oidc-spa 8.6.19 → 8.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/backend.d.ts +3 -20
- package/backend.js +50 -242
- package/backend.js.map +1 -1
- package/core/OidcMetadata.d.ts +2 -2
- package/core/OidcMetadata.js.map +1 -1
- package/core/createOidc.d.ts +2 -4
- package/core/createOidc.js +49 -3
- package/core/createOidc.js.map +1 -1
- package/core/dpop.d.ts +20 -0
- package/core/dpop.js +389 -0
- package/core/dpop.js.map +1 -0
- package/core/earlyInit.js +2 -0
- package/core/earlyInit.js.map +1 -1
- package/core/oidcClientTsUserToTokens.d.ts +1 -0
- package/core/oidcClientTsUserToTokens.js +15 -5
- package/core/oidcClientTsUserToTokens.js.map +1 -1
- package/core/tokenExfiltrationDefense.js +49 -6
- package/core/tokenExfiltrationDefense.js.map +1 -1
- package/esm/angular.d.ts +2 -0
- package/esm/angular.mjs.map +1 -1
- package/esm/backend.d.ts +3 -20
- package/esm/backend.mjs +50 -242
- package/esm/backend.mjs.map +1 -1
- package/esm/core/OidcMetadata.d.ts +2 -2
- package/esm/core/OidcMetadata.mjs.map +1 -1
- package/esm/core/createOidc.d.ts +2 -4
- package/esm/core/createOidc.mjs +49 -3
- package/esm/core/createOidc.mjs.map +1 -1
- package/esm/core/dpop.d.ts +20 -0
- package/esm/core/dpop.mjs +384 -0
- package/esm/core/dpop.mjs.map +1 -0
- package/esm/core/earlyInit.mjs +2 -0
- package/esm/core/earlyInit.mjs.map +1 -1
- package/esm/core/oidcClientTsUserToTokens.d.ts +1 -0
- package/esm/core/oidcClientTsUserToTokens.mjs +15 -5
- package/esm/core/oidcClientTsUserToTokens.mjs.map +1 -1
- package/esm/core/tokenExfiltrationDefense.mjs +49 -6
- package/esm/core/tokenExfiltrationDefense.mjs.map +1 -1
- package/esm/react-spa/createOidcSpaApi.mjs +2 -1
- package/esm/react-spa/createOidcSpaApi.mjs.map +1 -1
- package/esm/react-spa/types.d.ts +2 -0
- package/esm/server/createOidcSpaUtils.d.ts +5 -0
- package/esm/server/createOidcSpaUtils.mjs +639 -0
- package/esm/server/createOidcSpaUtils.mjs.map +1 -0
- package/esm/server/index.d.ts +2 -0
- package/esm/server/index.mjs +3 -0
- package/esm/server/index.mjs.map +1 -0
- package/esm/server/types.d.ts +79 -0
- package/esm/server/types.mjs +2 -0
- package/esm/server/types.mjs.map +1 -0
- package/esm/server/utilsBuilder.d.ts +10 -0
- package/esm/server/utilsBuilder.mjs +13 -0
- package/esm/server/utilsBuilder.mjs.map +1 -0
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.d.ts +1 -1
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs +102 -94
- package/esm/tanstack-start/react/accessTokenValidation_rfc9068.mjs.map +1 -1
- package/esm/tanstack-start/react/createOidcSpaApi.d.ts +2 -2
- package/esm/tanstack-start/react/createOidcSpaApi.mjs +60 -51
- package/esm/tanstack-start/react/createOidcSpaApi.mjs.map +1 -1
- package/esm/tanstack-start/react/index.d.ts +1 -1
- package/esm/tanstack-start/react/index.mjs +2 -2
- package/esm/tanstack-start/react/index.mjs.map +1 -1
- package/esm/tanstack-start/react/types.d.ts +36 -11
- package/esm/tanstack-start/react/{apiBuilder.d.ts → utilsBuilder.d.ts} +9 -9
- package/esm/tanstack-start/react/{apiBuilder.mjs → utilsBuilder.mjs} +6 -6
- package/esm/tanstack-start/react/utilsBuilder.mjs.map +1 -0
- package/esm/tools/generateES256DPoPProof.d.ts +8 -0
- package/esm/tools/generateES256DPoPProof.mjs +48 -0
