openid-client 2.4.2 → 2.5.0

package/CHANGELOG.md

@@ -2,6 +2,50 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+# [2.5.0](https://github.com/panva/node-openid-client/compare/v2.4.5...v2.5.0) (2019-04-29)
+
+
+### Bug Fixes
+
+* key lookup cache is now working as intended ([90d2f2a](https://github.com/panva/node-openid-client/commit/90d2f2a)), closes [#162](https://github.com/panva/node-openid-client/issues/162)
+
+
+### Features
+
+* add support for azure ad v2 multitenant apps ([24486dd](https://github.com/panva/node-openid-client/commit/24486dd)), closes [/github.com/panva/node-openid-client/pull/148#issuecomment-483348258](https://github.com//github.com/panva/node-openid-client/pull/148/issues/issuecomment-483348258) [#148](https://github.com/panva/node-openid-client/issues/148)
+
+
+
+<a name="2.4.5"></a>
+## [2.4.5](https://github.com/panva/node-openid-client/compare/v2.4.4...v2.4.5) (2018-11-05)
+
+
+### Bug Fixes
+
+* upgrade min node-jose version to fix its performance in node ([e682dfc](https://github.com/panva/node-openid-client/commit/e682dfc))
+
+
+
+<a name="2.4.4"></a>
+## [2.4.4](https://github.com/panva/node-openid-client/compare/v2.4.3...v2.4.4) (2018-10-18)
+
+
+### Bug Fixes
+
+* strategy code_verifier length, removed uuid dependency ([60d0cb8...ea4a8fd](https://github.com/panva/node-openid-client/compare/60d0cb8...ea4a8fd)), closes [#131](https://github.com/panva/node-openid-client/issues/131)
+
+
+
+<a name="2.4.3"></a>
+## [2.4.3](https://github.com/panva/node-openid-client/compare/v2.4.2...v2.4.3) (2018-10-10)
+
+
+### Bug Fixes
+
+* assign Discovery 1.0 defaults when discovering with .well-known ([74b593e](https://github.com/panva/node-openid-client/commit/74b593e))
+
+
+
 <a name="2.4.2"></a>
 ## [2.4.2](https://github.com/panva/node-openid-client/compare/v2.4.1...v2.4.2) (2018-09-27)
 

package/README.md

@@ -57,7 +57,7 @@ versions, if you utilize these consider using the tilde ~ operator in your packa
 breaking changes may be introduced as part of these specification updates.
 
 ## Certification
-[<img width="184" height="96" align="right" src="https://cdn.rawgit.com/panva/node-openid-client/38cf016b/OpenID_Certified.png" alt="OpenID Certification">][openid-certified-link]  
+[<img width="184" height="96" align="right" src="https://cdn.jsdelivr.net/gh/panva/node-openid-client@38cf016b0837e6d4116de3780b28d222d5780bc9/OpenID_Certified.png" alt="OpenID Certification">][openid-certified-link]  
 Filip Skokan has [certified][openid-certified-link] that [openid-client][npm-url]
 conforms to the RP Basic, RP Implicit, RP Hybrid, RP Config, RP Dynamic and RP Form Post profiles
 of the OpenID Connect™ protocol.
@@ -69,6 +69,12 @@ of the OpenID Connect™ protocol.
 
 [<img width="65" height="65" align="left" src="https://avatars.githubusercontent.com/u/2824157?s=75&v=4" alt="auth0-logo">][sponsor-auth0] If you want to quickly add OpenID Connect authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan at [auth0.com/overview][sponsor-auth0].<br><br>
 
+<h2>Support</h2>
+
+[<img src="https://c5.patreon.com/external/logo/become_a_patron_button@2x.png" width="160" align="right">][support-patreon]
+If you or your business use openid-client, please consider becoming a [Patron][support-patreon] so I can continue maintaining it and adding new features carefree. You may also donate one-time via [PayPal][support-paypal].
+[<img src="https://cdn.jsdelivr.net/gh/gregoiresgt/payment-icons@183140a5ff8f39b5a19d59ebeb2c77f03c3a24d3/Assets/Payment/PayPal/Paypal@2x.png" width="100" align="right">][support-paypal]
+
 
