UNPKG

oidc-provider

Version:

OAuth 2.0 Authorization Server implementation for Node.js with OpenID Connect

github.com/panva/node-oidc-provider

panva/node-oidc-provider

130 lines (103 loc) 3.68 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
import * as crypto from 'node:crypto'; import { jwtVerify, EmbeddedJWK, calculateJwkThumbprint, } from 'jose'; import { InvalidDpopProof, UseDpopNonce } from './errors.js'; import instance from './weak_cache.js'; import epochTime from './epoch_time.js'; import { CHALLENGE_OK_WINDOW } from './challenge.js'; export { CHALLENGE_OK_WINDOW }; const weakMap = new WeakMap(); export default async (ctx, accessToken) => { if (weakMap.has(ctx)) { return weakMap.get(ctx); } const { features: { dPoP: dPoPConfig }, dPoPSigningAlgValues, } = instance(ctx.oidc.provider).configuration; if (!dPoPConfig.enabled) { return undefined; } const proof = ctx.get('DPoP'); if (!proof) { return undefined; } const { DPoPNonces } = instance(ctx.oidc.provider); const requireNonce = dPoPConfig.requireNonce(ctx); if (typeof requireNonce !== 'boolean') { throw new Error('features.dPoP.requireNonce must return a boolean'); } if (requireNonce && !DPoPNonces) { throw new Error('features.dPoP.nonceSecret configuration is missing'); } const nextNonce = DPoPNonces?.nextChallenge(); let payload; let protectedHeader; try { ({ protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, { algorithms: dPoPSigningAlgValues, typ: 'dpop+jwt' })); if (typeof payload.iat !== 'number' || !payload.iat) { throw new InvalidDpopProof('DPoP proof must have a iat number property'); } if (typeof payload.jti !== 'string' || !payload.jti) { throw new InvalidDpopProof('DPoP proof must have a jti string property'); } if (payload.nonce !== undefined && typeof payload.nonce !== 'string') { throw new InvalidDpopProof('DPoP proof nonce must be a string'); } if (!payload.nonce) { const now = epochTime(); const diff = Math.abs(now - payload.iat); if (diff > CHALLENGE_OK_WINDOW) { if (nextNonce) { ctx.set('dpop-nonce', nextNonce); throw new UseDpopNonce('DPoP proof iat is not recent enough, use a DPoP nonce instead'); } throw new InvalidDpopProof('DPoP proof iat is not recent enough'); } } else if (!DPoPNonces) { throw new InvalidDpopProof('DPoP nonces are not supported'); } if (payload.htm !== ctx.method) { throw new InvalidDpopProof('DPoP proof htm mismatch'); } { const expected = new URL(ctx.oidc.urlFor(ctx.oidc.route)).href; const actual = URL.parse(payload.htu); if (!actual) return false; actual.hash = ''; actual.search = ''; if (actual?.href !== expected) { throw new InvalidDpopProof('DPoP proof htu mismatch'); } } if (accessToken) { const ath = crypto.hash('sha256', accessToken, 'base64url'); if (payload.ath !== ath) { throw new InvalidDpopProof('DPoP proof ath mismatch'); } } } catch (err) { if (err instanceof InvalidDpopProof || err instanceof UseDpopNonce) { throw err; } throw new InvalidDpopProof('invalid DPoP key binding', err.message); } if (!payload.nonce && requireNonce) { ctx.set('dpop-nonce', nextNonce); throw new UseDpopNonce('nonce is required in the DPoP proof'); } if (payload.nonce && !DPoPNonces.checkChallenge(payload.nonce)) { ctx.set('dpop-nonce', nextNonce); throw new UseDpopNonce('invalid nonce in DPoP proof'); } if (payload.nonce !== nextNonce) { ctx.set('dpop-nonce', nextNonce); } const thumbprint = await calculateJwkThumbprint(protectedHeader.jwk); const result = { thumbprint, jti: payload.jti, iat: payload.iat }; weakMap.set(ctx, result); return result; };