- package/esm/tools/generateES256DPoPProof.mjs.map +1 -0
- package/esm/tools/getServerDateNow.d.ts +5 -0
- package/esm/tools/getServerDateNow.mjs +7 -0
- package/esm/tools/getServerDateNow.mjs.map +1 -0
- package/esm/vendor/{backend → server}/evt.mjs +84 -140
- package/esm/vendor/{backend → server}/jose.mjs +5 -27
- package/esm/vendor/{backend → server}/tsafe.d.ts +1 -0
- package/esm/vendor/{backend → server}/tsafe.mjs +6 -0
- package/esm/vendor/{backend → server}/zod.mjs +196 -50
- package/package.json +6 -1
- package/react-spa/createOidcSpaApi.js +2 -1
- package/react-spa/createOidcSpaApi.js.map +1 -1
- package/react-spa/types.d.ts +2 -0
- package/server/createOidcSpaUtils.d.ts +5 -0
- package/server/createOidcSpaUtils.js +642 -0
- package/server/createOidcSpaUtils.js.map +1 -0
- package/server/index.d.ts +2 -0
- package/server/index.js +6 -0
- package/server/index.js.map +1 -0
- package/server/types.d.ts +79 -0
- package/server/types.js +3 -0
- package/server/types.js.map +1 -0
- package/server/utilsBuilder.d.ts +10 -0
- package/server/utilsBuilder.js +16 -0
- package/server/utilsBuilder.js.map +1 -0
- package/src/angular.ts +3 -0
- package/src/backend.ts +63 -364
- package/src/core/OidcMetadata.ts +4 -2
- package/src/core/createOidc.ts +62 -6
- package/src/core/dpop.ts +583 -0
- package/src/core/earlyInit.ts +3 -0
- package/src/core/oidcClientTsUserToTokens.ts +18 -4
- package/src/core/tokenExfiltrationDefense.ts +60 -5
- package/src/react-spa/createOidcSpaApi.ts +2 -1
- package/src/react-spa/types.tsx +3 -0
- package/src/server/createOidcSpaUtils.ts +848 -0
- package/src/server/index.ts +4 -0
- package/src/server/types.tsx +99 -0
- package/src/server/utilsBuilder.ts +41 -0
- package/src/tanstack-start/react/accessTokenValidation_rfc9068.ts +134 -124
- package/src/tanstack-start/react/createOidcSpaApi.ts +73 -69
- package/src/tanstack-start/react/index.ts +2 -2
- package/src/tanstack-start/react/types.tsx +44 -12
- package/src/tanstack-start/react/{apiBuilder.ts → utilsBuilder.ts} +14 -14
- package/src/tools/generateES256DPoPProof.ts +74 -0
- package/src/tools/getServerDateNow.ts +11 -0
- package/src/vendor/{backend → server}/tsafe.ts +1 -0
- package/tools/generateES256DPoPProof.d.ts +8 -0
- package/tools/generateES256DPoPProof.js +51 -0
- package/tools/generateES256DPoPProof.js.map +1 -0
- package/tools/getServerDateNow.d.ts +5 -0
- package/tools/getServerDateNow.js +10 -0
- package/tools/getServerDateNow.js.map +1 -0
- package/vendor/server/evt.js +3 -0
- package/vendor/server/jose.js +3 -0
- package/vendor/{backend → server}/tsafe.d.ts +1 -0
- package/vendor/server/tsafe.js +2 -0
- package/vendor/server/zod.js +3 -0
- package/esm/tanstack-start/react/apiBuilder.mjs.map +0 -1
- package/vendor/backend/evt.js +0 -3
- package/vendor/backend/jose.js +0 -3
- package/vendor/backend/tsafe.js +0 -2
- package/vendor/backend/zod.js +0 -3
- /package/esm/vendor/{backend → server}/evt.d.ts +0 -0
- /package/esm/vendor/{backend → server}/jose.d.ts +0 -0
- /package/esm/vendor/{backend → server}/zod.d.ts +0 -0
- /package/src/vendor/{backend → server}/evt.ts +0 -0
- /package/src/vendor/{backend → server}/jose.ts +0 -0
- /package/src/vendor/{backend → server}/zod.ts +0 -0
