openid-client 5.0.2 → 5.1.3

package/README.md

@@ -45,7 +45,8 @@ openid-client.
 - [OpenID Connect RP-Initiated Logout 1.0 - draft 01][feature-rp-logout]
 - [Financial-grade API Security Profile 1.0 - Part 2: Advanced (FAPI)][feature-fapi]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - ID1][feature-jarm]
-- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][feature-dpop]
+- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 04][feature-dpop]
+- [OAuth 2.0 Authorization Server Issuer Identification - draft-04][feature-iss]
 
 Updates to draft specifications (DPoP, JARM, etc) are released as MINOR library versions,
 if you utilize these specification implementations consider using the tilde `~` operator in your
@@ -276,9 +277,10 @@ See [Customizing (docs)][documentation-customizing].
 [feature-rp-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-01.html
 [feature-jarm]: https://openid.net/specs/openid-financial-api-jarm-ID1.html
 [feature-fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
-[feature-dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-03
+[feature-dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-04
 [feature-par]: https://www.rfc-editor.org/rfc/rfc9126.html
 [feature-jar]: https://www.rfc-editor.org/rfc/rfc9101.html
+[feature-iss]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-iss-auth-resp-04
 [openid-certified-link]: https://openid.net/certification/
 [passport-url]: http://passportjs.org
 [npm-url]: https://www.npmjs.com/package/openid-client

package/lib/client.js

@@ -12,6 +12,7 @@ const isKeyObject = require('./helpers/is_key_object');
 const decodeJWT = require('./helpers/decode_jwt');
 const base64url = require('./helpers/base64url');
 const defaults = require('./helpers/defaults');
+const parseWwwAuthenticate = require('./helpers/www_authenticate_parser');
 const { assertSigningAlgValuesSupport, assertIssuerConfiguration } = require('./helpers/assert');
 const pick = require('./helpers/pick');
 const isPlainObject = require('./helpers/is_plain_object');
@@ -30,26 +31,30 @@ const { queryKeyStore } = require('./helpers/issuer');
 const DeviceFlowHandle = require('./device_flow_handle');
 
 const [major, minor] = process.version
-  .substr(1)
+  .slice(1)
   .split('.')
   .map((str) => parseInt(str, 10));
 
 const rsaPssParams = major >= 17 || (major === 16 && minor >= 9);
+const retryAttempt = Symbol();
+const skipNonceCheck = Symbol();
+const skipMaxAgeCheck = Symbol();
 
 function pickCb(input) {
   return pick(
     input,
     'access_token', // OAuth 2.0
     'code', // OAuth 2.0
-    'error', // OAuth 2.0
     'error_description', // OAuth 2.0
     'error_uri', // OAuth 2.0
+    'error', // OAuth 2.0
     'expires_in', // OAuth 2.0
     'id_token', // OIDC Core 1.0
+    'iss', // draft-ietf-oauth-iss-auth-resp
+    'response', // FAPI JARM
+    'session_state', // OIDC Session Management
     'state', // OAuth 2.0
     'token_type', // OAuth 2.0
-    'session_state', // OIDC Session Management
-    'response', // FAPI JARM
   );
 }
 
@@ -396,6 +401,25 @@ class BaseClient {
       });
     }
 
+    if ('iss' in params) {
+      assertIssuerConfiguration(this.issuer, 'issuer');
+      if (params.iss !== this.issuer.issuer) {
+        throw new RPError({
+          printf: ['iss mismatch, expected %s, got: %s', this.issuer.issuer, params.iss],
+          params,
+        });
+      }
+    } else if (
+      this.issuer.authorization_response_iss_parameter_supported &&
+      !('id_token' in params) &&
+      !('response' in parameters)
+    ) {
+      throw new RPError({
+        message: 'iss missing from the response',
+        params,
+      });
+    }
+
     if (params.error) {
       throw new OPError(params);
     }
@@ -522,10 +546,37 @@ class BaseClient {
       });
     }
 
