npm - @axa-fr/oidc-client - Versions diffs - 7.4.0 → 7.5.0 - Mend

@axa-fr/oidc-client 7.4.0 → 7.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/src/jwt.ts ADDED Viewed

@@ -0,0 +1,248 @@
+// code base on https://coolaj86.com/articles/sign-jwt-webcrypto-vanilla-js/
+// String (UCS-2) to Uint8Array
+//
+// because... JavaScript, Strings, and Buffers
+// @ts-ignore
+function strToUint8(str) {
+    return new TextEncoder().encode(str);
+}
+// Binary String to URL-Safe Base64
+//
+// btoa (Binary-to-Ascii) means "binary string" to base64
+// @ts-ignore
+function binToUrlBase64(bin) {
+    return btoa(bin)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+/g, '');
+}
+// UTF-8 to Binary String
+//
+// Because JavaScript has a strange relationship with strings
+// https://coolaj86.com/articles/base64-unicode-utf-8-javascript-and-you/
+// @ts-ignore
+function utf8ToBinaryString(str) {
+    const escstr = encodeURIComponent(str);
+    // replaces any uri escape sequence, such as %0A,
+    // with binary escape, such as 0x0A
+    const binstr = escstr.replace(/%([0-9A-F]{2})/g, function (match, p1) {
+        return String.fromCharCode(parseInt(p1, 16));
+    });
+    return binstr;
+}
+// Uint8Array to URL Safe Base64
+//
+// the shortest distant between two encodings... binary string
+// @ts-ignore
+function uint8ToUrlBase64(uint8) {
+    let bin = '';
+    // @ts-ignore
+    uint8.forEach(function(code) {
+        bin += String.fromCharCode(code);
+    });
+    return binToUrlBase64(bin);
+}
+// UCS-2 String to URL-Safe Base64
+//
+// btoa doesn't work on UTF-8 strings
+// @ts-ignore
+function strToUrlBase64(str) {
+    return binToUrlBase64(utf8ToBinaryString(str));
+}
+export var JWT = {};
+// @ts-ignore
+JWT.sign = (jwk, headers, claims, jwtHeaderType= 'dpop+jwt') => {
+    // Make a shallow copy of the key
+    // (to set ext if it wasn't already set)
+    jwk = Object.assign({}, jwk);
+    // The headers should probably be empty
+    headers.typ = jwtHeaderType;
+    headers.alg = 'ES256';
+    if (!headers.kid) {
+        // alternate: see thumbprint function below
+        headers.jwk = { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y };
+    }
+    const jws = {
+        // @ts-ignore
+        // JWT "headers" really means JWS "protected headers"
+        protected: strToUrlBase64(JSON.stringify(headers)),
+        // @ts-ignore
+        // JWT "claims" are really a JSON-defined JWS "payload"
+        payload: strToUrlBase64(JSON.stringify(claims))
+    };
+    // To import as EC (ECDSA, P-256, SHA-256, ES256)
+    const keyType = {
+        name: 'ECDSA',
+        namedCurve: 'P-256',
+        hash: {name: 'ES256'}
+    };
+    // To make re-exportable as JSON (or DER/PEM)
+    const exportable = true;
+    // Import as a private key that isn't black-listed from signing
+    const privileges = ['sign'];
+    // Actually do the import, which comes out as an abstract key type
+    // @ts-ignore
+    return window.crypto.subtle
+        // @ts-ignore
+        .importKey('jwk', jwk, keyType, exportable, privileges)
+        .then(function(privateKey) {
+            // Convert UTF-8 to Uint8Array ArrayBuffer
+            // @ts-ignore
+            const data = strToUint8(jws.protected + '.' + jws.payload);
+            // The signature and hash should match the bit-entropy of the key
+            // https://tools.ietf.org/html/rfc7518#section-3
+            const signatureType = {name: 'ECDSA', hash: {name: 'SHA-256'}};
+            return window.crypto.subtle.sign(signatureType, privateKey, data).then(function(signature) {
+                // returns an ArrayBuffer containing a JOSE (not X509) signature,
