openid-client 5.1.1 → 5.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/lib/client.js CHANGED
@@ -37,6 +37,8 @@ const [major, minor] = process.version
37
37
 
38
38
  const rsaPssParams = major >= 17 || (major === 16 && minor >= 9);
39
39
  const retryAttempt = Symbol();
40
+ const skipNonceCheck = Symbol();
41
+ const skipMaxAgeCheck = Symbol();
40
42
 
41
43
  function pickCb(input) {
42
44
  return pick(
@@ -762,7 +764,7 @@ class BaseClient {
762
764
  const timestamp = now();
763
765
  const { protected: header, payload, key } = await this.validateJWT(idToken, expectedAlg);
764
766
 
765
- if (maxAge || (maxAge !== null && this.require_auth_time)) {
767
+ if (typeof maxAge === 'number' || (maxAge !== skipMaxAgeCheck && this.require_auth_time)) {
766
768
  if (!payload.auth_time) {
767
769
  throw new RPError({
768
770
  message: 'missing required JWT property auth_time',
@@ -777,7 +779,7 @@ class BaseClient {
777
779
  }
778
780
  }
779
781
 
780
- if (maxAge && payload.auth_time + maxAge < timestamp - this[CLOCK_TOLERANCE]) {
782
+ if (typeof maxAge === 'number' && payload.auth_time + maxAge < timestamp - this[CLOCK_TOLERANCE]) {
781
783
  throw new RPError({
782
784
  printf: [
783
785
  'too much time has elapsed since the last End-User authentication, max_age %i, auth_time: %i, now %i',
@@ -792,7 +794,7 @@ class BaseClient {
792
794
  });
793
795
  }
794
796
 
795
- if (nonce !== null && (payload.nonce || nonce !== undefined) && payload.nonce !== nonce) {
797
+ if (nonce !== skipNonceCheck && (payload.nonce || nonce !== undefined) && payload.nonce !== nonce) {
796
798
  throw new RPError({
797
799
  printf: ['nonce mismatch, expected %s, got: %s', nonce, payload.nonce],
798
800
  jwt: idToken,
@@ -1090,7 +1092,7 @@ class BaseClient {
1090
1092
 
1091
1093
  if (tokenset.id_token) {
1092
1094
  await this.decryptIdToken(tokenset);
1093
- await this.validateIdToken(tokenset, null, 'token', null);
1095
+ await this.validateIdToken(tokenset, skipNonceCheck, 'token', skipMaxAgeCheck);
1094
1096
 
1095
1097
  if (refreshToken instanceof TokenSet && refreshToken.id_token) {
1096
1098
  const expectedSub = refreshToken.claims().sub;
@@ -38,7 +38,7 @@ async function getKeyStore(reload = false) {
38
38
  responseType: 'json',
39
39
  url: this.jwks_uri,
40
40
  headers: {
41
- Accept: 'application/json',
41
+ Accept: 'application/json, application/jwk-set+json',
42
42
  },
43
43
  })
44
44
  .finally(() => {
@@ -74,7 +74,7 @@ module.exports = async function request(options, { accessToken, mTLS = false, DP
74
74
  opts.headers = opts.headers || {};
75
75
  opts.headers.DPoP = await this.dpopProof(
76
76
  {
77
- htu: url.href,
77
+ htu: `${url.origin}${url.pathname}`,
78
78
  htm: options.method,
79
79
  nonce: nonces.get(nonceKey),
80
80
  },
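--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "openid-client",
-"version": "5.1.1",
+"version": "5.1.4",
 "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs",
 "keywords": [
 "auth",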