'use strict';
// Babel interop flag: marks this CommonJS output as a transpiled ES module so an
// interop helper like _interopRequireDefault (below) returns it as-is instead of
// wrapping it in `{ default: ... }`.
Object.defineProperty(exports, "__esModule", {
value: true
});
var _assert = require('assert');
var _assert2 = _interopRequireDefault(_assert);
var _jsonwebtoken = require('jsonwebtoken');
var _jsonwebtoken2 = _interopRequireDefault(_jsonwebtoken);
var _computeHash = require('./compute-hash');
var _computeHash2 = _interopRequireDefault(_computeHash);
function _interopRequireDefault(obj) {
  // Babel interop helper: a module flagged __esModule is returned untouched,
  // anything else (plain CommonJS exports, null, primitives) is wrapped as its default.
  if (obj && obj.__esModule) {
    return obj;
  }
  return { default: obj };
}
// TODO: further valid PEM private-key envelopes may need to be accepted; only the '-----BEGIN RSA PRIVATE KEY-----' form is recognized by isPemRsaKey below:
// http://stackoverflow.com/a/20065554/26754
function isPemRsaKey(pem) {
  // True when `pem` looks like an RSA private key in PEM form: a string framed by
  // the "BEGIN/END RSA PRIVATE KEY" markers (surrounding whitespace tolerated) with
  // at least one character of body between them. This is an envelope check only:
  // the key material is not parsed here, and other envelopes (e.g.
  // "-----BEGIN PRIVATE KEY-----") are rejected regardless of whether the
  // signer could use them.
  var BEGIN_MARKER = '-----BEGIN RSA PRIVATE KEY-----';
  var END_MARKER = '-----END RSA PRIVATE KEY-----';
  if (typeof pem !== 'string') {
    return false;
  }
  var framed = pem.trim();
  // Markers alone add up to 60 characters; require something in between.
  return framed.startsWith(BEGIN_MARKER) &&
    framed.endsWith(END_MARKER) &&
    framed.length > BEGIN_MARKER.length + END_MARKER.length;
}
function isNonEmptyString(value) {
  // A primitive string with at least one character; '' and every non-string
  // (including String objects) are rejected.
  if (typeof value !== 'string') {
    return false;
  }
  return value.length > 0;
}
function isPositiveInteger(number) {
  // Strictly positive whole number of primitive type number; 0, negatives,
  // fractions, NaN, Infinity and numeric strings all fail.
  return Number.isInteger(number) && number > 0;
}
function isArrayOfStrings(array) {
  // Non-empty array in which every element satisfies isNonEmptyString.
  if (!Array.isArray(array) || array.length === 0) {
    return false;
  }
  // some() visits exactly the elements every() would, so sparse arrays behave the same.
  return !array.some(function (element) {
    return !isNonEmptyString(element);
  });
}
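function _createJwt(_ref) {
  // Builds and signs an OpenID Connect ID Token as an RS256 JWT.
  //
  // _ref.claims (object, default {}): the ID Token payload. Required, per the
  //   spec section linked below: iss (non-blank string), sub (non-empty string
  //   of at most 255 characters), aud (non-empty string or non-empty array of
  //   them) and exp (positive integer, seconds since 1970-01-01T00:00:00Z)
  //   unless options.expiresIn is given — exp and expiresIn are mutually
  //   exclusive. Optional iat / auth_time (positive integers) and nonce
  //   (string) are only type-checked.
  // _ref.options (object, default {}):
  //   privatePem        - required; PEM string framed by the RSA PRIVATE KEY
  //                       markers (see isPemRsaKey). This is key material: the
  //                       assertion message deliberately does not echo it, keep
  //                       it out of logs as well.
  //   expiresIn         - passed through to jsonwebtoken unvalidated; that
  //                       library, not this module, interprets the value.
  //   accessToken       - when given, at_hash is derived from it via computeHash.
  //   authorizationCode - when given, c_hash is derived from it via computeHash.
  //   kid               - when given, placed in the JOSE header.
  // Returns whatever jsonwebtoken.sign returns (the serialized token).
  // Throws assert.AssertionError on any failed check. The caller's claims
  // object is left unmodified; derived claims go onto a copy.
  var claims = _ref.claims === undefined ? {} : _ref.claims;
  var options = _ref.options === undefined ? {} : _ref.options;
  var privatePem = options.privatePem;
  var expiresIn = options.expiresIn;
  var accessToken = options.accessToken;
  var authorizationCode = options.authorizationCode;
  var kid = options.kid;

  // Required parameters
  _assert2.default.ok(isPemRsaKey(privatePem), 'option "privatePem" must be a RSA Private Key (PEM)');

  // Options
  _assert2.default.ok(!accessToken || isNonEmptyString(accessToken), 'option "accessToken" must be a string');
  _assert2.default.ok(!authorizationCode || isNonEmptyString(authorizationCode), 'option "authorizationCode" must be a string');
  _assert2.default.ok(!kid || isNonEmptyString(kid), 'option "kid" must be a string');

  // Required ID Token claims
  // http://openid.net/specs/openid-connect-core-1_0.html#IDToken
  _assert2.default.ok(isNonEmptyString(claims.iss) && !!claims.iss.trim(), 'claim "iss" required (string)');
  // NOTE: .length counts UTF-16 code units, which matches the spec's "ASCII
  // characters" limit only for ASCII subjects.
  _assert2.default.ok(isNonEmptyString(claims.sub) && claims.sub.length <= 255, 'claim "sub" required (string, max 255 ASCII characters)');
  _assert2.default.ok(isNonEmptyString(claims.aud) || isArrayOfStrings(claims.aud), 'claim "aud" required (string OR array of strings)');
  _assert2.default.ok(isPositiveInteger(claims.exp) || !!expiresIn, 'claim "exp" required (number of seconds from 1970-01-01T00:00:00Z in UTC)');
  _assert2.default.ok(!(claims.exp && expiresIn), 'claim "exp" and parameter expiresIn are mutually exclusive');

  // Optional ID Token claims — type checks only; nothing here verifies their
  // meaning (e.g. that nonce corresponds to an authentication request).
  // http://openid.net/specs/openid-connect-core-1_0.html#IDToken
  _assert2.default.ok(!claims.iat || isPositiveInteger(claims.iat), 'claim "iat" optional (number of seconds from 1970-01-01T00:00:00Z in UTC)');
  _assert2.default.ok(!claims.auth_time || isPositiveInteger(claims.auth_time), 'claim "auth_time" optional (number of seconds from 1970-01-01T00:00:00Z in UTC)');
  _assert2.default.ok(!claims.nonce || isNonEmptyString(claims.nonce), 'claim "nonce" optional (string)');

  // Sign a shallow copy so the derived hash claims never end up on the caller's object.
  var payload = Object.assign({}, claims);

  // at_hash / c_hash must be computed with the hash that belongs to the signing
  // algorithm, so the same `alg` feeds both computeHash and sign().
  var alg = 'RS256';
  if (accessToken) {
    payload.at_hash = (0, _computeHash2.default)(alg, accessToken);
  }
  if (authorizationCode) {
    payload.c_hash = (0, _computeHash2.default)(alg, authorizationCode);
  }

  return _jsonwebtoken2.default.sign(payload, privatePem, {
    algorithm: alg,
    expiresIn: expiresIn,
    // A caller-supplied iat suppresses the library's own timestamp.
    noTimestamp: !!payload.iat,
    // NOTE(review): jsonwebtoken has spelled this option `headers` in older
    // releases and `header` in newer ones — confirm against the pinned version,
    // otherwise kid may never reach the JOSE header.
    headers: { kid: kid }
  });
}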
exports.default = {
  // Unbound entry point; _createJwt documents the claims/options contract.
  createJwt: _createJwt,
  // Returns a createJwt that pre-fills claims and options. Per-call values are
  // shallow-merged over the defaults, so a call-site key (iss, privatePem, ...)
  // replaces the default of the same name. The defaults object — and any
  // privatePem it holds — stays referenced by the returned closure for as long
  // as that object lives.
  withDefaults: function withDefaults() {
    var defaults = arguments[0] === undefined ? {} : arguments[0];
    function createJwt(_ref2) {
      var mergedClaims = Object.assign({}, defaults.claims, _ref2.claims);
      var mergedOptions = Object.assign({}, defaults.options, _ref2.options);
      return _createJwt({ claims: mergedClaims, options: mergedOptions });
    }
    return { createJwt: createJwt };
  }
};
//# sourceMappingURL=id-token.js.map