feat: enable customizing client auth jwt assertion expected audience

panva · Apr 1, 2021 · e6286a6 · e6286a6
1 parent d26fc27
commit e6286a6
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 10 deletions.
diff --git a/lib/actions/authorization/index.js b/lib/actions/authorization/index.js
@@ -113,7 +113,7 @@ module.exports = function authorizationAction(provider, endpoint) {
   use(() => deviceUserFlow.bind(undefined, allowList),                CV, DR     );
   use(() => parseBody,                                      A, DA,            PAR);
   if (authRequired.has(endpoint)) {
-    const { params: authParams, middleware: tokenAuth } = getTokenAuth(provider, 'token', endpoint);
+    const { params: authParams, middleware: tokenAuth } = getTokenAuth(provider, 'token');
     use(() => paramsMiddleware.bind(undefined, authParams),    DA,            PAR);
     tokenAuth.forEach((tokenAuthMiddleware) => {
       use(() => tokenAuthMiddleware,                           DA,            PAR);

diff --git a/lib/helpers/oidc_context.js b/lib/helpers/oidc_context.js
@@ -125,6 +125,10 @@ module.exports = function getContext(provider) {
       return requestParamClaims;
     }
 
+    clientJwtAuthExpectedAudience() {
+      return new Set([this.issuer, this.urlFor('token'), this.urlFor(this.route)]);
+    }
+
     get requestParamScopes() {
       return new Set(this.params.scope ? this.params.scope.split(' ') : undefined);
     }

diff --git a/lib/shared/token_auth.js b/lib/shared/token_auth.js
@@ -14,8 +14,8 @@ function decodeAuthToken(token) {
   return decodeURIComponent(token.replace(/\+/g, '%20'));
 }
 
-module.exports = function tokenAuth(provider, endpoint, jwtAuthEndpointIdentifier = endpoint) {
-  const tokenJwtAuth = getJWTAuthMiddleware(provider, jwtAuthEndpointIdentifier);
+module.exports = function tokenAuth(provider, endpoint) {
+  const tokenJwtAuth = getJWTAuthMiddleware(provider);
   const authParams = new Set(['client_id']);
 
   instance(provider).configuration(`${endpoint}EndpointAuthMethods`).forEach((method) => {

diff --git a/lib/shared/token_jwt_auth.js b/lib/shared/token_jwt_auth.js
@@ -2,14 +2,9 @@ const { InvalidClientAuth } = require('../helpers/errors');
 const instance = require('../helpers/weak_cache');
 const JWT = require('../helpers/jwt');
 
-module.exports = function getTokenJwtAuth(provider, endpoint) {
+module.exports = function getTokenJwtAuth(provider) {
   return async function tokenJwtAuth(ctx, keystore, algorithms) {
-    // Interoperability
-    const acceptedAud = new Set([provider.issuer, ctx.oidc.urlFor('token')]);
-    if (endpoint !== 'token') {
-      acceptedAud.add(ctx.oidc.urlFor(endpoint));
-    }
-
+    const acceptedAud = ctx.oidc.clientJwtAuthExpectedAudience();
     const { header, payload } = JWT.decode(ctx.oidc.params.client_assertion);
 
     if (!algorithms.includes(header.alg)) {