- /package/vendor/{backend → server}/evt.d.ts +0 -0
- /package/vendor/{backend → server}/jose.d.ts +0 -0
- /package/vendor/{backend → server}/zod.d.ts +0 -0
package/esm/backend.mjs
CHANGED
|
@@ -1,259 +1,67 @@
|
|
|
1
|
-
import { assert,
|
|
2
|
-
import {
|
|
3
|
-
|
|
4
|
-
import { Evt, throttleTime } from "./vendor/backend/evt.mjs";
|
|
5
|
-
const zDecodedAccessToken_RFC9068 = (() => {
|
|
6
|
-
const zTargetType = z
|
|
7
|
-
.object({
|
|
8
|
-
iss: z.string(),
|
|
9
|
-
sub: z.string(),
|
|
10
|
-
aud: z.union([z.string(), z.array(z.string())]),
|
|
11
|
-
exp: z.number(),
|
|
12
|
-
iat: z.number(),
|
|
13
|
-
client_id: z.string().optional(),
|
|
14
|
-
scope: z.string().optional(),
|
|
15
|
-
jti: z.string().optional(),
|
|
16
|
-
nbf: z.number().optional(),
|
|
17
|
-
auth_time: z.number().optional(),
|
|
18
|
-
cnf: z.record(z.unknown()).optional()
|
|
19
|
-
})
|
|
20
|
-
.catchall(z.unknown());
|
|
21
|
-
assert;
|
|
22
|
-
return id(zTargetType);
|
|
23
|
-
})();
|
|
1
|
+
import { assert, id } from "./vendor/server/tsafe.mjs";
|
|
2
|
+
import { oidcSpa } from "./server/index.mjs";
|
|
3
|
+
/** @deprecated: Use "oidc-spa/server" instead */
|
|
24
4
|
export async function createOidcBackend(params) {
|
|
25
5
|
const { issuerUri, decodedAccessTokenSchema } = params;
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
}
|
|
34
|
-
catch (error) {
|
|
35
|
-
if (count === 9) {
|
|
36
|
-
console.warn(`Failed to refresh public key and signing algorithm after ${count + 1} attempts`);
|
|
37
|
-
return undefined;
|
|
38
|
-
}
|
|
39
|
-
const delayMs = 1000 * Math.pow(2, count);
|
|
40
|
-
console.warn(`Failed to refresh public key and signing algorithm: ${String(error)}, retrying in ${delayMs}ms`);
|
|
41
|
-
await new Promise(resolve => setTimeout(resolve, delayMs));
|
|
42
|
-
return callee(count + 1);
|
|
43
|
-
}
|
|
44
|
-
return wrap;
|
|
45
|
-
})(0);
|
|
46
|
-
if (publicSigningKeys_new === undefined) {
|
|
47
|
-
return;
|
|
48
|
-
}
|
|
49
|
-
publicSigningKeys = publicSigningKeys_new;
|
|
6
|
+
const { bootstrapAuth, validateAndDecodeAccessToken } = decodedAccessTokenSchema === undefined
|
|
7
|
+
? oidcSpa.createUtils()
|
|
8
|
+
: oidcSpa.withExpectedDecodedAccessTokenShape({ decodedAccessTokenSchema }).createUtils();
|
|
9
|
+
await bootstrapAuth({
|
|
10
|
+
implementation: "real",
|
|
11
|
+
issuerUri,
|
|
12
|
+
expectedAudience: undefined
|
|
50
13
|
});
|
|
51
14
|
return {
|
|
52
15
|
verifyAndDecodeAccessToken: async ({ accessToken }) => {
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
return {
|
|
62
|
-
isValid: false,
|
|
63
|
-
errorCase: "invalid signature",
|
|
64
|
-
errorMessage: "Failed to decode the JWT header"
|
|
65
|
-
};
|
|
66
|
-
}
|
|
67
|
-
const { kid: kidFromHeader, alg: algFromHeader } = header;
|
|
68
|
-
if (typeof kidFromHeader !== "string" || kidFromHeader.length === 0) {
|
|
69
|
-
return {
|
|
70
|
-
isValid: false,
|
|
71
|
-
errorCase: "invalid signature",
|
|
72
|
-
errorMessage: "The decoded JWT header does not have a kid property"
|
|
73
|
-
};
|
|
74
|
-
}
|
|
75
|
-
if (typeof algFromHeader !== "string") {
|
|
76
|
-
return {
|
|
77
|
-
isValid: false,
|
|
78
|
-
errorCase: "invalid signature",
|
|
79
|
-
