Skip to content

Commit

Permalink
Updated per RD review
Browse files Browse the repository at this point in the history
  • Loading branch information
jmelberg-okta committed Aug 7, 2018
1 parent 907641e commit 13ffd77
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 43 deletions.
5 changes: 4 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,8 @@ tokenManager: {
| `redirectUri` | The url that is redirected to when using `token.getWithRedirect`. This must be pre-registered as part of client registration. If no `redirectUri` is provided, defaults to the current origin. |
| `authorizeUrl` | Specify a custom authorizeUrl to perform the OIDC flow. Defaults to the issuer plus "/v1/authorize". |
| `userinfoUrl` | Specify a custom userinfoUrl. Defaults to the issuer plus "/v1/userinfo". |
| `ignoreSignature` | Disable ID token signature validation. Defaults to `false`. |
| | **Important:** For the Implicit flow, the token signature MUST be validated per [ID token Validation](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation). This option should be used only for browser support and testing purposes. |

##### Example Client

Expand Down Expand Up @@ -251,7 +253,7 @@ var config = {
* [token.refresh](#tokenrefreshtokentorefresh)
* [token.getUserInfo](#tokengetuserinfoaccesstokenobject)
* [token.verify](#tokenverifyidtokenobject)
* [tokenManager](#tokenManager)
* [tokenManager](#tokenmanager)
* [tokenManager.add](#tokenmanageraddkey-token)
* [tokenManager.get](#tokenmanagergetkey)
* [tokenManager.remove](#tokenmanagerremovekey)
Expand Down Expand Up @@ -1477,6 +1479,7 @@ authClient.token.getUserInfo(accessTokenObject)
Verify the validity of an ID token's claims and check the signature on browsers that support web cryptography.
* `idTokenObject` - an ID token returned by this library. note: this is not the raw ID token JWT
* `ignoreSignature` - Optional parameter to disable ID token signature validation.
```javascript
authClient.token.verify(idTokenObject)
Expand Down
14 changes: 2 additions & 12 deletions lib/oauthUtil.js
Original file line number Diff line number Diff line change
Expand Up @@ -114,25 +114,16 @@ function getKey(sdk, issuer, kid) {
});
}

function getDefaultValidationParams(sdk, oauthOptions) {
var defaults = {
clientId: sdk.options.clientId,
issuer: sdk.options.issuer || sdk.options.url,
ignoreSignature: sdk.options.ignoreSignature
};
util.extend(defaults, oauthOptions);
return defaults;
}

function validateClaims(sdk, claims, validationParams) {
var aud = validationParams.clientId;
var iss = validationParams.issuer;
var nonce = validationParams.nonce;

if (!claims || !iss || !aud) {
throw new AuthSdkError('The jwt, iss, and aud arguments are all required');
}

if (validationParams.nonce && claims.nonce !== validationParams.nonce) {
if (nonce && claims.nonce !== nonce) {
throw new AuthSdkError('OAuth flow response nonce doesn\'t match request nonce');
}

Expand Down Expand Up @@ -260,7 +251,6 @@ function hashToObject(hash) {
}

module.exports = {
getDefaultValidationParams: getDefaultValidationParams,
getWellKnown: getWellKnown,
getKey: getKey,
validateClaims: validateClaims,
Expand Down
8 changes: 7 additions & 1 deletion lib/token.js
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,13 @@ function verifyToken(sdk, token, validationParams) {

var jwt = decodeToken(token.idToken);

var validationOptions = oauthUtil.getDefaultValidationParams(sdk, validationParams);
var validationOptions = {
clientId: sdk.options.clientId,
issuer: sdk.options.issuer || sdk.options.url,
ignoreSignature: sdk.options.ignoreSignature
};

util.extend(validationOptions, validationParams);

// Standard claim validation
oauthUtil.validateClaims(sdk, jwt.payload, validationOptions);
Expand Down
29 changes: 0 additions & 29 deletions test/spec/oauthUtil.js
Original file line number Diff line number Diff line change
Expand Up @@ -559,35 +559,6 @@ define(function(require) {

});

describe('getDefaultValidationParams', function () {
var contains = jasmine.objectContaining;
var sdk = new OktaAuth({
url: 'https://auth-js-test.okta.com',
clientId: 'foo',
ignoreSignature: false
});

it('returns params passed in during AuthJS construction', function () {
expect(oauthUtil.getDefaultValidationParams(sdk)).toEqual(contains({
issuer: 'https://auth-js-test.okta.com',
clientId: 'foo',
ignoreSignature: false
}));
});

it('returns passed in options over the params used during AuthJS construction', function () {
var defaultParams = oauthUtil.getDefaultValidationParams(sdk, {
issuer: 'https://auth-js-test.okta.com/oauth2/default',
clientId: 'bar'
});
expect(defaultParams).toEqual(contains({
issuer: 'https://auth-js-test.okta.com/oauth2/default',
clientId: 'bar',
ignoreSignature: false
}));
});
});

describe('validateClaims', function () {
var sdk = new OktaAuth({
url: 'https://auth-js-test.okta.com',
Expand Down

0 comments on commit 13ffd77

Please sign in to comment.