signing the token for the client in the browser
parent
5d42f3e2cc
commit
516eda4ea6
113
oauth3.issuer.js
113
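--- a/oauth3.issuer.js
+++ b/oauth3.issuer.js
@@ -437,6 +437,39 @@ OAUTH3.authz.grants = function (providerUri, opts) {
 };
 });
 };
+function calcExpiration(exp, now) {
+if (!exp) {
+return;
+}
+
+if (typeof exp === 'string') {
+var match = /^(\d+\.?\d*) *(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|years?|yrs?|y)?$/i.exec(exp);
+if (!match) {
+return now;
+}
+var num = parseFloat(match[1]);
+var type = (match[2] || 's').toLowerCase()[0];
+switch (type) {
+case 'y': num *= 365.25; /* falls through */
+case 'd': num *= 24; /* falls through */
+case 'h': num *= 60; /* falls through */
+case 'm': num *= 60; /* falls through */
+case 's': exp = num;
+}
+}
+if (typeof exp !== 'number') {
+throw new Error('invalid expiration provided: '+exp);
+}
+
+now = now || Math.floor(Date.now() / 1000);
+if (exp > now) {
+return exp;
+} else if (exp > 31557600) {
+console.warn('tried to set expiration to more that a year');
+exp = 31557600;
+}
+return now + exp;
+}
 OAUTH3.authz.redirectWithToken = function (providerUri, session, clientParams, scopes) {
 if (!OAUTH3.url.checkRedirect(clientParams.client_uri, clientParams)) {
 return;
@@ -466,25 +499,66 @@ OAUTH3.authz.redirectWithToken = function (providerUri, session, clientParams, s
 }
 
 return prom.then(function () {
-return OAUTH3.discover(providerUri, { client_id: providerUri, debug: clientParams.debug });
-}).then(function (directive) {
-return OAUTH3.request(OAUTH3.urls.clientToken(directive, {
-method: 'POST'
-, session: session
-, referrer: clientParams.referrer
-, response_type: clientParams.response_type
-, client_id: clientParams.client_uri
-, azp: clientParams.client_uri
-, aud: clientParams.aud
-, exp: clientParams.exp
-, refresh_token: clientParams.refresh_token
-, refresh_exp: clientParams.refresh_exp
-, debug: clientParams.debug
-}));
-}).then(function (results) {
+return OAUTH3.hooks.keyPairs.get(session.token.sub);
+}).then(function (keyPair) {
+if (!keyPair) {
+return OAUTH3.discover(providerUri, {
+client_id: providerUri
+, debug: clientParams.debug
+}).then(function (directive) {
+return OAUTH3.request(OAUTH3.urls.clientToken(directive, {
+method: 'POST'
+, session: session
+, referrer: clientParams.referrer
+, response_type: clientParams.response_type
+, client_id: clientParams.client_uri
+, azp: clientParams.client_uri
+, aud: clientParams.aud
+, exp: clientParams.exp
+, refresh_token: clientParams.refresh_token
+, refresh_exp: clientParams.refresh_exp
+, debug: clientParams.debug
+})).then(function (result) {
+return result.originalData || result.data;
+});
+});
+}
+
+return OAUTH3.hooks.grants.get(keyPair.sub, clientParams.client_uri).then(function (grant) {
+var now = Math.floor(Date.now()/1000);
+var payload = {
+iat: now
+, iss: providerUri
+, aud: clientParams.aud || providerUri
+, azp: clientParams.client_uri
+, sub: grant.azpSub
+, scope: OAUTH3.scope.stringify(grant.scope)
+, };
+
+var signProms = [];
+signProms.push(OAUTH3.jwt.sign(Object.assign({
+exp: calcExpiration(clientParams.exp || '1h', now)
+}, payload)));
+// if (clientParams.refresh_token) {
+signProms.push(OAUTH3.jwt.sign(Object.assign({
+exp: calcExpiration(clientParams.refresh_exp, now)
+}, payload)));
+// }
+return OAUTH3.PromiseA.all(signProms).then(function (tokens) {
+return {
+access_token: tokens[0]
+, refresh_token: tokens[1]
+, scope: OAUTH3.scope.stringify(grant.scope)
+, token_type: 'bearer'
+};
+});
+});
+}).then(function (session) {
 // TODO limit refresh token to an expirable token
 // TODO inform client not to persist token
-OAUTH3.url.redirect(clientParams, scopes, results.originalData || results.data);
+OAUTH3.url.redirect(clientParams, scopes, session);
+}, function (err) {
+OAUTH3.url.redirect(clientParams, scopes, {error: err});
 });
 };
 
@@ -650,12 +724,15 @@ OAUTH3.hooks.session.get = function (providerUri, id) {
 return null;
 }
 
+var now = Math.floor(Date.now()/1000);
 var payload = {
-iss: providerUri
+iat: now
+, iss: providerUri
 , aud: providerUri
 , azp: providerUri
 , sub: pair.sub || id
 , scope: ''
+, exp: now + 3600
 };
 return OAUTH3.jwt.sign(payload, pair.privateKey).then(function (token) {
 return OAUTH3.hooks.session.refresh(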