UNPKG

oidc-provider

Version:

OAuth 2.0 Authorization Server implementation for Node.js with OpenID Connect

github.com/panva/node-oidc-provider

panva/node-oidc-provider

82 lines (66 loc) 2.38 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
import presence from '../helpers/validate_presence.js'; import instance from '../helpers/weak_cache.js'; import getClientAuth from '../shared/client_auth.js'; import { urlencoded as parseBody } from '../shared/selective_body.js'; import rejectDupes from '../shared/reject_dupes.js'; import paramsMiddleware from '../shared/assemble_params.js'; import rejectStructuredTokens from '../shared/reject_structured_tokens.js'; import revoke from '../helpers/revoke.js'; import { checkAttestBinding } from '../helpers/check_attest_binding.js'; import { createTokenFinder } from '../helpers/token_find.js'; const revokeable = new Set(['AccessToken', 'ClientCredentials', 'RefreshToken']); export default function revocationAction(provider) { const { params: authParams, middleware: clientAuth } = getClientAuth(provider); const PARAM_LIST = new Set(['token', 'token_type_hint', ...authParams]); const { grantTypeHandlers, configuration } = instance(provider); const { features: { revocation: { allowedPolicy }, }, } = configuration; const findToken = createTokenFinder(provider, grantTypeHandlers); return [ parseBody, paramsMiddleware.bind(undefined, PARAM_LIST), ...clientAuth, rejectDupes.bind(undefined, {}), async function validateTokenPresence(ctx, next) { presence(ctx, 'token'); await next(); }, rejectStructuredTokens, async function renderTokenResponse(ctx, next) { ctx.status = 200; ctx.body = ''; await next(); }, async function revokeToken(ctx) { const { params } = ctx.oidc; const token = await findToken(params.token, params.token_type_hint); if (!token) return; if (revokeable.has(token.kind)) { ctx.oidc.entity(token.kind, token); } else { return; } if ( token.kind === 'RefreshToken' && ctx.oidc.client.clientId === token.clientId && ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth' ) { try { await checkAttestBinding(ctx, token); } catch { return; } } if (!(await allowedPolicy(ctx, ctx.oidc.client, token))) { return; } await token.destroy(); if (token.kind === 'RefreshToken' || token.kind === 'AccessToken') { await revoke(ctx, token.grantId); } }, ]; }