UNPKG

@okta/okta-auth-js

Version:

The Okta Auth SDK

github.com/okta/okta-auth-js

okta/okta-auth-js

54 lines (52 loc) 2.49 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
"use strict"; var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault"); exports.validateClaims = validateClaims; var _AuthSdkError = _interopRequireDefault(require("../../errors/AuthSdkError")); /* eslint-disable @typescript-eslint/no-non-null-assertion */ /*! * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved. * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.") * * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0. * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * * See the License for the specific language governing permissions and limitations under the License. * */ /* eslint-disable complexity, max-statements */ function validateClaims(sdk, claims, validationParams) { const aud = validationParams.clientId; const iss = validationParams.issuer; const nonce = validationParams.nonce; const acr = validationParams.acrValues; if (!claims || !iss || !aud) { throw new _AuthSdkError.default('The jwt, iss, and aud arguments are all required'); } if (nonce && claims.nonce !== nonce) { throw new _AuthSdkError.default('OAuth flow response nonce doesn\'t match request nonce'); } const now = Math.floor(Date.now() / 1000); if (claims.iss !== iss) { throw new _AuthSdkError.default('The issuer [' + claims.iss + '] ' + 'does not match [' + iss + ']'); } if (Array.isArray(claims.aud) && claims.aud.indexOf(aud) < 0 || !Array.isArray(claims.aud) && claims.aud !== aud) { throw new _AuthSdkError.default('The audience [' + claims.aud + '] ' + 'does not match [' + aud + ']'); } if (acr && claims.acr !== acr) { throw new _AuthSdkError.default('The acr [' + claims.acr + '] ' + 'does not match acr_values [' + acr + ']'); } if (claims.iat > claims.exp) { throw new _AuthSdkError.default('The JWT expired before it was issued'); } if (!sdk.options.ignoreLifetime) { if (now - sdk.options.maxClockSkew > claims.exp) { throw new _AuthSdkError.default('The JWT expired and is no longer valid'); } if (claims.iat > now + sdk.options.maxClockSkew) { throw new _AuthSdkError.default('The JWT was issued in the future'); } } } //# sourceMappingURL=validateClaims.js.map