oidc-spa 8.6.19 → 8.7.1

package/src/core/createOidc.ts

@@ -59,6 +59,7 @@ import {
     getIsStateDataCookieEnabled
 } from "./StateDataCookie";
 import { getIsTokenSubstitutionEnabled } from "./tokenPlaceholderSubstitution";
+import { createInMemoryDPoPStore } from "./dpop";
 import { loadWebcryptoLinerShim } from "../tools/loadWebcryptoLinerShim";
 
 // NOTE: Replaced at build time
@@ -133,10 +134,6 @@ export type ParamsOfCreateOidc<
     idleSessionLifetimeInSeconds?: number;
 
     /**
-     * Usage discouraged, this parameter exists because we don't want to assume
-     * too much about your usecase but I can't think of a scenario where you would
-     * want anything other than the current page.
-     *
      * Default: { redirectTo: "current page" }
      */
     autoLogoutParams?: Parameters<Oidc.LoggedIn<any>["logout"]>[0];
@@ -247,6 +244,9 @@ export type ParamsOfCreateOidc<
      * API and no iframe capabilities.
      */
     postLoginRedirectUrl?: string;
+
+    /** See: https://docs.oidc-spa.dev/v/v8/features/dpop */
+    dpop?: "disabled" | "enabled" | "auto";
 };
 
 const globalContext = {
@@ -380,7 +380,8 @@ export async function createOidc_nonMemoized<
         __unsafe_clientSecret,
         __unsafe_useIdTokenAsAccessToken = false,
         __metadata,
-        sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto"
+        sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto",
+        dpop
     } = params;
 
     const scopes = Array.from(new Set(["openid", ...(params.scopes ?? ["profile"])]));
@@ -454,6 +455,53 @@ export async function createOidc_nonMemoized<
 
     const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
 
+    const isDPoPEnabled = (() => {
+        if (dpop === undefined) {
+            log?.("DPoP disabled, to enable it see: https://docs.oidc-spa.dev/features/dpop");
+            return false;
+        }
+
+        if (dpop === "disabled") {
+            log?.("DPoP explicitly disabled");
+            return false;
+        }
+
+        if (oidcMetadata === undefined) {
+            return false;
+        }
+
+        if (__unsafe_useIdTokenAsAccessToken) {
+            if (dpop === "enabled") {
+                throw new Error(
+                    [
+                        "oidc-spa: Cannot enable DPoP when",
+                        "__unsafe_useIdTokenAsAccessToken is set to true"
+                    ].join(" ")
+                );
+            }
+            log?.("DPoP Disabled due to __unsafe_useIdTokenAsAccessToken: true");
+            return false;
+        }
+
+        const isSupported = (() => {
+            const { dpop_signing_alg_values_supported } = oidcMetadata;
+
+            if (dpop_signing_alg_values_supported === undefined) {
+                return false;
+            }
+
+            return dpop_signing_alg_values_supported.includes("ES256");
+        })();
+
+        if (!isSupported) {
+            log?.("DPoP disabled because it's not supported by your IdP");
+        } else {
+            log?.("DPoP enabled");
+        }
+
+        return isSupported;
+    })();
+
     const canUseIframe = (() => {
         switch (sessionRestorationMethod) {
             case "auto":
@@ -666,7 +714,13 @@ export async function createOidc_nonMemoized<
                       prefix: STATE_STORE_KEY_PREFIX
                   }),
                   client_secret: __unsafe_clientSecret,
-                  metadata: oidcMetadata
+                  metadata: oidcMetadata,
+                  dpop: !isDPoPEnabled
+                      ? undefined
+                      : {
+                            bind_authorization_code: false,
+                            store: createInMemoryDPoPStore({ configId })
+                        }
               });
 
     const evtInitializationOutcomeUserNotLoggedIn = createEvt<void>();
@@ -1245,6 +1299,7 @@ export async function createOidc_nonMemoized<
         decodedIdTokenSchema,
         __unsafe_useIdTokenAsAccessToken,
         decodedIdToken_previous: undefined,
+        isDPoPEnabled,
         log
     });
 
