@nocobase/plugin-idp-oauth 2.1.0-alpha.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.txt +107 -0
- package/README.md +14 -0
- package/build.config.ts +46 -0
- package/client.d.ts +2 -0
- package/client.js +1 -0
- package/dist/client/ErrorPage.d.ts +11 -0
- package/dist/client/InteractionPage.d.ts +11 -0
- package/dist/client/index.d.ts +9 -0
- package/dist/client/index.js +10 -0
- package/dist/client/locale.d.ts +10 -0
- package/dist/client/models/index.d.ts +11 -0
- package/dist/client/plugin.d.ts +13 -0
- package/dist/externalVersion.js +18 -0
- package/dist/index.d.ts +10 -0
- package/dist/index.js +48 -0
- package/dist/locale/en-US.json +1 -0
- package/dist/locale/zh-CN.json +1 -0
- package/dist/node_modules/eta/LICENSE +7 -0
- package/dist/node_modules/eta/README.md +185 -0
- package/dist/node_modules/eta/dist/core.d.ts +179 -0
- package/dist/node_modules/eta/dist/core.d.ts.map +1 -0
- package/dist/node_modules/eta/dist/core.js +42 -0
- package/dist/node_modules/eta/dist/core.js.map +1 -0
- package/dist/node_modules/eta/dist/index.cjs +542 -0
- package/dist/node_modules/eta/dist/index.cjs.map +1 -0
- package/dist/node_modules/eta/dist/index.d.cts +187 -0
- package/dist/node_modules/eta/dist/index.d.cts.map +1 -0
- package/dist/node_modules/eta/dist/index.d.mts +187 -0
- package/dist/node_modules/eta/dist/index.d.mts.map +1 -0
- package/dist/node_modules/eta/dist/index.mjs +512 -0
- package/dist/node_modules/eta/dist/index.mjs.map +1 -0
- package/dist/node_modules/eta/package.json +75 -0
- package/dist/node_modules/jose/LICENSE.md +21 -0
- package/dist/node_modules/jose/README.md +153 -0
- package/dist/node_modules/jose/dist/types/index.d.ts +55 -0
- package/dist/node_modules/jose/dist/types/jwe/compact/decrypt.d.ts +31 -0
- package/dist/node_modules/jose/dist/types/jwe/compact/encrypt.d.ts +65 -0
- package/dist/node_modules/jose/dist/types/jwe/flattened/decrypt.d.ts +31 -0
- package/dist/node_modules/jose/dist/types/jwe/flattened/encrypt.d.ts +83 -0
- package/dist/node_modules/jose/dist/types/jwe/general/decrypt.d.ts +38 -0
- package/dist/node_modules/jose/dist/types/jwe/general/encrypt.d.ts +74 -0
- package/dist/node_modules/jose/dist/types/jwk/embedded.d.ts +17 -0
- package/dist/node_modules/jose/dist/types/jwk/thumbprint.d.ts +32 -0
- package/dist/node_modules/jose/dist/types/jwks/local.d.ts +29 -0
- package/dist/node_modules/jose/dist/types/jwks/remote.d.ts +237 -0
- package/dist/node_modules/jose/dist/types/jws/compact/sign.d.ts +36 -0
- package/dist/node_modules/jose/dist/types/jws/compact/verify.d.ts +33 -0
- package/dist/node_modules/jose/dist/types/jws/flattened/sign.d.ts +42 -0
- package/dist/node_modules/jose/dist/types/jws/flattened/verify.d.ts +33 -0
- package/dist/node_modules/jose/dist/types/jws/general/sign.d.ts +53 -0
- package/dist/node_modules/jose/dist/types/jws/general/verify.d.ts +41 -0
- package/dist/node_modules/jose/dist/types/jwt/decrypt.d.ts +35 -0
- package/dist/node_modules/jose/dist/types/jwt/encrypt.d.ts +91 -0
- package/dist/node_modules/jose/dist/types/jwt/sign.d.ts +43 -0
- package/dist/node_modules/jose/dist/types/jwt/unsecured.d.ts +43 -0
- package/dist/node_modules/jose/dist/types/jwt/verify.d.ts +37 -0
- package/dist/node_modules/jose/dist/types/key/export.d.ts +33 -0
- package/dist/node_modules/jose/dist/types/key/generate_key_pair.d.ts +47 -0
- package/dist/node_modules/jose/dist/types/key/generate_secret.d.ts +35 -0
- package/dist/node_modules/jose/dist/types/key/import.d.ts +83 -0
- package/dist/node_modules/jose/dist/types/types.d.ts +852 -0
- package/dist/node_modules/jose/dist/types/util/base64url.d.ts +9 -0
- package/dist/node_modules/jose/dist/types/util/decode_jwt.d.ts +18 -0
- package/dist/node_modules/jose/dist/types/util/decode_protected_header.d.ts +17 -0
- package/dist/node_modules/jose/dist/types/util/errors.d.ts +213 -0
- package/dist/node_modules/jose/dist/webapi/index.js +32 -0
- package/dist/node_modules/jose/dist/webapi/jwe/compact/decrypt.js +27 -0
- package/dist/node_modules/jose/dist/webapi/jwe/compact/encrypt.js +27 -0
- package/dist/node_modules/jose/dist/webapi/jwe/flattened/decrypt.js +155 -0
- package/dist/node_modules/jose/dist/webapi/jwe/flattened/encrypt.js +165 -0
- package/dist/node_modules/jose/dist/webapi/jwe/general/decrypt.js +31 -0
- package/dist/node_modules/jose/dist/webapi/jwe/general/encrypt.js +182 -0
- package/dist/node_modules/jose/dist/webapi/jwk/embedded.js +17 -0
- package/dist/node_modules/jose/dist/webapi/jwk/thumbprint.js +68 -0
- package/dist/node_modules/jose/dist/webapi/jwks/local.js +119 -0
- package/dist/node_modules/jose/dist/webapi/jwks/remote.js +179 -0
- package/dist/node_modules/jose/dist/webapi/jws/compact/sign.js +18 -0
- package/dist/node_modules/jose/dist/webapi/jws/compact/verify.js +21 -0
- package/dist/node_modules/jose/dist/webapi/jws/flattened/sign.js +89 -0
- package/dist/node_modules/jose/dist/webapi/jws/flattened/verify.js +110 -0
- package/dist/node_modules/jose/dist/webapi/jws/general/sign.js +70 -0
- package/dist/node_modules/jose/dist/webapi/jws/general/verify.js +24 -0
- package/dist/node_modules/jose/dist/webapi/jwt/decrypt.js +23 -0
- package/dist/node_modules/jose/dist/webapi/jwt/encrypt.js +101 -0
- package/dist/node_modules/jose/dist/webapi/jwt/sign.js +52 -0
- package/dist/node_modules/jose/dist/webapi/jwt/unsecured.js +63 -0
- package/dist/node_modules/jose/dist/webapi/jwt/verify.js +15 -0
- package/dist/node_modules/jose/dist/webapi/key/export.js +11 -0
- package/dist/node_modules/jose/dist/webapi/key/generate_key_pair.js +97 -0
- package/dist/node_modules/jose/dist/webapi/key/generate_secret.js +40 -0
- package/dist/node_modules/jose/dist/webapi/key/import.js +57 -0
- package/dist/node_modules/jose/dist/webapi/lib/aesgcmkw.js +15 -0
- package/dist/node_modules/jose/dist/webapi/lib/aeskw.js +25 -0
- package/dist/node_modules/jose/dist/webapi/lib/asn1.js +243 -0
- package/dist/node_modules/jose/dist/webapi/lib/base64.js +22 -0
- package/dist/node_modules/jose/dist/webapi/lib/buffer_utils.js +43 -0
- package/dist/node_modules/jose/dist/webapi/lib/check_key_type.js +122 -0
- package/dist/node_modules/jose/dist/webapi/lib/content_encryption.js +217 -0
- package/dist/node_modules/jose/dist/webapi/lib/crypto_key.js +136 -0
- package/dist/node_modules/jose/dist/webapi/lib/deflate.js +44 -0
- package/dist/node_modules/jose/dist/webapi/lib/ecdhes.js +52 -0
- package/dist/node_modules/jose/dist/webapi/lib/helpers.js +19 -0
- package/dist/node_modules/jose/dist/webapi/lib/invalid_key_input.js +27 -0
- package/dist/node_modules/jose/dist/webapi/lib/is_key_like.js +17 -0
- package/dist/node_modules/jose/dist/webapi/lib/jwk_to_key.js +107 -0
- package/dist/node_modules/jose/dist/webapi/lib/jwt_claims_set.js +238 -0