 ## Get started
 On the off-chance you want to manage multiple clients for multiple issuers you need to first get
@@ -153,8 +159,8 @@ client.authorizationCallback('https://client.example.com/callback', request.quer
   });
 ```
 
-Aside from `state` and `response_type`, checks for `nonce` (implicit and hybrid responses) and
-`max_age` are implemented. `id_token` signature and claims validation does not need to be requested,
+Aside from `state` and `response_type`, checks for `nonce` (implicit and hybrid responses),
+`max_age`, and `code_verifier` (for use with PKCE) are implemented. `id_token` signature and claims validation does not need to be requested,
 it is done automatically.
 
 ### OP Errors - OpenIdConnectError
@@ -558,7 +564,8 @@ Issuer.useRequest();
 [request-library]: https://github.com/request/request
 [signed-userinfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
 [openid-certified-link]: https://openid.net/certification/
-[openid-certified-logo]: https://cdn.rawgit.com/panva/node-openid-client/master/OpenID_Certified.png
 [passport-url]: http://passportjs.org
 [npm-url]: https://www.npmjs.com/package/openid-client
 [sponsor-auth0]: https://auth0.com/overview?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=openid-client&utm_content=auth
+[support-patreon]: https://www.patreon.com/panva
+[support-paypal]: https://www.paypal.me/panva

package/lib/client.js

@@ -6,7 +6,6 @@ const querystring = require('querystring');
 const url = require('url');
 
 const jose = require('node-jose');
-const uuid = require('uuid/v4');
 const base64url = require('base64url');
 const _ = require('lodash');
 const tokenHash = require('oidc-token-hash');
@@ -19,6 +18,7 @@ const now = require('./util/unix_timestamp');
 const { CALLBACK_PROPERTIES, CLIENT_DEFAULTS, JWT_CONTENT } = require('./helpers/consts');
 const issuerRegistry = require('./issuer_registry');
 const forEach = require('./util/for_each');
+const random = require('./util/random');
 
 const errorHandler = errorHandlerFactory();
 const bearerErrorHandler = errorHandlerFactory({ bearerEndpoint: true });
@@ -200,12 +200,15 @@ function assertIssuerConfiguration(issuer, endpoint) {
   assert(issuer[endpoint], `${endpoint} must be configured on the issuer`);
 }
 
-class Client {
+class BaseClient {}
+
+module.exports = (issuer, aadIssValidation = false) => class Client extends BaseClient {
   /**
    * @name constructor
    * @api public
    */
   constructor(metadata = {}, keystore) {
+    super();
     const properties = Object.assign({}, CLIENT_DEFAULTS, metadata);
 
     if (!metadata.token_endpoint_auth_method) { // if no explicit value was provided
@@ -570,7 +573,12 @@ class Client {
     }
 
     if (payload.iss !== undefined) {
-      assert.equal(payload.iss, this.issuer.issuer, 'unexpected iss value');
+      if (aadIssValidation) {
+        const azureADv2Issuer = this.issuer.issuer.replace('{tenantid}', payload.tid);
+        assert.equal(payload.iss, azureADv2Issuer, 'unexpected iss value');
+      } else {
+        assert.equal(payload.iss, this.issuer.issuer, 'unexpected iss value');
+      }
     }
 
     if (payload.iat !== undefined) {
@@ -715,8 +723,9 @@ class Client {
       }
     }
 
-    const { issuer } = this;
-    return this.httpClient[verb](issuer.userinfo_endpoint, issuer.httpOptions(httpOptions))
+    return this.httpClient[verb](
+      this.issuer.userinfo_endpoint, this.issuer.httpOptions(httpOptions)
+    )
       .then(expectResponseWithBody(200))
       .then((response) => {
         if (JWT_CONTENT.exec(response.headers['content-type'])) {
@@ -951,7 +960,7 @@ class Client {
         return this.createSign(endpoint).then(sign => sign.update(JSON.stringify({
           iat: timestamp,
           exp: timestamp + 60,
-          jti: uuid(),
+          jti: random(),
           iss: this.client_id,
           sub: this.client_id,
           aud: this.issuer[`${endpoint}_endpoint`],
@@ -1109,6 +1118,23 @@ class Client {
   static get httpClient() {
     return this.issuer.httpClient;
   }
-}
 
-module.exports = Client;
+  /**
+   * @name issuer
