@connectid-tools/rp-nodejs-sdk 4.2.1 → 5.0.1

package/model/token-set.d.ts

@@ -0,0 +1,73 @@
+import { IdTokenClaims } from './claims.js';
+import { TokenResponse } from './token-response.js';
+import { JWKSet } from './jwks.js';
+/**
+ * Token Set
+ *
+ * Represents an OAuth 2.0 / OIDC token response with validation capabilities.
+ * Handles ID token validation and claims extraction.
+ */
+export declare class TokenSet {
+    readonly access_token?: string;
+    readonly token_type?: string;
+    readonly expires_in?: number;
+    readonly refresh_token?: string;
+    readonly scope?: string;
+    readonly id_token?: string;
+    private idTokenClaims?;
+    private jwtPayload?;
+    private tokenIssuedAt;
+    /**
+     * Creates a new TokenSet from a token response.
+     *
+     * @param tokenResponse - Raw token response from the token endpoint
+     */
+    constructor(tokenResponse: TokenResponse);
+    /**
+     * Validates the ID token.
+     *
+     * Performs the following validations:
+     * - Algorithm validation against allowed algorithms
+     * - Signature verification using JWKS
+     * - Issuer validation
+     * - Audience validation
+     * - Nonce validation
+     * - Timestamp validation (iat, exp)
+     *
+     * @param jwks - JSON Web Key Set for signature verification
+     * @param expectedIssuer - Expected issuer claim value
+     * @param expectedAudience - Expected audience claim value
+     * @param expectedNonce - Expected nonce value
+     * @param allowedAlgorithms - Optional list of allowed signing algorithms from discovery document
+     * @throws Error if validation fails
+     */
+    validate(jwks: JWKSet, expectedIssuer: string, expectedAudience: string, expectedNonce: string, allowedAlgorithms?: string[]): Promise<void>;
+    /**
+     * Returns the parsed ID token claims.
+     *
+     * Must call validate() first.
+     *
+     * @returns Parsed and validated ID token claims
+     * @throws Error if token has not been validated
+     */
+    claims(): IdTokenClaims;
+    /**
+     * Checks if the access token has expired.
+     *
+     * @returns true if the token is expired, false otherwise
+     */
+    expired(): boolean;
+    /**
+     * Selects the appropriate key from JWKS for verification.
+     *
+     * Matches based on:
+     * - kid (key ID)
+     * - alg (algorithm)
+     * - use (key usage - should be 'sig')
+     *
+     * @param jwks - JSON Web Key Set
+     * @returns Imported crypto key for verification
+     * @throws Error if no matching key is found
+     */
+    private selectKey;
+}

