coolaj86/issuer.rest.walnut.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

made it possible to retrieve keys using publisher's sub as well

Browse Source
This commit is contained in:
tigerbot 2017-08-01 10:16:09 -06:00
parent 67c8ba56e1
commit c0ad5f19fc
2 changed files with 25 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -20,7 +20,7 @@ issuer components are these:
api: api.:hostname api: api.:hostname
authorization_dialog #/authorization_dialog authorization_dialog #/authorization_dialog
logout #/logout logout #/logout
create_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub publish_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub
retrieve_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json retrieve_jwk: :scheme//:hostname/api/issuer@oauth3.org/jwks/:sub/:kid.json
grants: :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp? grants: :scheme//:hostname/api/issuer@oauth3.org/grants/:sub/:azp?
credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id credential_meta: :scheme//:hostname/api/issuer@oauth3.org/logins/meta/:type/:id
@ -72,7 +72,7 @@ devices. This requires having a place to store the public half of those keys
on a server that can then server the public keys to resource providers for on a server that can then server the public keys to resource providers for
signature verification. signature verification.
### Saving a JWK ### ### Publishing a JWK ###
* **URL** `:scheme//:hostname/api/issuer@oauth3.org/jwks/:sub` * **URL** `:scheme//:hostname/api/issuer@oauth3.org/jwks/:sub`
* **Method** `POST` * **Method** `POST`
* **Url Params** * **Url Params**

10
jwks.js
View File

@ -43,6 +43,14 @@ function create(app) {
return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId); return store.IssuerOauth3OrgPrivateKeys.get(req.experienceId);
} }
// First we check to see if the key is being requested by the `sub` that we as the issuer use
// to identify the user, and if not then we need to look up the specified `sub` to see if
// we can determine which (if any) account it's associated with.
return store.IssuerOauth3OrgJwks.get(req.params.sub+'/'+req.params.kid).then(function (jwk) {
if (jwk) {
return jwk;
}
return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) { return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub }).then(function (results) {
if (!results.length) { if (!results.length) {
throw new OpErr("unknown PPID '"+req.params.sub+"'"); throw new OpErr("unknown PPID '"+req.params.sub+"'");
@ -56,6 +64,7 @@ function create(app) {
return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid); return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
}); });
});
}).then(function (jwk) { }).then(function (jwk) {
if (!jwk) { if (!jwk) {
throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub); throw new OpErr("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);
@ -103,4 +112,5 @@ function create(app) {
}; };
} }
module.exports.thumbprint = thumbprint;
module.exports.create = create; module.exports.create = create;