UNPKG

@axa-fr/oidc-client-service-worker

Version:

OpenID Connect & OAuth authentication service worker

github.com/AxaFrance/oidc-client

AxaFrance/oidc-client

280 lines (253 loc) 9.16 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
// code base on https://coolaj86.com/articles/sign-jwt-webcrypto-vanilla-js/ // String (UCS-2) to Uint8Array // // because... JavaScript, Strings, and Buffers // @ts-ignore import { DemonstratingProofOfPossessionConfiguration } from './types'; function strToUint8(str: string) { return new TextEncoder().encode(str); } // Binary String to URL-Safe Base64 // // btoa (Binary-to-Ascii) means "binary string" to base64 // @ts-ignore function binToUrlBase64(bin) { return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, ''); } // UTF-8 to Binary String // // Because JavaScript has a strange relationship with strings // https://coolaj86.com/articles/base64-unicode-utf-8-javascript-and-you/ // @ts-ignore function utf8ToBinaryString(str) { const escstr = encodeURIComponent(str); // replaces any uri escape sequence, such as %0A, // with binary escape, such as 0x0A // @ts-ignore return escstr.replace(/%([0-9A-F]{2})/g, function (match: string, p1) { return String.fromCharCode(parseInt(p1, 16)); }); } // Uint8Array to URL Safe Base64 // // the shortest distant between two encodings... binary string // @ts-ignore export const uint8ToUrlBase64 = (uint8: Uint8Array) => { let bin = ''; // @ts-ignore uint8.forEach(function (code) { bin += String.fromCharCode(code); }); return binToUrlBase64(bin); }; // UCS-2 String to URL-Safe Base64 // // btoa doesn't work on UTF-8 strings // @ts-ignore function strToUrlBase64(str) { return binToUrlBase64(utf8ToBinaryString(str)); } export const defaultDemonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration = { importKeyAlgorithm: { name: 'ECDSA', namedCurve: 'P-256', hash: { name: 'ES256' }, }, signAlgorithm: { name: 'ECDSA', hash: { name: 'SHA-256' } }, generateKeyAlgorithm: { name: 'ECDSA', namedCurve: 'P-256', }, digestAlgorithm: { name: 'SHA-256' }, jwtHeaderAlgorithm: 'ES256', }; // @ts-ignore const sign = (w: any) => async ( jwk: any, headers: any, claims: any, demonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration, jwtHeaderType = 'dpop+jwt', ) => { // Make a shallow copy of the key // (to set ext if it wasn't already set) jwk = Object.assign({}, jwk); // The headers should probably be empty headers.typ = jwtHeaderType; headers.alg = demonstratingProofOfPossessionConfiguration.jwtHeaderAlgorithm; switch (headers.alg) { case 'ES256': //if (!headers.kid) { // alternate: see thumbprint function below headers.jwk = { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }; //} break; case 'RS256': headers.jwk = { kty: jwk.kty, n: jwk.n, e: jwk.e, kid: headers.kid }; break; default: throw new Error('Unknown or not implemented JWS algorithm'); } const jws = { // @ts-ignore // JWT "headers" really means JWS "protected headers" protected: strToUrlBase64(JSON.stringify(headers)), // @ts-ignore // JWT "claims" are really a JSON-defined JWS "payload" payload: strToUrlBase64(JSON.stringify(claims)), }; // To import as EC (ECDSA, P-256, SHA-256, ES256) const keyType = demonstratingProofOfPossessionConfiguration.importKeyAlgorithm; // To make re-exportable as JSON (or DER/PEM) const exportable = true; // Import as a private key that isn't black-listed from signing const privileges = ['sign']; // Actually do the import, which comes out as an abstract key type // @ts-ignore const privateKey = await w.crypto.subtle.importKey('jwk', jwk, keyType, exportable, privileges); // Convert UTF-8 to Uint8Array ArrayBuffer // @ts-ignore const data = strToUint8(`${jws.protected}.${jws.payload}`); // The signature and hash should match the bit-entropy of the key // https://tools.ietf.org/html/rfc7518#section-3 const signatureType = demonstratingProofOfPossessionConfiguration.signAlgorithm; const signature = await w.crypto.subtle.sign(signatureType, privateKey, data); // returns an ArrayBuffer containing a JOSE (not X509) signature, // which must be converted to Uint8 to be useful // @ts-ignore jws.signature = uint8ToUrlBase64(new Uint8Array(signature)); // JWT is just a "compressed", "protected" JWS // @ts-ignore return `${jws.protected}.