@shad-claiborne/basic-oidc 1.0.3 → 1.0.4

package/dist/index.d.ts

@@ -0,0 +1,285 @@
+export interface IdentityProviderConfiguration {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint: string;
+    registration_endpoint: string;
+    jwks_uri: string;
+    response_types_supported: string[];
+    response_modes_supported: string[];
+    grant_types_supported: string[];
+    subject_types_supported: string[];
+    id_token_signing_alg_values_supported: string[];
+    scopes_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    claims_supported: string[];
+    code_challenge_methods_supported: string[];
+    introspection_endpoint: string;
+    introspection_endpoint_auth_methods_supported: string[];
+    revocation_endpoint: string;
+    revocation_endpoint_auth_methods_supported: string[];
+    end_session_endpoint: string;
+    request_parameter_supported: boolean;
+    request_object_signing_alg_values_supported: string[];
+    device_authorization_endpoint: string;
+    pushed_authorization_request_endpoint: string;
+    backchannel_token_delivery_modes_supported: string[];
+    backchannel_authentication_request_signing_alg_values_supported: string[];
+    dpop_signing_alg_values_supported: string[];
+}
+export interface AuthorizationResponse {
+    code?: string;
+    id_token?: string;
+    state?: string;
+}
+export interface TokenSet {
+    token_type: string;
+    access_token: string;
+    expires_in: number;
+    refresh_token: string;
+    id_token?: string;
+}
+export interface Identity {
+    sub: string;
+    name?: string;
+    email?: string;
+}
+/**
+ * class AuthorizationRequest
+ */
+export declare class AuthorizationRequest {
+    private client;
+    private responseType;
+    private responseMode;
+    private redirectUri;
+    private scope;
+    private state;
+    private codeChallenge;
+    private codeChallengeMethod;
+    /**
+     * constructor
+     * @param client Client
+     */
+    constructor(client: Client);
+    /**
+     * setRedirectUri
+     * @param uri string
+     */
+    setRedirectUri(uri: string): AuthorizationRequest;
+    /**
+     * setState
+     * @param state string
+     */
+    setState(state: string): AuthorizationRequest;
+    /**
+     * setResponseMode
+     * @param mode string
+     */
+    setResponseMode(mode: string): AuthorizationRequest;
+    /**
+     * setResponseType
+     * @param type string[]
+     */
+    setResponseType(type: string): AuthorizationRequest;
+    /**
+     * setScope
+     * @param scope string[]
+     */
+    setScope(scope: string[]): AuthorizationRequest;
+    /**
+     * setCodeChallenge
+     * @param challenge string
+     * @param method string
+     */
+    setCodeChallenge(challenge: string, method?: string): AuthorizationRequest;
+    /**
+     * toURLSearchParams
+     * @returns URLSearchParams
+     */
+    toURLSearchParams(): URLSearchParams;
+    /**
+     * toURL
+     * @returns URL
+     */
+    toURL(): URL;
+}
+/**
+ * class TokenRequest
+ */
+export declare class TokenRequest {
+    private client;
+    private code;
+    private codeVerifier;
+    private redirectUri;
+    private grantType;
+    private refreshToken;
+    /**
+     * constructor
+     * @param client Client
+     */
+    constructor(client: Client);
+    /**
+     * setCode
+     * @param code string
+     */
+    setCode(code: string): TokenRequest;
+    /**
+     * setRedirectUri
+     * @param uri string
+     */
+    setRedirectUri(uri: string): TokenRequest;
+    /**
+     * setCodeVerifier
+     * @param verifier string
+     */
+    setCodeVerifier(verifier: string): TokenRequest;
+    /**
+     * setGrantType
+     * @param type string
+     */
+    setGrantType(type: string): TokenRequest;
+    /**
+     * setRefreshToken
+     * @param token string
+     */
+    setRefreshToken(token: string): TokenRequest;
+    /**
+     * toURLSearchParams
+     * @returns URLSearchParams
+     */
+    toURLSearchParams(): URLSearchParams;
+}
+/**
+ * class IdentityProvider
+ */
+export declare class IdentityProvider {
+    private config;
+    /**
+     * constructor
+     * @param config IdentityProviderConfiguration
+     */
+    constructor(config: IdentityProviderConfiguration);
+    /**
+     * getAuthorizationEndpoint