- package/dist/node_modules/jose/dist/webapi/lib/key_management.js +186 -0
- package/dist/node_modules/jose/dist/webapi/lib/key_to_jwk.js +31 -0
- package/dist/node_modules/jose/dist/webapi/lib/normalize_key.js +166 -0
- package/dist/node_modules/jose/dist/webapi/lib/pbes2kw.js +39 -0
- package/dist/node_modules/jose/dist/webapi/lib/rsaes.js +24 -0
- package/dist/node_modules/jose/dist/webapi/lib/signing.js +68 -0
- package/dist/node_modules/jose/dist/webapi/lib/type_checks.js +40 -0
- package/dist/node_modules/jose/dist/webapi/lib/validate_algorithms.js +10 -0
- package/dist/node_modules/jose/dist/webapi/lib/validate_crit.js +33 -0
- package/dist/node_modules/jose/dist/webapi/util/base64url.js +30 -0
- package/dist/node_modules/jose/dist/webapi/util/decode_jwt.js +32 -0
- package/dist/node_modules/jose/dist/webapi/util/decode_protected_header.js +34 -0
- package/dist/node_modules/jose/dist/webapi/util/errors.js +99 -0
- package/dist/node_modules/jose/package.json +200 -0
- package/dist/node_modules/light-my-request/.gitattributes +2 -0
- package/dist/node_modules/light-my-request/.github/dependabot.yml +13 -0
- package/dist/node_modules/light-my-request/.github/stale.yml +21 -0
- package/dist/node_modules/light-my-request/.github/workflows/benchmark.yml +30 -0
- package/dist/node_modules/light-my-request/.github/workflows/ci.yml +23 -0
- package/dist/node_modules/light-my-request/LICENSE +32 -0
- package/dist/node_modules/light-my-request/benchmark/benchmark.js +164 -0
- package/dist/node_modules/light-my-request/build/build-validation.js +100 -0
- package/dist/node_modules/light-my-request/eslint.config.js +9 -0
- package/dist/node_modules/light-my-request/index.js +2 -0
- package/dist/node_modules/light-my-request/lib/config-validator.js +919 -0
- package/dist/node_modules/light-my-request/lib/form-data.js +79 -0
- package/dist/node_modules/light-my-request/lib/parse-url.js +47 -0
- package/dist/node_modules/light-my-request/lib/request.js +290 -0
- package/dist/node_modules/light-my-request/lib/response.js +240 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/.gitattributes +2 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/.github/dependabot.yml +13 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/.github/workflows/ci.yml +24 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/.taprc +2 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/benchmarks/warn.js +25 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/eslint.config.js +6 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/examples/example.js +11 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/index.js +124 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/package.json +73 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-interpolated-string.test.js +29 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-once-only.test.js +28 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-reset.test.js +36 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-set.test.js +30 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-unlimited.test.js +37 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/index.test.js +99 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/issue-88.test.js +33 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/jest.test.js +22 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/test/no-warnings.test.js +80 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/types/index.d.ts +37 -0
- package/dist/node_modules/light-my-request/node_modules/process-warning/types/index.test-d.ts +36 -0
- package/dist/node_modules/light-my-request/package.json +1 -0
- package/dist/node_modules/light-my-request/test/async-await.test.js +55 -0
- package/dist/node_modules/light-my-request/test/index.test.js +2316 -0
- package/dist/node_modules/light-my-request/test/request.test.js +16 -0
- package/dist/node_modules/light-my-request/test/response.test.js +19 -0
- package/dist/node_modules/light-my-request/test/stream.test.js +359 -0
- package/dist/node_modules/light-my-request/types/index.d.ts +128 -0
- package/dist/node_modules/light-my-request/types/index.test-d.ts +149 -0
- package/dist/node_modules/oidc-provider/LICENSE.md +21 -0
- package/dist/node_modules/oidc-provider/README.md +174 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/assign_claims.js +28 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/assign_defaults.js +17 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/authenticated_client_id.js +6 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/backchannel_request_remap_errors.js +17 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/backchannel_request_response.js +41 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_ciba_context.js +12 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_claims.js +68 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_client.js +21 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_client_grant_type.js +21 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_dpop_jkt.js +35 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_extra_params.js +18 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_id_token_hint.js +23 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_max_age.js +25 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_openid_scope.js +47 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_pkce.js +41 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_prompt.js +25 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_redirect_uri.js +41 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_requested_expiry.js +16 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_response_mode.js +54 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_response_type.js +26 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/check_scope.js +53 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/ciba_load_account.js +58 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/ciba_required.js +13 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/device_authorization_response.js +31 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow.js +31 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow_errors.js +37 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow_response.js +55 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/index.js +200 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/interaction_emit.js +9 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/interactions.js +149 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/load_account.js +15 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/load_grant.js +29 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/load_pushed_authorization_request.js +36 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/oauth_required.js +11 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/oidc_required.js +27 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/one_redirect_uri_clients.js +20 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/process_request_object.js +214 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/pushed_authorization_request_remap_errors.js +17 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/pushed_authorization_request_response.js +65 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_registration.js +12 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_request_and_uri.js +12 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_unsupported.js +33 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/respond.js +46 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/resume.js +111 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/strip_outside_jar_params.js +19 -0