+                // which must be converted to Uint8 to be useful
+                // @ts-ignore
+                jws.signature = uint8ToUrlBase64(new Uint8Array(signature));
+                // JWT is just a "compressed", "protected" JWS
+                // @ts-ignore
+                return jws.protected + '.' + jws.payload + '.' + jws.signature;
+            });
+        });
+};
+const EC = {};
+// @ts-ignore
+EC.generate = function() {
+    const keyType = {
+        name: 'ECDSA',
+        namedCurve: 'P-256'
+    };
+    const exportable = true;
+    const privileges = ['sign', 'verify'];
+    // @ts-ignore
+    return window.crypto.subtle.generateKey(keyType, exportable, privileges).then(function(key) {
+        // returns an abstract and opaque WebCrypto object,
+        // which in most cases you'll want to export as JSON to be able to save
+        return window.crypto.subtle.exportKey('jwk', key.privateKey);
+    });
+};
+// Create a Public Key from a Private Key
+//
+// chops off the private parts
+// @ts-ignore
+EC.neuter = function(jwk) {
+    const copy = Object.assign({}, jwk);
+    delete copy.d;
+    copy.key_ops = ['verify'];
+    return copy;
+};
+export var JWK = {};
+// @ts-ignore
+JWK.thumbprint = function(jwk) {
+    // lexigraphically sorted, no spaces
+    const sortedPub = '{"crv":"CRV","kty":"EC","x":"X","y":"Y"}'
+        .replace('CRV', jwk.crv)
+        .replace('X', jwk.x)
+        .replace('Y', jwk.y);
+    // The hash should match the size of the key,
+    // but we're only dealing with P-256
+    return window.crypto.subtle
+        .digest({ name: 'SHA-256' }, strToUint8(sortedPub))
+        .then(function(hash) {
+            return uint8ToUrlBase64(new Uint8Array(hash));
+        });
+};
+const guid = function () {
+    // RFC4122: The version 4 UUID is meant for generating UUIDs from truly-random or
+    // pseudo-random numbers.
+    // The algorithm is as follows:
+    //     Set the two most significant bits (bits 6 and 7) of the
+    //        clock_seq_hi_and_reserved to zero and one, respectively.
+    //     Set the four most significant bits (bits 12 through 15) of the
+    //        time_hi_and_version field to the 4-bit version number from
+    //        Section 4.1.3. Version4
+    //     Set all the other bits to randomly (or pseudo-randomly) chosen
+    //     values.
+    // UUID                   = time-low "-" time-mid "-"time-high-and-version "-"clock-seq-reserved and low(2hexOctet)"-" node
+    // time-low               = 4hexOctet
+    // time-mid               = 2hexOctet
+    // time-high-and-version  = 2hexOctet
+    // clock-seq-and-reserved = hexOctet:
+    // clock-seq-low          = hexOctet
+    // node                   = 6hexOctet
+    // Format: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
+    // y could be 1000, 1001, 1010, 1011 since most significant two bits needs to be 10
+    // y values are 8, 9, A, B
+    const guidHolder = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx';
+    const hex = '0123456789abcdef';
+    let r = 0;
+    let guidResponse = "";
+    for (let i = 0; i < 36; i++) {
+        if (guidHolder[i] !== '-' && guidHolder[i] !== '4') {
+            // each x and y needs to be random
+            r = Math.random() * 16 | 0;
+        }
+        if (guidHolder[i] === 'x') {
+            guidResponse += hex[r];
+        } else if (guidHolder[i] === 'y') {
+            // clock-seq-and-reserved first hex is filtered and remaining hex values are random
+            r &= 0x3; // bit and with 0011 to set pos 2 to zero ?0??
+            r |= 0x8; // set pos 3 to 1 as 1???
