UNPKG

oidc-client

Version:

OpenID Connect (OIDC) & OAuth2 client library

github.com/IdentityModel/oidc-client-js

IdentityModel/oidc-client-js

154 lines (132 loc) 6.55 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
// Copyright (c) Brock Allen & Dominick Baier. All rights reserved. // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information. import { Log } from './Log.js'; export default function getJoseUtil({ jws, KeyUtil, X509, crypto, hextob64u, b64tohex, AllowedSigningAlgs }) { return class JoseUtil { static parseJwt(jwt) { Log.debug("JoseUtil.parseJwt"); try { var token = jws.JWS.parse(jwt); return { header: token.headerObj, payload: token.payloadObj } } catch (e) { Log.error(e); } } static validateJwt(jwt, key, issuer, audience, clockSkew, now, timeInsensitive) { Log.debug("JoseUtil.validateJwt"); try { if (key.kty === "RSA") { if (key.e && key.n) { key = KeyUtil.getKey(key); } else if (key.x5c && key.x5c.length) { var hex = b64tohex(key.x5c[0]); key = X509.getPublicKeyFromCertHex(hex); } else { Log.error("JoseUtil.validateJwt: RSA key missing key material", key); return Promise.reject(new Error("RSA key missing key material")); } } else if (key.kty === "EC") { if (key.crv && key.x && key.y) { key = KeyUtil.getKey(key); } else { Log.error("JoseUtil.validateJwt: EC key missing key material", key); return Promise.reject(new Error("EC key missing key material")); } } else { Log.error("JoseUtil.validateJwt: Unsupported key type", key && key.kty); return Promise.reject(new Error("Unsupported key type: " + key && key.kty)); } return JoseUtil._validateJwt(jwt, key, issuer, audience, clockSkew, now, timeInsensitive); } catch (e) { Log.error(e && e.message || e); return Promise.reject("JWT validation failed"); } } static validateJwtAttributes(jwt, issuer, audience, clockSkew, now, timeInsensitive) { if (!clockSkew) { clockSkew = 0; } if (!now) { now = parseInt(Date.now() / 1000); } var payload = JoseUtil.parseJwt(jwt).payload; if (!payload.iss) { Log.error("JoseUtil._validateJwt: issuer was not provided"); return Promise.reject(new Error("issuer was not provided")); } if (payload.iss !== issuer) { Log.error("JoseUtil._validateJwt: Invalid issuer in token", payload.iss); return Promise.reject(new Error("Invalid issuer in token: " + payload.iss)); } if (!payload.aud) { Log.error("JoseUtil._validateJwt: aud was not provided"); return Promise.reject(new Error("aud was not provided")); } var validAudience = payload.aud === audience || (Array.isArray(payload.aud) && payload.aud.indexOf(audience) >= 0); if (!validAudience) { Log.error("JoseUtil._validateJwt: Invalid audience in token", payload.aud); return Promise.reject(new Error("Invalid audience in token: " + payload.aud)); } if (payload.azp && payload.azp !== audience) { Log.error("JoseUtil._validateJwt: Invalid azp in token", payload.azp); return Promise.reject(new Error("Invalid azp in token: " + payload.azp)); } if (!timeInsensitive) { var lowerNow = now + clockSkew; var upperNow = now - clockSkew; if (!payload.iat) { Log.error("JoseUtil._validateJwt: iat was not provided"); return Promise.reject(new Error("iat was not provided")); } if (lowerNow < payload.iat) { Log.error("JoseUtil._validateJwt: iat is in the future", payload.iat); return Promise.reject(new Error("iat is in the future: " + payload.iat)); } if (payload.nbf && lowerNow < payload.nbf) { Log.error("JoseUtil._validateJwt: nbf is in the future", payload.nbf); return Promise.reject(new Error("nbf is in the future: " + payload.nbf)); } if (!payload.exp) { Log.error("JoseUtil._validateJwt: exp was not provided"); return Promise.reject(new Error("exp was not provided")); } if (payload.exp < upperNow) { Log.error("JoseUtil._validateJwt: exp is in the past", payload.exp); return Promise.reject(new Error("exp is in the past:" + payload.exp)); } } return Promise.resolve(payload); } static _validateJwt(jwt, key, issuer, audience, clockSkew, now, timeInsensitive) { return JoseUtil.validateJwtAttributes(jwt, issuer, audience, clockSkew, now, timeInsensitive).then(payload => { try { if (!jws.JWS.verify(jwt, key, AllowedSigningAlgs)) { Log.error("JoseUtil._validateJwt: signature validation failed"); return Promise.reject(new Error("signature validation failed")); } return payload; } catch (e) { Log.error(e && e.message || e); return Promise.reject(new Error("signature validation failed")); } }); } static hashString(value, alg) { try { return crypto.Util.hashString(value, alg); } catch (e) { Log.error(e); } } static hexToBase64Url(value) { try { return hextob64u(value); } catch (e) { Log.error(e); } } } }