made it possible to retrieve keys using publisher's `sub` as well

2017-08-01 10:16:09 -06:00 · 2017-08-01 10:16:09 -06:00 · c0ad5f19fc
parent 67c8ba56e1
commit c0ad5f19fc
2 changed files with 25 additions and 15 deletions
--- a/README.md
+++ b/README.md
@ -20,7 +20,7 @@ issuer components are these:
 api:                    api.:hostname
 authorization_dialog    #/authorization_dialog
 logout                  #/logout
-create_jwk:             :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
+publish_jwk:            :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
 retrieve_jwk:           :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json
 grants:                 :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp?
 credential_meta:        :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
@ -40,9 +40,9 @@ And here are some others that are useful, but could be implemented differently
 without breaking the protocol.

 ```
-credential_create: :scheme//:hostname/api/issuer@oauth3.org/logins
-credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
-credential_otp: :scheme//:hostname/api/issuer@oauth3.org/otp
+credential_create:  :scheme//:hostname/api/issuer@oauth3.org/logins
+credential_meta:    :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
+credential_otp:     :scheme//:hostname/api/issuer@oauth3.org/otp
 ```

 subject
@ -72,7 +72,7 @@ devices. This requires having a place to store the public half of those keys
 on a server that can then server the public keys to resource providers for
 signature verification.

-### Saving a JWK ###
+### Publishing a JWK ###
  * **URL** `:scheme//:hostname/api/issuer@oauth3.org/jwks/:sub`
  * **Method** `POST`
  * **Url Params**
--- a/jwks.js
+++ b/jwks.js
@ -43,18 +43,27 @@ function create(app) {
        return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
      }

-      return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
-        if (!results.length) {
-          throw new OpErr("unknown PPID '"+req.params.sub+"'");
-        }
-        if (results.length > 1) {
-          // This should not ever happen since there is a check for PPID collisions when saving
-          // grants, but it's probably better to have this check anyway just incase something
-          // happens that isn't currently accounted for.
-          throw new OpErr('PPID collision - unable to safely retrieve keys');
+      // First we check to see if the key is being requested by the `sub` that we as the issuer use
+      // to identify the user, and if not then we need to look up the specified `sub` to see if
+      // we can determine which (if any) account it's associated with.
+      return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) {
+        if (jwk) {
+          return jwk;
        }

-        return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+        return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
+          if (!results.length) {
+            throw new OpErr("unknown PPID '"+req.params.sub+"'");
+          }
+          if (results.length > 1) {
+            // This should not ever happen since there is a check for PPID collisions when saving
+            // grants, but it's probably better to have this check anyway just incase something
+            // happens that isn't currently accounted for.
+            throw new OpErr('PPID collision - unable to safely retrieve keys');
+          }
+
+          return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+        });
      });
    }).then(function (jwk) {
      if (!jwk) {
@ -103,4 +112,5 @@ function create(app) {
  };
 }

+module.exports.thumbprint = thumbprint;
 module.exports.create = create;