-
-
Notifications
You must be signed in to change notification settings - Fork 55
/
Copy pathfapi2-message-signing.diff
75 lines (67 loc) · 2.61 KB
/
fapi2-message-signing.diff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
diff --git a/examples/fapi2.ts b/examples/fapi2-message-signing.ts
index bba1f24..e08d049 100644
--- a/examples/fapi2.ts
+++ b/examples/fapi2-message-signing.ts
@@ -25,6 +25,11 @@ let DPoPKeys!: oauth.CryptoKeyPair
* client authentication method.
*/
let clientPrivateKey!: oauth.CryptoKey
+/**
+ * A key that is pre-registered at the Authorization Server that the client is supposed to sign its
+ * Request Objects with.
+ */
+let jarPrivateKey!: oauth.CryptoKey
// End of prerequisites
@@ -45,8 +50,8 @@ const code_challenge_method = 'S256'
const code_verifier = oauth.generateRandomCodeVerifier()
const code_challenge = await oauth.calculatePKCECodeChallenge(code_verifier)
-// Pushed Authorization Request & Response (PAR)
-let request_uri: string
+// Signed Request Object (JAR)
+let request: string
{
const params = new URLSearchParams()
params.set('client_id', client.client_id)
@@ -54,7 +59,18 @@ let request_uri: string
params.set('code_challenge_method', code_challenge_method)
params.set('redirect_uri', redirect_uri)
params.set('response_type', 'code')
- params.set('scope', 'api:read')
+ params.set('scope', 'openid api:read')
+ params.set('response_mode', 'jwt')
+
+ request = await oauth.issueRequestObject(as, client, params, jarPrivateKey)
+}
+
+// Pushed Authorization Request & Response (PAR)
+let request_uri: string
+{
+ const params = new URLSearchParams()
+ params.set('client_id', client.client_id)
+ params.set('request', request)
const pushedAuthorizationRequest = () =>
oauth.pushedAuthorizationRequest(as, client, clientAuth, params, {
@@ -90,7 +106,7 @@ let request_uri: string
let access_token: string
{
const currentUrl: URL = getCurrentUrl()
- const params = oauth.validateAuthResponse(as, client, currentUrl)
+ const params = await oauth.validateJwtAuthResponse(as, client, currentUrl)
const authorizationCodeGrantRequest = () =>
oauth.authorizationCodeGrantRequest(
@@ -106,7 +122,7 @@ let access_token: string
let response = await authorizationCodeGrantRequest()
const processAuthorizationCodeResponse = () =>
- oauth.processAuthorizationCodeResponse(as, client, response)
+ oauth.processAuthorizationCodeResponse(as, client, response, { requireIdToken: true })
let result = await processAuthorizationCodeResponse().catch(async (err) => {
if (oauth.isDPoPNonceError(err)) {
@@ -117,6 +133,9 @@ let access_token: string
throw err
})
+ // Check ID Token signature for non-repudiation purposes
+ await oauth.validateApplicationLevelSignature(as, response)
+
console.log('Access Token Response', result)
;({ access_token } = result)
}