addedclone-response@1.0.2(transitive)
+ Addedcore-util-is@1.0.3(transitive)
+ Addeddecode-uri-component@0.2.2(transitive)
+ Addedfrom2@2.3.0(transitive)
+ Addedgot@8.3.2(transitive)
+ Addedhttp-cache-semantics@3.8.1(transitive)
+ Addedinherits@2.0.4(transitive)
+ Addedinto-stream@3.1.0(transitive)
+ Addedisarray@1.0.0(transitive)
+ Addedjson-buffer@3.0.0(transitive)
+ Addedkeyv@3.0.0(transitive)
+ Addedlowercase-keys@1.0.0(transitive)
+ Addednormalize-url@2.0.1(transitive)
+ Addedobject-assign@4.1.1(transitive)
+ Addedp-cancelable@0.4.1(transitive)
+ Addedp-is-promise@1.1.0(transitive)
+ Addedp-timeout@2.0.1(transitive)
+ Addedpify@3.0.0(transitive)
+ Addedprepend-http@2.0.0(transitive)
+ Addedprocess-nextick-args@2.0.1(transitive)
+ Addedquery-string@5.1.1(transitive)
+ Addedreadable-stream@2.3.8(transitive)
+ Addedresponselike@1.0.2(transitive)
+ Addedsafe-buffer@5.1.2(transitive)
+ Addedsort-keys@2.0.0(transitive)
+ Addedstrict-uri-encode@1.1.0(transitive)
+ Addedstring_decoder@1.1.1(transitive)
+ Addedurl-parse-lax@3.0.0(transitive)
+ Addedutil-deprecate@1.0.2(transitive)
- Removedgot@7.1.0(transitive)
- Removedis-stream@1.1.0(transitive)
- Removedp-cancelable@0.3.0(transitive)
- Removedp-timeout@1.2.1(transitive)
- Removedprepend-http@1.0.4(transitive)
- Removedurl-parse-lax@1.0.0(transitive)
Updatedgot@^8.0.0