+            guidResponse += hex[r];
+        } else {
+            guidResponse += guidHolder[i];
+        }
+    }
+    return guidResponse;
+};
+export const generateJwkAsync = () => {
+    // @ts-ignore
+    return EC.generate().then(function(jwk) {
+        // console.info('Private Key:', JSON.stringify(jwk));
+        // @ts-ignore
+        // console.info('Public Key:', JSON.stringify(EC.neuter(jwk)));
+        return jwk;
+    });
+}
+export const generateJwtDemonstratingProofOfPossessionAsync = (jwk, method = 'POST', url: string, extrasClaims={}) => {
+    const claims = {
+        // https://www.rfc-editor.org/rfc/rfc9449.html#name-concept
+        jit: btoa(guid()),
+        htm: method,
+        htu: url,
+        iat: Math.round(Date.now() / 1000),
+        ...extrasClaims,
+    };
+    // @ts-ignore
+    return JWK.thumbprint(jwk).then(function(kid) {
+        // @ts-ignore
+        return JWT.sign(jwk, { /*kid: kid*/ }, claims).then(function(jwt) {
+            // console.info('JWT:', jwt);
+            return jwt;
+        });
+    });
+}
+export default EC;

package/src/login.ts CHANGED Viewed

@@ -1,14 +1,18 @@
-import { generateRandom } from './crypto.js';
-import { eventNames } from './events.js';
-import { initSession } from './initSession.js';
-import { initWorkerAsync } from './initWorker.js';
-import { isTokensOidcValid } from './parseTokens.js';
-import { performAuthorizationRequestAsync, performFirstTokenRequestAsync } from './requests.js';
-import { getParseQueryStringFromLocation } from './route-utils.js';
-import { OidcConfiguration, StringMap } from './types.js';
+import {generateRandom} from './crypto.js';
+import {eventNames} from './events.js';
+import {initSession} from './initSession.js';
+import {initWorkerAsync} from './initWorker.js';
+import {isTokensOidcValid} from './parseTokens.js';
+import {
+    performAuthorizationRequestAsync,
+    performFirstTokenRequestAsync
+} from './requests.js';
+import {getParseQueryStringFromLocation} from './route-utils.js';
+import {OidcConfiguration, StringMap} from './types.js';
+import {generateJwkAsync, generateJwtDemonstratingProofOfPossessionAsync} from "./jwt";
 // eslint-disable-next-line @typescript-eslint/ban-types
-export const defaultLoginAsync = (window, configurationName, configuration:OidcConfiguration, publishEvent :(string, any)=>void, initAsync:Function) => (callbackPath:string = undefined, extras:StringMap = null, isSilentSignin = false, scope:string = undefined) => {
+export const defaultLoginAsync = (window, configurationName:string, configuration:OidcConfiguration, publishEvent :(string, any)=>void, initAsync:Function) => (callbackPath:string = undefined, extras:StringMap = null, isSilentSignin = false, scope:string = undefined) => {
     const originExtras = extras;
     extras = { ...extras };
     const loginLocalAsync = async () => {
@@ -42,14 +46,14 @@ export const defaultLoginAsync = (window, configurationName, configuration:OidcC
             const oidcServerConfiguration = await initAsync(configuration.authority, configuration.authority_configuration);
             let storage;
             if (serviceWorker) {
-                serviceWorker.setLoginParams(configurationName, { callbackPath: url, extras: originExtras });
+                serviceWorker.setLoginParams({ callbackPath: url, extras: originExtras });
                 await serviceWorker.initAsync(oidcServerConfiguration, 'loginAsync', configuration);
                 await serviceWorker.setNonceAsync(nonce);
                 serviceWorker.startKeepAliveServiceWorker();
                 storage = serviceWorker;
             } else {
                 const session = initSession(configurationName, configuration.storage ?? sessionStorage);
-                session.setLoginParams(configurationName, { callbackPath: url, extras: originExtras });
+                session.setLoginParams({ callbackPath: url, extras: originExtras });
                 await session.setNonceAsync(nonce);
                 storage = session;
             }
@@ -91,7 +95,7 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
             await serviceWorker.initAsync(oidcServerConfiguration, 'loginCallbackAsync', configuration);
             await serviceWorker.setSessionStateAsync(sessionState);
             nonceData = await serviceWorker.getNonceAsync();
-            getLoginParams = serviceWorker.getLoginParams(oidc.configurationName);
+            getLoginParams = serviceWorker.getLoginParams();
