feat: update JWT Profile for OAuth 2.0 Access Tokens to latest draft
panva committed Mar 11, 2020
1 parent d661852 commit bc77a15
Showing 2 changed files with 4 additions and 28 deletions.
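--- a/lib/jwt/verify.js
+++ b/lib/jwt/verify.js
@@ -205,17 +205,10 @@ const checkAudiencePresence = (audPayload, audOption, profile) => {
 return audOption.includes(audPayload)
 }
 
-if (profile === ATJWT) {
-// reject if it contains additional audiences that are not known aliases of the resource
-// indicator of the current resource server
-audOption = new Set(audOption)
-return audPayload.every(Set.prototype.has.bind(audOption))
-} else {
-// Each principal intended to process the JWT MUST
-// identify itself with a value in the audience claim
-audPayload = new Set(audPayload)
-return audOption.some(Set.prototype.has.bind(audPayload))
-}
+// Each principal intended to process the JWT MUST
+// identify itself with a value in the audience claim
+audPayload = new Set(audPayload)
+return audOption.some(Set.prototype.has.bind(audPayload))
 }
 
 module.exports = (token, key, options = {}) => {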
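Review bot: The `profile` parameter of checkAudiencePresence is no longer read anywhere in this hunk once the `ATJWT` branch is removed; the function's head lies above the hunk, so it may still be consulted there, but if it is not, both the parameter and the `ATJWT` binding it was compared against are now dead and should go with this change. The surviving branch also reassigns the `audPayload` argument before the `some` check; `const payloadAud = new Set(audPayload)` followed by `return audOption.some((aud) => payloadAud.has(aud))` keeps the parameter intact and reads more directly than the bound prototype method. Because the stricter every-audience-must-be-a-known-alias rule for at+JWT was dropped to follow the newer draft (per the commit title), a comment such as `// at+JWT tokens may carry audiences beyond this RS; only the current RS must be named in "aud"` would keep a future reader from reinstating it as a bug fix.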
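--- a/test/jwt/verify.test.js
+++ b/test/jwt/verify.test.js
@@ -761,23 +761,6 @@ test('must be a supported value', t => {
 t.is(err.reason, 'missing')
 })
 
-test('profile=at+JWT mandates that all known aliases of the current RS are provided as the audience option', t => {
-const err = t.throws(() => {
-JWT.verify(
-JWT.sign({ client_id: 'client_id' }, key, { expiresIn: '10m', subject: 'subject', issuer: 'issuer', audience: ['RS-alias1', 'RS-alias2'], header: { typ: 'at+JWT' } }),
-key,
-{ profile: 'at+JWT', issuer: 'issuer', audience: ['RS-alias1'] }
-)
-}, { instanceOf: errors.JWTClaimInvalid, message: 'unexpected "aud" claim value' })
-t.is(err.claim, 'aud')
-t.is(err.reason, 'check_failed')
-JWT.verify(
-JWT.sign({ client_id: 'client_id' }, key, { expiresIn: '10m', subject: 'subject', issuer: 'issuer', audience: ['RS-alias1', 'RS-alias2'], header: { typ: 'at+JWT' } }),
-key,
-{ profile: 'at+JWT', issuer: 'issuer', audience: ['RS-alias1', 'RS-alias2'] }
-)
-})
-
 test('profile=at+JWT mandates client_id to be present', t => {
 const err = t.throws(() => {
 JWT.verify(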
