UNPKG

@strongnguyen/oidc-provider

Version:

OAuth 2.0 Authorization Server implementation for Node.js with OpenID Connect

github.com/strongnguyen29/node-oidc-provider.git

strongnguyen29/node-oidc-provider

129 lines (97 loc) 3.81 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
/* eslint-disable camelcase, max-len */ const errors = require('../../errors'); const get = require('../../_/get'); const instance = require('../../weak_cache'); const Prompt = require('../prompt'); const Check = require('../check'); module.exports = () => new Prompt( { name: 'login', requestable: true }, (ctx) => { const { oidc } = ctx; return { ...(oidc.params.max_age === undefined ? undefined : { max_age: oidc.params.max_age }), ...(oidc.params.login_hint === undefined ? undefined : { login_hint: oidc.params.login_hint }), ...(oidc.params.id_token_hint === undefined ? undefined : { id_token_hint: oidc.params.id_token_hint }), }; }, new Check('no_session', 'End-User authentication is required', (ctx) => { const { oidc } = ctx; if (oidc.session.accountId) { return Check.NO_NEED_TO_PROMPT; } return Check.REQUEST_PROMPT; }), new Check('max_age', 'End-User authentication could not be obtained', (ctx) => { const { oidc } = ctx; if (oidc.params.max_age === undefined) { return Check.NO_NEED_TO_PROMPT; } if (!oidc.session.accountId) { return Check.REQUEST_PROMPT; } if (oidc.session.past(oidc.params.max_age) && (!ctx.oidc.result || !ctx.oidc.result.login)) { return Check.REQUEST_PROMPT; } return Check.NO_NEED_TO_PROMPT; }), new Check('id_token_hint', 'id_token_hint and authenticated subject do not match', async (ctx) => { const { oidc } = ctx; if (oidc.entities.IdTokenHint === undefined) { return Check.NO_NEED_TO_PROMPT; } const { payload } = oidc.entities.IdTokenHint; let sub = oidc.session.accountId; if (sub === undefined) { return Check.REQUEST_PROMPT; } if (oidc.client.subjectType === 'pairwise') { sub = await instance(oidc.provider).configuration('pairwiseIdentifier')(ctx, sub, oidc.client); } if (payload.sub !== sub) { return Check.REQUEST_PROMPT; } return Check.NO_NEED_TO_PROMPT; }), new Check('claims_id_token_sub_value', 'requested subject could not be obtained', async (ctx) => { const { oidc } = ctx; if (!oidc.claims.id_token || !oidc.claims.id_token.sub || !('value' in oidc.claims.id_token.sub)) { return Check.NO_NEED_TO_PROMPT; } let sub = oidc.session.accountId; if (sub === undefined) { return Check.REQUEST_PROMPT; } if (oidc.client.subjectType === 'pairwise') { sub = await instance(oidc.provider).configuration('pairwiseIdentifier')(ctx, sub, oidc.client); } if (oidc.claims.id_token.sub.value !== sub) { return Check.REQUEST_PROMPT; } return Check.NO_NEED_TO_PROMPT; }, ({ oidc }) => ({ sub: oidc.claims.id_token.sub })), new Check('essential_acrs', 'none of the requested ACRs could not be obtained', (ctx) => { const { oidc } = ctx; const request = get(oidc.claims, 'id_token.acr', {}); if (!request || !request.essential || !request.values) { return Check.NO_NEED_TO_PROMPT; } if (!Array.isArray(oidc.claims.id_token.acr.values)) { throw new errors.InvalidRequest('invalid claims.id_token.acr.values type'); } if (request.values.includes(oidc.acr)) { return Check.NO_NEED_TO_PROMPT; } return Check.REQUEST_PROMPT; }, ({ oidc }) => ({ acr: oidc.claims.id_token.acr })), new Check('essential_acr', 'requested ACR could not be obtained', (ctx) => { const { oidc } = ctx; const request = get(oidc.claims, 'id_token.acr', {}); if (!request || !request.essential || !request.value) { return Check.NO_NEED_TO_PROMPT; } if (request.value === oidc.acr) { return Check.NO_NEED_TO_PROMPT; } return Check.REQUEST_PROMPT; }, ({ oidc }) => ({ acr: oidc.claims.id_token.acr })), );