openid-client 3.14.1 → 3.15.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +36 -0
- package/lib/client.js +26 -9
- package/package.json +2 -2
- package/types/index.d.ts +7 -1
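--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,42 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [3.15.2](https://github.com/panva/node-openid-client/compare/v3.15.1...v3.15.2) (2020-06-01)
+
+
+### Bug Fixes
+
+* allow any JSON numeric value for timestamp values ([a24a759](https://github.com/panva/node-openid-client/commit/a24a7596c038bacd5bdbfc5b8678a96e62b86fd2)), closes [#263](https://github.com/panva/node-openid-client/issues/263)
+
+
+
+## [3.15.1](https://github.com/panva/node-openid-client/compare/v3.15.0...v3.15.1) (2020-05-12)
+
+
+### Bug Fixes
+
+* A192CBC-HS384 and A256CBC-HS512 direct encryption key derivation ([c356bbe](https://github.com/panva/node-openid-client/commit/c356bbeaba1e28b6a56534b9ba503cb536c14d57))
+
+
+
+# [3.15.0](https://github.com/panva/node-openid-client/compare/v3.14.2...v3.15.0) (2020-04-28)
+
+
+### Features
+
+* add RPError indicators for unix timestamp comparison failures ([fe3db5c](https://github.com/panva/node-openid-client/commit/fe3db5c46a04cab024901782f202d08234b4cd96)), closes [#250](https://github.com/panva/node-openid-client/issues/250)
+
+
+
+## [3.14.2](https://github.com/panva/node-openid-client/compare/v3.14.1...v3.14.2) (2020-04-07)
+
+
+### Bug Fixes
+
+* **typescript:** add options arg to TypeOfGenericClient ([b97b028](https://github.com/panva/node-openid-client/commit/b97b0288d5d79f25cad3d0009212878c5d42a2e0))
+
+
+
 ## [3.14.1](https://github.com/panva/node-openid-client/compare/v3.14.0...v3.14.1) (2020-03-21)
 
 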
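--- a/package/lib/client.js
+++ b/package/lib/client.js
@@ -711,9 +711,9 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 jwt: idToken,
 });
 }
-if (
+if (typeof payload.auth_time !== 'number') {
 throw new RPError({
-message: 'JWT auth_time claim must be a JSON
+message: 'JWT auth_time claim must be a JSON numeric value',
 jwt: idToken,
 });
 }
@@ -722,6 +722,9 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 if (maxAge && (payload.auth_time + maxAge < timestamp - this[CLOCK_TOLERANCE])) {
 throw new RPError({
 printf: ['too much time has elapsed since the last End-User authentication, max_age %i, auth_time: %i, now %i', maxAge, payload.auth_time, timestamp - this[CLOCK_TOLERANCE]],
+now: timestamp,
+tolerance: this[CLOCK_TOLERANCE],
+auth_time: payload.auth_time,
 jwt: idToken,
 });
 }
@@ -754,6 +757,9 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 if (payload.iat < timestamp - 3600) {
 throw new RPError({
 printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
+now: timestamp,
+tolerance: this[CLOCK_TOLERANCE],
+iat: payload.iat,
 jwt: idToken,
 });
 }
@@ -846,39 +852,45 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 }
 
 if (payload.iat !== undefined) {
-if (
+if (typeof payload.iat !== 'number') {
 throw new RPError({
-message: 'JWT iat claim must be a JSON
+message: 'JWT iat claim must be a JSON numeric value',
 jwt,
 });
 }
 }
 
 if (payload.nbf !== undefined) {
-if (
+if (typeof payload.nbf !== 'number') {
 throw new RPError({
-message: 'JWT nbf claim must be a JSON
+message: 'JWT nbf claim must be a JSON numeric value',
 jwt,
 });
 }
 if (payload.nbf > timestamp + this[CLOCK_TOLERANCE]) {
 throw new RPError({
 printf: ['JWT not active yet, now %i, nbf %i', timestamp + this[CLOCK_TOLERANCE], payload.nbf],
+now: timestamp,
+tolerance: this[CLOCK_TOLERANCE],
+nbf: payload.nbf,
 jwt,
 });
 }
 }
 
 if (payload.exp !== undefined) {
-if (
+if (typeof payload.exp !== 'number') {
 throw new RPError({
-message: 'JWT exp claim must be a JSON
+message: 'JWT exp claim must be a JSON numeric value',
 jwt,
 });
 }
 if (timestamp - this[CLOCK_TOLERANCE] >= payload.exp) {
 throw new RPError({
 printf: ['JWT expired, now %i, exp %i', timestamp - this[CLOCK_TOLERANCE], payload.exp],
+now: timestamp,
+tolerance: this[CLOCK_TOLERANCE],
+exp: payload.exp,
 jwt,
 });
 }
@@ -1179,7 +1191,12 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 return instance(this).get(cacheKey);
 }
 
-const
+const hash = len <= 256 ? 'sha256' : len <= 384 ? 'sha384' : len <= 512 ? 'sha512' : false; // eslint-disable-line no-nested-ternary
+if (!hash) {
+throw new Error('unsupported symmetric encryption key derivation');
+}
+
+const derivedBuffer = crypto.createHash(hash)
 .update(this.client_secret)
 .digest()
 .slice(0, len / 8);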
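--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "openid-client",
-"version": "3.
+"version": "3.15.2",
 "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs",
 "keywords": [
 "auth",
@@ -44,7 +44,7 @@
 "@types/got": "^9.6.9",
 "base64url": "^3.0.1",
 "got": "^9.6.0",
-"jose": "^1.
+"jose": "^1.27.1",
 "lodash": "^4.17.15",
 "lru-cache": "^5.1.1",
 "make-error": "^1.3.6",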
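--- a/package/types/index.d.ts
+++ b/package/types/index.d.ts
@@ -507,7 +507,7 @@ export interface MtlsEndpointAliases {
 // https://stackoverflow.com/questions/39622778/what-is-new-in-typescript
 // https://github.com/Microsoft/TypeScript/issues/204
 export interface TypeOfGenericClient<TClient extends Client> {
-new (metadata: ClientMetadata, jwks?: JSONWebKeySet): TClient;
+new (metadata: ClientMetadata, jwks?: JSONWebKeySet, options?: ClientOptions): TClient;
 [custom.http_options]: CustomHttpOptionsProvider;
 [custom.clock_tolerance]: number;
 }
@@ -779,5 +779,11 @@ export namespace errors {
 * from got.
 */
 response?: any;
+now?: number;
+tolerance?: number;
+nbf?: number;
+exp?: number;
+iat?: number;
+auth_time?: number;
 }
 }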
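Review bot: The six optional fields added at the end of the hunk at 779 (`now`, `tolerance`, `nbf`, `exp`, `iat`, `auth_time`) carry no TSDoc, unlike the neighbouring `response` field, so a consumer cannot tell from the types that `now` is the raw comparison timestamp and that the clock tolerance is reported separately in `tolerance` rather than already folded in. A one-line doc comment on each would settle that, e.g. `/** Timestamp the failing claim was compared against; tolerance is reported separately, not already applied. */` above `now?: number;` and `/** Clock tolerance that was in effect for the comparison. */` above `tolerance?: number;`, with the four claim fields noted as the offending claim value. The enclosing interface and namespace begin before the hunk.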