- package/dist/node_modules/oidc-provider/lib/actions/authorization/unsupported_rar.js +9 -0
- package/dist/node_modules/oidc-provider/lib/actions/challenge.js +22 -0
- package/dist/node_modules/oidc-provider/lib/actions/code_verification.js +122 -0
- package/dist/node_modules/oidc-provider/lib/actions/discovery.js +151 -0
- package/dist/node_modules/oidc-provider/lib/actions/end_session.js +222 -0
- package/dist/node_modules/oidc-provider/lib/actions/grants/authorization_code.js +144 -0
- package/dist/node_modules/oidc-provider/lib/actions/grants/ciba.js +127 -0
- package/dist/node_modules/oidc-provider/lib/actions/grants/client_credentials.js +79 -0
- package/dist/node_modules/oidc-provider/lib/actions/grants/device_code.js +125 -0
- package/dist/node_modules/oidc-provider/lib/actions/grants/index.js +7 -0
- package/dist/node_modules/oidc-provider/lib/actions/grants/refresh_token.js +229 -0
- package/dist/node_modules/oidc-provider/lib/actions/index.js +25 -0
- package/dist/node_modules/oidc-provider/lib/actions/interaction.js +150 -0
- package/dist/node_modules/oidc-provider/lib/actions/introspection.js +164 -0
- package/dist/node_modules/oidc-provider/lib/actions/jwks.js +7 -0
- package/dist/node_modules/oidc-provider/lib/actions/registration.js +274 -0
- package/dist/node_modules/oidc-provider/lib/actions/revocation.js +81 -0
- package/dist/node_modules/oidc-provider/lib/actions/token.js +74 -0
- package/dist/node_modules/oidc-provider/lib/actions/userinfo.js +183 -0
- package/dist/node_modules/oidc-provider/lib/adapters/memory_adapter.js +95 -0
- package/dist/node_modules/oidc-provider/lib/consts/client_attributes.js +211 -0
- package/dist/node_modules/oidc-provider/lib/consts/dev_keystore.js +18 -0
- package/dist/node_modules/oidc-provider/lib/consts/index.js +13 -0
- package/dist/node_modules/oidc-provider/lib/consts/jwa.js +47 -0
- package/dist/node_modules/oidc-provider/lib/consts/non_rejectable_claims.js +1 -0
- package/dist/node_modules/oidc-provider/lib/consts/param_list.js +23 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/camel_case.js +1 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/defaults.js +28 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/difference.js +1 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/is_plain_object.js +1 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/map_keys.js +9 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/merge.js +25 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/omit_by.js +11 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/pick.js +10 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/pick_by.js +10 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/remove.js +9 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/set.js +18 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/snake_case.js +1 -0
- package/dist/node_modules/oidc-provider/lib/helpers/_/upper_first.js +1 -0
- package/dist/node_modules/oidc-provider/lib/helpers/account_claims.js +6 -0
- package/dist/node_modules/oidc-provider/lib/helpers/add_client.js +14 -0
- package/dist/node_modules/oidc-provider/lib/helpers/als.js +3 -0
- package/dist/node_modules/oidc-provider/lib/helpers/append_www_authenticate.js +9 -0
- package/dist/node_modules/oidc-provider/lib/helpers/attention.js +23 -0
- package/dist/node_modules/oidc-provider/lib/helpers/base64url.js +11 -0
- package/dist/node_modules/oidc-provider/lib/helpers/certificate_thumbprint.js +15 -0
- package/dist/node_modules/oidc-provider/lib/helpers/challenge.js +111 -0
- package/dist/node_modules/oidc-provider/lib/helpers/check_attest_binding.js +10 -0
- package/dist/node_modules/oidc-provider/lib/helpers/claims.js +79 -0
- package/dist/node_modules/oidc-provider/lib/helpers/client_id_metadata_document.js +198 -0
- package/dist/node_modules/oidc-provider/lib/helpers/client_schema.js +700 -0
- package/dist/node_modules/oidc-provider/lib/helpers/combined_scope.js +17 -0
- package/dist/node_modules/oidc-provider/lib/helpers/configuration.js +544 -0
- package/dist/node_modules/oidc-provider/lib/helpers/constant_equals.js +20 -0
- package/dist/node_modules/oidc-provider/lib/helpers/defaults.js +3510 -0
- package/dist/node_modules/oidc-provider/lib/helpers/epoch_time.js +1 -0
- package/dist/node_modules/oidc-provider/lib/helpers/err_out.js +17 -0
- package/dist/node_modules/oidc-provider/lib/helpers/errors.js +161 -0
- package/dist/node_modules/oidc-provider/lib/helpers/features.js +51 -0
- package/dist/node_modules/oidc-provider/lib/helpers/fetch_body_check.js +25 -0
- package/dist/node_modules/oidc-provider/lib/helpers/fetch_request.js +221 -0
- package/dist/node_modules/oidc-provider/lib/helpers/filter_claims.js +16 -0
- package/dist/node_modules/oidc-provider/lib/helpers/formatters.js +24 -0
- package/dist/node_modules/oidc-provider/lib/helpers/grant_common.js +214 -0
- package/dist/node_modules/oidc-provider/lib/helpers/html_safe.js +19 -0
- package/dist/node_modules/oidc-provider/lib/helpers/initialize_adapter.js +24 -0
- package/dist/node_modules/oidc-provider/lib/helpers/initialize_app.js +243 -0
- package/dist/node_modules/oidc-provider/lib/helpers/initialize_clients.js +24 -0
- package/dist/node_modules/oidc-provider/lib/helpers/initialize_keystore.js +310 -0
- package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/check.js +21 -0
- package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/index.js +43 -0
- package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompt.js +95 -0
- package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompts/consent.js +105 -0
- package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompts/login.js +162 -0
- package/dist/node_modules/oidc-provider/lib/helpers/jwt.js +211 -0
- package/dist/node_modules/oidc-provider/lib/helpers/keystore.js +301 -0
