
angular-simple-oidc


Angular Library implementing Open Id Connect specification. Code Flow, Refresh Tokens, Session Management, Discovery Document.

import { TokenHelperService } from './token-helper.service';
import { TokenCryptoService } from './token-crypto.service';
import { DecodedIdentityToken, TokenValidationConfig } from './models';
import { JWTKeys, DiscoveryDocument } from './models';
/**
 * Implements Identity and Access tokens validations according to the
 * Open ID Connect specification.
 * https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 * Inspiration taken from https://github.com/damienbod/angular-auth-oidc-client
 *
 * This is a declaration file: every method is declared without a body and
 * returns `void`, so the failure mode (presumably throwing on an invalid
 * token — confirm against the implementation) is not visible here.
 * The `tokenHelper` and `tokenCrypto` collaborators are injected through
 * the constructor; which one performs the hashing and signature checks
 * cannot be told from this file.
 */
export declare class TokenValidationService {
    protected readonly tokenHelper: TokenHelperService;
    protected readonly tokenCrypto: TokenCryptoService;
    constructor(tokenHelper: TokenHelperService, tokenCrypto: TokenCryptoService);
    /**
     * Entry point for validating an ID Token received by this client.
     *
     * The declaration does not show which of the per-claim checks declared
     * below are invoked, or in which order — TODO confirm in the
     * implementation that every check (issuer, audience, signature,
     * expiration, issued-at, nonce, required fields, format) is applied.
     *
     * @param thisClientId client_id registered at the Issuer; expected to be
     *   listed in the token's aud claim.
     * @param idToken the raw (encoded) ID Token string.
     * @param decodedIdToken the already-decoded claims of `idToken`.
     * @param nonce the nonce sent in the Authentication Request, compared
     *   against the token's nonce claim.
     * @param discoveryDocument document obtained during Discovery; supplies
     *   the expected issuer.
     * @param jwtKeys signing keys provided by the Issuer.
     * @param tokenValidationConfig optional client-specific settings
     *   (presumably the issued-at tolerance used by
     *   `validateIdTokenIssuedAt` — confirm).
     */
    validateIdToken(thisClientId: string, idToken: string, decodedIdToken: DecodedIdentityToken, nonce: string, discoveryDocument: DiscoveryDocument, jwtKeys: JWTKeys, tokenValidationConfig?: TokenValidationConfig): void;
    /**
     * The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
     * MUST exactly match the value of the iss (issuer) Claim.
     *
     * @param idToken decoded ID Token whose iss claim is checked.
     * @param discoveryDocumentIssuer issuer value taken from the Discovery Document.
     */
    validateIdTokenIssuer(idToken: DecodedIdentityToken, discoveryDocumentIssuer: string): void;
    /**
     * Access Token Validation
     * Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA
     * for the alg Header Parameter of the ID Token's JOSE Header.
     * For instance, if the alg is RS256, the hash algorithm used is SHA-256.
     * Take the left-most half of the hash and base64url-encode it.
     * The value of at_hash in the ID Token MUST match the value produced in the previous step
     * if at_hash is present in the ID Token.
     *
     * NOTE(review): `idTokenAtHash` is a required parameter here, so the
     * "if at_hash is present" branch is presumably handled by the caller
     * deciding whether to invoke this method — confirm.
     *
     * @param accessToken the raw access_token received alongside the ID Token.
     * @param idTokenAtHash the at_hash claim taken from the ID Token.
     */
    validateAccessToken(accessToken: string, idTokenAtHash: string): void;
    /**
     * The Client MUST validate that the aud (audience) Claim contains
     * its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience.
     * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience,
     * or if it contains additional audiences not trusted by the Client.
     *
     * NOTE(review): the declaration does not show how a multi-valued aud
     * (array form) is handled, nor whether any additional claim is required
     * in that case — confirm against the implementation and the spec.
     *
     * @param idToken decoded ID Token whose aud claim is checked.
     * @param thisClientId the client_id this Relying Party expects to find in aud.
     */
    validateIdTokenAud(idToken: DecodedIdentityToken, thisClientId: string): void;
    /**
     * The Client MUST validate the signature of the ID Token according to JWS using the algorithm
     * specified in the alg Header Parameter of the JOSE Header.
     * The Client MUST use the keys provided by the Issuer.
     * The alg value SHOULD be RS256.
     * Validation of tokens using other signing algorithms is described in the
     * OpenID Connect Core 1.0 specification.
     *
     * NOTE(review): the set of accepted alg values is not visible from this
     * declaration; confirm that the implementation rejects tokens whose
     * header alg is outside the expected set rather than trusting the header.
     *
     * @param idToken the raw (encoded) ID Token, needed because the signature
     *   covers the encoded header and payload.
     * @param jwtKeys signing keys provided by the Issuer.