+     * @returns string
+     */
+    getAuthorizationEndpoint(): string;
+    /**
+     * getTokenEndpoint
+     * @returns string
+     */
+    getTokenEndpoint(): string;
+    /**
+     * getUserinfoEndpoint
+     * @returns string
+     */
+    getUserinfoEndpoint(): string;
+    /**
+     * getRevocationEndpoint
+     * @returns string
+     */
+    getRevocationEndpoint(): string;
+    /**
+     * isResponseModeSupported
+     * @param mode string
+     * @returns boolean
+     */
+    isResponseModeSupported(mode: string): boolean;
+    /**
+     * isResponseTypeSupported
+     * @param type string[]
+     * @returns boolean
+     */
+    isResponseTypeSupported(type: string): boolean;
+    /**
+     * isScopeSupported
+     * @param scope string[]
+     * @returns boolean
+     */
+    isScopeSupported(scope: string[]): boolean;
+    /**
+     * isChallengeMethodSupported
+     * @param method string
+     * @returns boolean
+     */
+    isChallengeMethodSupported(method: string): boolean;
+    /**
+     * isGrantTypeSupported
+     * @param method string
+     * @returns boolean
+     */
+    isGrantTypeSupported(type: string): boolean;
+    /**
+     * createClient
+     * @returns Client
+     */
+    createClient(id: string, secret: string): Client;
+    /**
+     * getIdentity
+     * @param client Client
+     * @param tokenSet TokenSet
+     * @returns Promise<Identity | null>
+     */
+    getIdentity(client: Client, tokenSet: TokenSet): Promise<Identity | null>;
+}
+/**
+ * class Client
+ */
+export declare class Client {
+    private provider;
+    private clientId;
+    private clientSecret;
+    /**
+     * constructor
+     * @param provider IdentityProvider
+     * @param id string
+     * @param secret string
+     */
+    constructor(provider: IdentityProvider, id: string, secret: string);
+    /**
+     * getProvider
+     * @returns IdentityProvider
+     */
+    getProvider(): IdentityProvider;
+    /**
+     * getClientId
+     * @returns string
+     */
+    getClientId(): string;
+    /**
+     * getClientSecret
+     * @returns string
+     */
+    getClientSecret(): string;
+    /**
+     * newAuthorizationRequest
+     * @returns AuthorizationRequest
+     */
+    newAuthorizationRequest(): AuthorizationRequest;
+    /**
+     * requestAccess
+     * @param authResponse AuthorizationResponse
+     * @param codeVerifier string
+     * @returns Promise<TokenSet>
+     */
+    requestAccess(authResponse: AuthorizationResponse, codeVerifier?: string): Promise<TokenSet>;
+    /**
+     * refreshAccess
+     * @param tokenSet TokenSet
+     * @returns Promise<TokenSet>
+     */
+    refreshAccess(tokenSet: TokenSet): Promise<TokenSet>;
+    /**
+     * revokeAccess
+     * @param tokenSet TokenSet
+     * @returns Promise<void>
+     */
+    revokeAccess(tokenSet: TokenSet): Promise<void>;
+}
+/**
+ * createIdentityProvider
+ * @param issuer string
+ * @returns IdentityProvider
+ */
+export declare const createIdentityProvider: (issuer: string) => Promise<IdentityProvider>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -0,0 +1,486 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createIdentityProvider = exports.Client = exports.IdentityProvider = exports.TokenRequest = exports.AuthorizationRequest = void 0;
+const sha256_1 = __importDefault(require("crypto-js/sha256"));
+const enc_base64url_1 = __importDefault(require("crypto-js/enc-base64url"));
+const axios_1 = __importDefault(require("axios"));
+const jose_1 = require("jose");
+/**
+ * class AuthorizationRequest
+ */
+class AuthorizationRequest {
+    client;
+    responseType;
+    responseMode;
+    redirectUri;
+    scope;
+    state;
+    codeChallenge;
+    codeChallengeMethod;
+    /**
+     * constructor
+     * @param client Client
+     */
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * setRedirectUri
+     * @param uri string
+     */
+    setRedirectUri(uri) {
+        this.redirectUri = uri;
+        return this;
+    }
+    /**
+     * setState
+     * @param state string
+     */
+    setState(state) {
+        this.state = state;
+        return this;
+    }
+    /**
+     * setResponseMode
+     * @param mode string
+     */
+    setResponseMode(mode) {
