Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide option to skip idToken signature validation #131

Merged
merged 2 commits into from
Aug 7, 2018

Conversation

jmelberg-okta
Copy link
Contributor

@jmelberg-okta jmelberg-okta commented Jun 26, 2018

Description

Grants developers the ability to disable idToken signature validation for testing purposes and browser support.

This feature will be undocumented, as it isn't compliant via Implicit ID Token Validation

Usage

The ignoreSignature param can be passed in during either client configuration or token validation.

Client configuration

var authClient =  new OktaAuth({
  url: 'https://{yourOktaDomain}',
  ignoreSignature: true
});

// An idToken returned from Okta will not have the signature verified.

Token validation

var validationOptions = {
  ignoreSignature: true
};

authClient.token.verify(idToken, validationOptions)
.then(function() {
  console.log('Token is valid!');
})
.catch(function(err) {
  console.error(err);
});

Resolves

@@ -78,6 +78,10 @@ function OktaAuthBuilder(args) {
this.options.maxClockSkew = args.maxClockSkew;
}

// Give the developer the ability to disable token signature
// validation.
this.options.ignoreSignature = args.ignoreSignature === true ? true : false;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be simplified to !!args.ignoreSignature

@jmelberg-okta jmelberg-okta force-pushed the jm-token-validation branch 6 times, most recently from a0bc65e to f3751dc Compare July 31, 2018 17:23
Copy link
Contributor

@robertjd robertjd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments, LGTM otherwise

lib/oauthUtil.js Outdated
if (!claims || !iss || !aud) {
throw new AuthSdkError('The jwt, iss, and aud arguments are all required');
}

if (nonce && claims.nonce !== nonce) {
if (validationParams.nonce && claims.nonce !== validationParams.nonce) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we're going to destrcture aud and iss, let's do the same for nonce

lib/token.js Outdated
@@ -48,12 +48,14 @@ function verifyToken(sdk, token, nonce, ignoreSignature) {

var jwt = decodeToken(token.idToken);

var validationOptions = oauthUtil.getDefaultValidationParams(sdk, validationParams);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this broken out to a function for test purposes? I ask because it feels like it would be more clear to just have the defaults as a literal, and then extend it with the incoming options. Having "get" functions that mutate their arguments never feel great.

@@ -78,6 +78,10 @@ function OktaAuthBuilder(args) {
this.options.maxClockSkew = args.maxClockSkew;
}

// Give the developer the ability to disable token signature
// validation.
this.options.ignoreSignature = !!args.ignoreSignature;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Offline conversation: add this to README

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants