import { STATUS_CODES } from 'node:http';
import instance from './weak_cache.js';
import { InvalidClientMetadata } from './errors.js';
import fetchRequest from './fetch_request.js';
import fetchBodyCheck from './fetch_body_check.js';
/**
 * Validates a client's `sector_identifier_uri` document against the client's registered metadata.
 *
 * Nothing happens when the provider's `sectorIdentifierUriValidate(client)` configuration hook
 * returns a falsy value. Otherwise the document is fetched with GET (`accept: application/json`),
 * must answer 200, and must parse as a single JSON array that contains:
 *   - every registered redirect_uri, when the client has any response_types;
 *   - the client's jwks_uri, when the client uses the CIBA or device_code grant type.
 *
 * The URL being fetched is client-supplied registration metadata, so this function performs an
 * outbound request to a destination chosen by the registrant. No destination or body-size policy
 * is applied in this block itself; that is left to fetchRequest / fetchBodyCheck.
 * NOTE(review): confirm those helpers enforce the intended outbound-fetch restrictions.
 *
 * @param {object} provider - the oidc-provider instance whose configuration is consulted and whose
 *   fetch helpers perform the request
 * @param {object} client - client metadata; reads sectorIdentifierUri, redirectUris, responseTypes,
 *   grantTypes and jwksUri
 * @returns {Promise<void>} resolves when validation passed or was skipped by configuration
 * @throws {InvalidClientMetadata} when the document cannot be loaded, is not a 200 response, is not
 *   valid JSON, or does not cover the client's registered URIs
 */
export default async function sectorValidate(provider, client) {
  const { configuration } = instance(provider);
  if (!configuration.sectorIdentifierUriValidate(client)) {
    return;
  }

  // Both the transport failure and the body-check failure surface with the same client-facing message.
  const loadFailure = (err) => new InvalidClientMetadata('could not load sector_identifier_uri response', err.message);

  const target = new URL(client.sectorIdentifierUri).href;
  const response = await fetchRequest(provider, target, {
    method: 'GET',
    headers: { accept: 'application/json' },
  }).catch((err) => {
    throw loadFailure(err);
  });

  const { status } = response;
  if (status !== 200) {
    throw new InvalidClientMetadata(`unexpected sector_identifier_uri response status code, expected 200 OK, got ${status} ${STATUS_CODES[status]}`);
  }

  let rawBody;
  try {
    const bytes = await fetchBodyCheck(provider, 'sector_identifier_uri', response);
    rawBody = bytes.toString();
  } catch (err) {
    throw loadFailure(err);
  }

  let document;
  try {
    document = JSON.parse(rawBody);
  } catch (err) {
    throw new InvalidClientMetadata('failed to parse sector_identifier_uri JSON response', err.message);
  }

  // Any failure raised by the content checks (including unexpected ones) is reported as client metadata error.
  try {
    assertSectorDocumentCovers(document, client);
  } catch (err) {
    throw new InvalidClientMetadata(err.message);
  }
}

/**
 * Throws a plain Error describing the first way `document` fails to cover the client's metadata.
 *
 * @param {unknown} document - parsed JSON from the sector_identifier_uri response
 * @param {object} client - client metadata; reads redirectUris, responseTypes, grantTypes, jwksUri
 * @returns {void}
 * @throws {Error} when the document is not an array or omits a required URI
 */
function assertSectorDocumentCovers(document, client) {
  if (!Array.isArray(document)) {
    throw new Error('sector_identifier_uri must return single JSON array');
  }

  // Set membership uses SameValueZero, matching Array#includes.
  const listed = new Set(document);
  const covers = (value) => listed.has(value);

  if (client.responseTypes.length) {
    const anyMissing = client.redirectUris.some((uri) => !covers(uri));
    if (anyMissing) {
      throw new Error('all registered redirect_uris must be included in the sector_identifier_uri response');
    }
  }

  const grantTypesNeedingJwksUri = [
    'urn:openid:params:grant-type:ciba',
    'urn:ietf:params:oauth:grant-type:device_code',
  ];
  const needsJwksUri = grantTypesNeedingJwksUri.some((grantType) => client.grantTypes.includes(grantType));
  if (needsJwksUri && !covers(client.jwksUri)) {
    throw new Error("client's jwks_uri must be included in the sector_identifier_uri response");
  }
}