feat: add experimental support for validating JWT Access Tokens
Showing 14 changed files with 585 additions and 24 deletions.
@@ -0,0 +1,44 @@ | ||
# Function: experimental\_validateJwtAccessToken | ||
|
||
[💗 Help the project](https://github.com/sponsors/panva) | ||
|
||
▸ **experimental_validateJwtAccessToken**(`as`, `request`, `expectedAudience`, `options?`): [`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`JWTAccessTokenClaims`](../interfaces/JWTAccessTokenClaims.md)\> | ||
|
||
This is an experimental feature, it is not subject to semantic versioning rules. Non-backward | ||
compatible changes or removal may occur in any future release. | ||
|
||
Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given Request as per | ||
RFC 9068 and optionally also RFC 9449. | ||
|
||
This does validate the presence and type of all required claims as well as the values of the | ||
[`iss`](../interfaces/JWTAccessTokenClaims.md#iss), [`exp`](../interfaces/JWTAccessTokenClaims.md#exp), | ||
[`aud`](../interfaces/JWTAccessTokenClaims.md#aud) claims. | ||
|
||
This does NOT validate the [`sub`](../interfaces/JWTAccessTokenClaims.md#sub), | ||
[`jti`](../interfaces/JWTAccessTokenClaims.md#jti), and [`client_id`](../interfaces/JWTAccessTokenClaims.md#client_id) | ||
claims beyond just checking that they're present and that their type is a string. If you need to | ||
validate these values further you would do so after this function's execution. | ||
|
||
This does NOT validate the DPoP Proof JWT nonce. If your server indicates RS-provided nonces to | ||
clients you would check these after this function's execution. | ||
|
||
This does NOT validate authorization claims such as `scope` either, you would do so after this | ||
function's execution. | ||
|
||
#### Parameters | ||
|
||
| Name | Type | Description | | ||
| :------ | :------ | :------ | | ||
| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server to accept JWT Access Tokens from. | | ||
| `request` | [`Request`]( https://developer.mozilla.org/docs/Web/API/Request ) | | | ||
| `expectedAudience` | `string` | Audience identifier the resource server expects for itself. | | ||
| `options?` | [`ValidateJWTAccessTokenOptions`](../interfaces/ValidateJWTAccessTokenOptions.md) | | | ||
|
||
#### Returns | ||
|
||
[`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`JWTAccessTokenClaims`](../interfaces/JWTAccessTokenClaims.md)\> | ||
|
||
**`See`** | ||
|
||
- [RFC 9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://www.rfc-editor.org/rfc/rfc9068.html) | ||
- [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html) |
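Review bot: the `request` and `options?` rows in the Parameters table have empty descriptions; say which parts of the Request the function reads (the Authorization header, whose scheme selects the Bearer or DPoP flow, and the DPoP proof header when RFC 9449 applies) and what is thrown when validation fails. The list of what is validated names the required claims and the `iss`, `exp`, `aud` values but says nothing about the JOSE header; RFC 9068 Section 4 requires a resource server to reject tokens whose `typ` header is not `at+jwt` or `application/at+jwt`, so state explicitly whether that check is performed here. Also, since DPoP nonce checking is out of scope, the sentence "If your server indicates RS-provided nonces to clients you would check these after this function's execution" would be clearer if it named the value to compare (the `nonce` claim of the DPoP proof) and how the caller gets at it, given that the return value is only the access token claims.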
@@ -0,0 +1,81 @@ | ||
# Interface: JWTAccessTokenClaims | ||
|
||
[💗 Help the project](https://github.com/sponsors/panva) | ||
|
||
## Indexable | ||
|
||
▪ [claim: `string`]: [`JsonValue`](../types/JsonValue.md) \| `undefined` | ||
|
||
## Table of contents | ||
|
||
### Properties | ||
|
||
- [aud](JWTAccessTokenClaims.md#aud) | ||
- [client\_id](JWTAccessTokenClaims.md#client_id) | ||
- [exp](JWTAccessTokenClaims.md#exp) | ||
- [iat](JWTAccessTokenClaims.md#iat) | ||
- [iss](JWTAccessTokenClaims.md#iss) | ||
- [jti](JWTAccessTokenClaims.md#jti) | ||
- [sub](JWTAccessTokenClaims.md#sub) | ||
- [cnf](JWTAccessTokenClaims.md#cnf) | ||
- [nbf](JWTAccessTokenClaims.md#nbf) | ||
|
||
## Properties | ||
|
||
### aud | ||
|
||
• `Readonly` **aud**: `string` \| `string`[] | ||
|
||
___ | ||
|
||
### client\_id | ||
|
||
• `Readonly` **client\_id**: `string` | ||
|
||
___ | ||
|
||
### exp | ||
|
||
• `Readonly` **exp**: `number` | ||
|
||
___ | ||
|
||
### iat | ||
|
||
• `Readonly` **iat**: `number` | ||
|
||
___ | ||
|
||
### iss | ||
|
||
• `Readonly` **iss**: `string` | ||
|
||
___ | ||
|
||
### jti | ||
|
||
• `Readonly` **jti**: `string` | ||
|
||
___ | ||
|
||
### sub | ||
|
||
• `Readonly` **sub**: `string` | ||
|
||
___ | ||
|
||
### cnf | ||
|
||
• `Optional` `Readonly` **cnf**: [`ConfirmationClaims`](ConfirmationClaims.md) | ||
|
||
___ | ||
|
||
### nbf | ||
|
||
• `Optional` `Readonly` **nbf**: `number` | ||
|
||
## Hierarchy | ||
|
||
- `JWTPayload` | ||
|
||
↳ **`JWTAccessTokenClaims`** |
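Review bot: every property section carries only a type line and no description, so the reader cannot tell from this page how each claim is treated by experimental_validateJwtAccessToken. Suggest one line each, at least for `aud` (string or array; `expectedAudience` must be one of its values), `iat` and `nbf` (state whether they are checked against the current time, and with which tolerance), and `cnf` (present only for sender-constrained tokens; for DPoP the `jkt` member holds the JWK thumbprint per RFC 9449 Section 6.1, which is what a DPoP proof is matched against). Minor: `cnf` and `nbf` are appended after `sub` both in the table of contents and in the Properties section, breaking the otherwise alphabetical order.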
@@ -0,0 +1,83 @@ | ||
# Interface: ValidateJWTAccessTokenOptions | ||
|
||
[💗 Help the project](https://github.com/sponsors/panva) | ||
|
||
## Table of contents | ||
|
||
### Experimental | ||
|
||
- [[experimental\_customFetch]](ValidateJWTAccessTokenOptions.md#experimental_customfetch) | ||
|
||
### Properties | ||
|
||
- [[clockSkew]](ValidateJWTAccessTokenOptions.md#clockskew) | ||
- [[clockTolerance]](ValidateJWTAccessTokenOptions.md#clocktolerance) | ||
- [headers](ValidateJWTAccessTokenOptions.md#headers) | ||
- [requireDPoP](ValidateJWTAccessTokenOptions.md#requiredpop) | ||
- [signal](ValidateJWTAccessTokenOptions.md#signal) | ||
|
||
## Experimental | ||
|
||
### [experimental\_customFetch] | ||
|
||
• `Optional` **[experimental\_customFetch]**: (`input`: `RequestInfo` \| [`URL`]( https://developer.mozilla.org/docs/Web/API/URL ), `init?`: `RequestInit`) => [`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`Response`]( https://developer.mozilla.org/docs/Web/API/Response )\> | ||
|
||
This is an experimental feature, it is not subject to semantic versioning rules. Non-backward | ||
compatible changes or removal may occur in any future release. | ||
|
||
See [experimental_customFetch](../variables/experimental_customFetch.md) for its documentation. | ||
|
||
## Properties | ||
|
||
### [clockSkew] | ||
|
||
• `Optional` **[clockSkew]**: `number` | ||
|
||
Same functionality as in [Client](Client.md) | ||
|
||
___ | ||
|
||
### [clockTolerance] | ||
|
||
• `Optional` **[clockTolerance]**: `number` | ||
|
||
Same functionality as in [Client](Client.md) | ||
|
||
___ | ||
|
||
### headers | ||
|
||
• `Optional` **headers**: [`Record`]( https://www.typescriptlang.org/docs/handbook/utility-types.html#recordkeys-type )\<`string`, `string`\> \| [`string`, `string`][] \| [`Headers`]( https://developer.mozilla.org/docs/Web/API/Headers ) | ||
|
||
Headers to additionally send with the HTTP Request(s) triggered by this function's invocation. | ||
|
||
___ | ||
|
||
### requireDPoP | ||
|
||
• `Optional` **requireDPoP**: `boolean` | ||
|
||
Indicates whether DPoP use is required. | ||
|
||
___ | ||
|
||
### signal | ||
|
||
• `Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/docs/Web/API/AbortSignal ) | ||
|
||
An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by | ||
this function's invocation. | ||
|
||
**`Example`** | ||
|
||
A 5000ms timeout AbortSignal for every request | ||
|
||
```js | ||
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes. | ||
``` | ||
|
||
## Hierarchy | ||
|
||
- [`HttpRequestOptions`](HttpRequestOptions.md) | ||
|
||
↳ **`ValidateJWTAccessTokenOptions`** |
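Review bot: `requireDPoP` is documented only as "Indicates whether DPoP use is required."; state the default, and spell out the two mixed cases: a token that carries `cnf` but arrives with the `Bearer` scheme, and a `DPoP`-scheme request whose token has no `cnf`. Rejecting the first is what stops a stolen sender-constrained token from being replayed as a plain bearer token, so it should be written down rather than left to the reader. The `headers` and `signal` descriptions mention "HTTP Request(s) triggered by this function's invocation" without saying which requests those are; name them, since a resource server deploying this will need to allow that egress. Minor: the "may not yet be available in all runtimes" remark would read better as a sentence under the example than as a trailing comment inside the code line.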