     */
    validateIdTokenSignature(idToken: string, jwtKeys: JWTKeys): void;
    /**
     * The current time MUST be before the time represented by the exp Claim
     * (possibly allowing for some small leeway to account for clock skew).
     *
     * @param idToken decoded ID Token whose exp claim is checked.
     * @param offsetSeconds optional clock-skew leeway in seconds; its default
     *   is not visible from this declaration.
     */
    validateIdTokenExpiration(idToken: DecodedIdentityToken, offsetSeconds?: number): void;
    /**
     * The iat Claim can be used to reject tokens that were issued too far away from the current time,
     * limiting the amount of time that nonces need to be stored to prevent attacks.
     * The acceptable range is Client specific.
     *
     * @param idToken decoded ID Token whose iat claim is checked.
     * @param config optional client-specific settings; presumably carries the
     *   acceptable iat range — confirm in `TokenValidationConfig`.
     */
    validateIdTokenIssuedAt(idToken: DecodedIdentityToken, config?: TokenValidationConfig): void;
    /**
     * The value of the nonce Claim MUST be checked to verify that it is the same value as the one
     * that was sent in the Authentication Request.
     * The Client SHOULD check the nonce value for replay attacks.
     * The precise method for detecting replay attacks is Client specific.
     *
     * @param idToken decoded ID Token whose nonce claim is checked.
     * @param localNonce the nonce this client generated for the Authentication Request.
     */
    validateIdTokenNonce(idToken: DecodedIdentityToken, localNonce: string): void;
    /**
     * Checks that the claims the specification marks REQUIRED are present
     * on the decoded token. The spec text for each:
     *
     * iss
     * REQUIRED. Issuer Identifier for the Issuer of the response.
     * The iss value is a case-sensitive URL using the https scheme that contains scheme, host,
     * and optionally, port number and path components and no query or fragment components.
     *
     * sub
     * REQUIRED. Subject Identifier. Locally unique and never reassigned identifier within the Issuer for the End-User,
     * which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4.
     * It MUST NOT exceed 255 ASCII characters in length. The sub value is a case-sensitive string.
     *
     * aud
     * REQUIRED. Audience(s) that this ID Token is intended for.
     * It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.
     * It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings.
     * In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.
     *
     * exp
     * REQUIRED. Expiration time on or after which the ID Token MUST NOT be accepted for processing.
     * The processing of this parameter requires that the current date/time MUST be before
     * the expiration date/time listed in the value.
     * Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.
     * Its value is a JSON [RFC7159] number representing the number of seconds from 1970-01-01T00:00:00Z
     * as measured in UTC until the date/time.
     * See RFC 3339 [RFC3339] for details regarding date/times in general and UTC in particular.
     *
     * iat
     * REQUIRED. Time at which the JWT was issued. Its value is a JSON number representing the number of seconds
     * from 1970-01-01T00:00:00Z as measured
     * in UTC until the date/time.
     *
     * Whether presence alone or also the stated format (https URL, length
     * limit, numeric type) is enforced here is not visible from this
     * declaration — TODO confirm.
     *
     * @param idToken decoded ID Token to check for the required claims.
     */
    validateIdTokenRequiredFields(idToken: DecodedIdentityToken): void;
    /**
     * Validates that an expected token numeric field is a number on runtime.
     *
     * @typeParam T the decoded token type; `claim` must be one of its keys.
     * @param idToken decoded token carrying the claim.
     * @param claim name of the claim that must hold a number at runtime
     *   (e.g. `exp` or `iat`).
     */
    validateTokenNumericClaim<T extends DecodedIdentityToken>(idToken: T, claim: keyof T): void;
    /**
     * Makes sure that the format of the identity token is correct.
     * It needs to be a non-empty string and contain three dots.
     *
     * NOTE(review): a compact JWS serialization has three dot-separated
     * segments (i.e. two dots); confirm whether the implementation counts
     * dots or segments, and that the wording above matches it.
     *
     * @param idToken the raw (encoded) ID Token string.
     */
    validateIdTokenFormat(idToken: string): void;
    /**
     * Validates the local state against the
     * returned state from the IDP to make sure it matches.
     *
     * @param localState the state value this client stored before redirecting.
     * @param state the state value returned on the authorization callback.
     */
    validateAuthorizeCallbackState(localState: string, state: string): void;
    /**
     * Checks the shape of the parameters received on the authorization
     * callback. The declaration does not show which combinations of
     * `code`, `state` and `error` are accepted, nor what `href` is checked
     * for — TODO confirm (presumably the full callback URL is used for
     * error reporting).
     *
     * @param code the authorization code query parameter, if any.
     * @param state the state query parameter, if any.
     * @param error the error query parameter returned by the IDP, if any.
     * @param href the callback URL the parameters were read from.
     */
    validateAuthorizeCallbackFormat(code: string, state: string, error: string, href: string): void;
}