errorMessage: "The decoded JWT header does not specify an algorithm"
|
|
80
|
-
};
|
|
81
|
-
}
|
|
82
|
-
const supportedAlgs = [
|
|
83
|
-
"RS256",
|
|
84
|
-
"RS384",
|
|
85
|
-
"RS512",
|
|
86
|
-
"ES256",
|
|
87
|
-
"ES384",
|
|
88
|
-
"ES512",
|
|
89
|
-
"PS256",
|
|
90
|
-
"PS384",
|
|
91
|
-
"PS512"
|
|
92
|
-
];
|
|
93
|
-
if (!isAmong(supportedAlgs, algFromHeader)) {
|
|
94
|
-
return {
|
|
95
|
-
isValid: false,
|
|
96
|
-
errorCase: "invalid signature",
|
|
97
|
-
errorMessage: `Unsupported or too weak algorithm ${algFromHeader}`
|
|
98
|
-
};
|
|
99
|
-
}
|
|
100
|
-
kid = kidFromHeader;
|
|
101
|
-
alg = algFromHeader;
|
|
102
|
-
}
|
|
103
|
-
if (!publicSigningKeys.kidSet.has(kid)) {
|
|
104
|
-
return {
|
|
105
|
-
isValid: false,
|
|
106
|
-
errorCase: "invalid signature",
|
|
107
|
-
errorMessage: `No public signing key found with kid ${kid}`
|
|
108
|
-
};
|
|
109
|
-
}
|
|
110
|
-
let payload;
|
|
111
|
-
try {
|
|
112
|
-
const verification = await jwtVerify(accessToken, publicSigningKeys.keyResolver, {
|
|
113
|
-
algorithms: [alg]
|
|
114
|
-
});
|
|
115
|
-
payload = verification.payload;
|
|
116
|
-
}
|
|
117
|
-
catch (error) {
|
|
118
|
-
if (error instanceof errors.JWTExpired) {
|
|
119
|
-
return id({
|
|
120
|
-
isValid: false,
|
|
121
|
-
errorCase: "expired",
|
|
122
|
-
errorMessage: error.message
|
|
123
|
-
});
|
|
124
|
-
}
|
|
125
|
-
evtInvalidSignature.post();
|
|
126
|
-
return id({
|
|
127
|
-
isValid: false,
|
|
128
|
-
errorCase: "invalid signature",
|
|
129
|
-
errorMessage: error instanceof Error ? error.message : String(error)
|
|
130
|
-
});
|
|
131
|
-
}
|
|
132
|
-
const decodedAccessToken_unknown = payload;
|
|
133
|
-
try {
|
|
134
|
-
zDecodedAccessToken_RFC9068.parse(decodedAccessToken_unknown);
|
|
135
|
-
}
|
|
136
|
-
catch (error) {
|
|
137
|
-
return id({
|
|
138
|
-
isValid: false,
|
|
139
|
-
errorCase: "does not respect schema",
|
|
140
|
-
errorMessage: [
|
|
141
|
-
`The decoded access token does not satisfies`,
|
|
142
|
-
`the shape mandated by RFC9068: ${String(error)}`
|
|
143
|
-
].join(" ")
|
|
144
|
-
});
|
|
145
|
-
}
|
|
146
|
-
assert(is(decodedAccessToken_unknown));
|
|
147
|
-
const decodedAccessToken_original = decodedAccessToken_unknown;
|
|
148
|
-
let decodedAccessToken;
|
|
149
|
-
if (decodedAccessTokenSchema === undefined) {
|
|
150
|
-
decodedAccessToken = decodedAccessToken_original;
|
|
151
|
-
}
|
|
152
|
-
else {
|
|
153
|
-
try {
|
|
154
|
-
decodedAccessToken = decodedAccessTokenSchema.parse(decodedAccessToken_original);
|
|
16
|
+
const { isSuccess, errorCause, debugErrorMessage, decodedAccessToken, decodedAccessToken_original } = await validateAndDecodeAccessToken({
|
|
17
|
+
request: {
|
|
18
|
+
method: "GET",
|
|
19
|
+
url: "https://dummy.com",
|
|
20
|
+
headers: {
|
|
21
|
+
Authorization: `Bearer ${accessToken}`,
|
|
22
|
+
DPoP: undefined
|
|
23
|
+
}
|
|
155
24
|
}
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
25
|
+
});
|
|
26
|
+
if (!isSuccess) {
|
|
27
|
+
switch (errorCause) {
|
|
28
|
+
case "missing Authorization header":
|
|
29
|
+
assert(false, "29330204");
|
|
30
|
+
case "validation error":
|
|
31
|
+
if (debugErrorMessage.includes("shape") ||
|
|
32
|
+
