Skip to content

Commit

Permalink
feat: allow to skip JWT signature validation on select responses
Browse files Browse the repository at this point in the history 
This is in-spec behaviour which is useful in javascript runtimes where
it is not possible to reliably cache the Authorization Server's JSON Web
Key Set between invocations. These are distributed systems that run
JavaScript at the edge, e.g. Cloudflare Workers or Deno Deploy.

This also allows to run this library outside of its currently supported
JWS algorithms, e.g. HMAC JWS Algorithms, or algorithms that aren't
supported by Web Cryptography API.
  • Loading branch information
@panva
panva committed Oct 31, 2022
1 parent 6f5c804 commit 44d9114
Show file tree
Hide file tree
Showing 20 changed files with 802 additions and 309 deletions.
6 changes: 6 additions & 0 deletions docs/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,10 +67,16 @@
- [OAuth2TokenEndpointResponse](interfaces/OAuth2TokenEndpointResponse.md)
- [OpenIDTokenEndpointResponse](interfaces/OpenIDTokenEndpointResponse.md)
- [PrivateKey](interfaces/PrivateKey.md)
- [ProcessAuthorizationCodeOpenIDResponseOptions](interfaces/ProcessAuthorizationCodeOpenIDResponseOptions.md)
- [ProcessDeviceCodeResponseOptions](interfaces/ProcessDeviceCodeResponseOptions.md)
- [ProcessIntrospectionResponseOptions](interfaces/ProcessIntrospectionResponseOptions.md)
- [ProcessRefreshTokenResponseOptions](interfaces/ProcessRefreshTokenResponseOptions.md)
- [ProcessUserInfoResponseOptions](interfaces/ProcessUserInfoResponseOptions.md)
- [ProtectedResourceRequestOptions](interfaces/ProtectedResourceRequestOptions.md)
- [PushedAuthorizationRequestOptions](interfaces/PushedAuthorizationRequestOptions.md)
- [PushedAuthorizationResponse](interfaces/PushedAuthorizationResponse.md)
- [RevocationRequestOptions](interfaces/RevocationRequestOptions.md)
- [SkipJWTSignatureCheckOptions](interfaces/SkipJWTSignatureCheckOptions.md)
- [TokenEndpointRequestOptions](interfaces/TokenEndpointRequestOptions.md)
- [TokenEndpointResponse](interfaces/TokenEndpointResponse.md)
- [UserInfoRequestOptions](interfaces/UserInfoRequestOptions.md)
Expand Down
2 changes: 1 addition & 1 deletion docs/functions/processAuthorizationCodeOpenIDResponse.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ the [`as.token_endpoint`](../interfaces/AuthorizationServer.md#token_endpoint).
| `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [authorizationCodeGrantRequest](authorizationCodeGrantRequest.md). |
| `expectedNonce?` | `string` \| typeof [`expectNoNonce`](../variables/expectNoNonce.md) | Expected ID Token `nonce` claim value. Default is [expectNoNonce](../variables/expectNoNonce.md). |
| `maxAge?` | `number` \| typeof [`skipAuthTimeCheck`](../variables/skipAuthTimeCheck.md) | ID Token [`auth_time`](../interfaces/IDToken.md#auth_time) claim value will be checked to be present and conform to the `maxAge` value. Use of this option is required if you sent a `max_age` parameter in an authorization request. Default is [`client.default_max_age`](../interfaces/Client.md#default_max_age) and falls back to [skipAuthTimeCheck](../variables/skipAuthTimeCheck.md). |
| `options?` | [`HttpRequestOptions`](../interfaces/HttpRequestOptions.md) | - |
| `options?` | [`ProcessAuthorizationCodeOpenIDResponseOptions`](../interfaces/ProcessAuthorizationCodeOpenIDResponseOptions.md) | - |

#### Returns

Expand Down
2 changes: 1 addition & 1 deletion docs/functions/processDeviceCodeResponse.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ Validates Device Authorization Grant Response instance to be one coming from the
| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
| `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
| `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [deviceCodeGrantRequest](deviceCodeGrantRequest.md). |
| `options?` | [`HttpRequestOptions`](../interfaces/HttpRequestOptions.md) | - |
| `options?` | [`ProcessDeviceCodeResponseOptions`](../interfaces/ProcessDeviceCodeResponseOptions.md) | - |

