Updated per RD review

okta · Aug 7, 2018 · 13ffd77 · 13ffd77
1 parent 907641e
commit 13ffd77
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 43 deletions.
diff --git a/README.md b/README.md
@@ -161,6 +161,8 @@ tokenManager: {
 | `redirectUri`  | The url that is redirected to when using `token.getWithRedirect`. This must be pre-registered as part of client registration. If no `redirectUri` is provided, defaults to the current origin. |
 | `authorizeUrl` | Specify a custom authorizeUrl to perform the OIDC flow. Defaults to the issuer plus "/v1/authorize". |
 | `userinfoUrl`  | Specify a custom userinfoUrl. Defaults to the issuer plus "/v1/userinfo". |
+| `ignoreSignature` | Disable ID token signature validation. Defaults to `false`.  |
+| | **Important:** For the Implicit flow, the token signature MUST be validated per [ID token Validation](http://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation). This option should be used only for browser support and testing purposes. |
 
 ##### Example Client
 
@@ -251,7 +253,7 @@ var config = {
   * [token.refresh](#tokenrefreshtokentorefresh)
   * [token.getUserInfo](#tokengetuserinfoaccesstokenobject)
   * [token.verify](#tokenverifyidtokenobject)
-* [tokenManager](#tokenManager)
+* [tokenManager](#tokenmanager)
   * [tokenManager.add](#tokenmanageraddkey-token)
   * [tokenManager.get](#tokenmanagergetkey)
   * [tokenManager.remove](#tokenmanagerremovekey)
@@ -1477,6 +1479,7 @@ authClient.token.getUserInfo(accessTokenObject)
 Verify the validity of an ID token's claims and check the signature on browsers that support web cryptography.
 
 * `idTokenObject` - an ID token returned by this library. note: this is not the raw ID token JWT
+* `ignoreSignature` - Optional parameter to disable ID token signature validation.
 
 ```javascript
 authClient.token.verify(idTokenObject)

diff --git a/lib/oauthUtil.js b/lib/oauthUtil.js
@@ -114,25 +114,16 @@ function getKey(sdk, issuer, kid) {
   });
 }
 
-function getDefaultValidationParams(sdk, oauthOptions) {
-  var defaults = {
-    clientId: sdk.options.clientId,
-    issuer: sdk.options.issuer || sdk.options.url,
-    ignoreSignature: sdk.options.ignoreSignature
-  };
-  util.extend(defaults, oauthOptions);
-  return defaults;
-}
-
 function validateClaims(sdk, claims, validationParams) {
   var aud = validationParams.clientId;
   var iss = validationParams.issuer;
+  var nonce = validationParams.nonce;
 
   if (!claims || !iss || !aud) {
     throw new AuthSdkError('The jwt, iss, and aud arguments are all required');
   }
 
-  if (validationParams.nonce && claims.nonce !== validationParams.nonce) {
+  if (nonce && claims.nonce !== nonce) {
     throw new AuthSdkError('OAuth flow response nonce doesn\'t match request nonce');
   }
 
@@ -260,7 +251,6 @@ function hashToObject(hash) {
 }
 
 module.exports = {
-  getDefaultValidationParams: getDefaultValidationParams,
   getWellKnown: getWellKnown,
   getKey: getKey,
   validateClaims: validateClaims,

diff --git a/lib/token.js b/lib/token.js
@@ -48,7 +48,13 @@ function verifyToken(sdk, token, validationParams) {
 
     var jwt = decodeToken(token.idToken);
 
-    var validationOptions = oauthUtil.getDefaultValidationParams(sdk, validationParams);
+    var validationOptions = {
+      clientId: sdk.options.clientId,
+      issuer: sdk.options.issuer || sdk.options.url,
+      ignoreSignature: sdk.options.ignoreSignature
+    };
+
+    util.extend(validationOptions, validationParams);
 
     // Standard claim validation
     oauthUtil.validateClaims(sdk, jwt.payload, validationOptions);

diff --git a/test/spec/oauthUtil.js b/test/spec/oauthUtil.js
@@ -559,35 +559,6 @@ define(function(require) {
 
   });
 
-  describe('getDefaultValidationParams', function () {
-    var contains = jasmine.objectContaining;
-    var sdk = new OktaAuth({
-      url: 'https://auth-js-test.okta.com',
-      clientId: 'foo',
-      ignoreSignature: false
-    });
-
-    it('returns params passed in during AuthJS construction', function () {
-      expect(oauthUtil.getDefaultValidationParams(sdk)).toEqual(contains({
-        issuer: 'https://auth-js-test.okta.com',
-        clientId: 'foo',
-        ignoreSignature: false
-      }));
-    });
-
-    it('returns passed in options over the params used during AuthJS construction', function () {
-      var defaultParams = oauthUtil.getDefaultValidationParams(sdk, {
-        issuer: 'https://auth-js-test.okta.com/oauth2/default',
-        clientId: 'bar'
-      });
-      expect(defaultParams).toEqual(contains({
-        issuer: 'https://auth-js-test.okta.com/oauth2/default',
-        clientId: 'bar',
-        ignoreSignature: false
-      }));
-    });
-  });
-
   describe('validateClaims', function () {
     var sdk = new OktaAuth({
       url: 'https://auth-js-test.okta.com',