debugErrorMessage.includes("schema")) {
|
|
33
|
+
return {
|
|
34
|
+
isValid: false,
|
|
35
|
+
errorCase: "does not respect schema",
|
|
36
|
+
errorMessage: debugErrorMessage
|
|
37
|
+
};
|
|
38
|
+
}
|
|
39
|
+
return {
|
|
40
|
+
isValid: false,
|
|
41
|
+
errorCase: "invalid signature",
|
|
42
|
+
errorMessage: debugErrorMessage
|
|
43
|
+
};
|
|
44
|
+
case "validation error - access token expired":
|
|
45
|
+
return {
|
|
46
|
+
isValid: false,
|
|
47
|
+
errorCase: "expired",
|
|
48
|
+
errorMessage: debugErrorMessage
|
|
49
|
+
};
|
|
50
|
+
case "validation error - invalid signature":
|
|
51
|
+
return {
|
|
52
|
+
isValid: false,
|
|
53
|
+
errorCase: "invalid signature",
|
|
54
|
+
errorMessage: debugErrorMessage
|
|
55
|
+
};
|
|
162
56
|
}
|
|
163
57
|
}
|
|
164
58
|
return id({
|
|
165
59
|
isValid: true,
|
|
60
|
+
// @ts-expect-error
|
|
166
61
|
decodedAccessToken,
|
|
167
62
|
decodedAccessToken_original
|
|
168
63
|
});
|
|
169
64
|
}
|
|
170
65
|
};
|
|
171
66
|
}
|
|
172
|
-
async function fetchPublicSigningKeys(params) {
|
|
173
|
-
const { issuerUri } = params;
|
|
174
|
-
const { jwks_uri } = await (async () => {
|
|
175
|
-
const url = `${issuerUri.replace(/\/$/, "")}/.well-known/openid-configuration`;
|
|
176
|
-
const response = await fetch(url);
|
|
177
|
-
if (!response.ok) {
|
|
178
|
-
throw new Error(`Failed to fetch openid configuration of the issuerUri: ${issuerUri} (${url}): ${response.statusText}`);
|
|
179
|
-
}
|
|
180
|
-
let data;
|
|
181
|
-
try {
|
|
182
|
-
data = await response.json();
|
|
183
|
-
}
|
|
184
|
-
catch (error) {
|
|
185
|
-
throw new Error(`Failed to parse json from ${url}: ${String(error)}`);
|
|
186
|
-
}
|
|
187
|
-
{
|
|
188
|
-
const zWellKnownConfiguration = z.object({
|
|
189
|
-
jwks_uri: z.string()
|
|
190
|
-
});
|
|
191
|
-
assert();
|
|
192
|
-
try {
|
|
193
|
-
zWellKnownConfiguration.parse(data);
|
|
194
|
-
}
|
|
195
|
-
catch {
|
|
196
|
-
throw new Error(`${url} does not have a jwks_uri property`);
|
|
197
|
-
}
|
|
198
|
-
assert(is(data));
|
|
199
|
-
}
|
|
200
|
-
const { jwks_uri } = data;
|
|
201
|
-
return { jwks_uri };
|
|
202
|
-
})();
|
|
203
|
-
const { jwks } = await (async () => {
|
|
204
|
-
const response = await fetch(jwks_uri);
|
|
205
|
-
if (!response.ok) {
|
|
206
|
-
throw new Error(`Failed to fetch public key and algorithm from ${jwks_uri}: ${response.statusText}`);
|
|
207
|
-
}
|
|
208
|
-
let jwks;
|
|
209
|
-
try {
|
|
210
|
-
jwks = await response.json();
|
|
211
|
-
}
|
|
212
|
-
catch (error) {
|
|
213
|
-
throw new Error(`Failed to parse json from ${jwks_uri}: ${String(error)}`);
|
|
214
|
-
}
|
|
215
|
-
{
|
|
216
|
-
const zJwks = z.object({
|
|
217
|
-
keys: z.array(z.object({
|
|
218
|
-
kid: z.string(),
|
|
219
|
-
kty: z.string(),
|
|
220
|
-
use: z.string().optional(),
|
|
221
|
-
alg: z.string().optional()
|
|
222
|
-
}))
|
|
223
|
-
});
|
|
224
|
-
assert();
|
|
225
|
-
try {
|
|
226
|
-
zJwks.parse(jwks);
|
|
227
|
-
}
|
|
228
|
-
catch {
|
|
229
|
-
throw new Error(`${jwks_uri} does not have the expected shape`);
|
|
230
|
-
}
|
|
231
|
-
assert(is(jwks));
|
|
232
|
-
}
|
|
233
|
-
return { jwks };
|
|
234
|
-
})();
|
|
235
|
-
//const signatureKeys = jwks.keys.filter((key): key is JWKS["keys"][number] & { kid: string } => {