             state = await serviceWorker.getStateAsync();
             serviceWorker.startKeepAliveServiceWorker();
             storage = serviceWorker;
@@ -99,7 +103,7 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
             const session = initSession(oidc.configurationName, configuration.storage ?? sessionStorage);
             await session.setSessionStateAsync(sessionState);
             nonceData = await session.getNonceAsync();
-            getLoginParams = session.getLoginParams(oidc.configurationName);
+            getLoginParams = session.getLoginParams();
             state = await session.getStateAsync();
             storage = session;
         }
@@ -135,8 +139,25 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
                 }
             }
         }
+        const url = oidcServerConfiguration.tokenEndpoint;
+        const headersExtras = {};
+        if(configuration.demonstrating_proof_of_possession) {
+            const jwk = await generateJwkAsync();
+            if (serviceWorker) {
+                await serviceWorker.setDemonstratingProofOfPossessionJwkAsync(jwk);
+            } else {
+                const session = initSession(oidc.configurationName, configuration.storage);
+                await session.setDemonstratingProofOfPossessionJwkAsync(jwk);
+            }
+            headersExtras['DPoP'] = await generateJwtDemonstratingProofOfPossessionAsync(jwk, 'POST', url);
+        }
-        const tokenResponse = await performFirstTokenRequestAsync(storage)(oidcServerConfiguration.tokenEndpoint, { ...data, ...extras }, oidc.configuration.token_renew_mode, tokenRequestTimeout);
+        const tokenResponse = await performFirstTokenRequestAsync(storage)(url,
+            { ...data, ...extras },
+            headersExtras,
+            oidc.configuration.token_renew_mode,
+            tokenRequestTimeout);
         if (!tokenResponse.success) {
             throw new Error('Token request failed');
@@ -144,13 +165,8 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
         let loginParams;
         const formattedTokens = tokenResponse.data.tokens;
-        if (serviceWorker) {
-            await serviceWorker.initAsync(redirectUri, 'syncTokensAsync', configuration);
-            loginParams = serviceWorker.getLoginParams(oidc.configurationName);
-        } else {
-            const session = initSession(oidc.configurationName, configuration.storage);
-            loginParams = session.getLoginParams(oidc.configurationName);
-        }
+        const demonstratingProofOfPossessionNonce = tokenResponse.data.demonstratingProofOfPossessionNonce;
         // @ts-ignore
         if (tokenResponse.data.state !== extras.state) {
             throw new Error('state is not valid');
@@ -159,6 +175,30 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
         if (!isValid) {
             throw new Error(`Tokens are not OpenID valid, reason: ${reason}`);
         }
+        if(serviceWorker){
+            if(formattedTokens.refreshToken && !formattedTokens.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) {
+                throw new Error("Refresh token should be hidden by service worker");
+            }
+            if(demonstratingProofOfPossessionNonce && formattedTokens.accessToken && formattedTokens.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) {
+                throw new Error("Demonstration of proof of possession require Access token not hidden by service worker");
+            }
+        }
+        if (serviceWorker) {
+            await serviceWorker.initAsync(redirectUri, 'syncTokensAsync', configuration);
+            loginParams = serviceWorker.getLoginParams();
+            if(demonstratingProofOfPossessionNonce) {
+                await serviceWorker.setDemonstratingProofOfPossessionNonce(demonstratingProofOfPossessionNonce);
+            }
+        } else {
+            const session = initSession(oidc.configurationName, configuration.storage);
+            loginParams = session.getLoginParams();
+            if(demonstratingProofOfPossessionNonce) {
+                await session.setDemonstratingProofOfPossessionNonce(demonstratingProofOfPossessionNonce);
+            }
+        }
         await oidc.startCheckSessionAsync(oidcServerConfiguration.checkSessionIframe, clientId, sessionState, isSilentSignin);
         oidc.publishEvent(eventNames.loginCallbackAsync_end, {});

package/src/oidc.ts CHANGED Viewed

@@ -1,23 +1,20 @@
-import { startCheckSessionAsync as defaultStartCheckSessionAsync } from './checkSession.js';
