import EmbeddedJWK from "jose/jwk/embedded";
import calculateThumbprint from "jose/jwk/thumbprint";
import jwtVerify from "jose/jwt/verify";
import { asserts } from "ts-guards";
import { isDPoPBoundAccessTokenPayload, isDPoPToken } from "../guards";
import type {
AccessToken,
DPoPToken,
JTICheckFunction,
RequestMethod,
} from "../types";
import { asymetricCryptographicAlgorithm } from "../types";
import { clockToleranceInSeconds, maxAgeInMilliseconds } from "./Defaults";
/**
 * Checks that an already signature-verified DPoP proof is bound to the given
 * access token and to the request it accompanies.
 *
 * @param accessToken - Access token whose `cnf.jkt` claim must equal the
 *   thumbprint of the key embedded in the proof header.
 * @param dpop - Proof whose JWS signature has already been verified.
 * @param method - HTTP method the proof must be bound to (`htm`).
 * @param url - Request URL the proof must be bound to (`htu`). Compared by
 *   exact string equality, so the caller has to supply it in the same form
 *   the proof issuer used (the draft defines `htu` without query and
 *   fragment parts) — confirm at the call site.
 * @param isDuplicateJTI - Replay check for the proof's `jti`; must return
 *   `false` for an id that has not been seen before. Whether it also records
 *   the id is up to the implementation supplied by the caller.
 * @throws when any assertion fails: missing `cnf`, thumbprint mismatch,
 *   wrong method or URL, or a replayed `jti`.
 */
async function isValidProof(
  accessToken: AccessToken,
  dpop: DPoPToken,
  method: RequestMethod,
  url: string,
  isDuplicateJTI: JTICheckFunction
): Promise<void> {
  // The access token must carry a confirmation claim. The guard from
  // ../guards is presumably an assertion that narrows `payload.cnf`.
  asserts.isObjectPropertyOf(accessToken.payload, "cnf");
  isDPoPBoundAccessTokenPayload(accessToken.payload);

  /*
   * Key binding: "jkt" MUST be the base64url JWK SHA-256 Thumbprint
   * (RFC 7638) of the public key the access token is bound to. jose's
   * calculateThumbprint defaults to SHA-256, which is what the draft asks for.
   * https://tools.ietf.org/html/draft-fett-oauth-dpop-04#section-7
   */
  const proofKeyThumbprint = await calculateThumbprint(dpop.header.jwk);
  const boundKeyThumbprint = accessToken.payload.cnf.jkt;
  asserts.isLiteral(proofKeyThumbprint, boundKeyThumbprint);

  // Request binding: method, URL and a never-before-seen token id.
  const { htm, htu, jti } = dpop.payload;
  asserts.isLiteral(htm, method);
  asserts.isLiteral(htu, url);
  asserts.isLiteral(isDuplicateJTI(jti), false);
}
/**
 * Verifies a DPoP proof and its binding to an access token and request.
 *
 * What is checked:
 * - the JWS signature validates under the JWK embedded in the proof's own
 *   header (`EmbeddedJWK`); the proof is self-signed by design, and the
 *   binding to a known key is established afterwards via `cnf.jkt`;
 * - `alg` is one of the configured asymmetric algorithms;
 * - `typ` is `dpop+jwt`;
 * - `iat` is neither older than the configured max age nor further in the
 *   future than the clock tolerance (jose's `maxTokenAge` makes `iat`
 *   mandatory, which is why `exp` is not relied on here);
 * - the proof is bound to `accessToken`'s `cnf.jkt`, to `method` and `url`,
 *   and its `jti` has not been seen before (see `isValidProof`).
 *
 * NOTE(review): jose's `EmbeddedJWK` is expected to reject a `jwk` header
 * that carries private key material — confirm for the jose version in use.
 *
 * @param dpopHeader - Raw compact JWS taken from the `DPoP` HTTP header.
 * @param accessToken - Access token the proof must be bound to.
 * @param method - HTTP method of the current request.
 * @param url - URL of the current request (compared exactly against `htu`).
 * @param isDuplicateJTI - Replay check for the proof's `jti`.
 * @returns The verified proof: protected header, payload and the raw
 *   signature segment of the compact serialisation.
 * @throws on any signature, claim or binding failure.
 */
export async function verify(
  dpopHeader: string,
  accessToken: AccessToken,
  method: RequestMethod,
  url: string,
  isDuplicateJTI: JTICheckFunction
): Promise<DPoPToken> {
  const verifyOptions = {
    typ: "dpop+jwt",
    algorithms: Array.from(asymetricCryptographicAlgorithm),
    maxTokenAge: `${maxAgeInMilliseconds / 1000}s`,
    clockTolerance: `${clockToleranceInSeconds}s`,
  };
  const verified = await jwtVerify(dpopHeader, EmbeddedJWK, verifyOptions);

  // Third segment of the compact serialisation is the signature.
  const [, , signature] = dpopHeader.split(".");
  const dpop = {
    header: verified.protectedHeader,
    payload: verified.payload,
    signature,
  };

  // Presumably an assertion guard narrowing `dpop` to DPoPToken (see ../guards).
  isDPoPToken(dpop);
  await isValidProof(accessToken, dpop, method, url, isDuplicateJTI);
  return dpop;
}