@connectid-tools/rp-nodejs-sdk 5.1.0 → 5.2.0

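--- a/package/README.md
+++ b/package/README.md
@@ -468,6 +468,15 @@ The required function parameters are:
 
 # Release Notes
 
+### 5.2.0 (Mar 23, 2026)
+
+- **OpenID Connect Discovery Section 4.3 Compliance**: Implemented issuer validation to ensure the issuer value in the provider configuration matches the Issuer URL used to retrieve it
+- Added validation that compares the issuer in `/.well-known/openid-configuration` response with the expected issuer URL
+- Properly handles trailing slash normalisation per RFC 3986
+- Throws descriptive exception when issuer mismatch is detected, stopping the flow as required by the specification
+- Validates both fresh and cached issuer metadata
+
+
 ### 5.1.0 (Feb 12, 2026)
 
 **HTTP Response Cache Implementation**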
@@ -31,6 +31,15 @@ export declare class DiscoveryService {
31
31
  * @throws Error if the JWKS cannot be fetched or parsed
32
32
  */
33
33
  static fetchJwks(jwksUri: string, httpAgent?: Agent, cache?: HttpResponseCache): Promise<JWKSet>;
34
+ /**
35
+ * Validates that the issuer in the discovery document matches the expected issuer
36
+ * derived from the discovery URL, as required by OpenID Connect Discovery Section 4.3.
37
+ *
38
+ * @param discoveryUrl - The URL used to fetch the discovery document
39
+ * @param metadata - The fetched discovery document
40
+ * @throws Error if the issuer does not match
41
+ */
42
+ private static validateIssuerMatch;
34
43
  /**
35
44
  * Validates that required discovery document fields are present.
36
45
  *
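Review bot: The TSDoc on `private static validateIssuerMatch` states `@throws Error if the issuer does not match` but does not mention two behaviours that the implementation hunk further down (`static validateIssuerMatch(discoveryUrl, metadata)`) makes visible: the comparison is only performed when `discoveryUrl` ends with `/.well-known/openid-configuration`, and trailing slashes are stripped from both values before comparing. Because this declaration is what SDK consumers read, I would add a line such as `* Note: the check is skipped for discovery URLs that do not end with /.well-known/openid-configuration; trailing slashes are ignored on both sides.` here and in the identical comment block on the implementation. The enclosing `DiscoveryService` declaration continues outside this hunk.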
@@ -38,6 +38,8 @@ export class DiscoveryService {
38
38
  const metadata = (await response.json());
39
39
  // Validate required fields
40
40
  this.validateDiscoveryDocument(metadata);
41
+ // Validate issuer matches the discovery URL (OpenID Connect Discovery Section 4.3)
42
+ this.validateIssuerMatch(discoveryUrl, metadata);
41
43
  // Apply mtls_endpoint_aliases if present
42
44
  const processedMetadata = this.applyMtlsAliases(metadata);
43
45
  // Cache successful response
@@ -95,6 +97,24 @@ export class DiscoveryService {
95
97
  throw new Error(`Failed to fetch JWKS from ${jwksUri}: ${error instanceof Error ? error.message : String(error)}`);
96
98
  }
97
99
  }
100
+ /**
101
+ * Validates that the issuer in the discovery document matches the expected issuer
102
+ * derived from the discovery URL, as required by OpenID Connect Discovery Section 4.3.
103
+ *
104
+ * @param discoveryUrl - The URL used to fetch the discovery document
105
+ * @param metadata - The fetched discovery document
106
+ * @throws Error if the issuer does not match
107
+ */
108
+ static validateIssuerMatch(discoveryUrl, metadata) {
109
+ const wellKnownSuffix = '/.well-known/openid-configuration';
110
+ if (discoveryUrl.endsWith(wellKnownSuffix)) {
111
+ const expectedIssuer = discoveryUrl.slice(0, -wellKnownSuffix.length).replace(/\/+$/, '');
112
+ const actualIssuer = metadata.issuer.replace(/\/+$/, '');
113
+ if (actualIssuer !== expectedIssuer) {
114
+ throw new Error(`Issuer mismatch: discovery document issuer "${metadata.issuer}" does not match expected issuer "${expectedIssuer}" derived from discovery URL`);
115
+ }
116
+ }
117
+ }
98
118
  /**
99
119
  * Validates that required discovery document fields are present.
100
120
  *
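Review bot: `validateIssuerMatch` returns normally without any comparison when `discoveryUrl` does not end with the well-known suffix (the outer `if` has no else branch), so a discovery URL in any other form receives no Section 4.3 check and the caller gets no signal that it was bypassed; unless every caller is known to build the URL with that suffix, throwing or at least logging in that case would be safer than a silent no-op. The method also assumes `metadata.issuer` is a string: if `validateDiscoveryDocument` (outside this hunk) does not already require `issuer`, `metadata.issuer.replace(...)` turns a missing or non-string issuer into a TypeError rather than the descriptive error the release notes promise, which a guard like `if (typeof metadata.issuer !== 'string') throw new Error('Discovery document is missing a string issuer');` before the comparison would avoid. Stripping trailing slashes on both sides is a deliberate relaxation of the spec's "identical" wording rather than RFC 3986 normalisation, so the comment on this method should say so; the same TSDoc appears in the .d.ts hunk above. The class body continues outside this hunk.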
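--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@connectid-tools/rp-nodejs-sdk",
-"version": "5.1.0",
+"version": "5.2.0",
 "description": "Digital Identity Relying Party Node SDK",
 "main": "relying-party-client-sdk.js",
 "types": "relying-party-client-sdk.d.ts",
@@ -32,7 +32,7 @@
 "dependencies": {
 "https": "^1.0.0",
 "jose": "^6.0.0",
-"undici": "^7.16.0",
+"undici": "^7.24.0",
 "winston": "^3.17.0"
 },
 "devDependencies": {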
@@ -28,7 +28,7 @@ export default class RelyingPartyClientSdk {
28
28
  throw new Error('Either ca_pem or ca_pem_content must be provided');
29
29
  }
30
30
  this.logger = getLogger(this.config.data.log_level);
31
- this.logger.info(`Creating RelyingPartyClientSdk - version 5.1.0`);
31
+ this.logger.info(`Creating RelyingPartyClientSdk - version 5.2.0`);
32
32
  // Validate and set purpose
33
33
  if (this.config.data.purpose) {
34
34
  const purposeValidation = validatePurpose(this.config.data.purpose);
@@ -1,2 +1,2 @@
1
- export declare const packageJsonVersion = "5.1.0";
1
+ export declare const packageJsonVersion = "5.2.0";
2
2
  export declare const buildUserAgent: (clientId: string) => string;
@@ -1,4 +1,4 @@
1
1
  import { getSystemInformation } from './system-information.js';
2
2
  // important: Update this every time the package version changes
3
- export const packageJsonVersion = '5.1.0';
3
+ export const packageJsonVersion = '5.2.0';
4
4
  export const buildUserAgent = (clientId) => `cid-rp-nodejs-sdk/${packageJsonVersion} ${getSystemInformation()} +${clientId}`;