@@ -1572,6 +1627,7 @@ export async function createOidc_nonMemoized<
                     decodedIdTokenSchema,
                     __unsafe_useIdTokenAsAccessToken,
                     decodedIdToken_previous: currentTokens.decodedIdToken,
+                    isDPoPEnabled,
                     log
                 });
 

package/src/core/dpop.ts

@@ -0,0 +1,583 @@
+import { assert } from "../tools/tsafe/assert";
+import { generateES256DPoPProof } from "../tools/generateES256DPoPProof";
+import { createGetServerDateNow, type ParamsOfCreateGetServerDateNow } from "../tools/getServerDateNow";
+
+export type DPoPStore = {
+    set: (key: string, value: DPoPState) => Promise<void>;
+    get: (key: string) => Promise<DPoPState>;
+    remove: (key: string) => Promise<DPoPState>;
+    getAllKeys: () => Promise<string[]>;
+};
+
+export type DPoPState = {
+    keys: CryptoKeyPair;
+    nonce?: string;
+};
+
+// NOTE: Using object instead of Map because Map is not freezed.
+const dpopStateByConfigId: { [configId: string]: DPoPState | undefined } = {};
+
+export function createInMemoryDPoPStore(params: { configId: string }): DPoPStore {
+    const { configId } = params;
+
+    let key_singleton: string | undefined = undefined;
+
+    const store: DPoPStore = {
+        set: (key, value) => {
+            if (key_singleton !== undefined) {
+                assert(key === key_singleton, "394303302");
+            }
+
+            key_singleton = key;
+
+            dpopStateByConfigId[configId] = value;
+
+            return Promise.resolve();
+        },
+        get: key => {
+            assert(key_singleton !== undefined, "49303403");
+            assert(key_singleton === key, "34023493");
+            const value = dpopStateByConfigId[configId];
+            assert(value !== undefined, "943023493");
+            return Promise.resolve(value);
+        },
+        remove: async key => {
+            const value = await store.get(key);
+            delete dpopStateByConfigId[configId];
+            return value;
+        },
+        getAllKeys: () => {
+            if (configId in dpopStateByConfigId) {
+                assert(key_singleton !== undefined, "39430338");
+                return Promise.resolve([key_singleton]);
+            } else {
+                return Promise.resolve([]);
+            }
+        }
+    };
+
+    return store;
+}
+
+const accessTokenConfigIdEntries: {
+    configId: string;
+    accessToken: string;
+    paramsOfCreateGetServerDateNow: ParamsOfCreateGetServerDateNow;
+}[] = [];
+
+export function registerAccessTokenForDPoP(params: {
+    configId: string;
+    accessToken: string;
+    paramsOfCreateGetServerDateNow: ParamsOfCreateGetServerDateNow;
+}) {
+    const { configId, accessToken, paramsOfCreateGetServerDateNow } = params;
+
+    for (const entry of accessTokenConfigIdEntries) {
+        if (entry.configId !== configId) {
+            continue;
+        }
+
+        setTimeout(() => {
+            const index = accessTokenConfigIdEntries.indexOf(entry);
+
+            if (index === -1) {
+                return;
+            }
+
+            accessTokenConfigIdEntries.splice(index, 1);
+        }, 30_000);
+    }
+
+    const entry_new: (typeof accessTokenConfigIdEntries)[number] = {
+        configId,
+        accessToken,
+        paramsOfCreateGetServerDateNow
+    };
+
+    accessTokenConfigIdEntries.push(entry_new);
+}
+
+const nonceEntriesByConfigId: { [configId: string]: { origin: string; nonce: string }[] | undefined } =
+    {};
+
+function generateMaterialToUpgradeBearerRequestToDPoP(params: {
+    httpMethod: string;
+    url: string;
+    authorizationHeaderValue: string | undefined;
+}):
+    | {
+          isHandled: false;
+      }
+    | {
+          isHandled: true;
+          accessToken: string;
+          nextStepDPoP: () => Promise<{
+              dpopProof: string;
+              registerDPoPNonce: (params: { nonce: string }) => void;
+              reGenerateDpopProof: () => Promise<string>;
+          }>;
+      } {
+    const { httpMethod, url, authorizationHeaderValue } = params;
+
+    if (authorizationHeaderValue === undefined) {
+        return {
+            isHandled: false
+        };
+    }
+
+    const accessToken = (() => {
+        const match = authorizationHeaderValue.match(/^\s*Bearer\s+(.+?)\s*$/i);
+
+        if (match === null) {
+            return undefined;
+        }
+
+        return match[1];
+    })();
+
+    if (accessToken === undefined) {
+        return {
+            isHandled: false
+        };
+    }
+
+    const entry = accessTokenConfigIdEntries.find(entry => entry.accessToken === accessToken);
+
+    if (entry === undefined) {
+        return {
+            isHandled: false
+        };
+    }
+
+    const { configId, paramsOfCreateGetServerDateNow } = entry;
+
+    const dpopState = dpopStateByConfigId[configId];
+
+    assert(dpopState !== undefined, "304922047");
+
+    const nonceEntries = (nonceEntriesByConfigId[configId] ??= []);
+
+    const origin = new URL(url).origin;
+