- package/dist/node_modules/oidc-provider/lib/helpers/nanoid.js +5 -0
- package/dist/node_modules/oidc-provider/lib/helpers/oidc_context.js +284 -0
- package/dist/node_modules/oidc-provider/lib/helpers/params.js +27 -0
- package/dist/node_modules/oidc-provider/lib/helpers/pkce.js +30 -0
- package/dist/node_modules/oidc-provider/lib/helpers/pkce_format.js +17 -0
- package/dist/node_modules/oidc-provider/lib/helpers/process_response_types.js +202 -0
- package/dist/node_modules/oidc-provider/lib/helpers/re_render_errors.js +39 -0
- package/dist/node_modules/oidc-provider/lib/helpers/redirect_uri.js +16 -0
- package/dist/node_modules/oidc-provider/lib/helpers/resolve_resource.js +33 -0
- package/dist/node_modules/oidc-provider/lib/helpers/resolve_response_mode.js +7 -0
- package/dist/node_modules/oidc-provider/lib/helpers/resource_server.js +20 -0
- package/dist/node_modules/oidc-provider/lib/helpers/revoke.js +27 -0
- package/dist/node_modules/oidc-provider/lib/helpers/script_src_sha.js +21 -0
- package/dist/node_modules/oidc-provider/lib/helpers/sector_identifier.js +19 -0
- package/dist/node_modules/oidc-provider/lib/helpers/sector_validate.js +55 -0
- package/dist/node_modules/oidc-provider/lib/helpers/set_rt_bindings.js +21 -0
- package/dist/node_modules/oidc-provider/lib/helpers/token_find.js +51 -0
- package/dist/node_modules/oidc-provider/lib/helpers/type_validators.js +8 -0
- package/dist/node_modules/oidc-provider/lib/helpers/user_code_form.js +19 -0
- package/dist/node_modules/oidc-provider/lib/helpers/user_codes.js +38 -0
- package/dist/node_modules/oidc-provider/lib/helpers/valid_url.js +8 -0
- package/dist/node_modules/oidc-provider/lib/helpers/validate_dpop.js +129 -0
- package/dist/node_modules/oidc-provider/lib/helpers/validate_presence.js +17 -0
- package/dist/node_modules/oidc-provider/lib/helpers/weak_cache.js +11 -0
- package/dist/node_modules/oidc-provider/lib/index.js +21 -0
- package/dist/node_modules/oidc-provider/lib/models/access_token.js +31 -0
- package/dist/node_modules/oidc-provider/lib/models/authorization_code.js +27 -0
- package/dist/node_modules/oidc-provider/lib/models/backchannel_authentication_request.js +26 -0
- package/dist/node_modules/oidc-provider/lib/models/base_model.js +141 -0
- package/dist/node_modules/oidc-provider/lib/models/base_token.js +86 -0
- package/dist/node_modules/oidc-provider/lib/models/client.js +593 -0
- package/dist/node_modules/oidc-provider/lib/models/client_credentials.js +19 -0
- package/dist/node_modules/oidc-provider/lib/models/device_code.js +44 -0
- package/dist/node_modules/oidc-provider/lib/models/formats/dynamic.js +21 -0
- package/dist/node_modules/oidc-provider/lib/models/formats/index.js +14 -0
- package/dist/node_modules/oidc-provider/lib/models/formats/jwt.js +198 -0
- package/dist/node_modules/oidc-provider/lib/models/formats/opaque.js +58 -0
- package/dist/node_modules/oidc-provider/lib/models/grant.js +243 -0
- package/dist/node_modules/oidc-provider/lib/models/id_token.js +271 -0
- package/dist/node_modules/oidc-provider/lib/models/index.js +37 -0
- package/dist/node_modules/oidc-provider/lib/models/initial_access_token.js +12 -0
- package/dist/node_modules/oidc-provider/lib/models/interaction.js +73 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/apply.js +4 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/consumable.js +17 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/has_format.js +46 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/has_grant_id.js +12 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/has_grant_type.js +8 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/has_policies.js +38 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/is_attestation_constrained.js +15 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/is_sender_constrained.js +50 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/is_session_bound.js +38 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/set_audience.js +21 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/stores_auth.js +16 -0
- package/dist/node_modules/oidc-provider/lib/models/mixins/stores_pkce.js +9 -0
- package/dist/node_modules/oidc-provider/lib/models/pushed_authorization_request.js +21 -0
- package/dist/node_modules/oidc-provider/lib/models/refresh_token.js +47 -0
- package/dist/node_modules/oidc-provider/lib/models/registration_access_token.js +8 -0
- package/dist/node_modules/oidc-provider/lib/models/replay_detection.js +31 -0
- package/dist/node_modules/oidc-provider/lib/models/session.js +192 -0
- package/dist/node_modules/oidc-provider/lib/provider.js +453 -0
- package/dist/node_modules/oidc-provider/lib/response_modes/form_post.js +36 -0
- package/dist/node_modules/oidc-provider/lib/response_modes/fragment.js +7 -0
- package/dist/node_modules/oidc-provider/lib/response_modes/index.js +15 -0
- package/dist/node_modules/oidc-provider/lib/response_modes/jwt.js +43 -0
- package/dist/node_modules/oidc-provider/lib/response_modes/query.js +7 -0
- package/dist/node_modules/oidc-provider/lib/response_modes/web_message.js +55 -0
- package/dist/node_modules/oidc-provider/lib/shared/assemble_params.js +7 -0
- package/dist/node_modules/oidc-provider/lib/shared/attest_client_auth.js +111 -0
- package/dist/node_modules/oidc-provider/lib/shared/authorization_error_handler.js +104 -0
- package/dist/node_modules/oidc-provider/lib/shared/check_rar.js +75 -0
- package/dist/node_modules/oidc-provider/lib/shared/check_resource.js +77 -0
- package/dist/node_modules/oidc-provider/lib/shared/client_auth.js +263 -0
- package/dist/node_modules/oidc-provider/lib/shared/conditional_body.js +9 -0
- package/dist/node_modules/oidc-provider/lib/shared/cors.js +49 -0
- package/dist/node_modules/oidc-provider/lib/shared/error_handler.js +59 -0
- package/dist/node_modules/oidc-provider/lib/shared/jwt_client_auth.js +79 -0
- package/dist/node_modules/oidc-provider/lib/shared/no_cache.js +4 -0
- package/dist/node_modules/oidc-provider/lib/shared/reject_dupes.js +45 -0
- package/dist/node_modules/oidc-provider/lib/shared/reject_structured_tokens.js +18 -0
- package/dist/node_modules/oidc-provider/lib/shared/selective_body.js +60 -0
- package/dist/node_modules/oidc-provider/lib/shared/session.js +68 -0
- package/dist/node_modules/oidc-provider/lib/shared/set_www_authenticate_header.js +52 -0
- package/dist/node_modules/oidc-provider/lib/views/index.js +22 -0
- package/dist/node_modules/oidc-provider/lib/views/interaction.js +171 -0
- package/dist/node_modules/oidc-provider/lib/views/layout.js +237 -0
- package/dist/node_modules/oidc-provider/lib/views/login.js +43 -0
- package/dist/node_modules/oidc-provider/node_modules/@koa/router/LICENSE +21 -0