-import { CheckSessionIFrame } from './checkSessionIFrame.js';
-import { eventNames } from './events.js';
-import { initSession } from './initSession.js';
-import { initWorkerAsync, sleepAsync } from './initWorker.js';
-import { defaultLoginAsync, loginCallbackAsync } from './login.js';
-import { destroyAsync, logoutAsync } from './logout.js';
-import {
-    computeTimeLeft,
-    isTokensOidcValid,
-    setTokens, TokenRenewMode,
-    Tokens,
-} from './parseTokens.js';
-import { autoRenewTokens, renewTokensAndStartTimerAsync } from './renewTokens.js';
-import { fetchFromIssuer, performTokenRequestAsync } from './requests.js';
-import { getParseQueryStringFromLocation } from './route-utils.js';
-import defaultSilentLoginAsync, { _silentLoginAsync } from './silentLogin.js';
+import {startCheckSessionAsync as defaultStartCheckSessionAsync} from './checkSession.js';
+import {CheckSessionIFrame} from './checkSessionIFrame.js';
+import {eventNames} from './events.js';
+import {initSession} from './initSession.js';
+import {initWorkerAsync, sleepAsync} from './initWorker.js';
+import {defaultLoginAsync, loginCallbackAsync} from './login.js';
+import {destroyAsync, logoutAsync} from './logout.js';
+import {computeTimeLeft, isTokensOidcValid, setTokens, TokenRenewMode, Tokens,} from './parseTokens.js';
+import {autoRenewTokens, renewTokensAndStartTimerAsync} from './renewTokens.js';
+import {fetchFromIssuer, performTokenRequestAsync} from './requests.js';
+import {getParseQueryStringFromLocation} from './route-utils.js';
+import defaultSilentLoginAsync, {_silentLoginAsync} from './silentLogin.js';
 import timer from './timer.js';
-import { AuthorityConfiguration, Fetch, OidcConfiguration, StringMap } from './types.js';
-import { userInfoAsync } from './user.js';
+import {AuthorityConfiguration, Fetch, OidcConfiguration, StringMap} from './types.js';
+import {userInfoAsync} from './user.js';
+import {base64urlOfHashOfASCIIEncodingAsync} from "./crypto";
+import {generateJwtDemonstratingProofOfPossessionAsync} from "./jwt";
 export const getFetchDefault = () => {
     return fetch;
@@ -93,12 +90,6 @@ export class Oidc {
       if (refresh_time_before_tokens_expiration_in_second > 60) {
           refresh_time_before_tokens_expiration_in_second = refresh_time_before_tokens_expiration_in_second - Math.floor(Math.random() * 40);
       }
-      if (!configuration.logout_tokens_to_invalidate) {
-          configuration.logout_tokens_to_invalidate = ['access_token', 'refresh_token'];
-      }
-      if (!configuration.authority_timeout_wellknowurl_in_millisecond) {
-          configuration.authority_timeout_wellknowurl_in_millisecond = 10000;
-      }
       this.configuration = {
           ...configuration,
           silent_login_uri,
@@ -106,6 +97,9 @@ export class Oidc {
           refresh_time_before_tokens_expiration_in_second,
           silent_login_timeout: configuration.silent_login_timeout ?? 12000,
           token_renew_mode: configuration.token_renew_mode ?? TokenRenewMode.access_token_or_id_token_invalid,
+          demonstrating_proof_of_possession: configuration.demonstrating_proof_of_possession ?? false,
+          authority_timeout_wellknowurl_in_millisecond: configuration.authority_timeout_wellknowurl_in_millisecond ?? 10000,
+          logout_tokens_to_invalidate: configuration.logout_tokens_to_invalidate ?? ['access_token', 'refresh_token'],
       };
       this.getFetch = getFetch ?? getFetchDefault;
       this.configurationName = configurationName;
@@ -259,7 +253,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                     if (tokens) {
                         // @ts-ignore
                         this.tokens = setTokens(tokens, null, configuration.token_renew_mode);
-                        const getLoginParams = session.getLoginParams(this.configurationName);
+                        const getLoginParams = session.getLoginParams();
                         // @ts-ignore
                         this.timeoutId = autoRenewTokens(this, tokens.refreshToken, this.tokens.expiresAt, getLoginParams.extras);
                         const sessionState = await session.getSessionStateAsync();
@@ -329,11 +323,6 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
             if (!serviceWorker) {
                 const session = initSession(this.configurationName, this.configuration.storage);
                 session.setTokens(parsedTokens);
-            } else {
