openid-client - npm Package Compare versions

Comparing version 3.8.0 to 3.8.1

CHANGELOG.md

@@ -5,2 +5,11 @@ # Change Log
 
+## [3.8.1](https://github.com/panva/node-openid-client/compare/v3.8.0...v3.8.1) (2019-11-07)
+
+
+### Bug Fixes
+
+* use sha512 for Ed25519 and shake256 for Ed448 ID Token _hash claims ([31f7a04](https://github.com/panva/node-openid-client/commit/31f7a040c289e7fd389a0083803f2998bf62b660))
+
+
+
 # [3.8.0](https://github.com/panva/node-openid-client/compare/v3.7.4...v3.8.0) (2019-11-07)
@@ -7,0 +16,0 @@

lib/client.js

@@ -794,2 +794,14 @@ /* eslint-disable max-classes-per-file */
 
+    let key;
+
+    if (header.alg.startsWith('HS')) {
+      key = await this.joseSecret();
+    } else if (header.alg !== 'none') {
+      key = await this.issuer.key(header);
+    }
+
+    if (header.alg !== 'none' && !key) {
+      throw new RPError('could not find a key to validate the signature with');
+    }
+
     if (returnedBy === 'authorization') {
@@ -813,7 +825,7 @@ if (!payload.at_hash && tokenSet.access_token) {
         }
-        if (!tokenHash(payload.s_hash, state, header.alg)) {
-          throw new RPError({
-            printf: ['s_hash mismatch, expected %s, got: %s', tokenHash.generate(state, header.alg), payload.s_hash],
-            jwt: idToken,
-          });
+
+        try {
+          tokenHash.validate({ claim: 's_hash', source: 'state' }, payload.s_hash, state, header.alg, key && key.crv);
+        } catch (err) {
+          throw new RPError({ message: err.message, jwt: idToken });
         }
@@ -824,7 +836,6 @@ }
     if (tokenSet.access_token && payload.at_hash !== undefined) {
-      if (!tokenHash(payload.at_hash, tokenSet.access_token, header.alg)) {
-        throw new RPError({
-          printf: ['at_hash mismatch, expected %s, got: %s', tokenHash.generate(tokenSet.access_token, header.alg), payload.at_hash],
-          jwt: idToken,
-        });
+      try {
+        tokenHash.validate({ claim: 'at_hash', source: 'access_token' }, payload.at_hash, tokenSet.access_token, header.alg, key && key.crv);
+      } catch (err) {
+        throw new RPError({ message: err.message, jwt: idToken });
       }
@@ -834,7 +845,6 @@ }
     if (tokenSet.code && payload.c_hash !== undefined) {
-      if (!tokenHash(payload.c_hash, tokenSet.code, header.alg)) {
-        throw new RPError({
-          printf: ['c_hash mismatch, expected %s, got: %s', tokenHash.generate(tokenSet.code, header.alg), payload.c_hash],
-          jwt: idToken,
-        });
+      try {
+        tokenHash.validate({ claim: 'c_hash', source: 'code' }, payload.c_hash, tokenSet.code, header.alg, key && key.crv);
+      } catch (err) {
+        throw new RPError({ message: err.message, jwt: idToken });
       }
@@ -847,10 +857,2 @@ }
 
-    let key;
-
-    if (header.alg.startsWith('HS')) {
-      key = await this.joseSecret();
-    } else {
-      key = await this.issuer.key(header);
-    }
-
     try {
@@ -857,0 +859,0 @@ jose.JWS.verify(idToken, key);

package.json

 {
   "name": "openid-client",
-  "version": "3.8.0",
+  "version": "3.8.1",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs",
@@ -49,3 +49,3 @@ "keywords": [
     "object-hash": "^2.0.0",
-    "oidc-token-hash": "^3.0.2",
+    "oidc-token-hash": "^4.0.0",
     "p-any": "^2.1.0"
@@ -52,0 +52,0 @@ },

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

143689

increased by0.25%

Dependency changes

• + Addedoidc-token-hash@4.0.0(transitive)

• - Removedoidc-token-hash@3.0.2(transitive)

• Updatedoidc-token-hash@^4.0.0