- package/dist/node_modules/oidc-provider/node_modules/@koa/router/README.md +1370 -0
- package/dist/node_modules/oidc-provider/node_modules/@koa/router/dist/index.d.mts +1003 -0
- package/dist/node_modules/oidc-provider/node_modules/@koa/router/dist/index.d.ts +1003 -0
- package/dist/node_modules/oidc-provider/node_modules/@koa/router/dist/index.js +1616 -0
- package/dist/node_modules/oidc-provider/node_modules/@koa/router/dist/index.mjs +1573 -0
- package/dist/node_modules/oidc-provider/node_modules/@koa/router/package.json +122 -0
- package/dist/node_modules/oidc-provider/node_modules/debug/LICENSE +20 -0
- package/dist/node_modules/oidc-provider/node_modules/debug/README.md +481 -0
- package/dist/node_modules/oidc-provider/node_modules/debug/package.json +64 -0
- package/dist/node_modules/oidc-provider/node_modules/debug/src/browser.js +272 -0
- package/dist/node_modules/oidc-provider/node_modules/debug/src/common.js +292 -0
- package/dist/node_modules/oidc-provider/node_modules/debug/src/index.js +10 -0
- package/dist/node_modules/oidc-provider/node_modules/debug/src/node.js +263 -0
- package/dist/node_modules/oidc-provider/node_modules/http-errors/HISTORY.md +186 -0
- package/dist/node_modules/oidc-provider/node_modules/http-errors/LICENSE +23 -0
- package/dist/node_modules/oidc-provider/node_modules/http-errors/README.md +169 -0
- package/dist/node_modules/oidc-provider/node_modules/http-errors/index.js +290 -0
- package/dist/node_modules/oidc-provider/node_modules/http-errors/package.json +54 -0
- package/dist/node_modules/oidc-provider/node_modules/jsesc/LICENSE-MIT.txt +20 -0
- package/dist/node_modules/oidc-provider/node_modules/jsesc/README.md +422 -0
- package/dist/node_modules/oidc-provider/node_modules/jsesc/bin/jsesc +148 -0
- package/dist/node_modules/oidc-provider/node_modules/jsesc/jsesc.js +337 -0
- package/dist/node_modules/oidc-provider/node_modules/jsesc/man/jsesc.1 +94 -0
- package/dist/node_modules/oidc-provider/node_modules/jsesc/package.json +56 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/LICENSE +20 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/README.md +38 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/bin/nanoid.js +55 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/index.browser.js +29 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/index.d.ts +106 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/index.js +47 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/nanoid.js +1 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/non-secure/index.d.ts +48 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/non-secure/index.js +21 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/package.json +46 -0
- package/dist/node_modules/oidc-provider/node_modules/nanoid/url-alphabet/index.js +2 -0
- package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/LICENSE +21 -0
- package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/Readme.md +224 -0
- package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/dist/index.d.ts +144 -0
- package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/dist/index.js +409 -0
- package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/dist/index.js.map +1 -0
- package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/package.json +64 -0
- package/dist/node_modules/oidc-provider/node_modules/statuses/HISTORY.md +87 -0
- package/dist/node_modules/oidc-provider/node_modules/statuses/LICENSE +23 -0
- package/dist/node_modules/oidc-provider/node_modules/statuses/README.md +139 -0
- package/dist/node_modules/oidc-provider/node_modules/statuses/codes.json +65 -0
- package/dist/node_modules/oidc-provider/node_modules/statuses/index.js +146 -0
- package/dist/node_modules/oidc-provider/node_modules/statuses/package.json +49 -0
- package/dist/node_modules/oidc-provider/package.json +95 -0
- package/dist/node_modules/quick-lru/index.d.ts +178 -0
- package/dist/node_modules/quick-lru/index.js +329 -0
- package/dist/node_modules/quick-lru/license +9 -0
- package/dist/node_modules/quick-lru/package.json +54 -0
- package/dist/node_modules/quick-lru/readme.md +236 -0
- package/dist/node_modules/statuses/HISTORY.md +65 -0
- package/dist/node_modules/statuses/LICENSE +23 -0
- package/dist/node_modules/statuses/README.md +127 -0
- package/dist/node_modules/statuses/codes.json +66 -0
- package/dist/node_modules/statuses/index.js +113 -0
- package/dist/node_modules/statuses/package.json +48 -0
- package/dist/server/cache-adapter.d.ts +33 -0
- package/dist/server/cache-adapter.js +159 -0
- package/dist/server/index.d.ts +10 -0
- package/dist/server/index.js +48 -0
- package/dist/server/interaction.d.ts +26 -0
- package/dist/server/interaction.js +172 -0
- package/dist/server/paths.d.ts +19 -0
- package/dist/server/paths.js +64 -0
- package/dist/server/plugin.d.ts +16 -0
- package/dist/server/plugin.js +108 -0
- package/dist/server/provider-dispatch.d.ts +32 -0
- package/dist/server/provider-dispatch.js +252 -0
- package/dist/server/service.d.ts +63 -0
- package/dist/server/service.js +540 -0
- package/dist/server/utils.d.ts +12 -0
- package/dist/server/utils.js +58 -0
- package/package.json +24 -0
- package/server.d.ts +2 -0
- package/server.js +1 -0
|
@@ -0,0 +1,229 @@
|
|
|
1
|
+
import difference from '../../helpers/_/difference.js';
|
|
2
|
+
import { InvalidRequest, InvalidGrant, InvalidScope } from '../../helpers/errors.js';
|
|
3
|
+
import presence from '../../helpers/validate_presence.js';
|
|
4
|
+
import instance from '../../helpers/weak_cache.js';
|
|
5
|
+
import revoke from '../../helpers/revoke.js';
|
|
6
|
+
import certificateThumbprint from '../../helpers/certificate_thumbprint.js';
|
|
7
|
+
import * as formatters from '../../helpers/formatters.js';
|
|
8
|
+
import dpopValidate, { CHALLENGE_OK_WINDOW } from '../../helpers/validate_dpop.js';
|
|
9
|
+
import resolveResource from '../../helpers/resolve_resource.js';
|
|
10
|
+
import epochTime from '../../helpers/epoch_time.js';
|
|
11
|
+
import checkRar from '../../shared/check_rar.js';
|
|
12
|
+
import { checkAttestBinding } from '../../helpers/check_attest_binding.js';
|
|
13
|
+
import {
|
|
14
|
+
checkDpopRequired,
|
|
15
|
+
validateGrant,
|
|
16
|
+
validateAccount,
|
|
17
|
+
checkAccountMismatch,
|
|
18
|
+
createAccessToken,
|
|
19
|
+
applyMtlsBinding,
|
|
20
|
+
issueIdToken,
|
|
21
|
+
buildTokenResponse,
|
|
22
|
+
} from '../../helpers/grant_common.js';
|
|
23
|
+
|
|
24
|
+
import { gty as deviceCodeGty } from './device_code.js';
|
|
25
|
+
|
|
26
|
+
function rarSupported(token) {
|
|
27
|
+
const [origin] = token.gty.split(' ');
|
|
28
|
+
return origin !== deviceCodeGty;
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
const gty = 'refresh_token';
|
|
32
|
+
|
|
33
|
+
