From 02bb01fdf4f2f697813d893066294086c3d608ed Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Thu, 16 Mar 2017 17:23:19 -0400 Subject: [PATCH 1/2] note the need for limitations on refresh token --- oauth3.issuer.js | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/oauth3.issuer.js b/oauth3.issuer.js index dfacf07..680044c 100644 --- a/oauth3.issuer.js +++ b/oauth3.issuer.js @@ -420,6 +420,17 @@ OAUTH3.authz.redirectWithToken = function (providerUri, session, clientParams, s , debug: clientParams.debug }).then(function (results) { + // TODO limit refresh token to an expirable token + // TODO inform client not to persist token + /* + if (clientParams.dnsTxt) { + Object.keys(results).forEach(function (key) { + if (/refresh/.test(key)) { + results[key] = undefined; + } + }); + } + */ OAUTH3.url.redirect(clientParams, scopes, results); }); } From abb788780d1769093ddf5f1bff0865124cd4b40a Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Wed, 22 Mar 2017 20:13:06 -0400 Subject: [PATCH 2/2] bugfix: refresh session and assign sub from sub, acs.id, or axs[0].appScopedId --- oauth3.core.js | 10 ++++++++-- oauth3.issuer.js | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/oauth3.core.js b/oauth3.core.js index dd3fea9..ed19c50 100644 --- a/oauth3.core.js +++ b/oauth3.core.js 
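Review bot: The refresh token still reaches `OAUTH3.url.redirect(clientParams, scopes, results)` unchanged, because the stripping logic in this hunk is left commented out and only two TODOs are added; until it lands, everything in `results` is handed to the client through the redirect, and if `OAUTH3.url.redirect` (not visible here) serializes it into the URL, a long-lived refresh token ends up in browser history, referrers and server logs. When the block is enabled, prefer `delete results[key];` over `results[key] = undefined;` so a naive query-string builder does not emit `refresh_token=undefined`, and consider stripping regardless of `clientParams.dnsTxt` unless a specific client type is known to need the refresh token over the front channel. Gating the stripping on `/refresh/.test(key)` is fine for `refresh_token`, but a comment naming which result keys are expected would make the intent clear. `redirectWithToken` begins before this hunk.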
@@ -445,13 +445,19 @@ // info about the newly-discovered token oldSession.token = OAUTH3.jwt.decode(oldSession.access_token).payload; - oldSession.token.sub = oldSession.token.sub || oldSession.token.acx.id; + oldSession.token.sub = oldSession.token.sub + || (oldSession.token.acx && oldSession.token.acx.id) + || (oldSession.token.axs && oldSession.token.axs[0] && oldSession.token.axs[0].appScopedId) + ; oldSession.token.client_uri = clientUri; oldSession.token.provider_uri = providerUri; if (oldSession.refresh_token) { oldSession.refresh = OAUTH3.jwt.decode(oldSession.refresh_token).payload; - oldSession.refresh.sub = oldSession.refresh.sub || oldSession.refresh.acx.id; + oldSession.refresh.sub = oldSession.refresh.sub + || (oldSession.refresh.acx && oldSession.refresh.acx.id) + || (oldSession.refresh.axs && oldSession.refresh.axs[0] && oldSession.refresh.axs[0].appScopedId) + ; oldSession.refresh.provider_uri = providerUri; } diff --git a/oauth3.issuer.js b/oauth3.issuer.js index 680044c..57672d8 100644 --- a/oauth3.issuer.js +++ b/oauth3.issuer.js @@ -207,7 +207,7 @@ OAUTH3.urls.grants = function (directive, opts) { var url = OAUTH3.url.resolve(directive.issuer, directive.grants.url) .replace(/(:azp|:client_id)/g, OAUTH3.uri.normalize(opts.client_id || opts.client_uri)) - .replace(/(:sub|:account_id)/g, opts.session.token.sub) + .replace(/(:sub|:account_id)/g, opts.session.token.sub || 'ISSUER:GRANT:TOKEN_SUB:UNDEFINED') ; var data = { client_id: opts.client_id
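Review bot: With the guarded chain on the new `oldSession.token.sub = ...` lines, a token carrying none of `sub`, `acx.id` or `axs[0].appScopedId` now leaves `sub` as `undefined` silently instead of throwing on `acx.id`, and the same holds for `oldSession.refresh.sub`; the failure is deferred to wherever `sub` is next used, such as URL templating in the issuer module. I would fail here rather than later, e.g. `if (!oldSession.token.sub) { throw new Error('access_token has no sub, acx.id or axs[0].appScopedId'); }` placed after the assignment, assuming the surrounding code propagates a thrown error (the enclosing function is not visible). Taking `axs[0]` assumes the first app-scoped entry is the right one when several are present; a one-line comment stating that assumption would help the next reader. Note also that the commit subject says `acs.id` while the code reads `acx.id`. The enclosing function starts before and ends after this hunk.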
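Review bot: The fallback `|| 'ISSUER:GRANT:TOKEN_SUB:UNDEFINED'` on the changed `.replace(/(:sub|:account_id)/g, ...)` line turns a missing subject into a literal account id that is sent to the issuer, which masks the real problem (a session token without `sub`) and produces a request for a non-existent account; failing before the URL is built is clearer, e.g. `if (!opts.session.token.sub) { throw new Error('OAUTH3.urls.grants: session token has no sub'); }`. Separately, `sub` is substituted as a plain string while `client_id` goes through `OAUTH3.uri.normalize`: `String.prototype.replace` interprets `$&`, `$1` and similar in a string replacement (and `$1` here would re-insert the matched placeholder), and characters such as `/`, `?` or `#` in `sub` would change the URL, so a function replacement like `.replace(/(:sub|:account_id)/g, function () { return encodeURIComponent(opts.session.token.sub); })` avoids both, provided the issuer's `:sub` slot expects a percent-encoded path segment (not verifiable here). Whether `sub` can be trusted at all depends on the token having been signature-verified before this point, which this hunk does not show. `OAUTH3.urls.grants` continues past the end of this hunk.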