+        if (this.client.getProvider().isResponseModeSupported(mode)) {
+            this.responseMode = mode;
+        }
+        else
+            throw new Error('invalid or unsupported response mode');
+        return this;
+    }
+    /**
+     * setResponseType
+     * @param type string[]
+     */
+    setResponseType(type) {
+        if (this.client.getProvider().isResponseTypeSupported(type)) {
+            this.responseType = type;
+        }
+        else
+            throw new Error('invalid or unsupported response type');
+        return this;
+    }
+    /**
+     * setScope
+     * @param scope string[]
+     */
+    setScope(scope) {
+        if (this.client.getProvider().isScopeSupported(scope)) {
+            this.scope = ['openid', ...scope];
+        }
+        else
+            throw new Error('invalid or unsupported scope');
+        return this;
+    }
+    /**
+     * setCodeChallenge
+     * @param challenge string
+     * @param method string
+     */
+    setCodeChallenge(challenge, method = 'S256') {
+        if (this.client.getProvider().isChallengeMethodSupported(method)) {
+            if (method === 'plain') {
+                this.codeChallenge = challenge;
+            }
+            else if (method === 'S256') {
+                this.codeChallenge = enc_base64url_1.default.stringify((0, sha256_1.default)(challenge));
+            }
+            else
+                throw new Error('code challenge method not yet implemented');
+            this.codeChallengeMethod = method;
+        }
+        else
+            throw new Error('invalid or unsupported code challenge method');
+        return this;
+    }
+    /**
+     * toURLSearchParams
+     * @returns URLSearchParams
+     */
+    toURLSearchParams() {
+        const params = new URLSearchParams();
+        params.append('client_id', this.client.getClientId());
+        if (this.responseType === undefined)
+            throw new Error('response type is required');
+        params.append('response_type', this.responseType);
+        if (this.responseMode)
+            params.append('response_mode', this.responseMode);
+        if (this.redirectUri)
+            params.append('redirect_uri', this.redirectUri);
+        if (this.scope === undefined)
+            throw new Error('scope is required');
+        params.append('scope', this.scope.join(' '));
+        if (this.state)
+            params.append('state', this.state);
+        const isCodeResponseTypeIncluded = this.responseType.includes('code');
+        if (this.codeChallenge === undefined) {
+            if (isCodeResponseTypeIncluded)
+                throw new Error("code challenge required for 'code' response type");
+        }
+        else
+            params.append('code_challenge', this.codeChallenge);
+        if (this.codeChallengeMethod === undefined) {
+            if (isCodeResponseTypeIncluded)
+                throw new Error("code challenge method required for 'code' response type");
+        }
+        else
+            params.append('code_challenge_method', this.codeChallengeMethod);
+        return params;
+    }
+    /**
+     * toURL
+     * @returns URL
+     */
+    toURL() {
+        const endpointUrl = new URL(this.client.getProvider().getAuthorizationEndpoint());
+        endpointUrl.search = this.toURLSearchParams().toString();
+        return endpointUrl;
+    }
+}
+exports.AuthorizationRequest = AuthorizationRequest;
+/**
+ * class TokenRequest
+ */
+class TokenRequest {
+    client;
+    code;
+    codeVerifier;
+    redirectUri;
+    grantType;
+    refreshToken;
+    /**
+     * constructor
+     * @param client Client
+     */
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * setCode
+     * @param code string
+     */
+    setCode(code) {
+        this.code = code;
+        return this;
+    }
+    /**
+     * setRedirectUri
+     * @param uri string
+     */
+    setRedirectUri(uri) {
+        this.redirectUri = uri;
+        return this;
+    }
+    /**
+     * setCodeVerifier
+     * @param verifier string
+     */
+    setCodeVerifier(verifier) {
+        this.codeVerifier = verifier;
+        return this;
+    }
+    /**
+     * setGrantType
+     * @param type string
+     */
+    setGrantType(type) {
+        if (this.client.getProvider().isGrantTypeSupported(type)) {
