Adding access_token validation for RS256 id_token's #709

Merged
merged 4 commits into from
Mar 22, 2018

@luisrudge luisrudge commented Mar 15, 2018

No description provided.

@luisrudge luisrudge added this to the v9.4.0 milestone Mar 15, 2018
@@ -5,11 +5,11 @@ function buildResponse(error, description) {
};
}

function invalidJwt(description) {
function invalidToken(description) {
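
Review bot: renaming invalidJwt to invalidToken at the definition means every call site in this file has to change in the same commit; the hunk shows only the definition, so check that no invalidJwt reference is left behind. If the new name is meant to cover access_token failures as well as id_token ones, a one-line comment above the function saying so would help the next reader.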

Contributor

can this be considered a breaking change?

Contributor Author

nope. not a public method. just used internally.

@@ -307,6 +317,75 @@ describe('auth0.WebAuth', function() {
}
); // eslint-disable-line
});
it('should return the id_token payload when there is no access_token', function(done) {
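
Review bot: the test title 'should return the id_token payload when there is no access_token' does not say which signing algorithm the id_token uses, while the PR title scopes the new check to RS256 id_tokens. State the algorithm in the title, and consider a case for a non-RS256 id_token with an access_token present so the behaviour outside that scope is pinned down.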

Contributor

shouldn't the payload also be returned when there's a VALID access token? That's the missing test case IMO, even if it's 95% similar to this

}
); // eslint-disable-line
});
it('should return the id_token payload when there is an access_token', function(done) {

Contributor

when there is a valid access_token

}
); // eslint-disable-line
});
it('should validate an access_token when available', function(done) {

Contributor

I don't know if you are using the same convention somewhere, but I'd say:

should throw a token validation error when the access_token is available but not valid

Contributor Author

image

@lbalmaceda lbalmaceda left a comment

👍

@luisrudge luisrudge merged commit 9a52fcd into master Mar 22, 2018
@luisrudge luisrudge deleted the feature-validate-at-token branch March 22, 2018 18:48