feat: add experimental support for validating JWT Access Tokens
panva committed Jan 23, 2024
1 parent 2e26e91 commit f65deae
Showing 14 changed files with 585 additions and 24 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -15,6 +15,7 @@ The following features are currently in scope and implemented in this software:
- UserInfo and Protected Resource Requests
- Authorization Server Issuer Identification
- JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
- Validating incoming JWT Access Tokens

## [Certification](https://openid.net/certification/faq/)
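Review bot: the new README bullet "Validating incoming JWT Access Tokens" is listed among implemented features without any experimental marker, while docs/functions/experimental_validateJwtAccessToken.md states the feature is not subject to semantic versioning and may change or be removed in any release; suggest "- Validating incoming JWT Access Tokens (experimental)" so the top-level feature list does not overstate the stability guarantee.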

9 changes: 8 additions & 1 deletion docs/README.md
@@ -67,11 +67,16 @@
- [experimental\_customFetch](variables/experimental_customFetch.md)
- [experimental\_useMtlsAlias](variables/experimental_useMtlsAlias.md)
- [experimental\_validateDetachedSignatureResponse](functions/experimental_validateDetachedSignatureResponse.md)
- [experimental\_validateJwtAccessToken](functions/experimental_validateJwtAccessToken.md)

### FAPI 1.0 Advanced

- [experimental\_validateDetachedSignatureResponse](functions/experimental_validateDetachedSignatureResponse.md)

### JWT Access Tokens

- [experimental\_validateJwtAccessToken](functions/experimental_validateJwtAccessToken.md)

### JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)

- [validateJwtAuthResponse](functions/validateJwtAuthResponse.md)
@@ -141,6 +146,7 @@
- [Client](interfaces/Client.md)
- [ClientCredentialsGrantRequestOptions](interfaces/ClientCredentialsGrantRequestOptions.md)
- [ClientCredentialsGrantResponse](interfaces/ClientCredentialsGrantResponse.md)
- [ConfirmationClaims](interfaces/ConfirmationClaims.md)
- [DPoPOptions](interfaces/DPoPOptions.md)
- [DPoPRequestOptions](interfaces/DPoPRequestOptions.md)
- [DeviceAuthorizationRequestOptions](interfaces/DeviceAuthorizationRequestOptions.md)
@@ -150,9 +156,9 @@
- [GenerateKeyPairOptions](interfaces/GenerateKeyPairOptions.md)
- [HttpRequestOptions](interfaces/HttpRequestOptions.md)
- [IDToken](interfaces/IDToken.md)
- [IntrospectionConfirmationClaims](interfaces/IntrospectionConfirmationClaims.md)
- [IntrospectionRequestOptions](interfaces/IntrospectionRequestOptions.md)
- [IntrospectionResponse](interfaces/IntrospectionResponse.md)
- [JWTAccessTokenClaims](interfaces/JWTAccessTokenClaims.md)
- [MTLSEndpointAliases](interfaces/MTLSEndpointAliases.md)
- [OAuth2Error](interfaces/OAuth2Error.md)
- [OAuth2TokenEndpointResponse](interfaces/OAuth2TokenEndpointResponse.md)
@@ -167,6 +173,7 @@
- [UserInfoAddress](interfaces/UserInfoAddress.md)
- [UserInfoRequestOptions](interfaces/UserInfoRequestOptions.md)
- [UserInfoResponse](interfaces/UserInfoResponse.md)
- [ValidateJWTAccessTokenOptions](interfaces/ValidateJWTAccessTokenOptions.md)
- [WWWAuthenticateChallenge](interfaces/WWWAuthenticateChallenge.md)
- [WWWAuthenticateChallengeParameters](interfaces/WWWAuthenticateChallengeParameters.md)

44 changes: 44 additions & 0 deletions docs/functions/experimental_validateJwtAccessToken.md
@@ -0,0 +1,44 @@
# Function: experimental\_validateJwtAccessToken

[💗 Help the project](https://github.com/sponsors/panva)

**experimental_validateJwtAccessToken**(`as`, `request`, `expectedAudience`, `options?`): [`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`JWTAccessTokenClaims`](../interfaces/JWTAccessTokenClaims.md)\>

This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
compatible changes or removal may occur in any future release.

Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given Request as per
RFC 9068 and optionally also RFC 9449.

This does validate the presence and type of all required claims as well as the values of the
[`iss`](../interfaces/JWTAccessTokenClaims.md#iss), [`exp`](../interfaces/JWTAccessTokenClaims.md#exp),
[`aud`](../interfaces/JWTAccessTokenClaims.md#aud) claims.

This does NOT validate the [`sub`](../interfaces/JWTAccessTokenClaims.md#sub),
[`jti`](../interfaces/JWTAccessTokenClaims.md#jti), and [`client_id`](../interfaces/JWTAccessTokenClaims.md#client_id)
claims beyond just checking that they're present and that their type is a string. If you need to
validate these values further you would do so after this function's execution.

This does NOT validate the DPoP Proof JWT nonce. If your server indicates RS-provided nonces to
clients you would check these after this function's execution.

This does NOT validate authorization claims such as `scope` either, you would do so after this
function's execution.

#### Parameters

| Name | Type | Description |
| :------ | :------ | :------ |
| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server to accept JWT Access Tokens from. |
| `request` | [`Request`]( https://developer.mozilla.org/docs/Web/API/Request ) | |
| `expectedAudience` | `string` | Audience identifier the resource server expects for itself. |
| `options?` | [`ValidateJWTAccessTokenOptions`](../interfaces/ValidateJWTAccessTokenOptions.md) | |

#### Returns

[`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`JWTAccessTokenClaims`](../interfaces/JWTAccessTokenClaims.md)\>

**`See`**

- [RFC 9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://www.rfc-editor.org/rfc/rfc9068.html)
- [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html)
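Review bot: the Parameters table leaves `request` and `options?` without a description; say which parts of the Request are read (the Authorization header, and the DPoP header when RFC 9449 validation applies) and point `options?` at ValidateJWTAccessTokenOptions. The prose also names `iss`, `exp` and `aud` as the only claims whose values are checked; since `nbf` is an optional claim of JWTAccessTokenClaims and the options expose `clockTolerance`, state explicitly whether `nbf` is enforced when present. What the function throws or rejects with on failure is not documented either, and a resource server needs that to map validation errors to a 401 response.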
@@ -1,4 +1,4 @@
# Interface: IntrospectionConfirmationClaims
# Interface: ConfirmationClaims

[💗 Help the project](https://github.com/sponsors/panva)
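Review bot: renaming the exported interface `IntrospectionConfirmationClaims` to `ConfirmationClaims` removes a public type name, which breaks TypeScript consumers that import it, while package.json in this same commit still reads 2.7.0; unless the source keeps a deprecated alias (`type IntrospectionConfirmationClaims = ConfirmationClaims`), this should be called out as a breaking change or the alias retained for one release.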

@@ -10,8 +10,8 @@

### Properties

- [jkt](IntrospectionConfirmationClaims.md#jkt)
- [x5t#S256](IntrospectionConfirmationClaims.md#x5t#s256)
- [jkt](ConfirmationClaims.md#jkt)
- [x5t#S256](ConfirmationClaims.md#x5t#s256)

## Properties

2 changes: 2 additions & 0 deletions docs/interfaces/HttpRequestOptions.md
@@ -68,3 +68,5 @@ const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may
[`IntrospectionRequestOptions`](IntrospectionRequestOptions.md)

[`DeviceAuthorizationRequestOptions`](DeviceAuthorizationRequestOptions.md)

[`ValidateJWTAccessTokenOptions`](ValidateJWTAccessTokenOptions.md)
11 changes: 11 additions & 0 deletions docs/interfaces/IDToken.md
@@ -2,6 +2,10 @@

[💗 Help the project](https://github.com/sponsors/panva)

## Indexable

[claim: `string`]: [`JsonValue`](../types/JsonValue.md) \| `undefined`

## Table of contents

### Properties
@@ -13,6 +17,7 @@
- [sub](IDToken.md#sub)
- [auth\_time](IDToken.md#auth_time)
- [azp](IDToken.md#azp)
- [cnf](IDToken.md#cnf)
- [jti](IDToken.md#jti)
- [nbf](IDToken.md#nbf)
- [nonce](IDToken.md#nonce)
@@ -61,6 +66,12 @@ ___

___

### cnf

`Optional` `Readonly` **cnf**: [`ConfirmationClaims`](ConfirmationClaims.md)

___

### jti

`Optional` `Readonly` **jti**: `string`
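Review bot: the IDToken changes in this file (the new `[claim: string]` index signature and the optional `cnf` property) are not mentioned in the commit message, which only speaks of JWT access token validation; add a line to the message or changelog so consumers notice that IDToken's shape changed. The `cnf` section would also benefit from a sentence on which flows populate it, since the RFCs referenced in this commit (9068 and 9449) describe `cnf` for access tokens rather than ID Tokens.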
2 changes: 1 addition & 1 deletion docs/interfaces/IntrospectionResponse.md
@@ -53,7 +53,7 @@ ___

### cnf

`Optional` `Readonly` **cnf**: [`IntrospectionConfirmationClaims`](IntrospectionConfirmationClaims.md)
`Optional` `Readonly` **cnf**: [`ConfirmationClaims`](ConfirmationClaims.md)

___

81 changes: 81 additions & 0 deletions docs/interfaces/JWTAccessTokenClaims.md
@@ -0,0 +1,81 @@
# Interface: JWTAccessTokenClaims

[💗 Help the project](https://github.com/sponsors/panva)

## Indexable

[claim: `string`]: [`JsonValue`](../types/JsonValue.md) \| `undefined`

## Table of contents

### Properties

- [aud](JWTAccessTokenClaims.md#aud)
- [client\_id](JWTAccessTokenClaims.md#client_id)
- [exp](JWTAccessTokenClaims.md#exp)
- [iat](JWTAccessTokenClaims.md#iat)
- [iss](JWTAccessTokenClaims.md#iss)
- [jti](JWTAccessTokenClaims.md#jti)
- [sub](JWTAccessTokenClaims.md#sub)
- [cnf](JWTAccessTokenClaims.md#cnf)
- [nbf](JWTAccessTokenClaims.md#nbf)

## Properties

### aud

`Readonly` **aud**: `string` \| `string`[]

___

### client\_id

`Readonly` **client\_id**: `string`

___

### exp

`Readonly` **exp**: `number`

___

### iat

`Readonly` **iat**: `number`

___

### iss

`Readonly` **iss**: `string`

___

### jti

`Readonly` **jti**: `string`

___

### sub

`Readonly` **sub**: `string`

___

### cnf

`Optional` `Readonly` **cnf**: [`ConfirmationClaims`](ConfirmationClaims.md)

___

### nbf

`Optional` `Readonly` **nbf**: `number`

## Hierarchy

- `JWTPayload`

**`JWTAccessTokenClaims`**
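Review bot: the optional claims RFC 9068 allows beyond `nbf` and `cnf` (`auth_time`, `acr`, `amr` and the authorization claims such as `groups`, `roles` and `entitlements`) are only reachable through the `[claim: string]: JsonValue | undefined` index signature here, whereas IDToken types `auth_time` explicitly; consider adding `auth_time`, `acr` and `amr` as optional typed properties for parity. The Table of contents also lists `cnf` and `nbf` after `sub` rather than alphabetically; if the intent is required claims first, then optional ones, making that split explicit would read better.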
83 changes: 83 additions & 0 deletions docs/interfaces/ValidateJWTAccessTokenOptions.md
@@ -0,0 +1,83 @@
# Interface: ValidateJWTAccessTokenOptions

[💗 Help the project](https://github.com/sponsors/panva)

## Table of contents

### Experimental

- [[experimental\_customFetch]](ValidateJWTAccessTokenOptions.md#experimental_customfetch)

### Properties

- [[clockSkew]](ValidateJWTAccessTokenOptions.md#clockskew)
- [[clockTolerance]](ValidateJWTAccessTokenOptions.md#clocktolerance)
- [headers](ValidateJWTAccessTokenOptions.md#headers)
- [requireDPoP](ValidateJWTAccessTokenOptions.md#requiredpop)
- [signal](ValidateJWTAccessTokenOptions.md#signal)

## Experimental

### [experimental\_customFetch]

`Optional` **[experimental\_customFetch]**: (`input`: `RequestInfo` \| [`URL`]( https://developer.mozilla.org/docs/Web/API/URL ), `init?`: `RequestInit`) => [`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`Response`]( https://developer.mozilla.org/docs/Web/API/Response )\>

This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
compatible changes or removal may occur in any future release.

See [experimental_customFetch](../variables/experimental_customFetch.md) for its documentation.

## Properties

### [clockSkew]

`Optional` **[clockSkew]**: `number`

Same functionality as in [Client](Client.md)

___

### [clockTolerance]

`Optional` **[clockTolerance]**: `number`

Same functionality as in [Client](Client.md)

___

### headers

`Optional` **headers**: [`Record`]( https://www.typescriptlang.org/docs/handbook/utility-types.html#recordkeys-type )\<`string`, `string`\> \| [`string`, `string`][] \| [`Headers`]( https://developer.mozilla.org/docs/Web/API/Headers )

Headers to additionally send with the HTTP Request(s) triggered by this function's invocation.

___

### requireDPoP

`Optional` **requireDPoP**: `boolean`

Indicates whether DPoP use is required.

___

### signal

`Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/docs/Web/API/AbortSignal )

An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by
this function's invocation.

**`Example`**

A 5000ms timeout AbortSignal for every request

```js
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
```

## Hierarchy

- [`HttpRequestOptions`](HttpRequestOptions.md)

**`ValidateJWTAccessTokenOptions`**
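Review bot: `requireDPoP` is documented only as "Indicates whether DPoP use is required"; state its default and, more importantly, the behaviour when it is false but the access token carries `cnf.jkt` or the request carries a DPoP proof, i.e. whether the binding is still verified in that case. A resource server that accepts a DPoP-bound token under `requireDPoP: false` without checking the binding would lose the protection the binding exists to provide, so the doc should make that conditional path explicit. The `clockSkew` and `clockTolerance` entries that say "Same functionality as in Client" would also benefit from a sentence naming the claims they apply to here (`exp`, `nbf`, `iat`).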
2 changes: 2 additions & 0 deletions package.json
@@ -3,6 +3,7 @@
"version": "2.7.0",
"description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
"keywords": [
"access token",
"auth",
"authentication",
"authorization",
@@ -17,6 +18,7 @@
"electron",
"fapi",
"javascript",
"jwt",
"netlify",
"next",
"nextjs",