|
|
236
|
-
const signatureKeys = jwks.keys.filter(key => {
|
|
237
|
-
if (typeof key.kid !== "string" || key.kid.length === 0) {
|
|
238
|
-
return false;
|
|
239
|
-
}
|
|
240
|
-
if (key.use !== undefined && key.use !== "sig") {
|
|
241
|
-
return false;
|
|
242
|
-
}
|
|
243
|
-
const supportedKty = ["RSA", "EC"];
|
|
244
|
-
if (!supportedKty.includes(key.kty)) {
|
|
245
|
-
return false;
|
|
246
|
-
}
|
|
247
|
-
return true;
|
|
248
|
-
});
|
|
249
|
-
assert(signatureKeys.length !== 0, `No public signing key found at ${jwks_uri}, ${JSON.stringify(jwks, null, 2)}`);
|
|
250
|
-
const kidSet = new Set(signatureKeys.map(({ kid }) => kid));
|
|
251
|
-
const keyResolver = createLocalJWKSet({
|
|
252
|
-
keys: signatureKeys
|
|
253
|
-
});
|
|
254
|
-
return {
|
|
255
|
-
keyResolver,
|
|
256
|
-
kidSet
|
|
257
|
-
};
|
|
258
|
-
}
|
|
259
67
|
//# sourceMappingURL=backend.mjs.map
|
package/esm/backend.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"backend.mjs","sourceRoot":"","sources":["../src/backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,
|
|
1
|
+
{"version":3,"file":"backend.mjs","sourceRoot":"","sources":["../src/backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC;AAGnD,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAwCnC,iDAAiD;AACjD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAErC,MAAqD;IACnD,MAAM,EAAE,SAAS,EAAE,wBAAwB,EAAE,GAAG,MAAM,CAAC;IAEvD,MAAM,EAAE,aAAa,EAAE,4BAA4B,EAAE,GACjD,wBAAwB,KAAK,SAAS;QAClC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE;QACvB,CAAC,CAAC,OAAO,CAAC,mCAAmC,CAAC,EAAE,wBAAwB,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAElG,MAAM,aAAa,CAAC;QAChB,cAAc,EAAE,MAAM;QACtB,SAAS;QACT,gBAAgB,EAAE,SAAS;KAC9B,CAAC,CAAC;IAEH,OAAO;QACH,0BAA0B,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;YAClD,MAAM,EACF,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,kBAAkB,EAClB,2BAA2B,EAC9B,GAAG,MAAM,4BAA4B,CAAC;gBACnC,OAAO,EAAE;oBACL,MAAM,EAAE,KAAK;oBACb,GAAG,EAAE,mBAAmB;oBACxB,OAAO,EAAE;wBACL,aAAa,EAAE,UAAU,WAAW,EAAE;wBACtC,IAAI,EAAE,SAAS;qBAClB;iBACJ;aACJ,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACb,QAAQ,UAAU,EAAE,CAAC;oBACjB,KAAK,8BAA8B;wBAC/B,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;oBAC9B,KAAK,kBAAkB;wBACnB,IACI,iBAAiB,CAAC,QAAQ,CAAC,OAAO,CAAC;4BACnC,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,EACtC,CAAC;4BACC,OAAO;gCACH,OAAO,EAAE,KAAK;gCACd,SAAS,EAAE,yBAAyB;gCACpC,YAAY,EAAE,iBAAiB;6BAClC,CAAC;wBACN,CAAC;wBAED,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,mBAAmB;4BAC9B,YAAY,EAAE,iBAAiB;yBAClC,CAAC;oBAEN,KAAK,yCAAyC;wBAC1C,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,SAAS;4BACpB,YAAY,EAAE,iBAAiB;yBAClC,CAAC;oBACN,KAAK,sCAAsC;wBACvC,OAAO;4BACH,OAAO,EAAE,KAAK;4BACd,SAAS,EAAE,mBAAmB;4BAC9B,YAAY,EAAE,iBAAiB;yBAClC,CAAC;gBACV,CAAC;YACL,CAAC;YAED,OAAO,EAAE,CAAsD;gBAC3D,OAAO,EAAE,IAAI;gBACb,mBAAmB;gBACnB,kBAAkB;gBAClB,2BAA2B;aAC9B,CAAC,CAAC;QACP,CAAC;KACJ,CAAC;AACN,CAAC"}
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
import { type OidcMetadata as OidcClientTsOidcMetadata } from "../vendor/frontend/oidc-client-ts";
|
|
2
1
|
/**
|
|
3
2
|
* OpenID Providers have metadata describing their configuration.
