openid-client 5.6.5 → 5.7.1

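--- a/package/README.md
+++ b/package/README.md
@@ -52,13 +52,11 @@ Updates to draft specifications are released as MINOR library versions,
 if you utilize these specification implementations consider using the tilde `~` operator in your
 package.json since breaking changes may be introduced as part of these version updates.
 
-## Certification
-[<img width="184" height="96" align="right" src="https://cdn.jsdelivr.net/gh/panva/node-openid-client@38cf016b0837e6d4116de3780b28d222d5780bc9/OpenID_Certified.png" alt="OpenID Certification">][openid-certified-link]
-Filip Skokan has [certified][openid-certified-link] that [openid-client][npm-url]
-conforms to the following profiles of the OpenID Connect™ protocol
+## [Certification](https://openid.net/certification/faq/)
 
-- Basic, Implicit, Hybrid, Config, Dynamic, and Form Post RP
-- FAPI 1.0 Advanced RP
+[<img width="96" height="50" align="right" src="https://user-images.githubusercontent.com/241506/166977513-7cd710a9-7f60-4944-aebe-a658e9f36375.png" alt="OpenID Certification">](#certification)
+
+[Filip Skokan](https://github.com/panva) has [certified](https://openid.net/certification) that [this software](https://github.com/panva/node-openid-client) conforms to the Basic, Implicit, Hybrid, Config, Dynamic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.
 
 ## Sponsor
 
@@ -304,7 +302,6 @@ See [Customizing (docs)][documentation-customizing].
 [feature-par]: https://www.rfc-editor.org/rfc/rfc9126.html
 [feature-jar]: https://www.rfc-editor.org/rfc/rfc9101.html
 [feature-iss]: https://www.rfc-editor.org/rfc/rfc9207.html
-[openid-certified-link]: https://openid.net/certification/
 [passport-url]: http://passportjs.org
 [npm-url]: https://www.npmjs.com/package/openid-client
 [sponsor-auth0]: https://a0.to/try-auth0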
package/lib/client.js CHANGED
@@ -191,7 +191,7 @@ class BaseClient {
191
191
  authorization_signed_response_alg: 'RS256',
192
192
  response_types: ['code'],
193
193
  token_endpoint_auth_method: 'client_secret_basic',
194
- ...(this.fapi()
194
+ ...(this.fapi1()
195
195
  ? {
196
196
  grant_types: ['authorization_code', 'implicit'],
197
197
  id_token_signed_response_alg: 'PS256',
@@ -201,6 +201,13 @@ class BaseClient {
201
201
  token_endpoint_auth_method: undefined,
202
202
  }
203
203
  : undefined),
204
+ ...(this.fapi2()
205
+ ? {
206
+ id_token_signed_response_alg: 'PS256',
207
+ authorization_signed_response_alg: 'PS256',
208
+ token_endpoint_auth_method: undefined,
209
+ }
210
+ : undefined),
204
211
  ...metadata,
205
212
  };
206
213
 
@@ -221,6 +228,26 @@ class BaseClient {
221
228
  }
222
229
  }
223
230
 
231
+ if (this.fapi2()) {
232
+ if (
233
+ properties.tls_client_certificate_bound_access_tokens &&
234
+ properties.dpop_bound_access_tokens
235
+ ) {
236
+ throw new TypeError(
237
+ 'either tls_client_certificate_bound_access_tokens or dpop_bound_access_tokens must be set to true',
238
+ );
239
+ }
240
+
241
+ if (
242
+ !properties.tls_client_certificate_bound_access_tokens &&
243
+ !properties.dpop_bound_access_tokens
244
+ ) {
245
+ throw new TypeError(
246
+ 'either tls_client_certificate_bound_access_tokens or dpop_bound_access_tokens must be set to true',
247
+ );
248
+ }
249
+ }
250
+
224
251
  handleCommonMistakes(this, metadata, properties);
225
252
 
226
253
  assertSigningAlgValuesSupport('token', this.issuer, properties);
@@ -824,7 +851,7 @@ class BaseClient {
824
851
  });
825
852
  }
826
853
 
827
- if (this.fapi()) {
854
+ if (this.fapi1()) {
828
855
  if (!payload.s_hash && (tokenSet.state || state)) {
829
856
  throw new RPError({
830
857
  message: 'missing required property s_hash',
@@ -1631,9 +1658,17 @@ class BaseClient {
1631
1658
  }
1632
1659
 
1633
1660
  fapi() {
1661
+ return this.fapi1() || this.fapi2();
1662
+ }
1663
+
1664
+ fapi1() {
1634
1665
  return this.constructor.name === 'FAPI1Client';
1635
1666
  }
1636
1667
 
1668
+ fapi2() {
1669
+ return this.constructor.name === 'FAPI2Client';
1670
+ }
1671
+
1637
1672
  async validateJARM(response) {
1638
1673
  const expectedAlg = this.authorization_signed_response_alg;
1639
1674
  const { payload } = await this.validateJWT(response, expectedAlg, ['iss', 'exp', 'aud']);
@@ -92,9 +92,6 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
92
92
  case 'private_key_jwt':
93
93
  case 'client_secret_jwt': {
94
94
  const timestamp = now();
95
- const audience = [
96
- ...new Set([this.issuer.issuer, this.issuer.token_endpoint].filter(Boolean)),
97
- ];
98
95
 
99
96
  const assertion = await clientAssertion.call(this, endpoint, {
100
97
  iat: timestamp,
@@ -102,7 +99,7 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
102
99
  jti: random(),
103
100
  iss: this.client_id,
104
101
  sub: this.client_id,
105
- aud: audience,
102
+ aud: this.issuer.issuer,
106
103
  ...clientAssertionPayload,
107
104
  });
108
105
 
@@ -79,7 +79,7 @@ module.exports = async function request(options, { accessToken, mTLS = false, DP
79
79
  opts.headers.DPoP = await this.dpopProof(
80
80
  {
81
81
  htu: `${url.origin}${url.pathname}`,
82
- htm: options.method,
82
+ htm: options.method || 'GET',
83
83
  nonce: nonces.get(nonceKey),
84
84
  },
85
85
  DPoP,
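Review bot: The first guard in the new `this.fapi2()` block (the branch entered when both `tls_client_certificate_bound_access_tokens` and `dpop_bound_access_tokens` are truthy) throws the message `'either tls_client_certificate_bound_access_tokens or dpop_bound_access_tokens must be set to true'`, which describes the opposite misconfiguration; the identical text is then reused by the second guard for the neither-set case, so a caller who set both gets told to set one. Change the first message to `'tls_client_certificate_bound_access_tokens and dpop_bound_access_tokens cannot both be set to true'` so each TypeError names the actual fault. The enclosing constructor starts and ends outside the hunk, so whether `properties` has been normalized to booleans before this point cannot be confirmed from here. Separately, this section also renders the `authFor` and `request` hunks without their own file headers, which appears to be a rendering artifact rather than part of `lib/client.js`.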
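--- a/package/lib/issuer.js
+++ b/package/lib/issuer.js
@@ -73,6 +73,7 @@ class Issuer {
  Object.defineProperties(this, {
  Client: { value: Client, enumerable: true },
  FAPI1Client: { value: class FAPI1Client extends Client {}, enumerable: true },
+ FAPI2Client: { value: class FAPI2Client extends Client {}, enumerable: true },
  });
  }
 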
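--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "openid-client",
- "version": "5.6.5",
+ "version": "5.7.1",
  "description": "OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports passportjs",
  "keywords": [
  "auth",
@@ -22,8 +22,8 @@
  "relying party",
  "strategy"
  ],
- "homepage": "https://github.com/panva/node-openid-client",
- "repository": "panva/node-openid-client",
+ "homepage": "https://github.com/panva/openid-client",
+ "repository": "panva/openid-client",
  "funding": {
  "url": "https://github.com/sponsors/panva"
  },
@@ -45,18 +45,18 @@
  "test": "mocha test/**/*.test.js"
  },
  "dependencies": {
- "jose": "^4.15.5",
+ "jose": "^4.15.9",
  "lru-cache": "^6.0.0",
  "object-hash": "^2.2.0",
  "oidc-token-hash": "^5.0.3"
  },
  "devDependencies": {
- "@types/node": "^16.18.87",
+ "@types/node": "^16.18.106",
  "@types/passport": "^1.0.16",
  "base64url": "^3.0.1",
- "chai": "^4.4.1",
- "mocha": "^10.3.0",
- "nock": "^13.5.4",
+ "chai": "^4.5.0",
+ "mocha": "^10.7.3",
+ "nock": "^13.5.5",
  "prettier": "^2.8.8",
  "readable-mock-req": "^0.2.2",
  "sinon": "^9.2.4",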
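--- a/package/types/index.d.ts
+++ b/package/types/index.d.ts
@@ -443,6 +443,7 @@ export class Issuer<TClient extends BaseClient = BaseClient> {
  Client: TypeOfGenericClient<TClient>;
 
  FAPI1Client: TypeOfGenericClient<TClient>;
+ FAPI2Client: TypeOfGenericClient<TClient>;
 
  metadata: IssuerMetadata;
  [custom.http_options]: CustomHttpOptionsProvider;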