Allow UA to submit arbitrary claims to assertion

seanmonstar · Oct 15, 2013 · 991c65f · 991c65f
1 parent dec5a57
commit 991c65f
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/resources/static/common/js/models/rp_info.js b/resources/static/common/js/models/rp_info.js
@@ -32,6 +32,7 @@ BrowserID.Models.RpInfo = (function() {
     returnTo: und,
     issuer: 'default',
     emailHint: und,
+    userAssertedClaims: und,
 
     init: function(options) {
       var self = this;
@@ -47,7 +48,8 @@ BrowserID.Models.RpInfo = (function() {
         'termsOfService',
         'allowUnverified',
         'returnTo',
-        'emailHint'
+        'emailHint',
+        'userAssertedClaims'
         );
 
       if (options.forceIssuer) self.issuer = options.forceIssuer;
@@ -108,6 +110,10 @@ BrowserID.Models.RpInfo = (function() {
 
     getEmailHint: function() {
       return this.emailHint;
+    },
+
+    getUserAssertedClaims: function() {
+      return this.userAssertedClaims;
     }
   });
 

diff --git a/resources/static/common/js/user.js b/resources/static/common/js/user.js
@@ -1277,6 +1277,7 @@ BrowserID.User = (function() {
     getAssertion: function(email, audience, onComplete, onFailure) {
       var issuer = User.rpInfo.getIssuer(),
           storedID = storage.getEmail(email, issuer),
+          userAssertedClaims = User.rpInfo.getUserAssertedClaims() || {},
           assertion;
 
       function createAssertion(idInfo) {
@@ -1295,7 +1296,7 @@ BrowserID.User = (function() {
             // raise "script has become unresponsive" errors.
             setTimeout(function() {
               jwcrypto.assertion.sign(
-                {}, {audience: audience, expiresAt: expirationDate},
+                userAssertedClaims, {audience: audience, expiresAt: expirationDate},
                 sk,
                 function(err, signedAssertion) {
                   assertion = jwcrypto.cert.bundle([idInfo.cert], signedAssertion);

diff --git a/resources/static/dialog/js/modules/validate_rp_params.js b/resources/static/dialog/js/modules/validate_rp_params.js
@@ -120,6 +120,21 @@ BrowserID.Modules.ValidateRpParams = (function() {
             "experimental_emailHint");
       }
 
+      // additional features available only to internal/native consumers
+      if (isInternalRPAPI(params)) {
+        // userAssertedClaims allows a user agent to include additional
+        // claims in the generated assertion. Note that these claims are
+        // asserted by the user, not the IdP, so RP must not use them for
+        // positive access grants. They may be used for negative access
+        // grants or additional attributes that need to be authenticated,
+        // such as key exchange.
+        if (paramsFromRP.experimental_userAssertedClaims) {
+          params.userAssertedClaims = validateUserAssertedClaims(
+              paramsFromRP.experimental_userAssertedClaims,
+              "experimental_userAssertedClaims");
+        }
+      }
+
       if (hash.indexOf("#AUTH_RETURN") === 0) {
         var primaryParams = storage.idpVerification.get();
         if (!primaryParams)
@@ -288,6 +303,10 @@ BrowserID.Modules.ValidateRpParams = (function() {
     return rpAPI;
   }
 
+  function isInternalRPAPI(params) {
+    return (params.rpAPI === "internal");
+  }
+
   function validateStartTime(startTime) {
     var parsedTime = parseInt(startTime, 10);
     if (typeof parsedTime !== "number" || isNaN(parsedTime)) {
@@ -313,6 +332,14 @@ BrowserID.Modules.ValidateRpParams = (function() {
     return email;
   }
 
+  function validateUserAssertedClaims(claims, name) {
+    if (typeof claims !== "object") {
+      throw new Error("invalid value for " + name + ": " + claims);
+    }
+
+    return claims;
+  }
+
   return Module;
 
 }());