+    const generateDPoPProof = () =>
+        generateES256DPoPProof({
+            keyPair: dpopState.keys,
+            url,
+            accessToken,
+            httpMethod,
+            nonce: nonceEntries.find(entry => entry.origin === origin)?.nonce,
+            getServerDateNow: createGetServerDateNow(paramsOfCreateGetServerDateNow)
+        });
+
+    return {
+        isHandled: true,
+        accessToken,
+        nextStepDPoP: async () => ({
+            dpopProof: await generateDPoPProof(),
+            registerDPoPNonce: ({ nonce }) => {
+                const nonceEntry = nonceEntries.find(entry => entry.origin === origin);
+
+                if (nonceEntry !== undefined) {
+                    nonceEntry.nonce = nonce;
+                } else {
+                    nonceEntries.push({ origin, nonce });
+                }
+            },
+            reGenerateDpopProof: generateDPoPProof
+        })
+    };
+}
+
+export function implementFetchAndXhrDPoPInterceptor() {
+    function readNonceFromResponseHeader(params: {
+        getResponseHeader: (headerName: string) => string | null;
+    }) {
+        const { getResponseHeader } = params;
+
+        dpop_nonce_header: {
+            const value = getResponseHeader("DPoP-Nonce");
+            if (value === null) {
+                break dpop_nonce_header;
+            }
+            return value;
+        }
+
+        www_authenticate_header: {
+            const value = getResponseHeader("WWW-Authenticate");
+
+            if (value === null) {
+                break www_authenticate_header;
+            }
+
+            {
+                const value_lower = value.toLowerCase();
+
+                if (!value_lower.includes("dpop") || !value_lower.includes("use_dpop_nonce")) {
+                    break www_authenticate_header;
+                }
+            }
+
+            const match = value.match(/nonce="([^"]+)"/i);
+
+            if (match === null) {
+                break www_authenticate_header;
+            }
+
+            return match[1];
+        }
+
+        return undefined;
+    }
+
+    {
+        const createFetchProxy = (params: { fetch: typeof window.fetch; isFetchLater: boolean }) => {
+            const { fetch, isFetchLater } = params;
+
+            let hasLoggedFetchLaterWarning = false;
+
+            const fetchProxy: typeof fetch = async (input, init) => {
+                if (accessTokenConfigIdEntries.length === 0) {
+                    return fetch(input, init);
+                }
+
+                let request = input instanceof Request ? input : new Request(input, init);
+
+                const fetch_ctx: (request: Request) => Promise<Response> = (() => {
+                    if (!init) {
+                        return fetch;
+                    }
+
+                    // @ts-expect-error
+                    const { activateAfter } = init;
+
+                    if (!activateAfter) {
+                        return fetch;
+                    }
+
+                    return request => {
+                        // @ts-expect-error
+                        return fetch(request, { activateAfter });
+                    };
+                })();
+
+                let dpopStatus:
+                    | { isHandled: false }
+                    | {
+                          isHandled: true;
+                          registerDPoPNonce: (params: { nonce: string }) => void;
+                          reGenerateDpopProof: () => Promise<string>;
+                      };
+
+                update_headers: {
+                    const result = generateMaterialToUpgradeBearerRequestToDPoP({
+                        authorizationHeaderValue: request.headers.get("Authorization") ?? undefined,
+                        url: request.url,
+                        httpMethod: request.method
+                    });
+
+                    if (!result.isHandled) {
+                        dpopStatus = { isHandled: false };
+                        break update_headers;
+                    }
+
+                    const { accessToken, nextStepDPoP } = result;
+
+                    const { dpopProof, reGenerateDpopProof, registerDPoPNonce } = await nextStepDPoP();
+
+                    request = new Request(request, {
+                        headers: (() => {
+                            const h = new Headers(request.headers);
+                            h.set("Authorization", `DPoP ${accessToken}`);
+                            h.set("DPoP", dpopProof);
+                            return h;
+                        })()
+                    });
+
+                    dpopStatus = {
+                        isHandled: true,
+                        registerDPoPNonce,
+                        reGenerateDpopProof
+                    };
+                }
+
+                if (!dpopStatus.isHandled) {
+                    return fetch_ctx(request);
+                }
+
+                if (isFetchLater && !hasLoggedFetchLaterWarning) {
+                    console.warn(
+                        [