+    if ('iss' in params) {
+      assertIssuerConfiguration(this.issuer, 'issuer');
+      if (params.iss !== this.issuer.issuer) {
+        throw new RPError({
+          printf: ['iss mismatch, expected %s, got: %s', this.issuer.issuer, params.iss],
+          params,
+        });
+      }
+    } else if (
+      this.issuer.authorization_response_iss_parameter_supported &&
+      !('id_token' in params) &&
+      !('response' in parameters)
+    ) {
+      throw new RPError({
+        message: 'iss missing from the response',
+        params,
+      });
+    }
+
     if (params.error) {
       throw new OPError(params);
     }
 
+    if ('id_token' in params) {
+      throw new RPError({
+        message:
+          'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
+        params,
+      });
+    }
+
     const RESPONSE_TYPE_REQUIRED_PARAMS = {
       code: ['code'],
       token: ['access_token', 'token_type'],
@@ -569,6 +620,14 @@ class BaseClient {
         { clientAssertionPayload, DPoP },
       );
 
+      if ('id_token' in tokenset) {
+        throw new RPError({
+          message:
+            'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
+          params,
+        });
+      }
+
       if (tokenset.scope && checks.scope && this.fapi()) {
         const expected = new Set(checks.scope.split(' '));
         const actual = tokenset.scope.split(' ');
@@ -705,7 +764,7 @@ class BaseClient {
     const timestamp = now();
     const { protected: header, payload, key } = await this.validateJWT(idToken, expectedAlg);
 
-    if (maxAge || (maxAge !== null && this.require_auth_time)) {
+    if (typeof maxAge === 'number' || (maxAge !== skipMaxAgeCheck && this.require_auth_time)) {
       if (!payload.auth_time) {
         throw new RPError({
           message: 'missing required JWT property auth_time',
@@ -720,7 +779,7 @@ class BaseClient {
       }
     }
 
-    if (maxAge && payload.auth_time + maxAge < timestamp - this[CLOCK_TOLERANCE]) {
+    if (typeof maxAge === 'number' && payload.auth_time + maxAge < timestamp - this[CLOCK_TOLERANCE]) {
       throw new RPError({
         printf: [
           'too much time has elapsed since the last End-User authentication, max_age %i, auth_time: %i, now %i',
@@ -735,7 +794,7 @@ class BaseClient {
       });
     }
 
-    if (nonce !== null && (payload.nonce || nonce !== undefined) && payload.nonce !== nonce) {
+    if (nonce !== skipNonceCheck && (payload.nonce || nonce !== undefined) && payload.nonce !== nonce) {
       throw new RPError({
         printf: ['nonce mismatch, expected %s, got: %s', nonce, payload.nonce],
         jwt: idToken,
@@ -1033,7 +1092,7 @@ class BaseClient {
 
     if (tokenset.id_token) {
       await this.decryptIdToken(tokenset);
-      await this.validateIdToken(tokenset, null, 'token', null);
+      await this.validateIdToken(tokenset, skipNonceCheck, 'token', skipMaxAgeCheck);
 
       if (refreshToken instanceof TokenSet && refreshToken.id_token) {
         const expectedSub = refreshToken.claims().sub;
@@ -1064,6 +1123,7 @@ class BaseClient {
         ? accessToken.token_type
         : 'Bearer',
     } = {},
+    retry,
   ) {
     if (accessToken instanceof TokenSet) {
       if (!accessToken.access_token) {
@@ -1088,7 +1148,7 @@ class BaseClient {
 
     const mTLS = !!this.tls_client_certificate_bound_access_tokens;
 
-    return request.call(
+    const response = await request.call(
       this,
       {
         ...requestOpts,
@@ -1098,6 +1158,24 @@ class BaseClient {
       },
       { accessToken, mTLS, DPoP },
     );
+
+    const wwwAuthenticate = response.headers['www-authenticate'];
+    if (
+      retry !== retryAttempt &&
+      wwwAuthenticate &&
+      wwwAuthenticate.toLowerCase().startsWith('dpop ') &&
+      parseWwwAuthenticate(wwwAuthenticate).error === 'use_dpop_nonce'
+    ) {
+      return this.requestResource(resourceUrl, accessToken, {
+        method,
+        headers,
+        body,
+        DPoP,
+        tokenType,
+      });
+    }
+
+    return response;
   }
 
   async userinfo(accessToken, { method = 'GET', via = 'header', tokenType, params, DPoP } = {}) {
@@ -1243,15 +1321,10 @@ class BaseClient {
       return this.encryptionSecret(parseInt(RegExp.$2 || RegExp.$1, 10));
     }
 
