openid-client
Comparing version 3.10.1 to 3.11.0
@@ -5,2 +5,16 @@ # Change Log | ||
# [3.11.0](https://github.com/panva/node-openid-client/compare/v3.10.1...v3.11.0) (2020-01-10) | ||
### Bug Fixes | ||
* **typescript:** allow 'id_token token' as a response type ([61c486c](https://github.com/panva/node-openid-client/commit/61c486c2b800c9299f4eaf3649711c39a6e5ce57)) | ||
### Features | ||
* detect self-issued OP and validate ID Token accordingly ([c5d3158](https://github.com/panva/node-openid-client/commit/c5d315826a767d1479509931eddb5ae6e3b99532)), closes [#220](https://github.com/panva/node-openid-client/issues/220) [#221](https://github.com/panva/node-openid-client/issues/221) | ||
## [3.10.1](https://github.com/panva/node-openid-client/compare/v3.10.0...v3.10.1) (2020-01-07) | ||
@@ -7,0 +21,0 @@ |
@@ -803,2 +803,3 @@ /* eslint-disable max-classes-per-file */ | ||
async validateJWT(jwt, expectedAlg, required = ['iss', 'sub', 'aud', 'exp', 'iat']) { | ||
const isSelfIssued = this.issuer.issuer === 'https://self-issued.me'; | ||
const timestamp = now(); | ||
@@ -823,2 +824,6 @@ let header; | ||
if (isSelfIssued) { | ||
required = [...required, 'sub_jwk']; // eslint-disable-line no-param-reassign | ||
} | ||
required.forEach(verifyPresence.bind(undefined, payload, jwt)); | ||
@@ -912,3 +917,20 @@ | ||
if (header.alg.startsWith('HS')) { | ||
if (isSelfIssued) { | ||
try { | ||
assert(isPlainObject(payload.sub_jwk)); | ||
key = jose.JWK.asKey(payload.sub_jwk); | ||
assert.equal(key.type, 'public'); | ||
} catch (err) { | ||
throw new RPError({ | ||
message: 'failed to use sub_jwk claim as an asymmetric JSON Web Key', | ||
jwt, | ||
}); | ||
} | ||
if (key.thumbprint !== payload.sub) { | ||
throw new RPError({ | ||
message: 'failed to match the subject with sub_jwk', | ||
jwt, | ||
}); | ||
} | ||
} else if (header.alg.startsWith('HS')) { | ||
key = await this.joseSecret(); | ||
@@ -919,3 +941,3 @@ } else if (header.alg !== 'none') { | ||
if (header.alg === 'none') { | ||
if (!key && header.alg === 'none') { | ||
return { protected: header, payload }; | ||
@@ -922,0 +944,0 @@ } |
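Review bot: In the `isSelfIssued` branch the verification key comes from the token's own `sub_jwk` claim, so the only thing binding the token to a subject is the `key.thumbprint !== payload.sub` comparison, and that deserves a comment above `key = jose.JWK.asKey(payload.sub_jwk);`, for example `// key is supplied by the token itself: a valid signature only proves possession of the key whose thumbprint equals sub, so callers must still match sub against a subject they already know`. Because `key` is always set on this path, the changed guard `if (!key && header.alg === 'none')` no longer returns early for a self-issued token that declares `alg: none`; whether that token is rejected depends on the verification code after the hunk, which is not visible here, and an explicit `if (header.alg === 'none') throw new RPError({ message: 'self-issued ID Token must be signed', jwt });` inside the branch would not rely on it. The `catch (err)` block also discards the underlying error, and `assert.equal` is the loose comparison where `assert.strictEqual(key.type, 'public');` states the intent. validateJWT starts before and ends after these hunks.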
@@ -317,4 +317,4 @@ /* eslint-disable max-classes-per-file */ | ||
return keys[0]; | ||
}, 'issuer.key is not a private API, it is also deprecated'); | ||
}, 'issuer.key is not only a private API, it is also deprecated'); | ||
module.exports = Issuer; |
{ | ||
"name": "openid-client", | ||
"version": "3.10.1", | ||
"version": "3.11.0", | ||
"description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs", | ||
@@ -37,6 +37,6 @@ "keywords": [ | ||
"scripts": { | ||
"coverage": "nyc mocha", | ||
"coverage": "nyc mocha test/**/*.test.js", | ||
"lint": "eslint lib test && dtslint types", | ||
"lint-fix": "eslint lib test --fix", | ||
"test": "mocha" | ||
"test": "mocha test/**/*.test.js" | ||
}, | ||
@@ -43,0 +43,0 @@ "dependencies": { |
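Review bot: The new glob in the `test` and `coverage` scripts is unquoted, so the shell that npm spawns expands `test/**/*.test.js` before mocha sees it, and a shell without globstar treats `**` like a single `*`. Depending on how the test directory is laid out (not visible here), files at the top of `test/` or nested more than one level deep could be skipped without any failure. Quoting lets mocha do the expansion itself: `"test": "mocha 'test/**/*.test.js'"` and `"coverage": "nyc mocha 'test/**/*.test.js'"`.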
@@ -27,2 +27,3 @@ # openid-client | ||
- private_key_jwt | ||
- Consuming Self-Issued OpenID Provider ID Token response | ||
- [RFC8414 - OAuth 2.0 Authorization Server Metadata][feature-oauth-discovery] and [OpenID Connect Discovery 1.0][feature-discovery] | ||
@@ -29,0 +30,0 @@ - Discovery of OpenID Provider (Issuer) Metadata |
@@ -34,4 +34,3 @@ /// <reference types="node" /> | ||
*/ | ||
export type ResponseType = 'code' | 'id_token' | 'code id_token' | 'code token' | 'code id_token token' | 'none'; | ||
export type ResponseType = 'code' | 'id_token' | 'code id_token' | 'id_token token' | 'code token' | 'code id_token token' | 'none'; | ||
/** | ||
@@ -38,0 +37,0 @@ * @see https://github.com/panva/node-openid-client/blob/master/docs/README.md#client-authentication-methods |