+   * @api public
+   */
+  static get issuer() {
+    return issuer;
+  }
+
+
+  /**
+   * @name issuer
+   * @api public
+   */
+  get issuer() { // eslint-disable-line class-methods-use-this
+    return issuer;
+  }
+};
+
+module.exports.BaseClient = BaseClient;

package/lib/helpers/consts.js

@@ -6,6 +6,7 @@ const OIDC_DISCOVERY = '/.well-known/openid-configuration';
 const OAUTH2_DISCOVERY = '/.well-known/oauth-authorization-server';
 const WEBFINGER = '/.well-known/webfinger';
 const REL = 'http://openid.net/specs/connect/1.0/issuer';
+const AAD_MULTITENANT_DISCOVERY = `https://login.microsoftonline.com/common/v2.0${OIDC_DISCOVERY}`;
 
 const CLIENT_DEFAULTS = {
   application_type: 'web',
@@ -49,6 +50,7 @@ const DEFAULT_HTTP_OPTIONS = {
 const JWT_CONTENT = /^application\/jwt/;
 
 module.exports = {
+  AAD_MULTITENANT_DISCOVERY,
   CALLBACK_PROPERTIES,
   CLIENT_DEFAULTS,
   DEFAULT_HTTP_OPTIONS,

package/lib/issuer.js

@@ -6,17 +6,19 @@ const jose = require('node-jose');
 const _ = require('lodash');
 const pAny = require('p-any');
 const LRU = require('lru-cache');
+const objectHash = require('object-hash');
 
 const http = require('./helpers/http');
 const httpRequest = require('./helpers/http_request');
 const errorHandler = require('./helpers/error_handler')();
-const BaseClient = require('./client');
+const getClient = require('./client');
 const registry = require('./issuer_registry');
 const expectResponseWithBody = require('./helpers/expect_response');
 const webfingerNormalize = require('./util/webfinger_normalize');
 const forEach = require('./util/for_each');
 const {
-  DEFAULT_HTTP_OPTIONS, ISSUER_DEFAULTS, OIDC_DISCOVERY, OAUTH2_DISCOVERY, WEBFINGER, REL,
+  DEFAULT_HTTP_OPTIONS, ISSUER_DEFAULTS, OIDC_DISCOVERY,
+  OAUTH2_DISCOVERY, WEBFINGER, REL, AAD_MULTITENANT_DISCOVERY,
 } = require('./helpers/consts');
 
 const privateProps = new WeakMap();
@@ -29,12 +31,17 @@ function instance(ctx) {
   return privateProps.get(ctx);
 }
 
+const AAD_MULTITENANT = Symbol('AAD_MULTITENANT');
+
 class Issuer {
   /**
    * @name constructor
    * @api public
    */
   constructor(meta = {}) {
+    const aadIssValidation = meta[AAD_MULTITENANT];
+    delete meta[AAD_MULTITENANT];
+
     ['introspection', 'revocation'].forEach((endpoint) => {
       // e.g. defaults introspection_endpoint to token_introspection_endpoint value
       if (
@@ -74,18 +81,8 @@ class Issuer {
 
     registry.set(this.issuer, this);
 
-    const self = this;
-
     Object.defineProperty(this, 'Client', {
-      value: class Client extends BaseClient {
-        static get issuer() {
-          return self;
-        }
-
-        get issuer() {
-          return this.constructor.issuer;
-        }
-      },
+      value: getClient(this, aadIssValidation),
     });
   }
 
@@ -127,11 +124,24 @@ class Issuer {
    * @name key
    * @api private
    */
-  key(def, allowMulti) {
+  key({
+    kid, kty, alg, use, key_ops: ops,
+  }, allowMulti = false) {
     const { cache } = instance(this);
 
+    const def = {
+      kid, kty, alg, use, key_ops: ops,
+    };
+
+    const defHash = objectHash(def, {
+      algorithm: 'sha256',
+      ignoreUnknown: true,
+      unorderedArrays: true,
+      unorderedSets: true,
+    });
+
     // refresh keystore on every unknown key but also only upto once every minute
-    const freshJwksUri = cache.get(def) || cache.get('throttle');
+    const freshJwksUri = cache.get(defHash) || cache.get('throttle');
 
     return this.keystore(!freshJwksUri)
       .then(store => store.all(def))
@@ -139,7 +149,7 @@ class Issuer {
         assert(keys.length, 'no valid key found');
         if (!allowMulti) {
           assert.equal(keys.length, 1, 'multiple matching keys, kid must be provided');
-          cache.set(def, true);
+          cache.set(defHash, true);
         }
         return keys[0];
       });
@@ -196,7 +206,12 @@ class Issuer {
     if (parsed.pathname.includes('/.well-known/')) {
       return this.httpClient.get(uri, this.httpOptions())
         .then(expectResponseWithBody(200))
