@axa-fr/react-oidc 6.3.0 → 6.4.0

package/src/oidc/vanilla/oidc.ts

@@ -19,7 +19,7 @@ import timer from './timer';
 import {CheckSessionIFrame} from "./checkSessionIFrame"
 import {getParseQueryStringFromLocation} from "./route-utils";
 import {AuthorizationServiceConfigurationJson} from "@openid/appauth/src/authorization_service_configuration";
-import {computeTimeLeft, isTokensValid, parseOriginalTokens, setTokens} from "./parseTokens";
+import {computeTimeLeft, isTokensOidcValid, isTokensValid, parseOriginalTokens, setTokens} from "./parseTokens";
 
 const performTokenRequestAsync= async (url, details, extras) => {
     
@@ -80,10 +80,12 @@ const internalFetch = async (url, headers, numberRetry=0) => {
 
 export interface OidcAuthorizationServiceConfigurationJson extends AuthorizationServiceConfigurationJson{
     check_session_iframe?: string;
+    issuer:string;
 }
 
 export class OidcAuthorizationServiceConfiguration extends AuthorizationServiceConfiguration{
     private check_session_iframe: string;
+    private issuer: string;
     
     constructor(request: any) {
         super(request);
@@ -92,6 +94,7 @@ export class OidcAuthorizationServiceConfiguration extends AuthorizationServiceC
         this.revocationEndpoint = request.revocation_endpoint;
         this.userInfoEndpoint = request.userinfo_endpoint;
         this.check_session_iframe = request.check_session_iframe;
+        this.issuer = request.issuer;
     }
     
 }
@@ -113,6 +116,7 @@ export interface AuthorityConfiguration {
     end_session_endpoint?: string;
     userinfo_endpoint?: string;
     check_session_iframe?:string;
+    issuer:string;
 }
 
  export type OidcConfiguration = {
@@ -519,6 +523,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                     token_endpoint: authorityConfiguration.token_endpoint,
                     userinfo_endpoint: authorityConfiguration.userinfo_endpoint,
                     check_session_iframe: authorityConfiguration.check_session_iframe,
+                    issuer: authorityConfiguration.issuer,
                 });
             }
 
@@ -636,23 +641,38 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                     scope = configuration.scope;
                 }
 
+                const randomString = function(length) {
+                    let text = "";
+                    const possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+                    for(let i = 0; i < length; i++) {
+                        text += possible.charAt(Math.floor(Math.random() * possible.length));
+                    }
+                    return text;
+                }
+
                 setLoginParams(this.configurationName, redirectUri, {callbackPath: url, extras, state});
-                
+                const extraFinal = extras ?? configuration.extras ?? {};
+                if(!extraFinal.nonce) {
+                    extraFinal["nonce"] = randomString(12);
+                }
+                const nonce = {"nonce":extraFinal.nonce};
                 let serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
                 const oidcServerConfiguration = await this.initAsync(configuration.authority, configuration.authority_configuration);
                 let storage;
                 if (serviceWorker) {
                     serviceWorker.startKeepAliveServiceWorker();
                     await serviceWorker.initAsync(oidcServerConfiguration, "loginAsync");
+                    await serviceWorker.setNonceAsync(nonce);
                     storage = new MemoryStorageBackend(serviceWorker.saveItemsAsync, {});
                     await storage.setItem("dummy", {});
+                    
                 } else {
                     const session = initSession(this.configurationName, redirectUri);
+                    await session.setNonceAsync(nonce);
                     storage = new MemoryStorageBackend(session.saveItemsAsync, {});
                 }
-
-                const extraFinal = extras ?? configuration.extras ?? {};
-
+                
+                
                 // @ts-ignore
                 const queryStringUtil = redirectUri.includes("#") ? new HashQueryStringUtils() : new NoHashQueryStringUtils();
                 const authorizationHandler = new RedirectRequestHandler(storage, queryStringUtil, window.location, new DefaultCrypto());
@@ -774,6 +794,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
             const sessionState =  queryParams.session_state;
             const serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
             let storage = null;
+            let nonceData = null;
             if(serviceWorker){
                 serviceWorker.startKeepAliveServiceWorker();
                 this.serviceWorker = serviceWorker;
@@ -786,14 +807,16 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                 }
                 await storage.removeItem("dummy");
                 await serviceWorker.setSessionStateAsync(sessionState);
+                nonceData = await serviceWorker.getNonceAsync();
             }else{
-                
                 this.session = initSession(this.configurationName, redirectUri, configuration.storage ?? sessionStorage);
                 const session = initSession(this.configurationName, redirectUri);
                 session.setSessionState(sessionState);
                 const items = await session.loadItemsAsync();
                 storage = new MemoryStorageBackend(session.saveItemsAsync, items);
+                nonceData = await session.getNonceAsync();
             }
+
             return new Promise((resolve, reject) => {
                 // @ts-ignore
                 let queryStringUtil = new NoHashQueryStringUtils();
@@ -853,6 +876,16 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                                 if (serviceWorker) {
                                     const {tokens} = await serviceWorker.initAsync(oidcServerConfiguration, "syncTokensAsync");
                                     tokenResponse = tokens;
+                                };
+                                if(!isTokensOidcValid(tokenResponse, nonceData.nonce, oidcServerConfiguration)){
+                                    const exception = new Error("Tokens are not OpenID valid");
+                                    if(timeoutId) {
+                                        clearTimeout(timeoutId);
+                                        this.timeoutId=null;
+                                        this.publishEvent(eventNames.loginCallbackAsync_error, exception);
+                                        console.error(exception);
+                                        reject(exception);
+                                    }
                                 }
 