#### Returns

Expand Down
2 changes: 1 addition & 1 deletion docs/functions/processIntrospectionResponse.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ Validates Response instance to be one coming from the
| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
| `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
| `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [introspectionRequest](introspectionRequest.md). |
| `options?` | [`HttpRequestOptions`](../interfaces/HttpRequestOptions.md) | - |
| `options?` | [`ProcessIntrospectionResponseOptions`](../interfaces/ProcessIntrospectionResponseOptions.md) | - |

#### Returns

Expand Down
2 changes: 1 addition & 1 deletion docs/functions/processRefreshTokenResponse.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ Validates Refresh Token Grant Response instance to be one coming from the
| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
| `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
| `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [refreshTokenGrantRequest](refreshTokenGrantRequest.md). |
| `options?` | [`HttpRequestOptions`](../interfaces/HttpRequestOptions.md) | - |
| `options?` | [`ProcessRefreshTokenResponseOptions`](../interfaces/ProcessRefreshTokenResponseOptions.md) | - |

#### Returns

Expand Down
2 changes: 1 addition & 1 deletion docs/functions/processUserInfoResponse.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Validates Response instance to be one coming from the
| `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
| `expectedSubject` | `string` \| typeof [`skipSubjectCheck`](../variables/skipSubjectCheck.md) | Expected `sub` claim value. In response to OpenID Connect authentication requests, the expected subject is the one from the ID Token claims retrieved from [getValidatedIdTokenClaims](getValidatedIdTokenClaims.md). |
| `response` | [`Response`]( https://developer.mozilla.org/en-US/docs/Web/API/Response ) | Resolved value from [userInfoRequest](userInfoRequest.md). |
| `options?` | [`HttpRequestOptions`](../interfaces/HttpRequestOptions.md) | - |
| `options?` | [`ProcessUserInfoResponseOptions`](../interfaces/ProcessUserInfoResponseOptions.md) | - |

#### Returns

Expand Down
60 changes: 60 additions & 0 deletions docs/interfaces/ProcessAuthorizationCodeOpenIDResponseOptions.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Interface: ProcessAuthorizationCodeOpenIDResponseOptions

[💗 Help the project](https://github.com/sponsors/panva)

## Table of contents

### Properties

- [headers](ProcessAuthorizationCodeOpenIDResponseOptions.md#headers)
- [signal](ProcessAuthorizationCodeOpenIDResponseOptions.md#signal)
- [skipJwtSignatureCheck](ProcessAuthorizationCodeOpenIDResponseOptions.md#skipjwtsignaturecheck)

## Properties

### headers

`Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers )

A Headers instance to additionally send with the HTTP Request(s) triggered by this function's
invocation.

___

### signal

`Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal )

An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by
this function's invocation.

**`example`** A 5000ms timeout AbortSignal for every request

```js
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
```

___

### skipJwtSignatureCheck

`Optional` **skipJwtSignatureCheck**: `boolean`

DANGER ZONE

When JWT assertions are received via direct communication between the Client and the
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and
exposed functions) the TLS server validation MAY be used to validate the issuer in place of
checking the assertion's signature.

Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed
Introspection, or JWT Signed UserInfo Response).

Setting this to `true` also means that:

- The Authorization Server's JSON Web Key Set will not be requested. That is useful for
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of
the JSON Web Key Set in between invocations.
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md).

Default is `false`.
60 changes: 60 additions & 0 deletions docs/interfaces/ProcessDeviceCodeResponseOptions.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Interface: ProcessDeviceCodeResponseOptions

[💗 Help the project](https://github.com/sponsors/panva)

## Table of contents

### Properties

- [headers](ProcessDeviceCodeResponseOptions.md#headers)
- [signal](ProcessDeviceCodeResponseOptions.md#signal)
- [skipJwtSignatureCheck](ProcessDeviceCodeResponseOptions.md#skipjwtsignaturecheck)

## Properties

### headers

`Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers )

A Headers instance to additionally send with the HTTP Request(s) triggered by this function's
invocation.

___

### signal

`Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal )

An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by
this function's invocation.

**`example`** A 5000ms timeout AbortSignal for every request

```js
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
```

___

### skipJwtSignatureCheck

`Optional` **skipJwtSignatureCheck**: `boolean`

DANGER ZONE

When JWT assertions are received via direct communication between the Client and the
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and
exposed functions) the TLS server validation MAY be used to validate the issuer in place of
checking the assertion's signature.

Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed
Introspection, or JWT Signed UserInfo Response).

Setting this to `true` also means that:

- The Authorization Server's JSON Web Key Set will not be requested. That is useful for
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of
the JSON Web Key Set in between invocations.
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md).

Default is `false`.
60 changes: 60 additions & 0 deletions docs/interfaces/ProcessIntrospectionResponseOptions.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Interface: ProcessIntrospectionResponseOptions

[💗 Help the project](https://github.com/sponsors/panva)

## Table of contents

### Properties

- [headers](ProcessIntrospectionResponseOptions.md#headers)
- [signal](ProcessIntrospectionResponseOptions.md#signal)
- [skipJwtSignatureCheck](ProcessIntrospectionResponseOptions.md#skipjwtsignaturecheck)

## Properties

### headers

`Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers )

A Headers instance to additionally send with the HTTP Request(s) triggered by this function's
invocation.

___

### signal

`Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal )

An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by
this function's invocation.

**`example`** A 5000ms timeout AbortSignal for every request

```js
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
```

___

### skipJwtSignatureCheck

`Optional` **skipJwtSignatureCheck**: `boolean`

DANGER ZONE

When JWT assertions are received via direct communication between the Client and the
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and
exposed functions) the TLS server validation MAY be used to validate the issuer in place of
checking the assertion's signature.

Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed
Introspection, or JWT Signed UserInfo Response).

Setting this to `true` also means that:

- The Authorization Server's JSON Web Key Set will not be requested. That is useful for
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of
the JSON Web Key Set in between invocations.
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md).

Default is `false`.
60 changes: 60 additions & 0 deletions docs/interfaces/ProcessRefreshTokenResponseOptions.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Interface: ProcessRefreshTokenResponseOptions

[💗 Help the project](https://github.com/sponsors/panva)

## Table of contents

### Properties

- [headers](ProcessRefreshTokenResponseOptions.md#headers)
- [signal](ProcessRefreshTokenResponseOptions.md#signal)
- [skipJwtSignatureCheck](ProcessRefreshTokenResponseOptions.md#skipjwtsignaturecheck)

## Properties

### headers

`Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers )

A Headers instance to additionally send with the HTTP Request(s) triggered by this function's
invocation.

___

### signal

`Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal )

An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by
this function's invocation.

**`example`** A 5000ms timeout AbortSignal for every request

```js
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
```

___

### skipJwtSignatureCheck

`Optional` **skipJwtSignatureCheck**: `boolean`

DANGER ZONE

When JWT assertions are received via direct communication between the Client and the
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and
exposed functions) the TLS server validation MAY be used to validate the issuer in place of
checking the assertion's signature.

Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed
Introspection, or JWT Signed UserInfo Response).

Setting this to `true` also means that:

- The Authorization Server's JSON Web Key Set will not be requested. That is useful for
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of
the JSON Web Key Set in between invocations.
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md).

Default is `false`.
60 changes: 60 additions & 0 deletions docs/interfaces/ProcessUserInfoResponseOptions.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Interface: ProcessUserInfoResponseOptions

[💗 Help the project](https://github.com/sponsors/panva)

## Table of contents

### Properties

- [headers](ProcessUserInfoResponseOptions.md#headers)
- [signal](ProcessUserInfoResponseOptions.md#signal)
- [skipJwtSignatureCheck](ProcessUserInfoResponseOptions.md#skipjwtsignaturecheck)

## Properties

### headers

`Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers )

A Headers instance to additionally send with the HTTP Request(s) triggered by this function's
invocation.

___

### signal

`Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal )

An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by
this function's invocation.

**`example`** A 5000ms timeout AbortSignal for every request

```js
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
```

___

### skipJwtSignatureCheck

`Optional` **skipJwtSignatureCheck**: `boolean`

DANGER ZONE

When JWT assertions are received via direct communication between the Client and the
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and
exposed functions) the TLS server validation MAY be used to validate the issuer in place of
checking the assertion's signature.

Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed
Introspection, or JWT Signed UserInfo Response).

Setting this to `true` also means that:

- The Authorization Server's JSON Web Key Set will not be requested. That is useful for
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of
the JSON Web Key Set in between invocations.
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md).

Default is `false`.
Loading

0 comments on commit 44d9114

Please sign in to comment.