-                // @ts-ignore
-                if(!parsedTokens.fromServiceWorker){
-                    throw Error('security issue, parsedTokens.fromServiceWorker is not defined');
-                }
             }
             this.publishEvent(Oidc.eventNames.token_aquired, parsedTokens);
             // @ts-ignore
@@ -378,10 +367,10 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                 let loginParams;
                 const serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
                 if (serviceWorker) {
-                    loginParams = serviceWorker.getLoginParams(this.configurationName);
+                    loginParams = serviceWorker.getLoginParams();
                 } else {
                     const session = initSession(this.configurationName, configuration.storage);
-                    loginParams = session.getLoginParams(this.configurationName);
+                    loginParams = session.getLoginParams();
                 }
                 const silent_token_response = await silentLoginAsync({
                     ...loginParams.extras,
@@ -461,7 +450,19 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                         };
                         const oidcServerConfiguration = await this.initAsync(authority, configuration.authority_configuration);
                         const timeoutMs = document.hidden ? 10000 : 30000 * 10;
-                        const tokenResponse = await performTokenRequestAsync(this.getFetch())(oidcServerConfiguration.tokenEndpoint, details, finalExtras, tokens, configuration.token_renew_mode, timeoutMs);
+                        const url = oidcServerConfiguration.tokenEndpoint;
+                        const headersExtras = {};
+                        if(configuration.demonstrating_proof_of_possession) {
+                            headersExtras['DPoP'] = await this.generateDemonstrationOfProofOfPossessionAsync(tokens.accessToken, url, 'POST');
+                        }
+                        const tokenResponse = await performTokenRequestAsync(this.getFetch())(url,
+                            details,
+                            finalExtras,
+                            tokens,
+                            headersExtras,
+                            configuration.token_renew_mode,
+                            timeoutMs);
                         if (tokenResponse.success) {
                             const { isValid, reason } = isTokensOidcValid(tokenResponse.data, nonce.nonce, oidcServerConfiguration);
                             if (!isValid) {
@@ -470,6 +471,15 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                                 return { tokens: null, status: 'SESSION_LOST' };
                             }
                             updateTokens(tokenResponse.data);
+                            if(tokenResponse.demonstratingProofOfPossessionNonce) {
+                                const serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
+                                if(serviceWorker){
+                                    await serviceWorker.setDemonstratingProofOfPossessionNonce(tokenResponse.demonstratingProofOfPossessionNonce);
+                                } else {
+                                    const session = initSession(this.configurationName, configuration.storage);
+                                    await session.setDemonstratingProofOfPossessionNonce(tokenResponse.demonstratingProofOfPossessionNonce);
+                                }
+                            }
                             this.publishEvent(eventNames.refreshTokensAsync_end, { success: tokenResponse.success });
                             this.publishEvent(Oidc.eventNames.token_renewed, { reason: 'REFRESH_TOKEN' });
                             return { tokens: tokenResponse.data, status: 'LOGGED_IN' };
@@ -491,6 +501,30 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
             }
      }
+    async generateDemonstrationOfProofOfPossessionAsync(accessToken:string, url:string, method:string): Promise<string> {
+        const configuration = this.configuration;
+        const claimsExtras = {ath: await base64urlOfHashOfASCIIEncodingAsync(accessToken),};
+        const serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
+        let demonstratingProofOfPossessionNonce:string = null;
+        let jwk;
+        if (serviceWorker) {
+            demonstratingProofOfPossessionNonce = await serviceWorker.getDemonstratingProofOfPossessionNonce();