-    const secret = Buffer.alloc(
-      Math.max(parseInt(alg.substr(-3), 10) >> 3, this.client_secret.length),
-    );
-    secret.write(this.client_secret);
-
-    return secret;
+    return new TextEncoder().encode(this.client_secret);
   }
 
-  async grant(body, { clientAssertionPayload, DPoP } = {}) {
+  async grant(body, { clientAssertionPayload, DPoP } = {}, retry) {
     assertIssuerConfiguration(this.issuer, 'token_endpoint');
     const response = await authenticatedPost.call(
       this,
@@ -1262,7 +1335,15 @@ class BaseClient {
       },
       { clientAssertionPayload, DPoP },
     );
-    const responseBody = processResponse(response);
+    let responseBody;
+    try {
+      responseBody = processResponse(response);
+    } catch (err) {
+      if (retry !== retryAttempt && err instanceof OPError && err.error === 'use_dpop_nonce') {
+        return this.grant(body, { clientAssertionPayload, DPoP }, retryAttempt);
+      }
+      throw err;
+    }
 
     return new TokenSet(responseBody);
   }
@@ -1724,7 +1805,7 @@ Object.defineProperty(BaseClient.prototype, 'dpopProof', {
   configurable: true,
   value(...args) {
     process.emitWarning(
-      'The DPoP APIs implements an IETF draft (https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-03.html). Breaking draft implementations are included as minor versions of the openid-client library, therefore, the ~ semver operator should be used and close attention be payed to library changelog as well as the drafts themselves.',
+      'The DPoP APIs implements an IETF draft (https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html). Breaking draft implementations are included as minor versions of the openid-client library, therefore, the ~ semver operator should be used and close attention be payed to library changelog as well as the drafts themselves.',
       'DraftWarning',
     );
     Object.defineProperty(BaseClient.prototype, 'dpopProof', {

package/lib/helpers/issuer.js

@@ -38,7 +38,7 @@ async function getKeyStore(reload = false) {
             responseType: 'json',
             url: this.jwks_uri,
             headers: {
-              Accept: 'application/json',
+              Accept: 'application/json, application/jwk-set+json',
             },
           })
           .finally(() => {

package/lib/helpers/keystore.js

@@ -39,7 +39,7 @@ const keyscore = (key, { alg, use }) => {
 };
 
 function getKtyFromAlg(alg) {
-  switch (typeof alg === 'string' && alg.substr(0, 2)) {
+  switch (typeof alg === 'string' && alg.slice(0, 2)) {
     case 'RS':
     case 'PS':
       return 'RSA';
@@ -68,7 +68,7 @@ function getAlgorithms(use, alg, kty, crv) {
       }
 
       if (use === 'sig' || use === undefined) {
-        algs = algs.concat([`ES${crv.substr(-3)}`.replace('21', '12')]);
+        algs = algs.concat([`ES${crv.slice(-3)}`.replace('21', '12')]);
       }
 
       return new Set(algs);

package/lib/helpers/pick.js

@@ -1,7 +1,7 @@
 module.exports = function pick(object, ...paths) {
   const obj = {};
   for (const path of paths) {
-    if (object[path]) {
+    if (object[path] !== undefined) {
       obj[path] = object[path];
     }
   }

package/lib/helpers/process_response.js

@@ -2,17 +2,10 @@ const { STATUS_CODES } = require('http');
 const { format } = require('util');
 
 const { OPError } = require('../errors');
+const parseWwwAuthenticate = require('./www_authenticate_parser');
 
-const REGEXP = /(\w+)=("[^"]*")/g;
 const throwAuthenticateErrors = (response) => {
-  const params = {};
-  try {
-    while (REGEXP.exec(response.headers['www-authenticate']) !== null) {
-      if (RegExp.$1 && RegExp.$2) {
-        params[RegExp.$1] = RegExp.$2.slice(1, -1);
-      }
-    }
-  } catch (err) {}
+  const params = parseWwwAuthenticate(response.headers['www-authenticate']);
 
   if (params.error) {
     throw new OPError(params, response);

package/lib/helpers/request.js

@@ -4,6 +4,8 @@ const http = require('http');
 const https = require('https');
 const { once } = require('events');
 