export const handler = async function refreshTokenHandler(ctx) {
|
|
34
|
+
presence(ctx, 'refresh_token');
|
|
35
|
+
|
|
36
|
+
const {
|
|
37
|
+
findAccount,
|
|
38
|
+
conformIdTokenClaims,
|
|
39
|
+
rotateRefreshToken,
|
|
40
|
+
features: {
|
|
41
|
+
userinfo,
|
|
42
|
+
mTLS: { getCertificate },
|
|
43
|
+
dPoP: { allowReplay },
|
|
44
|
+
resourceIndicators,
|
|
45
|
+
richAuthorizationRequests,
|
|
46
|
+
},
|
|
47
|
+
} = instance(ctx.oidc.provider).configuration;
|
|
48
|
+
|
|
49
|
+
const {
|
|
50
|
+
RefreshToken, AccessToken, ReplayDetection,
|
|
51
|
+
} = ctx.oidc.provider;
|
|
52
|
+
const { client } = ctx.oidc;
|
|
53
|
+
|
|
54
|
+
const dPoP = await dpopValidate(ctx);
|
|
55
|
+
|
|
56
|
+
let refreshTokenValue = ctx.oidc.params.refresh_token;
|
|
57
|
+
let refreshToken = await RefreshToken.find(refreshTokenValue, { ignoreExpiration: true });
|
|
58
|
+
|
|
59
|
+
if (!refreshToken) {
|
|
60
|
+
throw new InvalidGrant('refresh token not found');
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
if (refreshToken.clientId !== client.clientId) {
|
|
64
|
+
throw new InvalidGrant('client mismatch');
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
if (refreshToken.isExpired) {
|
|
68
|
+
throw new InvalidGrant('refresh token is expired');
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
let cert;
|
|
72
|
+
if (client.tlsClientCertificateBoundAccessTokens || refreshToken['x5t#S256']) {
|
|
73
|
+
cert = getCertificate(ctx);
|
|
74
|
+
if (!cert) {
|
|
75
|
+
throw new InvalidGrant('mutual TLS client certificate not provided');
|
|
76
|
+
}
|
|
77
|
+
}
|
|
78
|
+
|
|
79
|
+
checkDpopRequired(ctx, dPoP);
|
|
80
|
+
|
|
81
|
+
if (refreshToken['x5t#S256'] && refreshToken['x5t#S256'] !== certificateThumbprint(cert)) {
|
|
82
|
+
throw new InvalidGrant('failed x5t#S256 verification');
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
const grant = await validateGrant(ctx, refreshToken.grantId);
|
|
86
|
+
|
|
87
|
+
if (ctx.oidc.params.scope) {
|
|
88
|
+
const missing = difference([...ctx.oidc.requestParamScopes], [...refreshToken.scopes]);
|
|
89
|
+
|
|
90
|
+
if (missing.length !== 0) {
|
|
91
|
+
throw new InvalidScope(`refresh token missing requested ${formatters.pluralize('scope', missing.length)}`, missing.join(' '));
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
if (dPoP && !allowReplay) {
|
|
96
|
+
const unique = await ReplayDetection.unique(
|
|
97
|
+
client.clientId,
|
|
98
|
+
dPoP.jti,
|
|
99
|
+
epochTime() + CHALLENGE_OK_WINDOW,
|
|
100
|
+
);
|
|
101
|
+
|
|
102
|
+
ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
if (refreshToken.jkt && (!dPoP || refreshToken.jkt !== dPoP.thumbprint)) {
|
|
106
|
+
throw new InvalidGrant('failed jkt verification');
|
|
107
|
+
}
|
|
108
|
+
|
|
109
|
+
if (ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth') {
|
|
110
|
+
await checkAttestBinding(ctx, refreshToken);
|
|
111
|
+
}
|
|
112
|
+
|
|
113
|
+
ctx.oidc.entity('RefreshToken', refreshToken);
|
|
114
|
+
ctx.oidc.entity('Grant', grant);
|
|
115
|
+
|
|
116
|
+
const account = await validateAccount(ctx, findAccount, refreshToken, 'refresh token');
|
|
117
|
+
checkAccountMismatch(refreshToken, grant);
|
|
118
|
+
|
|
119
|
+
ctx.oidc.entity('Account', account);
|
|
120
|
+
|
|
121
|
+
if (refreshToken.consumed) {
|
|
122
|
+
await Promise.all([
|
|
123
|
+
refreshToken.destroy(),
|
|
124
|
+
revoke(ctx, refreshToken.grantId),
|
|
125
|
+
]);
|
|
126
|
+
throw new InvalidGrant('refresh token already used');
|
|
127
|
+
}
|
|
128
|
+
|
|
129
|
+
if (ctx.oidc.params.authorization_details && !rarSupported(refreshToken)) {
|
|
130
|
+
throw new InvalidRequest('authorization_details is unsupported for this refresh token');
|
|
131
|
+
}
|
|
132
|
+
|
|
133
|
+
if (
|
|
134
|
+
rotateRefreshToken === true
|
|
135
|
+
|| (typeof rotateRefreshToken === 'function' && await rotateRefreshToken(ctx))
|
|
136
|
+
) {
|
|
137
|
+
await refreshToken.consume();
|
|
138
|
+
ctx.oidc.entity('RotatedRefreshToken', refreshToken);
|
|
139
|
+
|
|
140
|
+
refreshToken = new RefreshToken({
|
|
141
|
+
accountId: refreshToken.accountId,
|
|
142
|
+
acr: refreshToken.acr,
|
|
143
|
+
amr: refreshToken.amr,
|
|
144
|
+
authTime: refreshToken.authTime,
|
|
145
|
+
claims: refreshToken.claims,
|
|
146
|
+
client,
|
|
147
|
+
expiresWithSession: refreshToken.expiresWithSession,
|
|
148
|
+
iiat: refreshToken.iiat,
|
|
149
|
+
grantId: refreshToken.grantId,
|
|
150
|
+
gty: refreshToken.gty,
|
|
151
|
+
nonce: refreshToken.nonce,
|
|
152
|
+
resource: refreshToken.resource,
|
|
153
|
+
rotations: typeof refreshToken.rotations === 'number' ? refreshToken.rotations + 1 : 1,
|
|
154
|
+
scope: refreshToken.scope,
|
|
155
|
+
sessionUid: refreshToken.sessionUid,
|
|
156
|
+
sid: refreshToken.sid,
|
|
157
|
+
rar: refreshToken.rar,
|
|
158
|
+
'x5t#S256': refreshToken['x5t#S256'],
|
|
159
|
+
jkt: refreshToken.jkt,
|
|
160
|
+
attestationJkt: refreshToken.attestationJkt,
|
|
161
|
+
});
|
|
162
|
+
|
|
163
|
+
if (refreshToken.gty && !refreshToken.gty.endsWith(gty)) {
|
|
164
|
+
refreshToken.gty = `${refreshToken.gty} ${gty}`;
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
ctx.oidc.entity('RefreshToken', refreshToken);
|
|
168
|
+
refreshTokenValue = await refreshToken.save();
|
|
169
|
+
}
|
|
170
|
+
|
|
171
|
+
const at = createAccessToken(ctx, AccessToken, {
|
|
172
|
+
accountId: account.accountId,
|
|
173
|
+
expiresWithSession: refreshToken.expiresWithSession,
|
|
174
|
+
grantId: refreshToken.grantId,
|
|
175
|
+
sessionUid: refreshToken.sessionUid,
|
|
176
|
+
sid: refreshToken.sid,
|
|
177
|
+
}, refreshToken.gty);
|
|
178
|
+
|
|
179
|
+
applyMtlsBinding(at, cert);
|
|
180
|
+
|
|
181
|
+
if (dPoP) {
|
|
182
|
+
at.setThumbprint('jkt', dPoP.thumbprint);
|
|
183
|
+
}
|
|
184
|
+
|
|
185
|
+
if (at.gty && !at.gty.endsWith(gty)) {
|
|
186
|
+
at.gty = `${at.gty} ${gty}`;
|
|
187
|
+
}
|
|
188
|
+
|
|
189
|
+
const scope = ctx.oidc.params.scope ? ctx.oidc.requestParamScopes : refreshToken.scopes;
|
|
190
|
+
await checkRar(ctx, () => {});
|
|
191
|
+
const resource = await resolveResource(
|
|
192
|
+
ctx,
|
|
193
|
+
refreshToken,
|
|
194
|
+
{ userinfo, resourceIndicators },
|
|
195
|
+
scope,
|
|
196
|
+
);
|
|
197
|
+
|
|
198
|
+
if (resource) {
|
|
199
|
+
const resourceServerInfo = await resourceIndicators
|
|
200
|
+
.getResourceServerInfo(ctx, resource, ctx.oidc.client);
|
|
201
|
+
at.resourceServer = new ctx.oidc.provider.ResourceServer(resource, resourceServerInfo);
|
|
202
|
+
at.scope = grant.getResourceScopeFiltered(
|
|
203
|
+
resource,
|
|
204
|
+
[...scope].filter(Set.prototype.has.bind(at.resourceServer.scopes)),
|
|
205
|
+
);
|
|
206
|
+
} else {
|
|
207
|
+
at.claims = refreshToken.claims;
|
|
208
|
+