+            jwk = await serviceWorker.getDemonstratingProofOfPossessionJwkAsync();
+        } else {
+            const session = initSession(this.configurationName, configuration.storage);
+            jwk = await session.getDemonstratingProofOfPossessionJwkAsync();
+            demonstratingProofOfPossessionNonce = await session.getDemonstratingProofOfPossessionNonce();
+        }
+        if (demonstratingProofOfPossessionNonce) {
+            claimsExtras['nonce'] = demonstratingProofOfPossessionNonce;
+        }
+        return await generateJwtDemonstratingProofOfPossessionAsync(jwk, method, url, claimsExtras);
+    }
     async syncTokensInfoAsync(configuration, configurationName, currentTokens, forceRefresh = false) {
         // Service Worker can be killed by the browser (when it wants,for example after 10 seconds of inactivity, so we retreieve the session if it happen)
         // const configuration = this.configuration;

package/src/oidcClient.ts CHANGED Viewed

@@ -65,6 +65,10 @@ export class OidcClient {
         return this._oidc.configuration;
     }
+    async generateDemonstrationOfProofOfPossessionAsync(accessToken:string, url:string, method:string) : Promise<string> {
+        return this._oidc.generateDemonstrationOfProofOfPossessionAsync(accessToken, url, method);
+    }
     async getValidTokenAsync(waitMs = 200, numberWait = 50): Promise<ValidToken> {
         return getValidTokenAsync(this._oidc, waitMs, numberWait);
     }

package/src/parseTokens.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { sleepAsync } from './initWorker.js';
+import {sleepAsync} from './initWorker.js';
 const b64DecodeUnicode = (str) =>
     decodeURIComponent(Array.prototype.map.call(atob(str), (c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)).join(''));
@@ -46,20 +46,29 @@ export const TokenRenewMode = {
     id_token_invalid: 'id_token_invalid',
 };
+function extractedIssueAt(tokens, accessTokenPayload, _idTokenPayload) {
+    if (!tokens.issuedAt) {
+        if (accessTokenPayload && accessTokenPayload.iat) {
+            return accessTokenPayload.iat;
+        } else if (_idTokenPayload && _idTokenPayload.iat) {
+            return _idTokenPayload.iat;
+        } else {
+            const currentTimeUnixSecond = new Date().getTime() / 1000;
+            return currentTimeUnixSecond;
+        }
+    } else if (typeof tokens.issuedAt == "string") {
+        return parseInt(tokens.issuedAt, 10);
+    }
+    return tokens.issuedAt;
+}
 export const setTokens = (tokens, oldTokens = null, tokenRenewMode: string):Tokens => {
     if (!tokens) {
         return null;
     }
     let accessTokenPayload;
     const expireIn = typeof tokens.expiresIn == "string" ? parseInt(tokens.expiresIn, 10) : tokens.expiresIn;
-    if (!tokens.issuedAt) {
-        const currentTimeUnixSecond = new Date().getTime() / 1000;
-        tokens.issuedAt = currentTimeUnixSecond;
-    } else if (typeof tokens.issuedAt == "string") {
-        tokens.issuedAt = parseInt(tokens.issuedAt, 10);
-    }
     if (tokens.accessTokenPayload !== undefined) {
         accessTokenPayload = tokens.accessTokenPayload;
     } else {
@@ -70,6 +79,8 @@ export const setTokens = (tokens, oldTokens = null, tokenRenewMode: string):Toke
     const idTokenExpireAt = (_idTokenPayload && _idTokenPayload.exp) ? _idTokenPayload.exp : Number.MAX_VALUE;
     const accessTokenExpiresAt = (accessTokenPayload && accessTokenPayload.exp) ? accessTokenPayload.exp : tokens.issuedAt + expireIn;
+    tokens.issuedAt = extractedIssueAt(tokens, accessTokenPayload, _idTokenPayload);
     let expiresAt;
     if(tokens.expiresAt)
     {
@@ -127,18 +138,16 @@ export const parseOriginalTokens = (tokens, oldTokens, tokenRenewMode: string) =
         // @ts-ignore
         data.idTokenPayload = tokens.idTokenPayload;
     }
-    if(tokens.fromServiceWorker !== undefined) {
-        // @ts-ignore
-        data.fromServiceWorker = tokens.fromServiceWorker;
-    }
     return setTokens(data, oldTokens, tokenRenewMode);
 };
 export const computeTimeLeft = (refreshTimeBeforeTokensExpirationInSecond, expiresAt) => {
     const currentTimeUnixSecond = new Date().getTime() / 1000;
-    return Math.round(((expiresAt - refreshTimeBeforeTokensExpirationInSecond) - currentTimeUnixSecond));
+    const timeLeftSecond = expiresAt - currentTimeUnixSecond;
+    return Math.round(timeLeftSecond - refreshTimeBeforeTokensExpirationInSecond);
 };
 export const isTokensValid = (tokens) => {