From 3c548e4a3895fc8fcac334d600c88dcdd179bc8a Mon Sep 17 00:00:00 2001
From: tigerbot
Date: Thu, 20 Jul 2017 11:34:33 -0600
Subject: [PATCH] allowing issuer's public key to be retrieved for any user

---
 README.md |  2 +-
 rest.js   | 31 +++++++++++++++++--------------
 2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index bedd237..76565db 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ api: api.:hostname
 authorization_dialog #/authorization_dialog
 logout #/logout
 create_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
-jwks: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json
+retrieve_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json
 grants: :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp?
 credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
 credential_otp: :scheme//:hostname/api/issuer@oauth3.org/otp
diff --git a/rest.js b/rest.js
index 472b623..a3e6423 100644
--- a/rest.js
+++ b/rest.js
@@ -92,24 +92,26 @@ module.exports.create = function (bigconf, deps, app) {
   };
 
   Jwks.restful.get = function (req, res) {
-    var store;
     // The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so
     // we need to look up the issuer PPID using the 3rd party PPID.
-    var promise = req.getSiteStore().then(function (_store) {
-      store = _store;
-      return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub });
-    }).then(function (results) {
-      if (!results.length) {
-        throw new Error("unknown PPID '"+req.params.sub+"'");
-      }
-      if (results.length > 1) {
-        // This should not ever happen since there is a check for PPID collisions when saving
-        // grants, but it's probably better to have this check anyway just incase something
-        // happens that isn't currently accounted for.
-        throw new Error('PPID collision - unable to safely retrieve keys');
+    var promise = req.getSiteStore().then(function (store) {
+      if (req.params.kid === req.experienceId) {
+        return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
       }
 
-      return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+      return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
+        if (!results.length) {
+          throw new Error("unknown PPID '"+req.params.sub+"'");
+        }
+        if (results.length > 1) {
+          // This should not ever happen since there is a check for PPID collisions when saving
+          // grants, but it's probably better to have this check anyway just incase something
+          // happens that isn't currently accounted for.
+          throw new Error('PPID collision - unable to safely retrieve keys');
+        }
+
+        return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+      });
     }).then(function (jwk) {
       if (!jwk) {
         throw new Error("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);
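Review bot: The new issuer branch reads a record from `store.IssuerOauth3OrgPrivateKeys` on a GET route that the second hunk registers ahead of the `authorizeIssuer` middleware, so that record flows into the same `.then(function (jwk) {...})` chain that serves ordinary public JWKs; if the stored object still carries the private members (`d`, `p`, `q`, `dp`, `dq`, `qi`), the endpoint would hand the issuer's signing key to any unauthenticated caller. The hunk does not show how `jwk` is written to `res`, so the stripping may already happen further down — if it does not, reduce the record to its public members inside this branch before returning it, and say so in a comment, since the store's name is the only hint that the two branches return different kinds of objects. Note also that `req.params.sub` is neither checked nor used when `kid` equals `req.experienceId`, so any `:sub` path value selects the issuer key, which may be intended given the commit title but is worth a one-line comment. `Jwks.restful.get` continues past the end of the hunk.
```javascript
  // Only the public members of a JWK may leave the private-key store on this
  // unauthenticated route; never forward the record as stored.
  function toPublicJwk(key) {
    if (!key) { return key; }
    var pub = {};
    ['kty', 'kid', 'use', 'alg', 'key_ops', 'n', 'e', 'crv', 'x', 'y'].forEach(function (name) {
      if (name in key) { pub[name] = key[name]; }
    });
    return pub;
  }

  Jwks.restful.get = function (req, res) {
    // … unchanged: PPID lookup comment …
    var promise = req.getSiteStore().then(function (store) {
      // The issuer's own key is addressed by its experienceId regardless of :sub.
      if (req.params.kid === req.experienceId) {
        return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId).then(toPublicJwk);
      }
      // … unchanged: grant lookup and IssuerOauth3OrgJwks.get …
```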
@@ -272,6 +274,7 @@ module.exports.create = function (bigconf, deps, app) {
   };
 
   app.get( '/jwks/:sub/:kid.json', Jwks.restful.get);
+  app.get( '/jwks/:sub/:kid', Jwks.restful.get);
   // Everything but getting keys is only for the issuer
   app.use( '/jwks/:sub', authorizeIssuer, attachSiteStore.bind(null, 'IssuerOauth3OrgJwks'));
   app.post( '/jwks/:sub', Jwks.restful.saveNew);
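Review bot: The added `app.get('/jwks/:sub/:kid', ...)` is only unauthenticated because it is registered before the `app.use('/jwks/:sub', authorizeIssuer, ...)` line below it, and nothing in the code records that this ordering is load-bearing; a later reshuffle that moves the `app.use` up would silently put the public-key lookup behind issuer auth, or moving either `app.get` down would silently expose nothing but also break clients. Suggest stating it next to the routes, e.g. `// Both GET forms are public and must stay above the authorizeIssuer middleware below.`, and the README hunk documents only the `.json` form, so the suffix-less route should be noted there or in the same comment as the reason both exist.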