at.scope = grant.getOIDCScopeFiltered(scope);
|
|
209
|
+
}
|
|
210
|
+
|
|
211
|
+
if (richAuthorizationRequests.enabled && at.resourceServer) {
|
|
212
|
+
at.rar = await richAuthorizationRequests.rarForRefreshTokenResponse(ctx, at.resourceServer);
|
|
213
|
+
}
|
|
214
|
+
|
|
215
|
+
ctx.oidc.entity('AccessToken', at);
|
|
216
|
+
const accessToken = await at.save();
|
|
217
|
+
|
|
218
|
+
const idToken = await issueIdToken(ctx, refreshToken, at, grant, {
|
|
219
|
+
conformIdTokenClaims, userinfo,
|
|
220
|
+
}, scope);
|
|
221
|
+
|
|
222
|
+
ctx.body = buildTokenResponse(at, accessToken, {
|
|
223
|
+
idToken, refreshToken: refreshTokenValue, source: refreshToken, rar: at.rar,
|
|
224
|
+
});
|
|
225
|
+
};
|
|
226
|
+
|
|
227
|
+
export const parameters = new Set(['refresh_token', 'scope']);
|
|
228
|
+
|
|
229
|
+
export const grantType = gty;
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import getAuthorization from './authorization/index.js';
|
|
2
|
+
import userinfo from './userinfo.js';
|
|
3
|
+
import getToken from './token.js';
|
|
4
|
+
import jwks from './jwks.js';
|
|
5
|
+
import * as registration from './registration.js';
|
|
6
|
+
import getRevocation from './revocation.js';
|
|
7
|
+
import getIntrospection from './introspection.js';
|
|
8
|
+
import discovery from './discovery.js';
|
|
9
|
+
import challenge from './challenge.js';
|
|
10
|
+
import * as endSession from './end_session.js';
|
|
11
|
+
import * as codeVerification from './code_verification.js';
|
|
12
|
+
|
|
13
|
+
export {
|
|
14
|
+
getAuthorization,
|
|
15
|
+
userinfo,
|
|
16
|
+
getToken,
|
|
17
|
+
jwks,
|
|
18
|
+
registration,
|
|
19
|
+
getRevocation,
|
|
20
|
+
getIntrospection,
|
|
21
|
+
discovery,
|
|
22
|
+
endSession,
|
|
23
|
+
codeVerification,
|
|
24
|
+
challenge,
|
|
25
|
+
};
|
|
@@ -0,0 +1,150 @@
|
|
|
1
|
+
import { strict as assert } from 'node:assert';
|
|
2
|
+
import * as querystring from 'node:querystring';
|
|
3
|
+
import { inspect } from 'node:util';
|
|
4
|
+
|
|
5
|
+
import * as attention from '../helpers/attention.js';
|
|
6
|
+
import { urlencoded as parseBody } from '../shared/selective_body.js';
|
|
7
|
+
import * as views from '../views/index.js';
|
|
8
|
+
import instance from '../helpers/weak_cache.js';
|
|
9
|
+
import noCache from '../shared/no_cache.js';
|
|
10
|
+
import { defaults } from '../helpers/defaults.js';
|
|
11
|
+
|
|
12
|
+
const { interactions: { url: defaultInteractionUri } } = defaults;
|
|
13
|
+
const keys = new Set();
|
|
14
|
+
const dbg = (obj) => querystring.stringify(Object.entries(obj).reduce((acc, [key, value]) => {
|
|
15
|
+
keys.add(key);
|
|
16
|
+
acc[key] = inspect(value, { depth: null });
|
|
17
|
+
return acc;
|
|
18
|
+
}, {}), '<br/>', ': ', {
|
|
19
|
+
encodeURIComponent(value) { return keys.has(value) ? `<strong>${value}</strong>` : value; },
|
|
20
|
+
});
|
|
21
|
+
|
|
22
|
+
export default function devInteractions(provider) {
|
|
23
|
+
/* eslint-disable no-multi-str */
|
|
24
|
+
attention.warn('a quick start development-only feature devInteractions is enabled, \
|
|
25
|
+
you are expected to disable these interactions and provide your own');
|
|
26
|
+
|
|
27
|
+
const configuration = instance(provider).configuration.interactions;
|
|
28
|
+
|
|
29
|
+
if (configuration.url !== defaultInteractionUri) {
|
|
30
|
+
attention.warn('you\'ve configured your own interactions.url but devInteractions are still enabled, \
|
|
31
|
+
your configuration is not in effect');
|
|
32
|
+
}
|
|
33
|
+
/* eslint-enable */
|
|
34
|
+
|
|
35
|
+
configuration.url = (ctx, interaction) => new URL(ctx.oidc.urlFor('interaction', { uid: interaction.uid })).pathname;
|
|
36
|
+
|
|
37
|
+
return {
|
|
38
|
+
render: [
|
|
39
|
+
noCache,
|
|
40
|
+
async function interactionRender(ctx) {
|
|
41
|
+
const {
|
|
42
|
+
uid, prompt, params, session,
|
|
43
|
+
} = await provider.interactionDetails(ctx.req, ctx.res);
|
|
44
|
+
const client = await provider.Client.find(params.client_id);
|
|
45
|
+
|
|
46
|
+
let view;
|
|
47
|
+
let title;
|
|
48
|
+
|
|
49
|
+
switch (prompt.name) {
|
|
50
|
+
case 'login':
|
|
51
|
+
view = 'login';
|
|
52
|
+
title = 'Sign-in';
|
|
53
|
+
break;
|
|
54
|
+
case 'consent':
|
|
55
|
+
view = 'interaction';
|
|
56
|
+
title = 'Authorize';
|
|
57
|
+
break;
|
|
58
|
+
default:
|
|
59
|
+
ctx.throw(501, 'not implemented');
|
|
60
|
+
}
|
|
61
|
+
|
|
62
|
+
const locals = {
|
|
63
|
+
client,
|
|
64
|
+
uid,
|
|
65
|
+
abortUrl: ctx.oidc.urlFor('abort', { uid }),
|
|
66
|
+
submitUrl: ctx.oidc.urlFor('submit', { uid }),
|
|
67
|
+
details: prompt.details,
|
|
68
|
+
prompt: prompt.name,
|
|
69
|
+
params,
|
|
70
|
+
title,
|
|
71
|
+
session: session ? dbg(session) : undefined,
|
|
72
|
+
dbg: {
|
|
73
|
+
params: dbg(params),
|
|
74
|
+
prompt: dbg(prompt),
|
|
75
|
+
},
|
|
76
|
+
};
|
|
77
|
+
|
|
78
|
+
locals.body = views[view](locals);
|
|
79
|
+
|
|
80
|
+
ctx.type = 'html';
|
|
81
|
+
ctx.body = views.layout(locals);
|
|
82
|
+
},
|
|
83
|
+
],
|
|
84
|
+
abort: [
|
|
85
|
+
noCache,
|
|
86
|
+
function interactionAbort(ctx) {
|
|
87
|
+
const result = {
|
|
88
|
+
error: 'access_denied',
|
|
89
|
+
error_description: 'End-User aborted interaction',
|
|
90
|
+
};
|
|
91
|
+
|
|
92
|
+
return provider.interactionFinished(ctx.req, ctx.res, result, {
|
|
93
|
+
mergeWithLastSubmission: false,
|
|
94
|
+
});
|
|
95
|
+
},
|
|
96
|
+
],
|
|
97
|
+
submit: [
|
|
98
|
+
noCache,
|
|
99
|
+
parseBody,
|
|
100
|
+
async function interactionSubmit(ctx) {
|
|
101
|
+
const {
|
|
102
|
+
prompt: { name, details }, grantId, session, params,
|
|
103
|
+
} = await provider.interactionDetails(ctx.req, ctx.res);
|
|
104
|
+
switch (ctx.oidc.body.prompt) { // eslint-disable-line default-case
|
|
105
|
+
case 'login': {
|
|
106
|
+
assert.equal(name, 'login');
|
|
107
|
+
await provider.interactionFinished(ctx.req, ctx.res, {
|
|
108
|
+
login: { accountId: ctx.oidc.body.login },
|
|
109
|
+
}, { mergeWithLastSubmission: false });
|
|
110
|
+
break;
|
|
111
|
+
}
|
|
112
|
+
case 'consent': {
|
|
113
|
+
assert.equal(name, 'consent');
|
|
114
|
+
|
|
115
|
+
let grant;
|
|
116
|
+
if (grantId) {
|
|
117
|
+
// we'll be modifying existing grant in existing session
|
|
118
|
+
grant = await provider.Grant.find(grantId);
|
|
119
|
+
} else {
|
|
120
|
+
// we're establishing a new grant
|
|
121
|
+
grant = new provider.Grant({
|
|
122
|
+
accountId: session.accountId,
|
|
123
|
+
clientId: params.client_id,
|
|
124
|
+
});
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
if (details.missingOIDCScope) {
|
|
128
|
+
grant.addOIDCScope(details.missingOIDCScope.join(' '));
|
|
129
|
+
}
|
|
130
|
+
if (details.missingOIDCClaims) {
|
|
131
|
+
grant.addOIDCClaims(details.missingOIDCClaims);