+const LRU = require('lru-cache');
+
 const pkg = require('../../package.json');
 const { RPError } = require('../errors');
 
@@ -12,6 +14,7 @@ const { deep: defaultsDeep } = require('./defaults');
 const { HTTP_OPTIONS } = require('./consts');
 
 let DEFAULT_HTTP_OPTIONS;
+const NQCHAR = /^[\x21\x23-\x5B\x5D-\x7E]+$/;
 
 const allowed = [
   'agent',
@@ -52,6 +55,8 @@ function send(req, body, contentType) {
   req.end();
 }
 
+const nonces = new LRU({ max: 100 });
+
 module.exports = async function request(options, { accessToken, mTLS = false, DPoP } = {}) {
   let url;
   try {
@@ -64,12 +69,14 @@ module.exports = async function request(options, { accessToken, mTLS = false, DP
   const optsFn = this[HTTP_OPTIONS];
   let opts = options;
 
+  const nonceKey = `${url.origin}${url.pathname}`;
   if (DPoP && 'dpopProof' in this) {
     opts.headers = opts.headers || {};
     opts.headers.DPoP = await this.dpopProof(
       {
-        htu: url,
+        htu: url.href,
         htm: options.method,
+        nonce: nonces.get(nonceKey),
       },
       DPoP,
       accessToken,
@@ -173,10 +180,17 @@ module.exports = async function request(options, { accessToken, mTLS = false, DP
     }
 
     return response;
-  })().catch((err) => {
-    Object.defineProperty(err, 'response', { value: response });
-    throw err;
-  });
+  })()
+    .catch((err) => {
+      if (response) Object.defineProperty(err, 'response', { value: response });
+      throw err;
+    })
+    .finally(() => {
+      const dpopNonce = response && response.headers['dpop-nonce'];
+      if (dpopNonce && NQCHAR.test(dpopNonce)) {
+        nonces.set(nonceKey, dpopNonce);
+      }
+    });
 };
 
 module.exports.setDefaults = setDefaults.bind(undefined, allowed);

package/lib/helpers/www_authenticate_parser.js

@@ -0,0 +1,14 @@
+const REGEXP = /(\w+)=("[^"]*")/g;
+
+module.exports = (wwwAuthenticate) => {
+  const params = {};
+  try {
+    while (REGEXP.exec(wwwAuthenticate) !== null) {
+      if (RegExp.$1 && RegExp.$2) {
+        params[RegExp.$1] = RegExp.$2.slice(1, -1);
+      }
+    }
+  } catch (err) {}
+
+  return params;
+};

package/lib/issuer.js

@@ -16,7 +16,7 @@ const AAD_MULTITENANT_DISCOVERY = [
   'https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration',
   'https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration',
 ];
-const AAD_MULTITENANT = Symbol('AAD_MULTITENANT');
+const AAD_MULTITENANT = Symbol();
 const ISSUER_DEFAULTS = {
   claim_types_supported: ['normal'],
   claims_parameter_supported: false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openid-client",
-  "version": "5.0.2",
+  "version": "5.1.3",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs",
   "keywords": [
     "auth",
@@ -51,7 +51,7 @@
     ]
   },
   "dependencies": {
-    "jose": "^4.1.0",
+    "jose": "^4.1.4",
     "lru-cache": "^6.0.0",
     "object-hash": "^2.0.1",
     "oidc-token-hash": "^5.0.1"
@@ -84,7 +84,7 @@
       },
       {
         "type": "fix",
-        "section": "Bug Fixes"
+        "section": "Fixes"
       },
       {
         "type": "chore",

package/types/index.d.ts

@@ -382,6 +382,7 @@ declare class BaseClient {
 }
 
 interface DeviceFlowPollOptions {
+  // @ts-ignore
   signal?: AbortSignal;
 }