UNPKG

@okta-dfuhriman/okta-auth-js

Version:
64 lines (52 loc) 2.31 kB
/* eslint-disable @typescript-eslint/no-non-null-assertion */ /*! * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved. * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.") * * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0. * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * * See the License for the specific language governing permissions and limitations under the License. * */ /* eslint-disable complexity, max-statements */ import AuthSdkError from '../../errors/AuthSdkError'; import { OktaAuthOAuthInterface, TokenVerifyParams, UserClaims } from '../../oidc/types'; export function validateClaims(sdk: OktaAuthOAuthInterface, claims: UserClaims, validationParams: TokenVerifyParams) { const aud = validationParams.clientId; const iss = validationParams.issuer; const nonce = validationParams.nonce; const acr = validationParams.acrValues; if (!claims || !iss || !aud) { throw new AuthSdkError('The jwt, iss, and aud arguments are all required'); } if (nonce && claims.nonce !== nonce) { throw new AuthSdkError('OAuth flow response nonce doesn\'t match request nonce'); } const now = Math.floor(Date.now()/1000); if (claims.iss !== iss) { throw new AuthSdkError('The issuer [' + claims.iss + '] ' + 'does not match [' + iss + ']'); } if (claims.aud !== aud) { throw new AuthSdkError('The audience [' + claims.aud + '] ' + 'does not match [' + aud + ']'); } if (acr && claims.acr !== acr) { throw new AuthSdkError('The acr [' + claims.acr + '] ' + 'does not match acr_values [' + acr + ']'); } if (claims.iat! > claims.exp!) { throw new AuthSdkError('The JWT expired before it was issued'); } if (!sdk.options.ignoreLifetime) { if ((now - sdk.options.maxClockSkew!) > claims.exp!) { throw new AuthSdkError('The JWT expired and is no longer valid'); } if (claims.iat! > (now + sdk.options.maxClockSkew!)) { throw new AuthSdkError('The JWT was issued in the future'); } } }