diff --git a/jwks.js b/jwks.js index 1e4bde6..c769f09 100644 --- a/jwks.js +++ b/jwks.js @@ -33,58 +33,63 @@ function thumbprint(jwk) { return PromiseA.resolve(makeB64UrlSafe(hash)); } +function sanitizeJwk(jwk) { + // We need to sanitize the key to make sure we don't deliver any private keys fields if + // we were given a key we could use to sign tokens on behalf of the user. We also don't + // want to deliver the sub or any other PPIDs. + var whitelist = ['kty', 'alg', 'kid', 'use']; + if (jwk.kty === 'EC') { + whitelist = whitelist.concat(['crv', 'x', 'y']); + } else if (jwk.kty === 'RSA') { + whitelist = whitelist.concat(['e', 'n']); + } + + var result = {}; + whitelist.forEach(function (key) { + result[key] = jwk[key]; + }); + return result; +} + function create(app) { var restful = {}; + + async function getRawKey(req) { + var store = await req.getSiteStore(); + + if (req.params.kid === req.experienceId) { + return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId); + } + + // The keys are stored by the issuer PPID, but the sub we have might be a different PPID + // for a 3rd party. As such we need to look up the subject in the grants to get the issuer + // PPID and to make sure there wasn't some kind of error that allowed multiple users to + // somehow use the same PPID. + var results = await Promise.all([ + store.IssuerOauth3OrgGrants.find({ sub: req.params.sub }), + store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }), + ]); + var subList = [].concat.apply([], results).map(grant => grant.sub); + subList = subList.filter((sub, ind, list) => list.indexOf(sub) === ind); + if (!subList.length) { + throw new OpErr("unknown PPID '" + req.params.sub + "'"); + } + if (subList.length > 1) { + // This should not ever happen since there is a check for PPID collisions when saving + // grants, but it's probably better to have this check anyway just incase something + // happens that isn't currently accounted for. + throw new OpErr('PPID collision - unable to safely retrieve keys'); + } + + return store.IssuerOauth3OrgJwks.get(subList[0] + '/' + req.params.kid); + } + restful.get = function (req, res) { - // The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so - // we need to look up the issuer PPID using the 3rd party PPID. - var promise = req.getSiteStore().then(function (store) { - if (req.params.kid === req.experienceId) { - return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId); - } - - // First we check to see if the key is being requested by the `sub` that we as the issuer use - // to identify the user, and if not then we need to look up the specified `sub` to see if - // we can determine which (if any) account it's associated with. - return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) { - if (jwk) { - return jwk; - } - - return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) { - if (!results.length) { - throw new OpErr("unknown PPID '"+req.params.sub+"'"); - } - if (results.length > 1) { - // This should not ever happen since there is a check for PPID collisions when saving - // grants, but it's probably better to have this check anyway just incase something - // happens that isn't currently accounted for. - throw new OpErr('PPID collision - unable to safely retrieve keys'); - } - - return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid); - }); - }); - }).then(function (jwk) { + var promise = PromiseA.resolve(getRawKey(req)).then(function (jwk) { if (!jwk) { throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub); } - - // We need to sanitize the key to make sure we don't deliver any private keys fields if - // we were given a key we could use to sign tokens on behalf of the user. We also don't - // want to deliver the sub or any other PPIDs. - var whitelist = [ 'kty', 'alg', 'kid', 'use' ]; - if (jwk.kty === 'EC') { - whitelist = whitelist.concat([ 'crv', 'x', 'y' ]); - } else if (jwk.kty === 'RSA') { - whitelist = whitelist.concat([ 'e', 'n' ]); - } - - var result = {}; - whitelist.forEach(function (key) { - result[key] = jwk[key]; - }); - return result; + return sanitizeJwk(jwk); }); app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK");