openid-client 5.0.2 → 5.1.0

package/README.md

@@ -45,7 +45,8 @@ openid-client.
 - [OpenID Connect RP-Initiated Logout 1.0 - draft 01][feature-rp-logout]
 - [Financial-grade API Security Profile 1.0 - Part 2: Advanced (FAPI)][feature-fapi]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - ID1][feature-jarm]
-- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][feature-dpop]
+- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 04][feature-dpop]
+- [OAuth 2.0 Authorization Server Issuer Identification - draft-04][feature-iss]
 
 Updates to draft specifications (DPoP, JARM, etc) are released as MINOR library versions,
 if you utilize these specification implementations consider using the tilde `~` operator in your
@@ -276,9 +277,10 @@ See [Customizing (docs)][documentation-customizing].
 [feature-rp-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-01.html
 [feature-jarm]: https://openid.net/specs/openid-financial-api-jarm-ID1.html
 [feature-fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
-[feature-dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-03
+[feature-dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-04
 [feature-par]: https://www.rfc-editor.org/rfc/rfc9126.html
 [feature-jar]: https://www.rfc-editor.org/rfc/rfc9101.html
+[feature-iss]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-iss-auth-resp-04
 [openid-certified-link]: https://openid.net/certification/
 [passport-url]: http://passportjs.org
 [npm-url]: https://www.npmjs.com/package/openid-client

package/lib/client.js

@@ -12,6 +12,7 @@ const isKeyObject = require('./helpers/is_key_object');
 const decodeJWT = require('./helpers/decode_jwt');
 const base64url = require('./helpers/base64url');
 const defaults = require('./helpers/defaults');
+const parseWwwAuthenticate = require('./helpers/www_authenticate_parser');
 const { assertSigningAlgValuesSupport, assertIssuerConfiguration } = require('./helpers/assert');
 const pick = require('./helpers/pick');
 const isPlainObject = require('./helpers/is_plain_object');
@@ -35,21 +36,23 @@ const [major, minor] = process.version
   .map((str) => parseInt(str, 10));
 
 const rsaPssParams = major >= 17 || (major === 16 && minor >= 9);
+const retryAttempt = Symbol();
 
 function pickCb(input) {
   return pick(
     input,
     'access_token', // OAuth 2.0
     'code', // OAuth 2.0
-    'error', // OAuth 2.0
     'error_description', // OAuth 2.0
     'error_uri', // OAuth 2.0
+    'error', // OAuth 2.0
     'expires_in', // OAuth 2.0
     'id_token', // OIDC Core 1.0
+    'iss', // draft-ietf-oauth-iss-auth-resp
+    'response', // FAPI JARM
+    'session_state', // OIDC Session Management
     'state', // OAuth 2.0
     'token_type', // OAuth 2.0
-    'session_state', // OIDC Session Management
-    'response', // FAPI JARM
   );
 }
 
@@ -396,6 +399,25 @@ class BaseClient {
       });
     }
 
+    if ('iss' in params) {
+      assertIssuerConfiguration(this.issuer, 'issuer');
+      if (params.iss !== this.issuer.issuer) {
+        throw new RPError({
+          printf: ['iss mismatch, expected %s, got: %s', this.issuer.issuer, params.iss],
+          params,
+        });
+      }
+    } else if (
+      this.issuer.authorization_response_iss_parameter_supported &&
+      !('id_token' in params) &&
+      !('response' in parameters)
+    ) {
+      throw new RPError({
+        message: 'iss missing from the response',
+        params,
+      });
+    }
+
     if (params.error) {
       throw new OPError(params);
     }
@@ -522,10 +544,37 @@ class BaseClient {
       });
     }
 
+    if ('iss' in params) {
+      assertIssuerConfiguration(this.issuer, 'issuer');
+      if (params.iss !== this.issuer.issuer) {
+        throw new RPError({
+          printf: ['iss mismatch, expected %s, got: %s', this.issuer.issuer, params.iss],
+          params,
+        });
+      }
+    } else if (
+      this.issuer.authorization_response_iss_parameter_supported &&
+      !('id_token' in params) &&
+      !('response' in parameters)
+    ) {
+      throw new RPError({
+        message: 'iss missing from the response',
+        params,
+      });
+    }
+
     if (params.error) {
       throw new OPError(params);
     }
 
+    if ('id_token' in params) {
+      throw new RPError({
+        message:
+          'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
+        params,
+      });
+    }
+
     const RESPONSE_TYPE_REQUIRED_PARAMS = {
       code: ['code'],
       token: ['access_token', 'token_type'],
@@ -569,6 +618,14 @@ class BaseClient {
         { clientAssertionPayload, DPoP },
       );
 
+      if ('id_token' in tokenset) {
+        throw new RPError({
+          message:
+            'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
+          params,
+        });
+      }
+
       if (tokenset.scope && checks.scope && this.fapi()) {
         const expected = new Set(checks.scope.split(' '));
         const actual = tokenset.scope.split(' ');
@@ -1064,6 +1121,7 @@ class BaseClient {
         ? accessToken.token_type
         : 'Bearer',
     } = {},
+    retry,
   ) {
     if (accessToken instanceof TokenSet) {
       if (!accessToken.access_token) {
@@ -1088,7 +1146,7 @@ class BaseClient {
 
     const mTLS = !!this.tls_client_certificate_bound_access_tokens;
 
-    return request.call(
+    const response = await request.call(
       this,
       {
         ...requestOpts,
@@ -1098,6 +1156,24 @@ class BaseClient {
       },
       { accessToken, mTLS, DPoP },
     );
+
+    const wwwAuthenticate = response.headers['www-authenticate'];
+    if (
+      retry !== retryAttempt &&
+      wwwAuthenticate &&
+      wwwAuthenticate.toLowerCase().startsWith('dpop ') &&
+      parseWwwAuthenticate(wwwAuthenticate).error === 'use_dpop_nonce'
+    ) {
+      return this.requestResource(resourceUrl, accessToken, {
+        method,
+        headers,
+        body,
+        DPoP,
+        tokenType,
+      });
+    }
+
+    return response;
   }
 
   async userinfo(accessToken, { method = 'GET', via = 'header', tokenType, params, DPoP } = {}) {
@@ -1243,15 +1319,10 @@ class BaseClient {
       return this.encryptionSecret(parseInt(RegExp.$2 || RegExp.$1, 10));
     }
 
-    const secret = Buffer.alloc(
-      Math.max(parseInt(alg.substr(-3), 10) >> 3, this.client_secret.length),
-    );
-    secret.write(this.client_secret);
-
-    return secret;
+    return new TextEncoder().encode(this.client_secret);
   }
 
-  async grant(body, { clientAssertionPayload, DPoP } = {}) {
+  async grant(body, { clientAssertionPayload, DPoP } = {}, retry) {
     assertIssuerConfiguration(this.issuer, 'token_endpoint');
     const response = await authenticatedPost.call(
       this,
@@ -1262,7 +1333,15 @@ class BaseClient {
       },
       { clientAssertionPayload, DPoP },
     );
-    const responseBody = processResponse(response);
+    let responseBody;
+    try {
+      responseBody = processResponse(response);
+    } catch (err) {
+      if (retry !== retryAttempt && err instanceof OPError && err.error === 'use_dpop_nonce') {
+        return this.grant(body, { clientAssertionPayload, DPoP }, retryAttempt);
+      }
+      throw err;
+    }
 
     return new TokenSet(responseBody);
   }
@@ -1724,7 +1803,7 @@ Object.defineProperty(BaseClient.prototype, 'dpopProof', {
   configurable: true,
   value(...args) {
     process.emitWarning(
-      'The DPoP APIs implements an IETF draft (https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html). Breaking draft implementations are included as minor versions of the openid-client library, therefore, the ~ semver operator should be used and close attention be payed to library changelog as well as the drafts themselves.',
+      'The DPoP APIs implements an IETF draft (https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html). Breaking draft implementations are included as minor versions of the openid-client library, therefore, the ~ semver operator should be used and close attention be payed to library changelog as well as the drafts themselves.',
       'DraftWarning',
     );
     Object.defineProperty(BaseClient.prototype, 'dpopProof', {

package/lib/helpers/process_response.js

@@ -2,17 +2,10 @@ const { STATUS_CODES } = require('http');
 const { format } = require('util');
 
 const { OPError } = require('../errors');
+const parseWwwAuthenticate = require('./www_authenticate_parser');
 
-const REGEXP = /(\w+)=("[^"]*")/g;
 const throwAuthenticateErrors = (response) => {
-  const params = {};
-  try {
-    while (REGEXP.exec(response.headers['www-authenticate']) !== null) {
-      if (RegExp.$1 && RegExp.$2) {
-        params[RegExp.$1] = RegExp.$2.slice(1, -1);
-      }
-    }
-  } catch (err) {}
+  const params = parseWwwAuthenticate(response.headers['www-authenticate']);
 
   if (params.error) {
     throw new OPError(params, response);

package/lib/helpers/request.js

@@ -4,6 +4,8 @@ const http = require('http');
 const https = require('https');
 const { once } = require('events');
 
+const LRU = require('lru-cache');
+
 const pkg = require('../../package.json');
 const { RPError } = require('../errors');
 
@@ -12,6 +14,7 @@ const { deep: defaultsDeep } = require('./defaults');
 const { HTTP_OPTIONS } = require('./consts');
 
 let DEFAULT_HTTP_OPTIONS;
+const NQCHAR = /^[\x21\x23-\x5B\x5D-\x7E]+$/;
 
 const allowed = [
   'agent',
@@ -52,6 +55,8 @@ function send(req, body, contentType) {
   req.end();
 }
 
+const nonces = new LRU({ max: 100 });
+
 module.exports = async function request(options, { accessToken, mTLS = false, DPoP } = {}) {
   let url;
   try {
@@ -64,12 +69,14 @@ module.exports = async function request(options, { accessToken, mTLS = false, DP
   const optsFn = this[HTTP_OPTIONS];
   let opts = options;
 
+  const nonceKey = `${url.origin}${url.pathname}`;
   if (DPoP && 'dpopProof' in this) {
     opts.headers = opts.headers || {};
     opts.headers.DPoP = await this.dpopProof(
       {
-        htu: url,
+        htu: url.href,
         htm: options.method,
+        nonce: nonces.get(nonceKey),
       },
       DPoP,
       accessToken,
@@ -173,10 +180,17 @@ module.exports = async function request(options, { accessToken, mTLS = false, DP
     }
 
     return response;
-  })().catch((err) => {
-    Object.defineProperty(err, 'response', { value: response });
-    throw err;
-  });
+  })()
+    .catch((err) => {
+      if (response) Object.defineProperty(err, 'response', { value: response });
+      throw err;
+    })
+    .finally(() => {
+      const dpopNonce = response && response.headers['dpop-nonce'];
+      if (dpopNonce && NQCHAR.test(dpopNonce)) {
+        nonces.set(nonceKey, dpopNonce);
+      }
+    });
 };
 
 module.exports.setDefaults = setDefaults.bind(undefined, allowed);

package/lib/helpers/www_authenticate_parser.js

@@ -0,0 +1,14 @@
+const REGEXP = /(\w+)=("[^"]*")/g;
+
+module.exports = (wwwAuthenticate) => {
+  const params = {};
+  try {
+    while (REGEXP.exec(wwwAuthenticate) !== null) {
+      if (RegExp.$1 && RegExp.$2) {
+        params[RegExp.$1] = RegExp.$2.slice(1, -1);
+      }
+    }
+  } catch (err) {}
+
+  return params;
+};

package/lib/issuer.js

@@ -16,7 +16,7 @@ const AAD_MULTITENANT_DISCOVERY = [
   'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration',
   'https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration',
 ];
-const AAD_MULTITENANT = Symbol('AAD_MULTITENANT');
+const AAD_MULTITENANT = Symbol();
 const ISSUER_DEFAULTS = {
   claim_types_supported: ['normal'],
   claims_parameter_supported: false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openid-client",
-  "version": "5.0.2",
+  "version": "5.1.0",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs",
   "keywords": [
     "auth",
@@ -51,7 +51,7 @@
     ]
   },
   "dependencies": {
-    "jose": "^4.1.0",
+    "jose": "^4.1.4",
     "lru-cache": "^6.0.0",
     "object-hash": "^2.0.1",
     "oidc-token-hash": "^5.0.1"

package/types/index.d.ts

@@ -382,6 +382,7 @@ declare class BaseClient {
 }
 
 interface DeviceFlowPollOptions {
+  // @ts-ignore
   signal?: AbortSignal;
 }