${jws.payload}.${jws.signature}`; }; export const JWT = { sign }; // @ts-ignore const generate = (w: any) => async (generateKeyAlgorithm: RsaHashedKeyGenParams | EcKeyGenParams) => { const keyType = generateKeyAlgorithm; const exportable = true; const privileges = ['sign', 'verify']; // @ts-ignore const key = await w.crypto.subtle.generateKey(keyType, exportable, privileges); // returns an abstract and opaque WebCrypto object, // which in most cases you'll want to export as JSON to be able to save return await w.crypto.subtle.exportKey('jwk', key.privateKey); }; // Create a Public Key from a Private Key // // chops off the private parts // @ts-ignore const neuter = jwk => { const copy = Object.assign({}, jwk); delete copy.d; copy.key_ops = ['verify']; return copy; }; const EC = { generate, neuter, }; // @ts-ignore const thumbprint = (w: any) => async (jwk, digestAlgorithm: AlgorithmIdentifier) => { let sortedPub; // lexigraphically sorted, no spaces switch (jwk.kty) { case 'EC': sortedPub = '{"crv":"CRV","kty":"EC","x":"X","y":"Y"}' .replace('CRV', jwk.crv) .replace('X', jwk.x) .replace('Y', jwk.y); break; case 'RSA': sortedPub = '{"e":"E","kty":"RSA","n":"N"}'.replace('E', jwk.e).replace('N', jwk.n); break; default: throw new Error('Unknown or not implemented JWK type'); } // The hash should match the size of the key, // but we're only dealing with P-256 const hash = await w.crypto.subtle.digest(digestAlgorithm, strToUint8(sortedPub)); return uint8ToUrlBase64(new Uint8Array(hash)); }; export const JWK = { thumbprint }; export const generateJwkAsync = (w: any) => async (generateKeyAlgorithm: RsaHashedKeyGenParams | EcKeyGenParams) => { // @ts-ignore const jwk = await EC.generate(w)(generateKeyAlgorithm); // console.info('Private Key:', JSON.stringify(jwk)); // @ts-ignore // console.info('Public Key:', JSON.stringify(EC.neuter(jwk))); return jwk; }; export const generateJwtDemonstratingProofOfPossessionAsync = (w: any) => (demonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration) => async (jwk: any, method = 'POST', url: string, extrasClaims = {}) => { const claims = { // https://www.rfc-editor.org/rfc/rfc9449.html#name-concept jti: btoa(guid()), htm: method, htu: url, iat: Math.round(Date.now() / 1000), ...extrasClaims, }; // @ts-ignore const kid = await JWK.thumbprint(w)( jwk, demonstratingProofOfPossessionConfiguration.digestAlgorithm, ); // @ts-ignore const jwt = await JWT.sign(w)( jwk, { kid: kid }, claims, demonstratingProofOfPossessionConfiguration, ); // console.info('JWT:', jwt); return jwt; }; const guid = () => { // RFC4122: The version 4 UUID is meant for generating UUIDs from truly-random or // pseudo-random numbers. // The algorithm is as follows: // Set the two most significant bits (bits 6 and 7) of the // clock_seq_hi_and_reserved to zero and one, respectively. // Set the four most significant bits (bits 12 through 15) of the // time_hi_and_version field to the 4-bit version number from // Section 4.1.3. Version4 // Set all the other bits to randomly (or pseudo-randomly) chosen // values. // UUID = time-low "-" time-mid "-"time-high-and-version "-"clock-seq-reserved and low(2hexOctet)"-" node // time-low = 4hexOctet // time-mid = 2hexOctet // time-high-and-version = 2hexOctet // clock-seq-and-reserved = hexOctet: // clock-seq-low = hexOctet // node = 6hexOctet // Format: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx // y could be 1000, 1001, 1010, 1011 since most significant two bits needs to be 10 // y values are 8, 9, A, B const guidHolder = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'; const hex = '0123456789abcdef'; let r = 0; let guidResponse = ''; for (let i = 0; i < 36; i++) { if (guidHolder[i] !== '-' && guidHolder[i] !== '4') { // each x and y needs to be random r = (Math.random() * 16) | 0; } if (guidHolder[i] === 'x') { guidResponse += hex[r]; } else if (guidHolder[i] === 'y') { // clock-seq-and-reserved first hex is filtered and remaining hex values are random r &= 0x3; // bit and with 0011 to set pos 2 to zero ?0?? r |= 0x8; // set pos 3 to 1 as 1??? guidResponse += hex[r]; } else { guidResponse += guidHolder[i]; } } return guidResponse; };