oauth4webapi 2.12.0 → 2.12.2
- package/README.md +2 -2
- package/build/index.d.ts +0 -2
- package/build/index.js +16 -12
- package/package.json +10 -10
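--- a/package/README.md
+++ b/package/README.md
@@ -21,7 +21,7 @@ The following features are currently in scope and implemented in this software:
 
 [<img width="96" height="50" align="right" src="https://user-images.githubusercontent.com/241506/166977513-7cd710a9-7f60-4944-aebe-a658e9f36375.png" alt="OpenID Certification">](#certification)
 
-[Filip Skokan](https://github.com/panva) has certified that [this software](https://github.com/panva/oauth4webapi) conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.
+[Filip Skokan](https://github.com/panva) has [certified](https://openid.net/certification) that [this software](https://github.com/panva/oauth4webapi) conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.
 
 ## [💗 Help the project](https://github.com/sponsors/panva)
 
@@ -46,7 +46,7 @@ import * as oauth from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth from 'https://deno.land/x/oauth4webapi@v2.12.
+import * as oauth from 'https://deno.land/x/oauth4webapi@v2.12.2/mod.ts'
 ```
 
 - Authorization Code Flow (OAuth 2.0) - [source](examples/oauth.ts)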
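--- a/package/build/index.d.ts
+++ b/package/build/index.d.ts
@@ -1741,9 +1741,7 @@ export interface ValidateJWTAccessTokenOptions extends HttpRequestOptions, JWKSC
 * function's execution.
 *
 * @param as Authorization Server to accept JWT Access Tokens from.
-* @param request
 * @param expectedAudience Audience identifier the resource server expects for itself.
-* @param options
 *
 * @group JWT Access Tokens
 *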
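--- a/package/build/index.js
+++ b/package/build/index.js
@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
 const NAME = 'oauth4webapi';
-const VERSION = 'v2.12.
+const VERSION = 'v2.12.2';
 USER_AGENT = `${NAME}/${VERSION}`;
 }
 function looseInstanceOf(input, expected) {
@@ -702,7 +702,7 @@ export async function protectedResourceRequest(accessToken, method, url, headers
 headers.set('authorization', `Bearer ${accessToken}`);
 }
 else {
-await dpopProofJwt(headers, options.DPoP, url,
+await dpopProofJwt(headers, options.DPoP, url, method.toUpperCase(), getClockSkew({ [clockSkew]: options?.[clockSkew] }), accessToken);
 headers.set('authorization', `DPoP ${accessToken}`);
 }
 return (options?.[customFetch] || fetch)(url.href, {
@@ -991,8 +991,13 @@ async function processGenericAccessTokenResponse(as, client, response, ignoreIdT
 .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))
 .then(validateIssuer.bind(undefined, as.issuer))
 .then(validateAudience.bind(undefined, client.client_id));
-if (Array.isArray(claims.aud) && claims.aud.length !== 1
-
+if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+if (claims.azp === undefined) {
+throw new OPE('ID Token "aud" (audience) claim includes additional untrusted audiences');
+}
+if (claims.azp !== client.client_id) {
+throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
+}
 }
 if (claims.auth_time !== undefined &&
 (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {
@@ -1462,9 +1467,6 @@ export async function validateJwtAuthResponse(as, client, parameters, expectedSt
 if (!response) {
 throw new OPE('"parameters" does not contain a JARM response');
 }
-if (typeof as.jwks_uri !== 'string') {
-throw new TypeError('"as.jwks_uri" must be a string');
-}
 const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))
 .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))
 .then(validateIssuer.bind(undefined, as.issuer))
@@ -1549,9 +1551,6 @@ export async function validateDetachedSignatureResponse(as, client, parameters,
 if (!code) {
 throw new OPE('"parameters" does not contain an Authorization Code');
 }
-if (typeof as.jwks_uri !== 'string') {
-throw new TypeError('"as.jwks_uri" must be a string');
-}
 const requiredClaims = [
 'aud',
 'exp',
@@ -1610,8 +1609,13 @@ export async function validateDetachedSignatureResponse(as, client, parameters,
 if (claims.nonce !== expectedNonce) {
 throw new OPE('unexpected ID Token "nonce" claim value');
 }
-if (Array.isArray(claims.aud) && claims.aud.length !== 1
-
+if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+if (claims.azp === undefined) {
+throw new OPE('ID Token "aud" (audience) claim includes additional untrusted audiences');
+}
+if (claims.azp !== client.client_id) {
+throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
+}
 }
 return result;
 }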
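Review bot: In the `@@ -991,8 +991,13 @@` hunk of processGenericAccessTokenResponse the new `azp` comparison only runs inside the `Array.isArray(claims.aud) && claims.aud.length !== 1` branch, so an ID Token with a single audience that nevertheless carries an `azp` claim naming a different client is accepted without the `azp` check; as I read OIDC Core §3.1.3.7, the presence check for `azp` is tied to multiple audiences but the value check applies whenever `azp` is present. The same shape appears in the `@@ -1610,8 +1609,13 @@` hunk of validateDetachedSignatureResponse, so both sites would benefit from the reordering below (or from one shared helper, since the two blocks are byte-identical). processGenericAccessTokenResponse begins and ends outside its hunk, and validateDetachedSignatureResponse begins outside its hunk. The removed `as.jwks_uri` type checks in the two earlier hunks are presumably now performed inside getPublicSigKeyFromIssuerJwksUri, which is not visible here; worth confirming a non-string `jwks_uri` still fails with a clear TypeError rather than a fetch error.
```javascript
// … unchanged: validateJwt(...).then(...) chain …
if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp === undefined) {
    throw new OPE('ID Token "aud" (audience) claim includes additional untrusted audiences');
}
// azp value is verified whenever the claim is present, not only for multi-audience tokens
if (claims.azp !== undefined && claims.azp !== client.client_id) {
    throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
}
// … unchanged: auth_time validation …
```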
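--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "oauth4webapi",
-"version": "2.12.
+"version": "2.12.2",
 "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
 "keywords": [
 "access token",
@@ -67,28 +67,28 @@
 "devDependencies": {
 "@koa/cors": "^5.0.0",
 "@types/koa__cors": "^5.0.0",
-"@types/node": "^20.
+"@types/node": "^20.16.5",
 "@types/qunit": "^2.19.10",
 "archiver": "^7.0.1",
 "ava": "^6.1.3",
 "chrome-launcher": "^1.1.2",
-"edge-runtime": "^3.0.
+"edge-runtime": "^3.0.3",
 "esbuild": "^0.23.1",
-"jose": "^5.
+"jose": "^5.8.0",
 "oidc-provider": "^8.5.1",
 "patch-package": "^8.0.0",
 "prettier": "^3.3.3",
 "prettier-plugin-jsdoc": "^1.3.0",
-"puppeteer-core": "^23.
-"qunit": "^2.
+"puppeteer-core": "^23.3.0",
+"qunit": "^2.22.0",
 "raw-body": "^3.0.0",
 "selfsigned": "^2.4.1",
 "timekeeper": "^2.3.1",
-"tsx": "^4.
+"tsx": "^4.19.0",
 "typedoc": "^0.26.6",
-"typedoc-plugin-markdown": "^4.2.
-"typedoc-plugin-mdn-links": "^3.2.
+"typedoc-plugin-markdown": "^4.2.7",
+"typedoc-plugin-mdn-links": "^3.2.12",
 "typescript": "~5.5.4",
-"undici": "^6.19.
+"undici": "^6.19.8"
 }
 }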