                                 // @ts-ignore
@@ -971,6 +1004,10 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                             const oidcServerConfiguration = await this.initAsync(authority, configuration.authority_configuration);
                             const tokenResponse = await performTokenRequestAsync(oidcServerConfiguration.tokenEndpoint, details, extras)
                             if (tokenResponse.success) {
+                                if(!isTokensOidcValid(tokenResponse.data, null, oidcServerConfiguration)){
+                                    this.publishEvent(eventNames.refreshTokensAsync_error, {message: `refresh token return not valid tokens` });
+                                    return {tokens:null, status:"SESSION_LOST"};
+                                }
                                 this.publishEvent(eventNames.refreshTokensAsync_end, {success: tokenResponse.success});
                                 this.publishEvent(Oidc.eventNames.token_renewed, {});
                                 return {tokens: tokenResponse.data, status:"LOGGED_IN"};

package/src/oidc/vanilla/parseTokens.ts

@@ -51,7 +51,7 @@ export const setTokens = (tokens) =>{
     else {
         accessTokenPayload = extractAccessTokenPayload(tokens);
     }
-    const _idTokenPayload = idTokenPayload(tokens.idToken);
+    const _idTokenPayload = tokens.idTokenPayload ? tokens.idTokenPayload : idTokenPayload(tokens.idToken);
 
     const idTokenExipreAt =(_idTokenPayload && _idTokenPayload.exp) ? _idTokenPayload.exp: Number.MAX_VALUE;
     const accessTokenExpiresAt =  (accessTokenPayload && accessTokenPayload.exp)? accessTokenPayload.exp : tokens.issuedAt + tokens.expiresIn;
@@ -61,6 +61,7 @@ export const setTokens = (tokens) =>{
 }
 
 
+
 export const parseOriginalTokens= (tokens) =>{
     if(!tokens){
         return null;
@@ -104,4 +105,35 @@ export const isTokensValid= (tokens) =>{
         return false;
     }
     return computeTimeLeft(0, tokens.expiresAt) > 0;
+}
+
+// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation (excluding rules #1, #4, #5, #7, #8, #12, and #13 which did not apply).
+// https://github.com/openid/AppAuth-JS/issues/65
+export const isTokensOidcValid =(tokens, nonce, oidcServerConfiguration) =>{
+    if(tokens.idTokenPayload) {
+        const idTokenPayload = tokens.idTokenPayload;
+        // 2: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
+        if(oidcServerConfiguration.issuer !==  idTokenPayload.iss){
+            return false;
+        }
+        // 3: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
+        
+        // 6: If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.
+        
+        // 9: The current time MUST be before the time represented by the exp Claim.
+        const currentTimeUnixSecond = new Date().getTime() /1000;
+        if(idTokenPayload.exp && idTokenPayload.exp < currentTimeUnixSecond) {
+            return false;
+        }
+        // 10: The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.
+        const timeInSevenDays = 60 * 60 * 24 * 7;
+        if(idTokenPayload.iat && (idTokenPayload.iat + timeInSevenDays) < currentTimeUnixSecond) {
+            return false;
+        }
+        // 11: If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
+        if (idTokenPayload.nonce && idTokenPayload.nonce !== nonce) {
+            return false;
+        }
+    }
+    return true;
 }