allowing issuer's public key to be retrieved for any user

2017-07-20 11:34:33 -06:00 · 2017-07-20 11:34:33 -06:00 · 3c548e4a38
parent c03f380e8d
commit 3c548e4a38
2 changed files with 18 additions and 15 deletions
--- a/README.md
+++ b/README.md
@ -21,7 +21,7 @@ api:                    api.:hostname
 authorization_dialog    #/authorization_dialog
 logout                  #/logout
 create_jwk:             :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
-jwks:                   :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json
+retrieve_jwk:           :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json
 grants:                 :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp?
 credential_meta:        :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
 credential_otp:         :scheme//:hostname/api/issuer@oauth3.org/otp
--- a/rest.js
+++ b/rest.js
@ -92,24 +92,26 @@ module.exports.create = function (bigconf, deps, app) {
  };

  Jwks.restful.get = function (req, res) {
-    var store;
    // The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so
    // we need to look up the issuer PPID using the 3rd party PPID.
-    var promise = req.getSiteStore().then(function (_store) {
-      store = _store;
-      return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub });
-    }).then(function (results) {
-      if (!results.length) {
-        throw new Error("unknown PPID '"+req.params.sub+"'");
-      }
-      if (results.length > 1) {
-        // This should not ever happen since there is a check for PPID collisions when saving
-        // grants, but it's probably better to have this check anyway just incase something
-        // happens that isn't currently accounted for.
-        throw new Error('PPID collision - unable to safely retrieve keys');
+    var promise = req.getSiteStore().then(function (store) {
+      if (req.params.kid === req.experienceId) {
+        return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
      }

-      return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+      return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
+        if (!results.length) {
+          throw new Error("unknown PPID '"+req.params.sub+"'");
+        }
+        if (results.length > 1) {
+          // This should not ever happen since there is a check for PPID collisions when saving
+          // grants, but it's probably better to have this check anyway just incase something
+          // happens that isn't currently accounted for.
+          throw new Error('PPID collision - unable to safely retrieve keys');
+        }
+
+        return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+      });
    }).then(function (jwk) {
      if (!jwk) {
        throw new Error("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);
@ -272,6 +274,7 @@ module.exports.create = function (bigconf, deps, app) {
  };

  app.get(   '/jwks/:sub/:kid.json', Jwks.restful.get);
+  app.get(   '/jwks/:sub/:kid',      Jwks.restful.get);
  // Everything but getting keys is only for the issuer
  app.use(   '/jwks/:sub', authorizeIssuer, attachSiteStore.bind(null, 'IssuerOauth3OrgJwks'));
  app.post(  '/jwks/:sub', Jwks.restful.saveNew);