-        .then(response => new this(JSON.parse(response.body)))
+        .then(({ body }) => new Issuer(Object.assign(
+          {},
+          ISSUER_DEFAULTS,
+          JSON.parse(body),
+          { [AAD_MULTITENANT]: uri === AAD_MULTITENANT_DISCOVERY }
+        )))
         .catch(errorHandler.bind(this));
     }
 
@@ -216,7 +231,12 @@ class Issuer {
       const wellKnownUri = url.format(Object.assign({}, parsed, { pathname }));
       return this.httpClient.get(wellKnownUri, this.httpOptions())
         .then(expectResponseWithBody(200))
-        .then(response => new this(Object.assign({}, ISSUER_DEFAULTS, JSON.parse(response.body))));
+        .then(({ body }) => new Issuer(Object.assign(
+          {},
+          ISSUER_DEFAULTS,
+          JSON.parse(body),
+          { [AAD_MULTITENANT]: wellKnownUri === AAD_MULTITENANT_DISCOVERY }
+        )));
     }))
       .catch((err) => {
         if (err instanceof pAny.AggregateError) {

package/lib/passport_strategy.js

@@ -6,11 +6,11 @@ const url = require('url');
 const assert = require('assert');
 
 const base64url = require('base64url');
-const uuid = require('uuid/v4');
 const _ = require('lodash');
 
 const OpenIdConnectError = require('./open_id_connect_error');
-const Client = require('./client');
+const { BaseClient } = require('./client');
+const random = require('./util/random');
 
 function verified(err, user, info = {}) {
   if (err) {
@@ -33,7 +33,7 @@ function OpenIDConnectStrategy({
   sessionKey,
   usePKCE = false,
 } = {}, verify) {
-  assert(client instanceof Client, 'client must be an instance of openid-client Client');
+  assert(client instanceof BaseClient, 'client must be an instance of openid-client Client');
   assert.equal(typeof verify, 'function', 'verify must be a function');
 
   assert(client.issuer && client.issuer.issuer, 'client must have an issuer with an identifier');
@@ -81,17 +81,17 @@ OpenIDConnectStrategy.prototype.authenticate = function authenticate(req, option
     if (_.isEmpty(reqParams)) {
       // provide options object with extra authentication parameters
       const params = _.defaults({}, options, this._params, {
-        state: uuid(),
+        state: random(),
       });
 
       if (!params.nonce && params.response_type.includes('id_token')) {
-        params.nonce = uuid();
+        params.nonce = random();
       }
 
       req.session[sessionKey] = _.pick(params, 'nonce', 'state', 'max_age', 'response_type');
 
       if (this._usePKCE) {
-        const verifier = uuid();
+        const verifier = random();
         req.session[sessionKey].code_verifier = verifier;
 
         switch (this._usePKCE) { // eslint-disable-line default-case

package/lib/util/random.js

@@ -0,0 +1,5 @@
+const { randomBytes } = require('crypto');
+
+const base64url = require('base64url');
+
+module.exports = (bytes = 32) => base64url(randomBytes(bytes));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openid-client",
-  "version": "2.4.2",
+  "version": "2.5.0",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js servers, supports passportjs",
   "keywords": [
     "auth",
@@ -42,11 +42,11 @@
     "base64url": "^3.0.0",
     "got": "^8.3.2",
     "lodash": "^4.17.11",
-    "lru-cache": "^4.1.3",
-    "node-jose": "^1.0.0",
+    "lru-cache": "^5.1.1",
+    "node-jose": "^1.1.0",
+    "object-hash": "^1.3.1",
     "oidc-token-hash": "^3.0.1",
-    "p-any": "^1.1.0",
-    "uuid": "^3.3.2"
+    "p-any": "^1.1.0"
   },
   "devDependencies": {
     "@commitlint/cli": "^7.1.2",
@@ -55,18 +55,13 @@
     "eslint": "^5.6.0",
     "eslint-config-airbnb-base": "^13.1.0",
     "eslint-plugin-import": "^2.14.0",
-    "husky": "^1.0.0",
-    "koa": "^2.5.3",
-    "koa-body": "^4.0.4",
-    "koa-ejs": "^4.1.2",
-    "koa-router": "^7.4.0",
-    "koa-session": "^5.9.0",
-    "mocha": "^5.2.0",
+    "husky": "^2.1.0",
+    "mocha": "^6.1.4",
     "nock": "^10.0.0",
-    "nyc": "^13.0.1",
+    "nyc": "^14.0.0",
     "readable-mock-req": "^0.2.2",
     "request": "^2.88.0",
-    "sinon": "^6.3.4",
+    "sinon": "^7.0.0",
     "timekeeper": "^2.1.2"
   },
   "engines": {