package/model/token-set.js

@@ -0,0 +1,179 @@
+import { jwtVerify, decodeProtectedHeader, importJWK } from 'jose';
+/**
+ * Token Set
+ *
+ * Represents an OAuth 2.0 / OIDC token response with validation capabilities.
+ * Handles ID token validation and claims extraction.
+ */
+export class TokenSet {
+    /**
+     * Creates a new TokenSet from a token response.
+     *
+     * @param tokenResponse - Raw token response from the token endpoint
+     */
+    constructor(tokenResponse) {
+        this.access_token = tokenResponse.access_token;
+        this.token_type = tokenResponse.token_type;
+        this.expires_in = tokenResponse.expires_in;
+        this.refresh_token = tokenResponse.refresh_token;
+        this.scope = tokenResponse.scope;
+        this.id_token = tokenResponse.id_token;
+        this.tokenIssuedAt = Math.floor(Date.now() / 1000);
+    }
+    /**
+     * Validates the ID token.
+     *
+     * Performs the following validations:
+     * - Algorithm validation against allowed algorithms
+     * - Signature verification using JWKS
+     * - Issuer validation
+     * - Audience validation
+     * - Nonce validation
+     * - Timestamp validation (iat, exp)
+     *
+     * @param jwks - JSON Web Key Set for signature verification
+     * @param expectedIssuer - Expected issuer claim value
+     * @param expectedAudience - Expected audience claim value
+     * @param expectedNonce - Expected nonce value
+     * @param allowedAlgorithms - Optional list of allowed signing algorithms from discovery document
+     * @throws Error if validation fails
+     */
+    async validate(jwks, expectedIssuer, expectedAudience, expectedNonce, allowedAlgorithms) {
+        if (!this.id_token) {
+            throw new Error('No id_token to validate');
+        }
+        try {
+            // Decode header to check algorithm before verification
+            const header = decodeProtectedHeader(this.id_token);
+            // Validate algorithm if allowed algorithms are provided
+            if (allowedAlgorithms && allowedAlgorithms.length > 0) {
+                if (!header.alg) {
+                    throw new Error('ID token missing alg in header');
+                }
+                const isAllowed = allowedAlgorithms.some((alg) => alg.toLowerCase() === header.alg.toLowerCase());
+                if (!isAllowed) {
+                    throw new Error(`ID token algorithm '${header.alg}' is not one of the allowed algorithms: ${allowedAlgorithms.join(', ')}`);
+                }
+            }
+            // Select the appropriate key from JWKS
+            const key = await this.selectKey(jwks);
+            // Verify signature and standard claims
+            const { payload } = await jwtVerify(this.id_token, key, {
+                issuer: expectedIssuer,
+                audience: expectedAudience,
+                algorithms: ['PS256', 'RS256'], // Accept both algorithms
+            });
+            // Validate nonce
+            if (payload.nonce !== expectedNonce) {
+                throw new Error(`Nonce mismatch: expected ${expectedNonce}, got ${payload.nonce}`);
+            }
+            // Validate audience claim per OpenID Connect Core 3.1.3.7
+            // If aud is an array, all audiences must be trusted (only our client ID is trusted)
+            // and azp claim should be present
+            if (Array.isArray(payload.aud)) {
+                // Check if all audiences are trusted (only client ID is trusted)
+                const untrustedAudiences = payload.aud.filter((aud) => aud !== expectedAudience);
+                if (untrustedAudiences.length > 0) {
+                    throw new Error(`ID token contains untrusted audiences: ${untrustedAudiences.join(', ')}`);
+                }
+                // Per OIDC spec clause 4: if multiple audiences, azp should be present
+                if (payload.aud.length > 1 && !payload.azp) {
+                    throw new Error('ID token contains multiple audiences but azp claim is missing');
+                }
+            }
+            // Validate required claims are present
+            const now = Math.floor(Date.now() / 1000);
+            if (!payload.iat) {
+                throw new Error('ID token missing iat claim');
+            }
+            if (!payload.exp) {
+                throw new Error('ID token missing exp claim');
+            }
+            // Validate iat (must not be more than 10 minutes old per Java SDK)
+            if (now - payload.iat > 600) {
+                throw new Error(`ID token iat is too old: issued at ${payload.iat}, current time ${now}`);
+            }
+            // Validate exp (must not be more than 5 minutes in the past - clock skew tolerance)
+            if (payload.exp < now - 300) {
+                throw new Error(`ID token expired more than 5 minutes ago: exp ${payload.exp}, current time ${now}`);
+            }
+            // Store validated claims
+            this.jwtPayload = payload;
+            this.idTokenClaims = payload;
+        }
+        catch (error) {
+            throw new Error(`ID token validation failed: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Returns the parsed ID token claims.
+     *
+     * Must call validate() first.
+     *
+     * @returns Parsed and validated ID token claims
+     * @throws Error if token has not been validated
+     */
+    claims() {
+        if (!this.idTokenClaims) {
+            throw new Error('ID token has not been validated. Call validate() first.');
+        }
+        return this.idTokenClaims;
+    }
+    /**
+     * Checks if the access token has expired.
+     *
+     * @returns true if the token is expired, false otherwise
+     */
+    expired() {
+        if (!this.expires_in) {
+            // If no expires_in, assume token doesn't expire
+            return false;
+        }
+        const now = Math.floor(Date.now() / 1000);
+        const expiresAt = this.tokenIssuedAt + this.expires_in;
+        return now >= expiresAt;
+    }
+    /**
+     * Selects the appropriate key from JWKS for verification.
+     *
+     * Matches based on:
+     * - kid (key ID)
+     * - alg (algorithm)
+     * - use (key usage - should be 'sig')
+     *
+     * @param jwks - JSON Web Key Set
+     * @returns Imported crypto key for verification
+     * @throws Error if no matching key is found
+     */
+    async selectKey(jwks) {
+        if (!this.id_token) {
+            throw new Error('No id_token present');
+        }
+        // Decode header to get kid and alg
+        const header = decodeProtectedHeader(this.id_token);
+        if (!header.kid) {
+            throw new Error('ID token missing kid in header');
+        }
+        // Find matching key
+        const matchingKey = jwks.keys.find((key) => {
+            // Match by kid (required)
+            if (key.kid !== header.kid) {
+                return false;
+            }
+            // Match by alg if present in key
+            if (key.alg && key.alg !== header.alg) {
+                return false;
+            }
+            // Match by use if present (should be 'sig' for signing)
+            if (key.use && key.use !== 'sig') {
+                return false;
+            }
+            return true;
+        });
+        if (!matchingKey) {
+            throw new Error(`No matching key found in JWKS for kid: ${header.kid}, alg: ${header.alg}`);
+        }
+        // Import the JWK for verification
+        return importJWK(matchingKey, header.alg);
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@connectid-tools/rp-nodejs-sdk",
-  "version": "4.2.1",
+  "version": "5.0.1",
   "description": "Digital Identity Relying Party Node SDK",
   "main": "relying-party-client-sdk.js",
   "types": "relying-party-client-sdk.d.ts",
@@ -31,17 +31,16 @@
   "homepage": "https://github.com/connectid-tools/rp-nodejs-sample-app",
   "dependencies": {
     "https": "^1.0.0",
-    "node-jose": "^2.2.0",
-    "openid-client": "^5.7.1",
+    "jose": "^6.0.0",
+    "undici": "^7.16.0",
     "winston": "^3.17.0"
   },
   "devDependencies": {
     "@types/node": "^20.19.9",
-    "@types/openid-client": "^3.7.0",
     "add-js-extension": "^1.0.4",
     "eslint": "^9.32.0",
     "prettier": "^3.6.2",
-    "replace-in-files-cli": "^2.2.0",
+    "replace-in-files-cli": "^4.0.0",
     "tsx": "^4.20.3",
     "typescript": "^5.9.2"
   },

