@opentdf/sdk 0.9.0-beta.92 → 0.9.0-beta.94
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/cjs/src/access/access-fetch.js +1 -2
- package/dist/cjs/src/access/access-rpc.js +1 -3
- package/dist/cjs/src/access.js +1 -14
- package/dist/cjs/src/auth/auth.js +13 -10
- package/dist/cjs/src/auth/dpop.js +121 -0
- package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +37 -3
- package/dist/cjs/src/auth/oidc-externaljwt-provider.js +37 -3
- package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +37 -3
- package/dist/cjs/src/auth/oidc.js +10 -8
- package/dist/cjs/src/auth/providers.js +35 -12
- package/dist/cjs/src/crypto/index.js +16 -2
- package/dist/cjs/src/crypto/pemPublicToCrypto.js +17 -11
- package/dist/cjs/src/opentdf.js +50 -13
- package/dist/cjs/src/policy/discovery.js +2 -2
- package/dist/cjs/tdf3/index.js +4 -2
- package/dist/cjs/tdf3/src/assertions.js +71 -31
- package/dist/cjs/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
- package/dist/cjs/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
- package/dist/cjs/tdf3/src/client/index.js +23 -33
- package/dist/cjs/tdf3/src/crypto/crypto-utils.js +12 -5
- package/dist/cjs/tdf3/src/crypto/declarations.js +1 -1
- package/dist/cjs/tdf3/src/crypto/index.js +849 -88
- package/dist/cjs/tdf3/src/crypto/jose/jwt-claims-set.js +11 -0
- package/dist/cjs/tdf3/src/crypto/jose/validate-crit.js +8 -0
- package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +41 -0
- package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/epoch.js +6 -0
- package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/is_object.js +21 -0
- package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +112 -0
- package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/secs.js +60 -0
- package/dist/cjs/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +38 -0
- package/dist/cjs/tdf3/src/crypto/jose/vendor/util/errors.js +135 -0
- package/dist/cjs/tdf3/src/crypto/jwt.js +183 -0
- package/dist/cjs/tdf3/src/crypto/salt.js +14 -8
- package/dist/cjs/tdf3/src/models/encryption-information.js +17 -20
- package/dist/cjs/tdf3/src/models/key-access.js +43 -63
- package/dist/cjs/tdf3/src/tdf.js +75 -75
- package/dist/cjs/tdf3/src/utils/index.js +5 -39
- package/dist/types/src/access/access-fetch.d.ts.map +1 -1
- package/dist/types/src/access/access-rpc.d.ts.map +1 -1
- package/dist/types/src/access.d.ts +0 -5
- package/dist/types/src/access.d.ts.map +1 -1
- package/dist/types/src/auth/auth.d.ts +9 -6
- package/dist/types/src/auth/auth.d.ts.map +1 -1
- package/dist/types/src/auth/dpop.d.ts +60 -0
- package/dist/types/src/auth/dpop.d.ts.map +1 -0
- package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts +3 -2
- package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts.map +1 -1
- package/dist/types/src/auth/oidc-externaljwt-provider.d.ts +3 -2
- package/dist/types/src/auth/oidc-externaljwt-provider.d.ts.map +1 -1
- package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts +3 -2
- package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts.map +1 -1
- package/dist/types/src/auth/oidc.d.ts +6 -4
- package/dist/types/src/auth/oidc.d.ts.map +1 -1
- package/dist/types/src/auth/providers.d.ts +5 -4
- package/dist/types/src/auth/providers.d.ts.map +1 -1
- package/dist/types/src/crypto/index.d.ts +2 -1
- package/dist/types/src/crypto/index.d.ts.map +1 -1
- package/dist/types/src/crypto/pemPublicToCrypto.d.ts +18 -0
- package/dist/types/src/crypto/pemPublicToCrypto.d.ts.map +1 -1
- package/dist/types/src/opentdf.d.ts +26 -7
- package/dist/types/src/opentdf.d.ts.map +1 -1
- package/dist/types/src/policy/discovery.d.ts +2 -2
- package/dist/types/tdf3/index.d.ts +3 -3
- package/dist/types/tdf3/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/assertions.d.ts +23 -8
- package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
- package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts +3 -3
- package/dist/types/tdf3/src/ciphers/aes-gcm-cipher.d.ts.map +1 -1
- package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts +4 -4
- package/dist/types/tdf3/src/ciphers/symmetric-cipher-base.d.ts.map +1 -1
- package/dist/types/tdf3/src/client/builders.d.ts +2 -2
- package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
- package/dist/types/tdf3/src/client/index.d.ts +6 -5
- package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/crypto/crypto-utils.d.ts +14 -4
- package/dist/types/tdf3/src/crypto/crypto-utils.d.ts.map +1 -1
- package/dist/types/tdf3/src/crypto/declarations.d.ts +283 -18
- package/dist/types/tdf3/src/crypto/declarations.d.ts.map +1 -1
- package/dist/types/tdf3/src/crypto/index.d.ts +105 -28
- package/dist/types/tdf3/src/crypto/index.d.ts.map +1 -1
- package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts +3 -0
- package/dist/types/tdf3/src/crypto/jose/jwt-claims-set.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts +5 -0
- package/dist/types/tdf3/src/crypto/jose/validate-crit.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts +6 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/buffer_utils.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts +3 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/epoch.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts +3 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/is_object.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts +3 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts +3 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/secs.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts +3 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/lib/validate_crit.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts +76 -0
- package/dist/types/tdf3/src/crypto/jose/vendor/util/errors.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/jwt.d.ts +76 -0
- package/dist/types/tdf3/src/crypto/jwt.d.ts.map +1 -0
- package/dist/types/tdf3/src/crypto/salt.d.ts +6 -1
- package/dist/types/tdf3/src/crypto/salt.d.ts.map +1 -1
- package/dist/types/tdf3/src/models/encryption-information.d.ts +4 -4
- package/dist/types/tdf3/src/models/encryption-information.d.ts.map +1 -1
- package/dist/types/tdf3/src/models/key-access.d.ts +8 -5
- package/dist/types/tdf3/src/models/key-access.d.ts.map +1 -1
- package/dist/types/tdf3/src/tdf.d.ts +8 -8
- package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
- package/dist/types/tdf3/src/utils/index.d.ts +4 -3
- package/dist/types/tdf3/src/utils/index.d.ts.map +1 -1
- package/dist/web/src/access/access-fetch.js +3 -4
- package/dist/web/src/access/access-rpc.js +3 -5
- package/dist/web/src/access.js +1 -13
- package/dist/web/src/auth/auth.js +13 -10
- package/dist/web/src/auth/dpop.js +118 -0
- package/dist/web/src/auth/oidc-clientcredentials-provider.js +4 -3
- package/dist/web/src/auth/oidc-externaljwt-provider.js +4 -3
- package/dist/web/src/auth/oidc-refreshtoken-provider.js +4 -3
- package/dist/web/src/auth/oidc.js +11 -9
- package/dist/web/src/auth/providers.js +13 -12
- package/dist/web/src/crypto/index.js +4 -2
- package/dist/web/src/crypto/pemPublicToCrypto.js +11 -9
- package/dist/web/src/opentdf.js +17 -13
- package/dist/web/src/policy/discovery.js +2 -2
- package/dist/web/tdf3/index.js +3 -2
- package/dist/web/tdf3/src/assertions.js +71 -31
- package/dist/web/tdf3/src/ciphers/aes-gcm-cipher.js +1 -1
- package/dist/web/tdf3/src/ciphers/symmetric-cipher-base.js +4 -2
- package/dist/web/tdf3/src/client/index.js +25 -35
- package/dist/web/tdf3/src/crypto/crypto-utils.js +12 -5
- package/dist/web/tdf3/src/crypto/declarations.js +1 -1
- package/dist/web/tdf3/src/crypto/index.js +830 -84
- package/dist/web/tdf3/src/crypto/jose/jwt-claims-set.js +5 -0
- package/dist/web/tdf3/src/crypto/jose/validate-crit.js +3 -0
- package/dist/web/tdf3/src/crypto/jose/vendor/lib/buffer_utils.js +35 -0
- package/dist/web/tdf3/src/crypto/jose/vendor/lib/epoch.js +4 -0
- package/dist/web/tdf3/src/crypto/jose/vendor/lib/is_object.js +19 -0
- package/dist/web/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.js +107 -0
- package/dist/web/tdf3/src/crypto/jose/vendor/lib/secs.js +58 -0
- package/dist/web/tdf3/src/crypto/jose/vendor/lib/validate_crit.js +36 -0
- package/dist/web/tdf3/src/crypto/jose/vendor/util/errors.js +117 -0
- package/dist/web/tdf3/src/crypto/jwt.js +174 -0
- package/dist/web/tdf3/src/crypto/salt.js +13 -7
- package/dist/web/tdf3/src/models/encryption-information.js +11 -14
- package/dist/web/tdf3/src/models/key-access.js +44 -31
- package/dist/web/tdf3/src/tdf.js +71 -71
- package/dist/web/tdf3/src/utils/index.js +5 -6
- package/package.json +11 -4
- package/src/access/access-fetch.ts +2 -8
- package/src/access/access-rpc.ts +0 -7
- package/src/access.ts +0 -17
- package/src/auth/auth.ts +21 -12
- package/src/auth/dpop.ts +222 -0
- package/src/auth/oidc-clientcredentials-provider.ts +23 -15
- package/src/auth/oidc-externaljwt-provider.ts +23 -15
- package/src/auth/oidc-refreshtoken-provider.ts +23 -15
- package/src/auth/oidc.ts +21 -10
- package/src/auth/providers.ts +46 -29
- package/src/crypto/index.ts +21 -1
- package/src/crypto/pemPublicToCrypto.ts +11 -9
- package/src/opentdf.ts +36 -17
- package/src/policy/discovery.ts +2 -2
- package/tdf3/index.ts +32 -5
- package/tdf3/src/assertions.ts +99 -30
- package/tdf3/src/ciphers/aes-gcm-cipher.ts +7 -2
- package/tdf3/src/ciphers/symmetric-cipher-base.ts +7 -4
- package/tdf3/src/client/builders.ts +2 -2
- package/tdf3/src/client/index.ts +60 -59
- package/tdf3/src/crypto/crypto-utils.ts +15 -8
- package/tdf3/src/crypto/declarations.ts +338 -22
- package/tdf3/src/crypto/index.ts +1021 -118
- package/tdf3/src/crypto/jose/jwt-claims-set.ts +10 -0
- package/tdf3/src/crypto/jose/validate-crit.ts +9 -0
- package/tdf3/src/crypto/jose/vendor/lib/buffer_utils.ts +34 -0
- package/tdf3/src/crypto/jose/vendor/lib/epoch.ts +3 -0
- package/tdf3/src/crypto/jose/vendor/lib/is_object.ts +18 -0
- package/tdf3/src/crypto/jose/vendor/lib/jwt_claims_set.ts +106 -0
- package/tdf3/src/crypto/jose/vendor/lib/secs.ts +57 -0
- package/tdf3/src/crypto/jose/vendor/lib/validate_crit.ts +35 -0
- package/tdf3/src/crypto/jose/vendor/util/errors.ts +101 -0
- package/tdf3/src/crypto/jwt.ts +256 -0
- package/tdf3/src/crypto/salt.ts +16 -8
- package/tdf3/src/models/encryption-information.ts +14 -21
- package/tdf3/src/models/key-access.ts +57 -41
- package/tdf3/src/tdf.ts +110 -93
- package/tdf3/src/utils/index.ts +5 -6
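--- a/package/dist/web/src/auth/dpop.js
+++ b/package/dist/web/src/auth/dpop.js
@@ -0,0 +1,118 @@
+// pulled from https://github.com/panva/dpop/tree/v1.4.1
+// Modified to use CryptoService instead of crypto.subtle
+const encoder = new TextEncoder();
+function buf(input) {
+return encoder.encode(input);
+}
+/**
+* Minimal JWT sign() implementation using CryptoService.
+*/
+async function jwt(header, claimsSet, privateKey, cryptoService) {
+const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;
+const signature = await cryptoService.sign(buf(input), privateKey, header.alg);
+return `${input}.${b64u(signature)}`;
+}
+const CHUNK_SIZE = 0x8000;
+function encodeBase64Url(input) {
+const bytes = input instanceof ArrayBuffer ? new Uint8Array(input) : input;
+const arr = [];
+for (let i = 0; i < bytes.byteLength; i += CHUNK_SIZE) {
+arr.push(String.fromCharCode.apply(null, bytes.subarray(i, i + CHUNK_SIZE)));
+}
+return btoa(arr.join('')).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+}
+function b64u(input) {
+return encodeBase64Url(input);
+}
+/**
+* Generates 32 random bytes and encodes them using base64url.
+*/
+async function randomBytes(cryptoService) {
+return b64u(await cryptoService.randomBytes(32));
+}
+class UnsupportedOperationError extends Error {
+constructor(message) {
+super(message ?? 'operation not supported');
+this.name = this.constructor.name;
+Error.captureStackTrace?.(this, this.constructor);
+}
+}
+/**
+* Determines a supported JWS `alg` identifier from PublicKeyInfo algorithm string.
+*/
+function determineJWSAlgorithmFromKeyInfo(algorithm) {
+if (algorithm.startsWith('rsa:')) {
+return 'RS256';
+}
+switch (algorithm) {
+case 'ec:secp256r1':
+return 'ES256';
+case 'ec:secp384r1':
+return 'ES384';
+case 'ec:secp521r1':
+return 'ES512';
+default:
+throw new UnsupportedOperationError(`unsupported key algorithm: ${algorithm}`);
+}
+}
+/**
+* Returns the current unix timestamp in seconds.
+*/
+function epochTime() {
+return Math.floor(Date.now() / 1000);
+}
+/**
+* Generates a unique DPoP Proof JWT.
+*
+* @param keypair Opaque key pair
+* @param cryptoService CryptoService for cryptographic operations
+* @param htu The HTTP URI (without query and fragment parts) of the request
+* @param htm The HTTP method of the request
+* @param nonce Server-provided nonce.
+* @param accessToken Associated access token's value.
+* @param additional Any additional claims.
+*/
+export default async function DPoP(keypair, cryptoService, htu, htm, nonce, accessToken, additional) {
+const privateKey = keypair?.privateKey;
+const publicKey = keypair?.publicKey;
+if (typeof htu !== 'string') {
+throw new TypeError('"htu" must be a string');
+}
+if (typeof htm !== 'string') {
+throw new TypeError('"htm" must be a string');
+}
+if (nonce !== undefined && typeof nonce !== 'string') {
+throw new TypeError('"nonce" must be a string or undefined');
+}
+if (accessToken !== undefined && typeof accessToken !== 'string') {
+throw new TypeError('"accessToken" must be a string or undefined');
+}
+if (additional !== undefined &&
+(typeof additional !== 'object' || additional === null || Array.isArray(additional))) {
+throw new TypeError('"additional" must be an object');
+}
+// Detect algorithm from opaque key metadata
+const alg = determineJWSAlgorithmFromKeyInfo(publicKey.algorithm);
+// Export public key as JWK for the header
+const jwk = await cryptoService.exportPublicKeyJwk(publicKey);
+// Compute access token hash if provided
+let ath;
+if (accessToken) {
+const athBytes = await cryptoService.digest('SHA-256', buf(accessToken));
+ath = b64u(athBytes);
+}
+return jwt({
+alg,
+typ: 'dpop+jwt',
+jwk,
+}, {
+...additional,
+iat: epochTime(),
+jti: await randomBytes(cryptoService),
+htm,
+nonce,
+htu,
+ath,
+}, privateKey, cryptoService);
+}
+//# sourceMappingURL=data:application/json;base64,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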
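Review bot: The `jwk` placed in the proof header (new line 97) is whatever `cryptoService.exportPublicKeyJwk(publicKey)` returns, and nothing in this file checks that the export holds only public members, so a CryptoService implementation that returns a full key object would send the private key in every DPoP header. Pin the contract at the point of use with `if ('d' in jwk) { throw new TypeError('DPoP header jwk must not contain private key material'); }` before the `jwt(...)` call on line 104. Separately, `publicKey.algorithm` on line 95 dereferences `keypair?.publicKey` with no guard, so a missing or malformed keypair fails with a generic TypeError instead of the explicit checks given to `htu`, `htm` and `nonce`; `if (!privateKey || !publicKey) { throw new TypeError('"keypair" must contain privateKey and publicKey'); }` after line 77 would match them. This hunk appears to be the generated `package/dist/web/src/auth/dpop.js` (the only +118/-0 entry in the file list), so the fix belongs in `package/src/auth/dpop.ts`.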
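--- a/package/dist/web/src/auth/oidc-clientcredentials-provider.js
+++ b/package/dist/web/src/auth/oidc-clientcredentials-provider.js
@@ -1,7 +1,8 @@
 import { ConfigurationError } from '../errors.js';
 import { AccessToken } from './oidc.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
 export class OIDCClientCredentialsProvider {
-constructor({ clientId, clientSecret, oidcOrigin, oidcTokenEndpoint, oidcUserInfoEndpoint, }) {
+constructor({ clientId, clientSecret, oidcOrigin, oidcTokenEndpoint, oidcUserInfoEndpoint, }, cryptoService = defaultCryptoService) {
 if (!clientId || !clientSecret) {
 throw new ConfigurationError('clientId & clientSecret required for client credentials flow');
 }
@@ -12,7 +13,7 @@ export class OIDCClientCredentialsProvider {
 oidcOrigin,
 oidcTokenEndpoint,
 oidcUserInfoEndpoint,
-});
+}, cryptoService);
 }
 async updateClientPublicKey(signingKey) {
 await this.oidcAuth.refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey);
@@ -21,4 +22,4 @@ export class OIDCClientCredentialsProvider {
 return this.oidcAuth.withCreds(httpReq);
 }
 }
-//# sourceMappingURL=data:application/json;base64,
+//# sourceMappingURL=data:application/json;base64,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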
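Review bot: The new `cryptoService` constructor parameter (new line 5) is undocumented, and it now decides which implementation performs DPoP signing and public-key export for this provider, so a caller passing a custom value is handing it private-key operations. A JSDoc on the constructor, `@param cryptoService CryptoService used by the underlying AccessToken for DPoP proof signing and public key export; defaults to the bundled tdf3 implementation`, would make that explicit. The same undocumented parameter is added to the constructors in the `oidc-externaljwt-provider.js` and `oidc-refreshtoken-provider.js` hunks below. These are generated dist files; the doc comment belongs in the matching `package/src/auth/*.ts` sources listed in the file list.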
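--- a/package/dist/web/src/auth/oidc-externaljwt-provider.js
+++ b/package/dist/web/src/auth/oidc-externaljwt-provider.js
@@ -1,7 +1,8 @@
 import { ConfigurationError } from '../errors.js';
 import { AccessToken } from './oidc.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
 export class OIDCExternalJwtProvider {
-constructor({ clientId, externalJwt, oidcOrigin, oidcTokenEndpoint, oidcUserInfoEndpoint, }) {
+constructor({ clientId, externalJwt, oidcOrigin, oidcTokenEndpoint, oidcUserInfoEndpoint, }, cryptoService = defaultCryptoService) {
 if (!clientId || !externalJwt) {
 throw new ConfigurationError('external JWT exchange reequires client id and jwt');
 }
@@ -12,7 +13,7 @@ export class OIDCExternalJwtProvider {
 oidcOrigin,
 oidcTokenEndpoint,
 oidcUserInfoEndpoint,
-});
+}, cryptoService);
 this.externalJwt = externalJwt;
 }
 async updateClientPublicKey(signingKey) {
@@ -28,4 +29,4 @@ export class OIDCExternalJwtProvider {
 return this.oidcAuth.withCreds(httpReq);
 }
 }
-//# sourceMappingURL=data:application/json;base64,
+//# sourceMappingURL=data:application/json;base64,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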
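--- a/package/dist/web/src/auth/oidc-refreshtoken-provider.js
+++ b/package/dist/web/src/auth/oidc-refreshtoken-provider.js
@@ -1,5 +1,6 @@
 import { ConfigurationError } from '../errors.js';
 import { AccessToken } from './oidc.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
 /**
 * An AuthProvider that uses an OIDC refresh token to obtain an access token.
 * It exchanges the refresh token for an access token and uses that to augment HTTP requests with credentials.
@@ -15,7 +16,7 @@ import { AccessToken } from './oidc.js';
 ```
 */
 export class OIDCRefreshTokenProvider {
-constructor({ clientId, refreshToken, oidcOrigin, oidcTokenEndpoint, oidcUserInfoEndpoint, }) {
+constructor({ clientId, refreshToken, oidcOrigin, oidcTokenEndpoint, oidcUserInfoEndpoint, }, cryptoService = defaultCryptoService) {
 if (!clientId || !refreshToken) {
 throw new ConfigurationError('refresh token or client id missing');
 }
@@ -26,7 +27,7 @@ export class OIDCRefreshTokenProvider {
 oidcOrigin,
 oidcTokenEndpoint,
 oidcUserInfoEndpoint,
-});
+}, cryptoService);
 this.refreshToken = refreshToken;
 }
 async updateClientPublicKey(signingKey) {
@@ -43,4 +44,4 @@ export class OIDCRefreshTokenProvider {
 return this.oidcAuth.withCreds(httpReq);
 }
 }
-//# sourceMappingURL=data:application/json;base64,
+//# sourceMappingURL=data:application/json;base64,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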
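--- a/package/dist/web/src/auth/oidc.js
+++ b/package/dist/web/src/auth/oidc.js
@@ -1,8 +1,8 @@
-import { default as dpopFn } from 'dpop';
+import { default as dpopFn } from './dpop.js';
 import { withHeaders } from './auth.js';
 import { base64 } from '../encodings/index.js';
 import { ConfigurationError, TdfError } from '../errors.js';
-import {
+import { rstrip } from '../utils.js';
 const qstringify = (obj) => new URLSearchParams(obj).toString();
 /**
 * Class that provides OIDC functionality to auth providers, assuming 'enhanced'
@@ -27,7 +27,7 @@ const qstringify = (obj) => new URLSearchParams(obj).toString();
 * explicit token refresh
 */
 export class AccessToken {
-constructor(cfg, request) {
+constructor(cfg, cryptoService, request) {
 this.extraHeaders = {};
 if (!cfg.clientId) {
 throw new ConfigurationError('A Keycloak client identifier is currently required for all auth mechanisms');
@@ -45,6 +45,7 @@ export class AccessToken {
 throw new ConfigurationError('Invalid oidc configuration');
 }
 this.config = cfg;
+this.cryptoService = cryptoService;
 this.request = request;
 this.baseUrl = rstrip(cfg.oidcOrigin, '/');
 this.tokenEndpoint = cfg.oidcTokenEndpoint || `${this.baseUrl}/protocol/openid-connect/token`;
@@ -63,7 +64,7 @@ export class AccessToken {
 Authorization: `Bearer ${accessToken}`,
 };
 if (this.config.dpopEnabled && this.signingKey) {
-headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'POST');
+headers.DPoP = await dpopFn(this.signingKey, this.cryptoService, this.userInfoEndpoint, 'POST');
 }
 const response = await (this.request || fetch)(this.userInfoEndpoint, {
 headers,
@@ -84,9 +85,10 @@ export class AccessToken {
 if (!this.signingKey) {
 throw new ConfigurationError('No signature configured');
 }
-
-
-headers
+// Export opaque public key to PEM format for header
+const publicKeyPem = await this.cryptoService.exportPublicKeyPem(this.signingKey.publicKey);
+headers['X-VirtruPubKey'] = base64.encode(publicKeyPem);
+headers.DPoP = await dpopFn(this.signingKey, this.cryptoService, url, 'POST');
 }
 return (this.request || fetch)(url, {
 method: 'POST',
@@ -205,7 +207,7 @@ export class AccessToken {
 }
 const accessToken = (this.currentAccessToken ??= await this.get());
 if (this.config.dpopEnabled && this.signingKey) {
-const dpopToken = await dpopFn(this.signingKey, httpReq.url, httpReq.method,
+const dpopToken = await dpopFn(this.signingKey, this.cryptoService, httpReq.url, httpReq.method,
 /* nonce */ undefined, accessToken);
 // TODO: Consider: only set DPoP if cnf.jkt is present in access token?
 return withHeaders(httpReq, { Authorization: `Bearer ${accessToken}`, DPoP: dpopToken });
@@ -213,4 +215,4 @@ export class AccessToken {
 return withHeaders(httpReq, { Authorization: `Bearer ${accessToken}` });
 }
 }
-//# sourceMappingURL=data:application/json;base64,
+//# sourceMappingURL=data:application/json;base64,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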
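Review bot: Inserting `cryptoService` as the second positional parameter of `AccessToken` (new line 30) silently breaks any caller that passed a custom `request` in that position: the fetch-like function becomes `this.cryptoService`, `request` becomes undefined so `(this.request || fetch)` on lines 69 and 93 quietly falls back to the global `fetch`, and the mistake only surfaces later as a TypeError inside `exportPublicKeyPem` or `dpopFn` (new lines 67, 89, 210). The constructor already rejects a bad `cfg` with ConfigurationError, so a guard in the same style, `if (typeof cryptoService?.exportPublicKeyPem !== 'function') { throw new ConfigurationError('cryptoService must implement the CryptoService interface'); }`, would fail fast at construction instead. The class body continues outside these hunks, and since this is a generated dist file the change belongs in `package/src/auth/oidc.ts`.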
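--- a/package/dist/web/src/auth/providers.js
+++ b/package/dist/web/src/auth/providers.js
@@ -3,6 +3,7 @@ import { OIDCExternalJwtProvider } from './oidc-externaljwt-provider.js';
 import { OIDCRefreshTokenProvider } from './oidc-refreshtoken-provider.js';
 import { isBrowser } from '../utils.js';
 import { ConfigurationError } from '../errors.js';
+import * as defaultCryptoService from '../../tdf3/src/crypto/index.js';
 /**
 * Creates an OIDC Client Credentials Provider for non-browser contexts.
 *
@@ -21,14 +22,14 @@ import { ConfigurationError } from '../errors.js';
 * {@link updateClientPublicKey} which will force an explicit token refresh
 *
 */
-export const clientSecretAuthProvider = async (clientConfig) => {
+export const clientSecretAuthProvider = async (clientConfig, cryptoService = defaultCryptoService) => {
 return new OIDCClientCredentialsProvider({
 clientId: clientConfig.clientId,
 clientSecret: clientConfig.clientSecret,
 oidcOrigin: clientConfig.oidcOrigin,
 oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
 oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-});
+}, cryptoService);
 };
 /**
 * Create an OIDC External JWT Provider for browser contexts.
@@ -46,14 +47,14 @@ export const clientSecretAuthProvider = async (clientConfig) => {
 * Virtru claims. The public key may be passed to this provider's constructor, or supplied post-construction by calling
 * {@link updateClientPublicKey}, which will force an explicit token refresh.
 */
-export const externalAuthProvider = async (clientConfig) => {
+export const externalAuthProvider = async (clientConfig, cryptoService = defaultCryptoService) => {
 return new OIDCExternalJwtProvider({
 clientId: clientConfig.clientId,
 externalJwt: clientConfig.externalJwt,
 oidcOrigin: clientConfig.oidcOrigin,
 oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
 oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-});
+}, cryptoService);
 };
 /**
 * Creates an OIDC Refresh Token Provider for browser and non-browser contexts.
@@ -69,21 +70,21 @@ export const externalAuthProvider = async (clientConfig) => {
 * Virtru claims. The public key may be passed to this provider's constructor, or supplied post-construction by calling
 * {@link updateClientPublicKey} which will force an explicit token refresh
 */
-export const refreshAuthProvider = async (clientConfig) => {
+export const refreshAuthProvider = async (clientConfig, cryptoService = defaultCryptoService) => {
 return new OIDCRefreshTokenProvider({
 clientId: clientConfig.clientId,
 refreshToken: clientConfig.refreshToken,
 oidcOrigin: clientConfig.oidcOrigin,
 oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
 oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
-});
+}, cryptoService);
 };
 /**
 * Generate an auth provder.
 * @param clientConfig OIDC client credentials
 * @returns a promise for a new auth provider with the requested excahnge type
 */
-export const clientAuthProvider = async (clientConfig) => {
+export const clientAuthProvider = async (clientConfig, cryptoService = defaultCryptoService) => {
 if (!clientConfig.clientId) {
 throw new ConfigurationError('Client ID must be provided to constructor');
 }
@@ -98,13 +99,13 @@ export const clientAuthProvider = async (clientConfig) => {
 //and provide us with a valid refresh token/clientId obtained from that process.
 switch (clientConfig.exchange) {
 case 'refresh': {
-return refreshAuthProvider(clientConfig);
+return refreshAuthProvider(clientConfig, cryptoService);
 }
 case 'external': {
-return externalAuthProvider(clientConfig);
+return externalAuthProvider(clientConfig, cryptoService);
 }
 case 'client': {
-return clientSecretAuthProvider(clientConfig);
+return clientSecretAuthProvider(clientConfig, cryptoService);
 }
 default:
 throw new ConfigurationError(`Unsupported client type`);
@@ -116,10 +117,10 @@ export const clientAuthProvider = async (clientConfig) => {
 if (clientConfig.exchange !== 'client') {
 throw new ConfigurationError('When using client credentials, must supply both client ID and client secret to constructor');
 }
-return clientSecretAuthProvider(clientConfig);
+return clientSecretAuthProvider(clientConfig, cryptoService);
 };
 export * from './auth.js';
 export { OIDCClientCredentialsProvider } from './oidc-clientcredentials-provider.js';
 export { OIDCExternalJwtProvider } from './oidc-externaljwt-provider.js';
 export { OIDCRefreshTokenProvider } from './oidc-refreshtoken-provider.js';
-//# sourceMappingURL=data:application/json;base64,
+//# sourceMappingURL=data:application/json;base64,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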
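Review bot: The JSDoc for `clientAuthProvider` (new lines 82-86) documents `@param clientConfig` but not the `cryptoService` parameter added on line 87, and the same omission applies to `clientSecretAuthProvider`, `externalAuthProvider` and `refreshAuthProvider` (new lines 25, 50, 73). Add `* @param cryptoService CryptoService used for DPoP proof signing and public key export; defaults to the bundled tdf3 implementation` to each of the four comment blocks. While editing those comments, `provder` and `excahnge` on lines 82 and 84 are typos carried over from the source `package/src/auth/providers.ts`, which is where these edits belong since this file is generated output.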
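--- a/package/dist/web/src/crypto/index.js
+++ b/package/dist/web/src/crypto/index.js
@@ -6,6 +6,8 @@ export { generateKeyPair } from './generateKeyPair.js';
 export { keyAgreement } from './keyAgreement.js';
 export { default as exportCryptoKey } from './exportCryptoKey.js';
 export { generateRandomNumber } from './generateRandomNumber.js';
-export { pemPublicToCrypto, pemCertToCrypto } from './pemPublicToCrypto.js';
+export { pemPublicToCrypto, pemCertToCrypto, guessAlgorithmName, guessCurveName, toJwsAlg, RSA_OID, EC_OID, P256_OID, P384_OID, P521_OID, } from './pemPublicToCrypto.js';
 export * as enums from './enums.js';
-
+// PEM Formatting Utilities from tdf3
+export { formatAsPem, removePemFormatting, isPemKeyPair, isCryptoKeyPair, } from '../../tdf3/src/crypto/crypto-utils.js';
+//# sourceMappingURL=data:application/json;base64,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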
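Review bot: Re-exporting `guessAlgorithmName`, `guessCurveName`, `toJwsAlg` and the `*_OID` constants from the public `crypto` module (new line 9) makes the SDK's key-type detection part of its API surface, and callers outside the SDK may feed it arbitrary PEM or DER where the underlying OID substring match (`hex.includes(EC_OID)` in the pemPublicToCrypto.js hunk below) is only a heuristic. A comment above the export in the style of the `// PEM Formatting Utilities from tdf3` comment on line 11, such as `// Key-type detection helpers: OID substring heuristics over DER hex, see pemPublicToCrypto.js`, would make the widened export deliberate and set expectations for callers.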
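--- a/package/dist/web/src/crypto/pemPublicToCrypto.js
+++ b/package/dist/web/src/crypto/pemPublicToCrypto.js
@@ -30,11 +30,12 @@ import { importX509 } from 'jose';
 import { encodeArrayBuffer as hexEncodeArrayBuffer } from '../encodings/hex.js';
 import { ConfigurationError, TdfError } from '../errors.js';
 import { NamedCurve } from './enums.js';
-
-const
-const
-const
-const
+// OID constants for algorithm detection (hex-encoded ASN.1 OIDs)
+export const RSA_OID = '06092a864886f70d010101';
+export const EC_OID = '06072a8648ce3d0201';
+export const P256_OID = '06082a8648ce3d030107';
+export const P384_OID = '06052b81040022';
+export const P521_OID = '06052b81040023';
 const SHA_512 = 'SHA-512';
 const SPKI = 'spki';
 const CERT_BEGIN = '-----BEGIN CERTIFICATE-----';
@@ -58,7 +59,7 @@ function guessKeyUsages(algorithmName, usages) {
 return [];
 }
 }
-function guessAlgorithmName(hex, algorithmName) {
+export function guessAlgorithmName(hex, algorithmName) {
 if (hex.includes(EC_OID)) {
 if (!algorithmName || algorithmName === ECDH) {
 return ECDH;
@@ -77,7 +78,7 @@ function guessAlgorithmName(hex, algorithmName) {
 }
 throw new TypeError(`Invalid public key, ${algorithmName}`);
 }
-function guessCurveName(hex) {
+export function guessCurveName(hex) {
 if (hex.includes(P256_OID)) {
 return NamedCurve.P256;
 }
@@ -129,9 +130,10 @@ export async function pemPublicToCrypto(pem, options = {
 }
 }
 /**
+* Detect JWS algorithm from hex-encoded key/certificate data.
 * Look up JWK algorithm at https://github.com/panva/jose/issues/210
 */
-function toJwsAlg(hex) {
+export function toJwsAlg(hex) {
 const a = guessAlgorithmName(hex);
 if (a === ECDH) {
 return 'ECDH-ES';
@@ -169,4 +171,4 @@ export async function pemCertToCrypto(pem, options = {
 }
 return key;
 }
-//# sourceMappingURL=data:application/json;base64,
+//# sourceMappingURL=data:application/json;base64,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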
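Review bot: Now that `guessAlgorithmName`, `guessCurveName` and `toJwsAlg` are exported (new lines 62, 81, 136), their detection method becomes a public contract, and that method is a substring search for a DER OID over the entire hex blob (`hex.includes(EC_OID)` on line 63, `hex.includes(P256_OID)` on line 82), so for certificate input any occurrence of the OID anywhere in the encoding counts as a match, not only the one in the SubjectPublicKeyInfo. A JSDoc line on each exported function, `Heuristic: matches the OID anywhere in the DER hex; intended for SPKI and certificate data produced by this SDK, not as a general ASN.1 parser.`, would state that limit for external callers. The comment on new line 33 could also be precise about what the constants hold, since each begins with the `06` tag and a length byte rather than the bare OID value: `// DER-encoded OID TLVs (tag 06 + length + value) as hex, used for substring detection`. The function bodies continue outside these hunks, and the source of record is `package/src/crypto/pemPublicToCrypto.ts` from the file list.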