+            this.grantType = type;
+        }
+        else
+            throw new Error('grant type not supported');
+        return this;
+    }
+    /**
+     * setRefreshToken
+     * @param token string
+     */
+    setRefreshToken(token) {
+        this.refreshToken = token;
+        return this;
+    }
+    /**
+     * toURLSearchParams
+     * @returns URLSearchParams
+     */
+    toURLSearchParams() {
+        const params = new URLSearchParams();
+        params.append('client_id', this.client.getClientId());
+        params.append('client_secret', this.client.getClientSecret());
+        if (this.grantType === undefined)
+            throw new Error('grant type is required');
+        params.append('grant_type', this.grantType);
+        if (this.grantType === 'authorization_code') {
+            if (this.code === undefined)
+                throw new Error('code is required for authorization code flow');
+            params.append('code', this.code);
+            if (this.codeVerifier)
+                params.append('code_verifier', this.codeVerifier);
+            if (this.redirectUri)
+                params.append('redirect_uri', this.redirectUri);
+        }
+        else if (this.grantType === 'refresh_token') {
+            if (this.refreshToken === undefined)
+                throw new Error('refresh token required for grant type');
+            params.append('refresh_token', this.refreshToken);
+        }
+        return params;
+    }
+}
+exports.TokenRequest = TokenRequest;
+/**
+ * class IdentityProvider
+ */
+class IdentityProvider {
+    config;
+    /**
+     * constructor
+     * @param config IdentityProviderConfiguration
+     */
+    constructor(config) {
+        this.config = config;
+    }
+    /**
+     * getAuthorizationEndpoint
+     * @returns string
+     */
+    getAuthorizationEndpoint() {
+        return this.config.authorization_endpoint;
+    }
+    /**
+     * getTokenEndpoint
+     * @returns string
+     */
+    getTokenEndpoint() {
+        return this.config.token_endpoint;
+    }
+    /**
+     * getUserinfoEndpoint
+     * @returns string
+     */
+    getUserinfoEndpoint() {
+        return this.config.userinfo_endpoint;
+    }
+    /**
+     * getRevocationEndpoint
+     * @returns string
+     */
+    getRevocationEndpoint() {
+        return this.config.revocation_endpoint;
+    }
+    /**
+     * isResponseModeSupported
+     * @param mode string
+     * @returns boolean
+     */
+    isResponseModeSupported(mode) {
+        return this.config.response_modes_supported.includes(mode);
+    }
+    /**
+     * isResponseTypeSupported
+     * @param type string[]
+     * @returns boolean
+     */
+    isResponseTypeSupported(type) {
+        return this.config.response_types_supported.includes(type);
+    }
+    /**
+     * isScopeSupported
+     * @param scope string[]
+     * @returns boolean
+     */
+    isScopeSupported(scope) {
+        return scope.length === scope.filter(s => this.config.scopes_supported.includes(s)).length;
+    }
+    /**
+     * isChallengeMethodSupported
+     * @param method string
+     * @returns boolean
+     */
+    isChallengeMethodSupported(method) {
+        return this.config.code_challenge_methods_supported.includes(method);
+    }
+    /**
+     * isGrantTypeSupported
+     * @param method string
+     * @returns boolean
+     */
+    isGrantTypeSupported(type) {
+        return this.config.grant_types_supported.includes(type);
+    }
+    /**
+     * createClient
+     * @returns Client
+     */
+    createClient(id, secret) {
+        const client = new Client(this, id, secret);
+        return client;
+    }
+    /**
+     * getIdentity
+     * @param client Client
+     * @param tokenSet TokenSet
+     * @returns Promise<Identity | null>
+     */
+    async getIdentity(client, tokenSet) {
+        let id = null;
+        if (tokenSet.id_token) {
+            const jwks = (0, jose_1.createRemoteJWKSet)(new URL(this.config.jwks_uri));
+            const { payload } = await (0, jose_1.jwtVerify)(tokenSet.id_token, jwks, { issuer: this.config.issuer });
+            id = payload;
+        }
+        else {
+            const api = new IdentityProviderApi(this, tokenSet);
