Merge pull request #90 from jplyle/add-pape-extension

Support for OpenID Provider Authentication Policy Extension 1.0
commit 5bb00828d46d67dce086fb1348efa56ffe8d03fd 2 parents 3f63f6b + 84f84c6
Håvard Stranden authored
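--- a/README.md
+++ b/README.md
@@ -102,6 +102,7 @@ This library comes with built-in support for the following OpenID extensions:
 - The Attribute Exchange (AX) 1.0 extension is implemented as `openid.AttributeExchange`
 - The OAuth 1.0 extension is implemented as `openid.OAuthHybrid`
 - The User Interface 1.0 extension is implemented as `openid.UserInterface`
+- The Provider Authentication Policy Extension 1.0 (PAPE) as `openid.pape`
 
 ## Storing association state
 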
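--- a/openid.js
+++ b/openid.js
@@ -1503,3 +1503,87 @@ openid.OAuthHybrid.prototype.fillResult = function(params, result)
 result['request_token'] = params[token_attr];
 }
 };
+
+/*
+* Provider Authentication Policy Extension (PAPE)
+* http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html
+*
+* Note that this extension does not validate that the provider is obeying the
+* authentication request, it only allows the request to be made.
+*
+* TODO: verify requested 'max_auth_age' against response 'auth_time'
+* TODO: verify requested 'auth_level.ns.<cust>' (etc) against response 'auth_level.ns.<cust>'
+* TODO: verify requested 'preferred_auth_policies' against response 'auth_policies'
+*
+*/
+
+/* Just the keys that aren't open to customisation */
+var pape_request_keys = ['max_auth_age', 'preferred_auth_policies', 'preferred_auth_level_types' ];
+var pape_response_keys = ['auth_policies', 'auth_time']
+
+/* Some short-hand mappings for auth_policies */
+var papePolicyNameMap =
+{
+'phishing-resistant': 'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant',
+'multi-factor': 'http://schemas.openid.net/pape/policies/2007/06/multi-factor',
+'multi-factor-physical': 'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical',
+'none' : 'http://schemas.openid.net/pape/policies/2007/06/none'
+}
+
+openid.PAPE = function PAPE(options)
+{
+this.requestParams = {'openid.ns.pape': 'http://specs.openid.net/extensions/pape/1.0'};
+for (var k in options)
+{
+if (k === 'preferred_auth_policies') {
+this.requestParams['openid.pape.' + k] = _getLongPolicyName(options[k]);
+} else {
+this.requestParams['openid.pape.' + k] = options[k];
+}
+}
+var util = require('util');
+};
+
+/* you can express multiple pape 'preferred_auth_policies', so replace each
+* with the full policy URI as per papePolicyNameMapping.
+*/
+var _getLongPolicyName = function(policyNames) {
+var policies = policyNames.split(' ');
+for (var i=0; i<policies.length; i++) {
+if (policies[i] in papePolicyNameMap) {
+policies[i] = papePolicyNameMap[policies[i]];
+}
+}
+return policies.join(' ');
+}
+
+var _getShortPolicyName = function(policyNames) {
+var policies = policyNames.split(' ');
+for (var i=0; i<policies.length; i++) {
+for (shortName in papePolicyNameMap) {
+if (papePolicyNameMap[shortName] === policies[i]) {
+policies[i] = shortName;
+}
+}
+}
+return policies.join(' ');
+}
+
+openid.PAPE.prototype.fillResult = function(params, result)
+{
+var extension = _getExtensionAlias(params, 'http://specs.openid.net/extensions/pape/1.0') || 'pape';
+var paramString = 'openid.' + extension + '.';
+var thisParam;
+for (var p in params) {
+if (params.hasOwnProperty(p)) {
+if (p.substr(0, paramString.length) === paramString) {
+thisParam = p.substr(paramString.length);
+if (thisParam === 'auth_policies') {
+result[thisParam] = _getShortPolicyName(params[p]);
+} else {
+result[thisParam] = params[p];
+}
+}
+}
+}
+}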
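Review bot: `for (shortName in papePolicyNameMap)` in `_getShortPolicyName` never declares `shortName`, so it leaks an implicit global (and throws under `'use strict'`); change it to `for (var shortName in papePolicyNameMap) {`. The `var util = require('util');` at the end of the `PAPE` constructor is unused and should be dropped, as should `pape_request_keys` and `pape_response_keys`, which nothing reads (the latter also lacks a semicolon). `fillResult` copies every `openid.pape.*` response value into `result` unchecked — the header comment's TODOs acknowledge this, but the method itself should say so with a comment such as `// Provider-asserted and not verified against the request: callers must not treat auth_policies/auth_time as proof that the requested policy or max_auth_age was honoured.`. Note also that the README hunk documents the extension as `openid.pape` while this hunk exports it as `openid.PAPE`.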
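--- a/sample.js
+++ b/sample.js
@@ -45,6 +45,11 @@ var extensions = [new openid.UserInterface(),
 "http://axschema.org/contact/email": "required",
 "http://axschema.org/namePerson/friendly": "required",
 "http://axschema.org/namePerson": "required"
+}),
+new openid.PAPE(
+{
+"max_auth_age": 24 * 60 * 60, // one day
+"preferred_auth_policies" : "none" //no auth method preferred.
 })];
 
 var relyingParty = new openid.RelyingParty(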
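Review bot: The sample requests `max_auth_age` of one day but nothing here, or in the library, checks the provider's `auth_time` against it, so a reader may assume the option is enforced. A short comment on the new `max_auth_age` line, e.g. `// sent to the provider only; the response's auth_time is not verified against this`, would make the limitation visible where the option is used. The `extensions` array this hunk edits starts above the hunk.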
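--- a/test/openid_fast_tests.js
+++ b/test/openid_fast_tests.js
@@ -87,3 +87,20 @@ exports.testAttributeExchange = function(test)
 
 test.done();
 }
+
+exports.testPape = function(test)
+{
+var exampleParams = {
+"openid.pape.auth_time" : new Date().toISOString(),
+"openid.pape.auth_policies" : 'http://schemas.openid.net/pape/policies/2007/06/multi-factor http://schemas.openid.net/pape/policies/2007/06/phishing-resistant'
+};
+var pape = new openid.PAPE(),
+results = {};
+
+pape.fillResult(exampleParams, results);
+assert.notEqual(results['auth_time'], undefined);
+assert.notEqual(results['auth_policies'], undefined);
+assert.equal(results['auth_policies'], "multi-factor phishing-resistant");
+test.done();
+}
+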
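Review bot: `testPape` only exercises the response side; the request-side expansion of short policy names done in the `PAPE` constructor is untested. One assertion would pin it: `assert.equal(new openid.PAPE({preferred_auth_policies: 'multi-factor none'}).requestParams['openid.pape.preferred_auth_policies'], 'http://schemas.openid.net/pape/policies/2007/06/multi-factor http://schemas.openid.net/pape/policies/2007/06/none');`. The `assert.notEqual(results['auth_time'], undefined)` check also passes for any value; comparing against the `auth_time` string placed in `exampleParams` (store it in a variable first) would confirm the value is passed through unchanged.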