|
|
132
|
+
}
|
|
133
|
+
if (details.missingResourceScopes) {
|
|
134
|
+
for (const [indicator, scope] of Object.entries(details.missingResourceScopes)) {
|
|
135
|
+
grant.addResourceScope(indicator, scope.join(' '));
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
const result = { consent: { grantId: await grant.save() } };
|
|
139
|
+
await provider.interactionFinished(ctx.req, ctx.res, result, {
|
|
140
|
+
mergeWithLastSubmission: true,
|
|
141
|
+
});
|
|
142
|
+
break;
|
|
143
|
+
}
|
|
144
|
+
default:
|
|
145
|
+
ctx.throw(501, 'not implemented');
|
|
146
|
+
}
|
|
147
|
+
},
|
|
148
|
+
],
|
|
149
|
+
};
|
|
150
|
+
}
|
|
@@ -0,0 +1,164 @@
|
|
|
1
|
+
import presence from '../helpers/validate_presence.js';
|
|
2
|
+
import getClientAuth from '../shared/client_auth.js';
|
|
3
|
+
import noCache from '../shared/no_cache.js';
|
|
4
|
+
import instance from '../helpers/weak_cache.js';
|
|
5
|
+
import { urlencoded as parseBody } from '../shared/selective_body.js';
|
|
6
|
+
import rejectDupes from '../shared/reject_dupes.js';
|
|
7
|
+
import paramsMiddleware from '../shared/assemble_params.js';
|
|
8
|
+
import { InvalidRequest } from '../helpers/errors.js';
|
|
9
|
+
import rejectStructuredTokens from '../shared/reject_structured_tokens.js';
|
|
10
|
+
import { checkAttestBinding } from '../helpers/check_attest_binding.js';
|
|
11
|
+
import { createTokenFinder } from '../helpers/token_find.js';
|
|
12
|
+
|
|
13
|
+
const introspectable = new Set(['AccessToken', 'ClientCredentials', 'RefreshToken']);
|
|
14
|
+
const JWT = 'application/token-introspection+jwt';
|
|
15
|
+
|
|
16
|
+
export default function introspectionAction(provider) {
|
|
17
|
+
const { params: authParams, middleware: clientAuth } = getClientAuth(provider);
|
|
18
|
+
const PARAM_LIST = new Set(['token', 'token_type_hint', ...authParams]);
|
|
19
|
+
const { configuration } = instance(provider);
|
|
20
|
+
const {
|
|
21
|
+
pairwiseIdentifier,
|
|
22
|
+
features: {
|
|
23
|
+
introspection: { allowedPolicy },
|
|
24
|
+
jwtIntrospection,
|
|
25
|
+
richAuthorizationRequests,
|
|
26
|
+
},
|
|
27
|
+
} = configuration;
|
|
28
|
+
const { grantTypeHandlers } = instance(provider);
|
|
29
|
+
const {
|
|
30
|
+
IdToken, Client,
|
|
31
|
+
} = provider;
|
|
32
|
+
|
|
33
|
+
const findToken = createTokenFinder(provider, grantTypeHandlers);
|
|
34
|
+
|
|
35
|
+
return [
|
|
36
|
+
noCache,
|
|
37
|
+
parseBody,
|
|
38
|
+
paramsMiddleware.bind(undefined, PARAM_LIST),
|
|
39
|
+
...clientAuth,
|
|
40
|
+
rejectDupes.bind(undefined, {}),
|
|
41
|
+
|
|
42
|
+
async function validateTokenPresence(ctx, next) {
|
|
43
|
+
presence(ctx, 'token');
|
|
44
|
+
await next();
|
|
45
|
+
},
|
|
46
|
+
|
|
47
|
+
rejectStructuredTokens,
|
|
48
|
+
|
|
49
|
+
async function jwtIntrospectionResponse(ctx, next) {
|
|
50
|
+
if (jwtIntrospection.enabled) {
|
|
51
|
+
const { client } = ctx.oidc;
|
|
52
|
+
|
|
53
|
+
const {
|
|
54
|
+
introspectionEncryptedResponseAlg: encrypt,
|
|
55
|
+
introspectionSignedResponseAlg: sign,
|
|
56
|
+
} = client;
|
|
57
|
+
|
|
58
|
+
const accepts = ctx.accepts('json', JWT);
|
|
59
|
+
if (encrypt && accepts !== JWT) {
|
|
60
|
+
throw new InvalidRequest(`introspection must be requested with Accept: ${JWT} for this client`);
|
|
61
|
+
}
|
|
62
|
+
|
|
63
|
+
await next();
|
|
64
|
+
|
|
65
|
+
if ((encrypt || sign) && accepts === JWT) {
|
|
66
|
+
const token = new IdToken({}, { ctx });
|
|
67
|
+
token.extra = {
|
|
68
|
+
token_introspection: ctx.body,
|
|
69
|
+
aud: ctx.body.aud,
|
|
70
|
+
};
|
|
71
|
+
|
|
72
|
+
ctx.body = await token.issue({ use: 'introspection' });
|
|
73
|
+
ctx.type = 'application/token-introspection+jwt; charset=utf-8';
|
|
74
|
+
}
|
|
75
|
+
} else {
|
|
76
|
+
await next();
|
|
77
|
+
}
|
|
78
|
+
},
|
|
79
|
+
|
|
80
|
+
async function renderTokenResponse(ctx) {
|
|
81
|
+
const { params } = ctx.oidc;
|
|
82
|
+
|
|
83
|
+
ctx.body = { active: false };
|
|
84
|
+
|
|
85
|
+
const token = await findToken(params.token, params.token_type_hint);
|
|
86
|
+
|
|
87
|
+
if (!token?.isValid) {
|
|
88
|
+
return;
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
if (token.grantId) {
|
|
92
|
+
const grant = await ctx.oidc.provider.Grant.find(token.grantId, {
|
|
93
|
+
ignoreExpiration: true,
|
|
94
|
+
});
|
|
95
|
+
|
|
96
|
+
if (!grant) return;
|
|
97
|
+
if (grant.isExpired) return;
|
|
98
|
+
if (grant.clientId !== token.clientId) return;
|
|
99
|
+
if (grant.accountId !== token.accountId) return;
|
|
100
|
+
|
|
101
|
+
ctx.oidc.entity('Grant', grant);
|
|
102
|
+
}
|
|
103
|
+
|
|
104
|
+
if (introspectable.has(token.kind)) {
|
|
105
|
+
ctx.oidc.entity(token.kind, token);
|
|
106
|
+
} else {
|
|
107
|
+
return;
|
|
108
|
+
}
|
|
109
|
+
|
|
110
|
+
if (
|
|
111
|
+
token.kind === 'RefreshToken'
|
|
112
|
+
&& ctx.oidc.client.clientId === token.clientId
|
|
113
|
+
&& ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth'
|
|
114
|
+
) {
|
|
115
|
+
try {
|
|
116
|
+
await checkAttestBinding(ctx, token);
|
|
117
|
+
} catch {
|
|
118
|
+
return;
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
if (!(await allowedPolicy(ctx, ctx.oidc.client, token))) {
|
|
123
|
+
return;
|
|
124
|
+
}
|
|
125
|
+
|
|
126
|
+
if (token.accountId) {
|
|
127
|
+
ctx.body.sub = token.accountId;
|
|
128
|
+
if (token.clientId !== ctx.oidc.client.clientId) {
|
|
129
|
+
const client = await Client.find(token.clientId);
|
|
130
|
+
if (client.subjectType === 'pairwise') {
|
|
131
|
+
ctx.body.sub = await pairwiseIdentifier(ctx, ctx.body.sub, client);
|
|
132
|
+
}
|
|
133
|
+
} else if (ctx.oidc.client.subjectType === 'pairwise') {
|
|
134
|
+
ctx.body.sub = await pairwiseIdentifier(ctx, ctx.body.sub, ctx.oidc.client);
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
|
|
138
|
+
Object.assign(ctx.body, {
|
|
139
|
+
...token.extra,
|
|
140
|
+
active: true,
|
|
141
|
+
client_id: token.clientId,
|
|
142
|
+
exp: token.exp,
|
|
143
|
+
iat: token.iat,
|
|
144
|
+
sid: token.sid,
|
|
145
|
+
iss: provider.issuer,
|
|
146
|
+
jti: token.jti !== params.token ? token.jti : undefined,
|
|
147
|
+
aud: token.aud,
|
|
148
|
+
authorization_details: token.rar
|
|
149
|
+
? await richAuthorizationRequests.rarForIntrospectionResponse(ctx, token) : undefined,
|
|
150
|
+
scope: token.scope || undefined,
|
|
151
|
+
cnf: token.isSenderConstrained() ? {} : undefined,
|
|
152
|
+
token_type: token.kind !== 'RefreshToken' ? token.tokenType : undefined,
|
|
153
|
+
});
|
|
154
|
+
|
|
155
|
+
if (token['x5t#S256']) {
|
|
156
|
+
ctx.body.cnf['x5t#S256'] = token['x5t#S256'];
|
|
157
|
+
}
|
|
158
|
+
|
|
159
|
+
if (token.jkt) {
|
|
160
|
+
ctx.body.cnf.jkt = token.jkt;
|
|
161
|
+
}
|
|
162
|
+
},
|
|
163
|
+
];
|
|
164
|
+
}
|