npm - openid-client - Versions diffs - 5.4.2 → 5.5.0 - Mend

openid-client 5.4.2 → 5.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -42,10 +42,10 @@ openid-client.
     - self_signed_tls_client_auth
 - [RFC9101 - OAuth 2.0 JWT-Secured Authorization Request (JAR)][feature-jar]
 - [RFC9126 - OAuth 2.0 Pushed Authorization Requests (PAR)][feature-par]
+- [RFC9449 - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)][feature-dpop]
 - [OpenID Connect RP-Initiated Logout 1.0][feature-rp-logout]
 - [Financial-grade API Security Profile 1.0 - Part 2: Advanced (FAPI)][feature-fapi]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)][feature-jarm]
-- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 04][feature-dpop]
 - [OAuth 2.0 Authorization Server Issuer Identification][feature-iss]
 Updates to draft specifications are released as MINOR library versions,
@@ -282,7 +282,7 @@ See [Customizing (docs)][documentation-customizing].
 [feature-rp-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0.html
 [feature-jarm]: https://openid.net/specs/oauth-v2-jarm.html
 [feature-fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
-[feature-dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-04
+[feature-dpop]: https://www.rfc-editor.org/rfc/rfc9449.html
 [feature-par]: https://www.rfc-editor.org/rfc/rfc9126.html
 [feature-jar]: https://www.rfc-editor.org/rfc/rfc9101.html
 [feature-iss]: https://www.rfc-editor.org/rfc/rfc9207.html

package/lib/client.js CHANGED Viewed

@@ -1612,6 +1612,66 @@ class BaseClient {
     const { payload } = await this.validateJWT(response, expectedAlg, ['iss', 'exp', 'aud']);
     return pickCb(payload);
   }
+  /**
+   * @name dpopProof
+   * @api private
+   */
+  async dpopProof(payload, privateKeyInput, accessToken) {
+    if (!isPlainObject(payload)) {
+      throw new TypeError('payload must be a plain object');
+    }
+    let privateKey;
+    if (isKeyObject(privateKeyInput)) {
+      privateKey = privateKeyInput;
+    } else {
+      privateKey = crypto.createPrivateKey(privateKeyInput);
+    }
+    if (privateKey.type !== 'private') {
+      throw new TypeError('"DPoP" option must be a private key');
+    }
+    let alg;
+    switch (privateKey.asymmetricKeyType) {
+      case 'ed25519':
+      case 'ed448':
+        alg = 'EdDSA';
+        break;
+      case 'ec':
+        alg = determineEcAlgorithm(privateKey, privateKeyInput);
+        break;
+      case 'rsa':
+      case rsaPssParams && 'rsa-pss':
+        alg = determineRsaAlgorithm(
+          privateKey,
+          privateKeyInput,
+          this.issuer.dpop_signing_alg_values_supported,
+        );
+        break;
+      default:
+        throw new TypeError('unsupported DPoP private key asymmetric key type');
+    }
+    if (!alg) {
+      throw new TypeError('could not determine DPoP JWS Algorithm');
+    }
+    return new jose.SignJWT({
+      ath: accessToken
+        ? base64url.encode(crypto.createHash('sha256').update(accessToken).digest())
+        : undefined,
+      ...payload,
+    })
+      .setProtectedHeader({
+        alg,
+        typ: 'dpop+jwt',
+        jwk: await getJwk(privateKey, privateKeyInput),
+      })
+      .setIssuedAt()
+      .setJti(random())
+      .sign(privateKey);
+  }
 }
 const RSPS = /^(?:RS|PS)(?:256|384|512)$/;
@@ -1706,83 +1766,6 @@ async function getJwk(privateKey, privateKeyInput) {
   return jwk;
 }
-/**
- * @name dpopProof
- * @api private
- */
-async function dpopProof(payload, privateKeyInput, accessToken) {
-  if (!isPlainObject(payload)) {
-    throw new TypeError('payload must be a plain object');
-  }
-  let privateKey;
-  if (isKeyObject(privateKeyInput)) {
-    privateKey = privateKeyInput;
-  } else {
-    privateKey = crypto.createPrivateKey(privateKeyInput);
-  }
-  if (privateKey.type !== 'private') {
-    throw new TypeError('"DPoP" option must be a private key');
-  }
-  let alg;
-  switch (privateKey.asymmetricKeyType) {
-    case 'ed25519':
-    case 'ed448':
-      alg = 'EdDSA';
-      break;
-    case 'ec':
-      alg = determineEcAlgorithm(privateKey, privateKeyInput);
-      break;
-    case 'rsa':
-    case rsaPssParams && 'rsa-pss':
-      alg = determineRsaAlgorithm(
-        privateKey,
-        privateKeyInput,
-        this.issuer.dpop_signing_alg_values_supported,
-      );
-      break;
-    default:
-      throw new TypeError('unsupported DPoP private key asymmetric key type');
-  }
-  if (!alg) {
-    throw new TypeError('could not determine DPoP JWS Algorithm');
-  }
-  return new jose.SignJWT({
-    ath: accessToken
-      ? base64url.encode(crypto.createHash('sha256').update(accessToken).digest())
-      : undefined,
-    ...payload,
-  })
-    .setProtectedHeader({
-      alg,
-      typ: 'dpop+jwt',
-      jwk: await getJwk(privateKey, privateKeyInput),
-    })
-    .setIssuedAt()
-    .setJti(random())
-    .sign(privateKey);
-}
-Object.defineProperty(BaseClient.prototype, 'dpopProof', {
-  enumerable: true,
-  configurable: true,
-  value(...args) {
-    process.emitWarning(
-      'The DPoP APIs implements an IETF draft (https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html). Breaking draft implementations are included as minor versions of the openid-client library, therefore, the ~ semver operator should be used and close attention be payed to library changelog as well as the drafts themselves.',
-      'DraftWarning',
-    );
-    Object.defineProperty(BaseClient.prototype, 'dpopProof', {
-      enumerable: true,
-      configurable: true,
-      value: dpopProof,
-    });
-    return this.dpopProof(...args);
-  },
-});
 module.exports = (issuer, aadIssValidation = false) =>
   class Client extends BaseClient {
     constructor(...args) {