+                            "oidc-spa: Detected an authenticated fetchLater() request while DPoP is enabled.",
+                            "Support for fetchLater + DPoP is not fully implemented yet.",
+                            "If you rely on this, please open an issue and we will implement support:",
+                            "https://github.com/keycloakify/oidc-spa"
+                        ].join(" ")
+                    );
+                    hasLoggedFetchLaterWarning = true;
+                }
+
+                let request_cloneForReplay = (() => {
+                    const method = request.method.toUpperCase();
+
+                    if (method !== "GET" && method !== "HEAD") {
+                        return undefined;
+                    }
+
+                    try {
+                        return request.clone();
+                    } catch {
+                        return undefined;
+                    }
+                })();
+
+                let response = await fetch_ctx(request);
+
+                re_send_with_DPoP_nonce: {
+                    if (response.status !== 401) {
+                        break re_send_with_DPoP_nonce;
+                    }
+
+                    const nonce = readNonceFromResponseHeader({
+                        getResponseHeader: headerName => response.headers.get(headerName)
+                    });
+
+                    if (nonce === undefined) {
+                        break re_send_with_DPoP_nonce;
+                    }
+
+                    dpopStatus.registerDPoPNonce({ nonce });
+
+                    if (request_cloneForReplay === undefined) {
+                        break re_send_with_DPoP_nonce;
+                    }
+
+                    const dpopProof_new = await dpopStatus.reGenerateDpopProof();
+
+                    response = await fetch_ctx(
+                        new Request(request_cloneForReplay, {
+                            headers: (() => {
+                                const h = new Headers(request_cloneForReplay.headers);
+                                h.set("DPoP", dpopProof_new);
+                                return h;
+                            })()
+                        })
+                    );
+                }
+
+                {
+                    const nonce = readNonceFromResponseHeader({
+                        getResponseHeader: headerName => response.headers.get(headerName)
+                    });
+
+                    if (nonce !== undefined) {
+                        dpopStatus.registerDPoPNonce({ nonce });
+                    }
+                }
+
+                return response;
+            };
+
+            return fetchProxy;
+        };
+
+        window.fetch = createFetchProxy({ fetch: window.fetch, isFetchLater: false });
+
+        // @ts-expect-error
+        if (window.fetchLater) {
+            // @ts-expect-error
+            window.fetchLater = createFetchProxy({ fetch: window.fetchLater, isFetchLater: true });
+        }
+    }
+    {
+        const XMLHttpRequest_prototype_actual = {
+            open: XMLHttpRequest.prototype.open,
+            send: XMLHttpRequest.prototype.send,
+            setRequestHeader: XMLHttpRequest.prototype.setRequestHeader
+        };
+
+        const stateByInstance = new WeakMap<
+            XMLHttpRequest,
+            {
+                method: string;
+                url: string;
+                isSynchronous: boolean;
+                handledRequestState:
+                    | {
+                          accessToken: string;
+                          nextStepDPoP: () => Promise<{
+                              dpopProof: string;
+                              registerDPoPNonce: (params: { nonce: string }) => void;
+                              reGenerateDpopProof: () => Promise<string>;
+                          }>;
+                          hasSendBeenCalled: boolean;
+                      }
+                    | undefined;
+            }
+        >();
+
+        XMLHttpRequest.prototype.open = function () {
+            const [method, url, async] = arguments as any as [string, string | URL, boolean | undefined];
+
+            if (stateByInstance.get(this)?.handledRequestState !== undefined) {
+                throw new Error(
+                    [
+                        "oidc-spa: Cannot reuse XMLHttpRequest instances",
+                        "that have been DPoP upgraded"
+                    ].join(" ")
+                );
+            }
+
+            stateByInstance.set(this, {
+                method: method.toUpperCase(),
+                url: typeof url === "string" ? new URL(url, window.location.href).href : url.href,
+                isSynchronous: async === false,
+                handledRequestState: undefined
+            });
+
+            return XMLHttpRequest_prototype_actual.open.apply(
+                this,
+                // @ts-expect-error
+                arguments
+            );
+        };
+
+        XMLHttpRequest.prototype.setRequestHeader = function (name, value) {
