From c0ad5f19fcf582dbc7aeba704df168f49a6c1fd2 Mon Sep 17 00:00:00 2001 From: tigerbot Date: Tue, 1 Aug 2017 10:16:09 -0600 Subject: [PATCH] made it possible to retrieve keys using publisher's `sub` as well --- README.md | 10 +++++----- jwks.js | 30 ++++++++++++++++++++---------- 2 files changed, 25 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 76565db..bd0b68a 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ issuer components are these: api: api.:hostname authorization_dialog #/authorization_dialog logout #/logout -create_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub +publish_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub retrieve_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json grants: :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp? credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id @@ -40,9 +40,9 @@ And here are some others that are useful, but could be implemented differently without breaking the protocol. ``` -credential_create: :scheme//:hostname/api/issuer@oauth3.org/logins -credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id -credential_otp: :scheme//:hostname/api/issuer@oauth3.org/otp +credential_create: :scheme//:hostname/api/issuer@oauth3.org/logins +credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id +credential_otp: :scheme//:hostname/api/issuer@oauth3.org/otp ``` subject @@ -72,7 +72,7 @@ devices. This requires having a place to store the public half of those keys on a server that can then server the public keys to resource providers for signature verification. -### Saving a JWK ### +### Publishing a JWK ### * **URL** `:scheme//:hostname/api/issuer@oauth3.org/jwks/:sub` * **Method** `POST` * **Url Params** diff --git a/jwks.js b/jwks.js index cd69d34..1e4bde6 100644 --- a/jwks.js +++ b/jwks.js 
@@ -43,18 +43,27 @@ function create(app) {
       return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
     }
 
-    return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
-      if (!results.length) {
-        throw new OpErr("unknown PPID '"+req.params.sub+"'");
-      }
-      if (results.length > 1) {
-        // This should not ever happen since there is a check for PPID collisions when saving
-        // grants, but it's probably better to have this check anyway just incase something
-        // happens that isn't currently accounted for.
-        throw new OpErr('PPID collision - unable to safely retrieve keys');
+    // First we check to see if the key is being requested by the `sub` that we as the issuer use
+    // to identify the user, and if not then we need to look up the specified `sub` to see if
+    // we can determine which (if any) account it's associated with.
+    return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) {
+      if (jwk) {
+        return jwk;
       }
-      return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+      return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
+        if (!results.length) {
+          throw new OpErr("unknown PPID '"+req.params.sub+"'");
+        }
+        if (results.length > 1) {
+          // This should not ever happen since there is a check for PPID collisions when saving
+          // grants, but it's probably better to have this check anyway just incase something
+          // happens that isn't currently accounted for.
+          throw new OpErr('PPID collision - unable to safely retrieve keys');
+        }
+
+        return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
+      });
     });
   }).then(function (jwk) {
     if (!jwk) {
@@ -103,4 +112,5 @@ function create(app) {
   };
 }
 
+module.exports.thumbprint = thumbprint;
 module.exports.create = create;
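Review bot: The new first lookup `store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid)` treats the caller-supplied `:sub` as an issuer-internal subject and returns whatever it finds, so when the same string is also another account's PPID (`azpSub`) the grants resolution that follows is never reached and the wrong account's public key is served for that PPID. If subjects can be chosen by users this would let an account register a sub equal to a victim's PPID and have its own key accepted as the verifier for the victim's tokens; whether subs are user-chosen is not visible in this hunk, so treat that as a hypothesis to confirm. The code already refuses to guess on PPID collisions (`throw new OpErr('PPID collision - unable to safely retrieve keys')`), and the same caution should apply across the two identifier spaces: resolve both and error when they point at different accounts, as sketched below. At minimum the new comment should state that a direct hit on the issuer sub wins over any PPID of the same name. The enclosing request handler and `create(app)` start and end outside the hunk.
```javascript
    // Resolve `:sub` as both an issuer sub and a PPID; refuse if the two disagree.
    return Promise.all([
      store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid),
      store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub })
    ]).then(function (found) {
      var direct = found[0];
      var results = found[1];
      if (direct && results.length && results[0].sub !== req.params.sub) {
        throw new OpErr("ambiguous sub '"+req.params.sub+"' - unable to safely retrieve keys");
      }
      if (direct) {
        return direct;
      }
      // … unchanged: unknown-PPID / PPID-collision errors and the results[0].sub key fetch …
    });
```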