package/lib/helpers/client.js CHANGED Viewed

@@ -81,7 +81,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
     case 'none':
       return { form: { client_id: this.client_id } };
     case 'client_secret_post':
-      if (!this.client_secret) {
+      if (typeof this.client_secret !== 'string') {
         throw new TypeError(
           'client_secret_post client authentication method requires a client_secret',
         );
@@ -120,7 +120,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
       // > Appendix B, and the encoded value is used as the username; the client
       // > password is encoded using the same algorithm and used as the
       // > password.
-      if (!this.client_secret) {
+      if (typeof this.client_secret !== 'string') {
         throw new TypeError(
           'client_secret_basic client authentication method requires a client_secret',
         );

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "openid-client",
-  "version": "5.4.2",
+  "version": "5.5.0",
   "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs",
   "keywords": [
     "auth",
@@ -45,19 +45,19 @@
     "test": "mocha test/**/*.test.js"
   },
   "dependencies": {
-    "jose": "^4.14.1",
+    "jose": "^4.14.4",
     "lru-cache": "^6.0.0",
     "object-hash": "^2.2.0",
     "oidc-token-hash": "^5.0.3"
   },
   "devDependencies": {
-    "@types/node": "^16.18.24",
+    "@types/node": "^16.18.31",
     "@types/passport": "^1.0.12",
     "base64url": "^3.0.1",
     "chai": "^4.3.7",
     "jose2": "npm:jose@^2.0.6",
     "mocha": "^10.2.0",
-    "nock": "^13.3.0",
+    "nock": "^13.3.1",
     "prettier": "^2.8.8",
     "readable-mock-req": "^0.2.2",
     "sinon": "^9.2.4",