@strongnguyen/oidc-provider

OAuth 2.0 Authorization Server implementation for Node.js with OpenID Connect

const { InvalidRequest } = require('../../helpers/errors'); const GATED_CLIENT = Object.entries({ defaultAcrValues: 'default_acr_values', defaultMaxAge: 'default_max_age', requireAuthTime: 'require_auth_time', }); const GATED = [ 'acr_values', 'claims', 'claims_locales', 'id_token_hint', 'max_age', 'nonce', ]; /* * Validates that openid scope is requested when openid specific parameters are provided * * @throws: invalid_request */ module.exports = function checkOpenIdScope(PARAM_LIST, ctx, next) { const present = !!ctx.oidc.params.scope; const openid = present && ctx.oidc.params.scope.split(' ').includes('openid'); if (openid) { return next(); } if (PARAM_LIST.has('response_type') && ctx.oidc.params.response_type.includes('id_token')) { throw new InvalidRequest('openid scope must be requested for this response_type'); } GATED_CLIENT.forEach(([prop, msg]) => { if (ctx.oidc.client[prop]) { throw new InvalidRequest(`openid scope must be requested for clients with ${msg}`); } }); GATED.forEach((param) => { if (ctx.oidc.params[param] !== undefined) { throw new InvalidRequest(`openid scope must be requested when using the ${param} parameter`); } }); if (ctx.oidc.route === 'backchannel_authentication') { throw new InvalidRequest('openid scope must be requested for this request'); } return next(); };