+            intercept: {
+                const state = stateByInstance.get(this);
+
+                if (state?.handledRequestState?.hasSendBeenCalled === true) {
+                    throw new DOMException(
+                        "Failed to execute 'setRequestHeader' on 'XMLHttpRequest': The object's state must be OPENED.",
+                        "InvalidStateError"
+                    );
+                }
+
+                if (name.toLowerCase() !== "authorization") {
+                    break intercept;
+                }
+
+                if (this.readyState !== XMLHttpRequest.OPENED) {
+                    break intercept;
+                }
+
+                // NOTE: If it's opened we know open have been called and hence the state is set.
+                assert(state !== undefined, "34308330");
+
+                const result = generateMaterialToUpgradeBearerRequestToDPoP({
+                    httpMethod: state.method,
+                    url: state.url,
+                    authorizationHeaderValue: value
+                });
+
+                if (!result.isHandled) {
+                    break intercept;
+                }
+
+                if (state.handledRequestState !== undefined) {
+                    throw new Error(
+                        [
+                            'oidc-spa: Calling xhr.setRequestHeader("Authorization", `Bearer <access_token>`)',
+                            "more than once on the same instance, this is probably an usage error"
+                        ].join(" ")
+                    );
+                }
+
+                if (state.isSynchronous) {
+                    throw new Error(
+                        [
+                            "oidc-spa: Cannot perform synchronous authenticated XMLHttpRequest",
+                            "requests when DPoP is enabled."
+                        ].join(" ")
+                    );
+                }
+
+                state.handledRequestState = {
+                    accessToken: result.accessToken,
+                    nextStepDPoP: result.nextStepDPoP,
+                    hasSendBeenCalled: false
+                };
+
+                return;
+            }
+
+            return XMLHttpRequest_prototype_actual.setRequestHeader.apply(
+                this,
+                // @ts-expect-error
+                arguments
+            );
+        };
+
+        XMLHttpRequest.prototype.send = function () {
+            intercept: {
+                const state = stateByInstance.get(this);
+
+                if (state === undefined) {
+                    break intercept;
+                }
+
+                const { handledRequestState } = state;
+
+                if (handledRequestState === undefined) {
+                    break intercept;
+                }
+
+                if (handledRequestState.hasSendBeenCalled) {
+                    throw new DOMException(
+                        "Failed to execute 'send' on 'XMLHttpRequest': The object's state must be OPENED.",
+                        "InvalidStateError"
+                    );
+                }
+
+                handledRequestState.hasSendBeenCalled = true;
+
+                const { accessToken, nextStepDPoP } = handledRequestState;
+
+                nextStepDPoP().then(({ dpopProof, registerDPoPNonce }) => {
+                    if (this.readyState !== XMLHttpRequest.OPENED) {
+                        // abort() has been called.
+                        return;
+                    }
+
+                    const onReadyStateChange = () => {
+                        if (this.readyState !== XMLHttpRequest.DONE) {
+                            return;
+                        }
+
+                        const nonce = readNonceFromResponseHeader({
+                            getResponseHeader: headerName => this.getResponseHeader(headerName)
+                        });
+
+                        if (nonce !== undefined) {
+                            registerDPoPNonce({ nonce });
+                        }
+
+                        this.removeEventListener("readystatechange", onReadyStateChange);
+                    };
+
+                    this.addEventListener("readystatechange", onReadyStateChange);
+
+                    XMLHttpRequest_prototype_actual.setRequestHeader.call(
+                        this,
+                        "Authorization",
+                        `DPoP ${accessToken}`
+                    );
+                    XMLHttpRequest_prototype_actual.setRequestHeader.call(this, "DPoP", dpopProof);
+
+                    XMLHttpRequest_prototype_actual.send.apply(
+                        this,
+                        // @ts-expect-error
+                        arguments
+                    );
+                });
+
+                return;
+            }
+
+            return XMLHttpRequest_prototype_actual.send.apply(
+                this,
+                // @ts-expect-error
+                arguments
+            );
+        };
+    }
+}