+            id = await api.fetchUserinfo();
+        }
+        return id;
+    }
+}
+exports.IdentityProvider = IdentityProvider;
+/**
+ * class IdentityProviderApi
+ */
+class IdentityProviderApi {
+    provider;
+    tokenSet;
+    /**
+     * constructor
+     * @param provider IdentityProvider
+     * @param client Client
+     */
+    constructor(provider, tokenSet) {
+        this.provider = provider;
+        this.tokenSet = tokenSet;
+    }
+    /**
+     * setTokenSet
+     * @param tokenSet TokenSet
+     */
+    setTokenSet(tokenSet) {
+        this.tokenSet = tokenSet;
+    }
+    /**
+     * fetchUserinfo
+     * @returns Promise<Identity>
+     */
+    async fetchUserinfo() {
+        const res = await axios_1.default.get(this.provider.getUserinfoEndpoint(), {
+            headers: {
+                'Authorization': `Bearer ${this.tokenSet.access_token}`
+            }
+        });
+        return res.data;
+    }
+}
+/**
+ * class Client
+ */
+class Client {
+    provider;
+    clientId;
+    clientSecret;
+    /**
+     * constructor
+     * @param provider IdentityProvider
+     * @param id string
+     * @param secret string
+     */
+    constructor(provider, id, secret) {
+        this.provider = provider;
+        this.clientId = id;
+        this.clientSecret = secret;
+    }
+    /**
+     * getProvider
+     * @returns IdentityProvider
+     */
+    getProvider() {
+        return this.provider;
+    }
+    /**
+     * getClientId
+     * @returns string
+     */
+    getClientId() {
+        return this.clientId;
+    }
+    /**
+     * getClientSecret
+     * @returns string
+     */
+    getClientSecret() {
+        return this.clientSecret;
+    }
+    /**
+     * newAuthorizationRequest
+     * @returns AuthorizationRequest
+     */
+    newAuthorizationRequest() {
+        const req = new AuthorizationRequest(this);
+        return req;
+    }
+    /**
+     * requestAccess
+     * @param authResponse AuthorizationResponse
+     * @param codeVerifier string
+     * @returns Promise<TokenSet>
+     */
+    async requestAccess(authResponse, codeVerifier) {
+        const tokenRequest = new TokenRequest(this);
+        if (authResponse.code === undefined)
+            throw new Error('authorization response did not include a code');
+        tokenRequest.setCode(authResponse.code)
+            .setGrantType('authorization_code');
+        if (codeVerifier)
+            tokenRequest.setCodeVerifier(codeVerifier);
+        const res = await axios_1.default.post(this.provider.getTokenEndpoint(), tokenRequest.toURLSearchParams());
+        return res.data;
+    }
+    /**
+     * refreshAccess
+     * @param tokenSet TokenSet
+     * @returns Promise<TokenSet>
+     */
+    async refreshAccess(tokenSet) {
+        const tokenRequest = new TokenRequest(this)
+            .setRefreshToken(tokenSet.refresh_token)
+            .setGrantType('refresh_token');
+        const res = await axios_1.default.post(this.provider.getTokenEndpoint(), tokenRequest.toURLSearchParams());
+        return res.data;
+    }
+    /**
+     * revokeAccess
+     * @param tokenSet TokenSet
+     * @returns Promise<void>
+     */
+    async revokeAccess(tokenSet) {
+        const params = new URLSearchParams();
+        params.append('client_id', this.clientId);
+        params.append('client_secret', this.clientSecret);
+        params.append('token', tokenSet.access_token);
+        params.append('token_type_hint', 'access_token');
+        await axios_1.default.post(this.provider.getRevocationEndpoint(), params);
+    }
+}
+exports.Client = Client;
+/**
+ * createIdentityProvider
+ * @param issuer string
+ * @returns IdentityProvider
+ */
+const createIdentityProvider = async (issuer) => {
+    const discoveryUrl = `${issuer}/.well-known/openid-configuration`;
+    const res = await axios_1.default.get(discoveryUrl);
+    const config = res.data;
+    const provider = new IdentityProvider(config);
+    return provider;
+};
+exports.createIdentityProvider = createIdentityProvider;
+//# sourceMappingURL=index.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@shad-claiborne/basic-oidc",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Basic OpenID Connect library",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",