@sourceregistry/sveltekit-oidc 1.1.0 → 1.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -0
- package/dist/server/index.js +5 -2
- package/dist/server/types.d.ts +1 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -33,6 +33,7 @@ export const oidc = createOIDC({
|
|
|
33
33
|
loginPath: '/auth/login',
|
|
34
34
|
redirectPath: '/auth/callback',
|
|
35
35
|
scope: ['openid', 'profile', 'email', 'offline_access'],
|
|
36
|
+
clockSkewSeconds: 30,
|
|
36
37
|
fetchUserInfo: true,
|
|
37
38
|
backChannelLogoutStore: createInMemoryBackChannelLogoutStore(),
|
|
38
39
|
transformSession(session) {
|
|
@@ -175,6 +176,7 @@ Set these environment variables to enable it:
|
|
|
175
176
|
## Notes
|
|
176
177
|
|
|
177
178
|
- `cookieSecret` should be a strong random secret and must stay stable across instances.
|
|
179
|
+
- `clockSkewSeconds` defaults to `30` and tolerates small clock drift between your app and the identity provider.
|
|
178
180
|
- `createInMemoryBackChannelLogoutStore()` is suitable for local development or single-instance deployments. Use Redis, SQL, or another shared store for production.
|
|
179
181
|
- The library validates `id_token` and `logout_token` values through `@sourceregistry/node-jwt` and provider JWKS metadata.
|
|
180
182
|
- `groups` are normalized onto the session from `groups` and `roles` claims when present.
|
package/dist/server/index.js
CHANGED
|
@@ -8,6 +8,7 @@ import { absoluteUrl, base64UrlEncode, buildCookieOptions, collectGroups, create
|
|
|
8
8
|
export { createInMemoryBackChannelLogoutStore, createInMemorySessionStore } from './store.js';
|
|
9
9
|
export function createOIDC(options) {
|
|
10
10
|
const cookieOptions = buildCookieOptions(options.cookieOptions);
|
|
11
|
+
const clockSkewSeconds = options.clockSkewSeconds ?? 30;
|
|
11
12
|
const refreshToleranceSeconds = options.refreshToleranceSeconds ?? 30;
|
|
12
13
|
const sessionCookieName = options.sessionCookieName ?? 'oidc_session';
|
|
13
14
|
const stateCookieName = options.stateCookieName ?? 'oidc_auth_state';
|
|
@@ -195,7 +196,8 @@ export function createOIDC(options) {
|
|
|
195
196
|
const claims = await verifyJwtWithJwks(idToken, {
|
|
196
197
|
issuer: metadata.issuer,
|
|
197
198
|
audience: options.clientId,
|
|
198
|
-
algorithms: metadata.id_token_signing_alg_values_supported
|
|
199
|
+
algorithms: metadata.id_token_signing_alg_values_supported,
|
|
200
|
+
clockSkew: clockSkewSeconds
|
|
199
201
|
});
|
|
200
202
|
const transformedClaims = options.transformClaims ? await options.transformClaims(claims) : claims;
|
|
201
203
|
if (transformedClaims.nonce !== nonce) {
|
|
@@ -207,7 +209,8 @@ export function createOIDC(options) {
|
|
|
207
209
|
const metadata = await getMetadata();
|
|
208
210
|
const claims = await verifyJwtWithJwks(logoutToken, {
|
|
209
211
|
issuer: metadata.issuer,
|
|
210
|
-
audience: options.clientId
|
|
212
|
+
audience: options.clientId,
|
|
213
|
+
clockSkew: clockSkewSeconds
|
|
211
214
|
});
|
|
212
215
|
if (!claims.events?.['http://schemas.openid.net/event/backchannel-logout']) {
|
|
213
216
|
throw error(400, { message: 'Invalid logout_token events claim' });
|
package/dist/server/types.d.ts
CHANGED
|
@@ -151,6 +151,7 @@ export type OIDCOptions = {
|
|
|
151
151
|
stateCookieName?: string;
|
|
152
152
|
cookieSecret: string;
|
|
153
153
|
cookieOptions?: Partial<CookieOptions>;
|
|
154
|
+
clockSkewSeconds?: number;
|
|
154
155
|
refreshToleranceSeconds?: number;
|
|
155
156
|
defaultLoginRedirect?: string;
|
|
156
157
|
defaultLogoutRedirect?: string;
|