package/relying-party-client-sdk.d.ts

@@ -1,37 +1,68 @@
-import { CallbackParamsType } from 'openid-client';
-import { AuthorisationServer, ConsolidatedTokenSet, Participant, RelyingPartyClientSdkConfig } from './types';
+import { CallbackParams, ConsolidatedTokenSet, Participant, RelyingPartyClientSdkConfig } from './types.js';
 export default class RelyingPartyClientSdk {
     private readonly logger;
     private config;
-    private readonly transportKey;
-    private readonly transportPem;
-    private readonly signingKey;
-    private readonly caPem;
     private readonly purpose;
-    private participantFilters;
-    private readonly default_cache_ttl;
-    private cachedParticipantsExpiry;
-    private cachedParticipants;
+    private readonly participantsEndpoint;
+    private readonly pushedAuthorisationRequestEndpoint;
+    private readonly retrieveTokenEndpoint;
+    private readonly userInfoEndpoint;
+    private readonly httpClient;
+    private readonly jwtHelper;
     constructor(config: RelyingPartyClientSdkConfig);
+    /**
+     * Get the list of participating identity providers within the scheme.
+     *
+     * Applies filtering based on SDK configuration.
+     *
+     * @returns List of participants
+     */
     getParticipants(): Promise<Participant[]>;
+    /**
+     * Get the list of fallback provider participants.
+     *
+     * @returns List of fallback provider participants
+     */
     getFallbackProviderParticipants(): Promise<Participant[]>;
-    getCurrentDate(): Date;
-    fetchParticipants(participantsUri: string): Promise<Participant[]>;
-    private retrieveFullParticipantsList;
+    /**
+     * Sends a Pushed Authorization Request (PAR).
+     *
+     * @param authServerId - Authorization server ID
+     * @param essentialClaims - Claims that must be provided
+     * @param voluntaryClaims - Claims that are optional
+     * @param purpose - Purpose string for data sharing
+     * @returns Object containing authorization URL and PKCE parameters
+     */
     sendPushedAuthorisationRequest(authServerId: string, essentialClaims: string[], voluntaryClaims?: string[], purpose?: string): Promise<{
         authUrl: string;
-        code_verifier: string;
+        codeVerifier: string;
         state: string;
         nonce: string;
-        xFapiInteractionId: `${string}-${string}-${string}-${string}-${string}`;
+        xFapiInteractionId: string;
     }>;
-    retrieveTokens(authorisationServerId: string, requestParams: CallbackParamsType, codeVerifier: string, state: string, nonce: string): Promise<ConsolidatedTokenSet>;
-    private buildConsolidatedTokenSet;
-    getAuthServerDetails(authServerId: string): Promise<AuthorisationServer>;
-    private generateClaimsRequest;
-    getUserInfo(authorisationServerId: string, accessToken: string): Promise<import("openid-client").UserinfoResponse<import("openid-client").UnknownObject, import("openid-client").UnknownObject>>;
-    private getKeyset;
-    private setupClient;
-    private generateRequest;
-    private generateXFapiInteractionId;
+    /**
+     * Retrieves tokens using an authorisation code.
+     *
+     * @param authorisationServerId - Authorisation server ID
+     * @param requestParams - OAuth callback parameters
+     * @param codeVerifier - PKCE code verifier from PAR
+     * @param state - State parameter from PAR
+     * @param nonce - Nonce parameter from PAR
+     * @returns Consolidated token set with validated claims
+     */
+    retrieveTokens(authorisationServerId: string, requestParams: CallbackParams, codeVerifier: string, state: string, nonce: string): Promise<ConsolidatedTokenSet>;
+    /**
+     * Retrieves user information from the UserInfo endpoint.
+     *
+     * @param authorisationServerId - Authorization server ID
+     * @param accessToken - Access token
+     * @returns UserInfo claims
+     */
+    getUserInfo(authorisationServerId: string, accessToken: string): Promise<Record<string, unknown>>;
+    /**
+     * Gets the current date (for testing purposes).
+     *
+     * @returns Current date
+     */
+    getCurrentDate(): Date;
 }