|
|
4
3
|
*
|
|
@@ -264,8 +263,9 @@ export type OidcMetadata = {
|
|
|
264
263
|
* @see https://datatracker.ietf.org/doc/html/rfc8414
|
|
265
264
|
*/
|
|
266
265
|
code_challenge_methods_supported: string[];
|
|
266
|
+
dpop_signing_alg_values_supported: string[];
|
|
267
267
|
};
|
|
268
268
|
export declare const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
|
|
269
269
|
export declare function fetchOidcMetadata(params: {
|
|
270
270
|
issuerUri: string;
|
|
271
|
-
}): Promise<Partial<
|
|
271
|
+
}): Promise<Partial<OidcMetadata> | undefined>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OidcMetadata.mjs","sourceRoot":"","sources":["../../src/core/OidcMetadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;
|
|
1
|
+
{"version":3,"file":"OidcMetadata.mjs","sourceRoot":"","sources":["../../src/core/OidcMetadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AA+QlE,MAAiG,CAAC;AAElG,MAAM,CAAC,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAEnE,SAAS,oBAAoB,CAAC,MAA6B;IACvD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,OAAO,iCAAiC,SAAS,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA6B;IACrD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,MAAM,KAAK,GAAG,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAE1E,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACjB,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAA0B,CAAC;AACtD,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAkE;IACzF,MAAM,EAAE,SAAS,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAE3C,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC,CAAC;AAC9F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAA6B;IACjE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAE7B,UAAU,EAAE,CAAC;QACT,MAAM,YAAY,GAAG,kBAAkB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;QAEvD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,UAAU,CAAC;QACrB,CAAC;QAED,OAAO,YAAY,CAAC;IACxB,CAAC;IAED,IAAI,YAAmC,CAAC;IAExC,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,GAAG,eAAe,EAAE,EAAE;YAC3D,OAAO,EAAE;gBACL,MAAM,EAAE,4CAA4C;aACvD;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAElC,CAAC;YACG,MAAM,EAAE,sBAAsB,EAAE,GAAG,GAAG,CAAC;YAEvC,IAAI,OAAO,sBAAsB,KAAK,QAAQ,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,EAAE,CAAC;YACtB,CAAC;QACL,CAAC;QAED,YAAY,GAAG,GAAG,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;QAC1B,iBAAiB,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,YAAY,CAAC;AACxB,CAAC"}
|
package/esm/core/createOidc.d.ts
CHANGED
|
@@ -65,10 +65,6 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
|
|
|
65
65
|
* */
|
|
66
66
|
idleSessionLifetimeInSeconds?: number;
|
|
67
67
|
/**
|
|
68
|
-
* Usage discouraged, this parameter exists because we don't want to assume
|
|
69
|
-
* too much about your usecase but I can't think of a scenario where you would
|
|
70
|
-
* want anything other than the current page.
|
|
71
|
-
*
|
|
72
68
|
* Default: { redirectTo: "current page" }
|
|
73
69
|
*/
|
|
74
70
|
autoLogoutParams?: Parameters<Oidc.LoggedIn<any>["logout"]>[0];
|
|
@@ -170,6 +166,8 @@ export type ParamsOfCreateOidc<DecodedIdToken extends Record<string, unknown> =
|
|
|
170
166
|
* API and no iframe capabilities.
|
|
171
167
|
*/
|
|
172
168
|
postLoginRedirectUrl?: string;
|
|
169
|
+
/** See: https://docs.oidc-spa.dev/v/v8/features/dpop */
|
|
170
|
+
dpop?: "disabled" | "enabled" | "auto";
|
|
173
171
|
};
|
|
174
172
|
/** @see: https://docs.oidc-spa.dev/v/v8/usage */
|
|
175
173
|
export declare function createOidc<DecodedIdToken extends Record<string, unknown> = Oidc.Tokens.DecodedIdToken_OidcCoreSpec, AutoLogin extends boolean = false>(params: ParamsOfCreateOidc<DecodedIdToken, AutoLogin>): Promise<AutoLogin extends true ? Oidc.LoggedIn<DecodedIdToken> : Oidc<DecodedIdToken>>;
|
package/esm/core/createOidc.mjs
CHANGED
|
@@ -35,9 +35,10 @@ import { getHomeAndRedirectUri } from "./homeAndRedirectUri.mjs";
|
|
|
35
35
|
import { ensureNonBlankPaint } from "../tools/ensureNonBlankPaint.mjs";
|
|
36
36
|
import { setStateDataCookieIfEnabled, clearStateDataCookie, getIsStateDataCookieEnabled } from "./StateDataCookie.mjs";
|
|
37
37
|
import { getIsTokenSubstitutionEnabled } from "./tokenPlaceholderSubstitution.mjs";
|
|
38
|
+
import { createInMemoryDPoPStore } from "./dpop.mjs";
|
|
38
39
|
import { loadWebcryptoLinerShim } from "../tools/loadWebcryptoLinerShim.mjs";
|
|
39
40
|
// NOTE: Replaced at build time
|
|
40
|
-
const VERSION = "8.
