@okta-dfuhriman/okta-auth-js
Version:
The Okta Auth SDK
64 lines (52 loc) • 2.31 kB
text/typescript
/* eslint-disable @typescript-eslint/no-non-null-assertion */
/*!
* Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
* The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
*
* You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*
* See the License for the specific language governing permissions and limitations under the License.
*
*/
/* eslint-disable complexity, max-statements */
import AuthSdkError from '../../errors/AuthSdkError';
import { OktaAuthOAuthInterface, TokenVerifyParams, UserClaims } from '../../oidc/types';
export function validateClaims(sdk: OktaAuthOAuthInterface, claims: UserClaims, validationParams: TokenVerifyParams) {
const aud = validationParams.clientId;
const iss = validationParams.issuer;
const nonce = validationParams.nonce;
const acr = validationParams.acrValues;
if (!claims || !iss || !aud) {
throw new AuthSdkError('The jwt, iss, and aud arguments are all required');
}
if (nonce && claims.nonce !== nonce) {
throw new AuthSdkError('OAuth flow response nonce doesn\'t match request nonce');
}
const now = Math.floor(Date.now()/1000);
if (claims.iss !== iss) {
throw new AuthSdkError('The issuer [' + claims.iss + '] ' +
'does not match [' + iss + ']');
}
if (claims.aud !== aud) {
throw new AuthSdkError('The audience [' + claims.aud + '] ' +
'does not match [' + aud + ']');
}
if (acr && claims.acr !== acr) {
throw new AuthSdkError('The acr [' + claims.acr + '] ' +
'does not match acr_values [' + acr + ']');
}
if (claims.iat! > claims.exp!) {
throw new AuthSdkError('The JWT expired before it was issued');
}
if (!sdk.options.ignoreLifetime) {
if ((now - sdk.options.maxClockSkew!) > claims.exp!) {
throw new AuthSdkError('The JWT expired and is no longer valid');
}
if (claims.iat! > (now + sdk.options.maxClockSkew!)) {
throw new AuthSdkError('The JWT was issued in the future');
}
}
}