|
|
41
|
+
const VERSION = "8.7.1";
|
|
41
42
|
const globalContext = {
|
|
42
43
|
prOidcByConfigId: new Map(),
|
|
43
44
|
hasLogoutBeenCalled: id(false)
|
|
@@ -114,7 +115,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
114
115
|
return new Promise(() => { });
|
|
115
116
|
}
|
|
116
117
|
}
|
|
117
|
-
const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto" } = params;
|
|
118
|
+
const { transformUrlBeforeRedirect, extraQueryParams: extraQueryParamsOrGetter, extraTokenParams: extraTokenParamsOrGetter, decodedIdTokenSchema, idleSessionLifetimeInSeconds, autoLogoutParams = { redirectTo: "current page" }, autoLogin = false, postLoginRedirectUrl: postLoginRedirectUrl_default, __unsafe_clientSecret, __unsafe_useIdTokenAsAccessToken = false, __metadata, sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto", dpop } = params;
|
|
118
119
|
const scopes = Array.from(new Set(["openid", ...(params.scopes ?? ["profile"])]));
|
|
119
120
|
const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
|
|
120
121
|
const { issuerUri, clientId, configId, log } = preProcessedParams;
|
|
@@ -163,6 +164,43 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
163
164
|
}
|
|
164
165
|
const stateUrlParamValue_instance = generateStateUrlParamValue();
|
|
165
166
|
const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
|
|
167
|
+
const isDPoPEnabled = (() => {
|
|
168
|
+
if (dpop === undefined) {
|
|
169
|
+
log?.("DPoP disabled, to enable it see: https://docs.oidc-spa.dev/features/dpop");
|
|
170
|
+
return false;
|
|
171
|
+
}
|
|
172
|
+
if (dpop === "disabled") {
|
|
173
|
+
log?.("DPoP explicitly disabled");
|
|
174
|
+
return false;
|
|
175
|
+
}
|
|
176
|
+
if (oidcMetadata === undefined) {
|
|
177
|
+
return false;
|
|
178
|
+
}
|
|
179
|
+
if (__unsafe_useIdTokenAsAccessToken) {
|
|
180
|
+
if (dpop === "enabled") {
|
|
181
|
+
throw new Error([
|
|
182
|
+
"oidc-spa: Cannot enable DPoP when",
|
|
183
|
+
"__unsafe_useIdTokenAsAccessToken is set to true"
|
|
184
|
+
].join(" "));
|
|
185
|
+
}
|
|
186
|
+
log?.("DPoP Disabled due to __unsafe_useIdTokenAsAccessToken: true");
|
|
187
|
+
return false;
|
|
188
|
+
}
|
|
189
|
+
const isSupported = (() => {
|
|
190
|
+
const { dpop_signing_alg_values_supported } = oidcMetadata;
|
|
191
|
+
if (dpop_signing_alg_values_supported === undefined) {
|
|
192
|
+
return false;
|
|
193
|
+
}
|
|
194
|
+
return dpop_signing_alg_values_supported.includes("ES256");
|
|
195
|
+
})();
|
|
196
|
+
if (!isSupported) {
|
|
197
|
+
log?.("DPoP disabled because it's not supported by your IdP");
|
|
198
|
+
}
|
|
199
|
+
else {
|
|
200
|
+
log?.("DPoP enabled");
|
|
201
|
+
}
|
|
202
|
+
return isSupported;
|
|
203
|
+
})();
|
|
166
204
|
const canUseIframe = (() => {
|
|
167
205
|
switch (sessionRestorationMethod) {
|
|
168
206
|
case "auto":
|
|
@@ -334,7 +372,13 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
334
372
|
prefix: STATE_STORE_KEY_PREFIX
|
|
335
373
|
}),
|
|
336
374
|
client_secret: __unsafe_clientSecret,
|
|
337
|
-
metadata: oidcMetadata
|
|
375
|
+
metadata: oidcMetadata,
|
|
376
|
+
dpop: !isDPoPEnabled
|
|
377
|
+
? undefined
|
|
378
|
+
: {
|
|
379
|
+
bind_authorization_code: false,
|
|
380
|
+
store: createInMemoryDPoPStore({ configId })
|
|
381
|
+
}
|
|
338
382
|
});
|
|
339
383
|
const evtInitializationOutcomeUserNotLoggedIn = createEvt();
|
|
340
384
|
const { loginOrGoToAuthServer } = createLoginOrGoToAuthServer({
|
|
@@ -754,6 +798,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
754
798
|
decodedIdTokenSchema,
|
|
755
799
|
__unsafe_useIdTokenAsAccessToken,
|
|
756
800
|
decodedIdToken_previous: undefined,
|
|
801
|
+
isDPoPEnabled,
|
|
757
802
|
log
|
|
758
803
|
});
|
|
759
804
|
detect_useless_idleSessionLifetimeInSeconds: {
|
|
@@ -1007,6 +1052,7 @@ export async function createOidc_nonMemoized(params, preProcessedParams) {
|
|
|
1007
1052
|
decodedIdTokenSchema,
|
|
1008
1053
|
__unsafe_useIdTokenAsAccessToken,
|
|
1009
1054
|
decodedIdToken_previous: currentTokens.decodedIdToken,
|
|
1055
|
+
isDPoPEnabled,
|
|
1010
1056
|
log
|
|
1011
1057
|
});
|
|
1012
1058
|
if (getPersistedAuthState({ configId }) !== undefined) {
|