fix: bring paseto token claims inline with jwt-ietf

panva · Aug 12, 2019 · 265e400 · 265e400
1 parent 938dfac
commit 265e400
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 644 deletions.
diff --git a/lib/models/formats/paseto.js b/lib/models/formats/paseto.js
@@ -28,7 +28,7 @@ module.exports = (provider, { opaque }) => {
     async getValueAndPayload() {
       const [, payload] = await opaque.getValueAndPayload.call(this);
       const {
-        jti, accountId: sub, iat, exp, scope, clientId: azp, 'x5t#S256': x5t, 'jkt#S256': jkt, extra,
+        jti, accountId: sub, iat, exp, scope, clientId, 'x5t#S256': x5t, 'jkt#S256': jkt, extra,
       } = payload;
       let { aud } = payload;
 
@@ -51,14 +51,16 @@ module.exports = (provider, { opaque }) => {
         const tokenPayload = {
           ...extra,
           jti,
-          sub,
+          sub: sub || clientId,
           kid,
           iat: iat ? new Date(iat * 1000).toISOString() : undefined,
           exp: exp ? new Date(exp * 1000).toISOString() : undefined,
           scope,
+          client_id: clientId,
           iss: provider.issuer,
-          ...(aud ? { aud, azp } : { aud: azp }),
+          ...(aud ? { aud } : { aud: clientId }),
           ...(x5t || jkt ? { cnf: {} } : undefined),
+          // TODO: make auth_time, acr, amr available
         };
 
         if (x5t) {

diff --git a/test/storage/jwt.test.js b/test/storage/jwt.test.js
@@ -57,7 +57,7 @@ if (FORMAT === 'jwt') {
 
     afterEach(function () {
       [
-        'AuthorizationCode', 'AccessToken', 'RefreshToken', 'ClientCredentials', 'InitialAccessToken', 'RegistrationAccessToken', 'DeviceCode',
+        'AccessToken', 'ClientCredentials',
       ].forEach((model) => {
         if (this.TestAdapter.for(model).upsert.restore) {
           this.TestAdapter.for(model).upsert.restore();
@@ -113,156 +113,6 @@ if (FORMAT === 'jwt') {
       });
     });
 
-    it('for AuthorizationCode', async function () {
-      const kind = 'AuthorizationCode';
-      const upsert = spy(this.TestAdapter.for('AuthorizationCode'), 'upsert');
-      const token = new this.provider.AuthorizationCode(fullPayload);
-      const jwt = await token.save();
-
-      assert.calledWith(upsert, string, {
-        accountId,
-        acr,
-        amr,
-        authTime,
-        claims,
-        clientId,
-        codeChallenge,
-        codeChallengeMethod,
-        consumed,
-        exp: number,
-        grantId,
-        iat: number,
-        jti: upsert.getCall(0).args[0],
-        jwt: string,
-        kind,
-        nonce,
-        redirectUri,
-        resource,
-        scope,
-        sid,
-        sessionUid,
-        expiresWithSession,
-      });
-
-      const { iat, jti, exp } = upsert.getCall(0).args[1];
-      const header = decode(jwt.split('.')[0]);
-      expect(header).to.have.property('typ', 'JWT');
-      const payload = decode(jwt.split('.')[1]);
-      expect(payload).to.eql({
-        aud: clientId,
-        exp,
-        iat,
-        iss: this.provider.issuer,
-        jti,
-        scope,
-        sub: accountId,
-      });
-    });
-
-    it('for RefreshToken', async function () {
-      const kind = 'RefreshToken';
-      const upsert = spy(this.TestAdapter.for('RefreshToken'), 'upsert');
-      const token = new this.provider.RefreshToken(fullPayload);
-      const jwt = await token.save();
-
-      assert.calledWith(upsert, string, {
-        accountId,
-        acr,
-        iiat,
-        rotations,
-        amr,
-        authTime,
-        claims,
-        clientId,
-        consumed,
-        exp: number,
-        grantId,
-        gty,
-        iat: number,
-        jti: upsert.getCall(0).args[0],
-        jwt: string,
-        kind,
-        nonce,
-        resource,
-        scope,
-        sid,
-        'x5t#S256': s256,
-        'jkt#S256': s256,
-        sessionUid,
-        expiresWithSession,
-      });
-
-      const { iat, jti, exp } = upsert.getCall(0).args[1];
-      const header = decode(jwt.split('.')[0]);
-      expect(header).to.have.property('typ', 'JWT');
-      const payload = decode(jwt.split('.')[1]);
-      expect(payload).to.eql({
-        aud: clientId,
-        exp,
-        iat,
-        iss: this.provider.issuer,
-        jti,
-        scope,
-        sub: accountId,
-        cnf: {
-          'x5t#S256': s256,
-          'jkt#S256': s256,
-        },
-      });
-    });
-
-    it('for DeviceCode', async function () {
-      const kind = 'DeviceCode';
-      const upsert = spy(this.TestAdapter.for('DeviceCode'), 'upsert');
-      const token = new this.provider.DeviceCode(fullPayload);
-      const jwt = await token.save();
-
-      assert.calledWith(upsert, string, {
-        accountId,
-        acr,
-        amr,
-        authTime,
-        claims,
-        clientId,
-        codeChallenge,
-        codeChallengeMethod,
-        consumed,
-        deviceInfo,
-        error,
-        errorDescription,
-        exp: number,
-        grantId,
-        gty,
-        iat: number,
-        jti: upsert.getCall(0).args[0],
-        jwt: string,
-        kind,
-        nonce,
-        params,
-        resource,
-        scope,
-        sid,
-        userCode,
-        sessionUid,
-        expiresWithSession,
-        inFlight,
-      });
-
-      const { iat, jti, exp } = upsert.getCall(0).args[1];
-      const header = decode(jwt.split('.')[0]);
-      expect(header).to.have.property('typ', 'JWT');
-      const payload = decode(jwt.split('.')[1]);
-      expect(payload).to.eql({
-        aud: clientId,
-        exp,
-        iat,
-        iss: this.provider.issuer,
-        jti,
-        scope,
-        sub: accountId,
-      });
-    });
-
     it('for ClientCredentials', async function () {
       const kind = 'ClientCredentials';
       const upsert = spy(this.TestAdapter.for('ClientCredentials'), 'upsert');
@@ -303,68 +153,6 @@ if (FORMAT === 'jwt') {
       });
     });
 
-    it('for InitialAccessToken', async function () {
-      const kind = 'InitialAccessToken';
-      const upsert = spy(this.TestAdapter.for('InitialAccessToken'), 'upsert');
-      const token = new this.provider.InitialAccessToken({
-        expiresIn: 100,
-        ...fullPayload,
-      });
-      const jwt = await token.save();
-
-      assert.calledWith(upsert, string, {
-        exp: number,
-        iat: number,
-        jti: upsert.getCall(0).args[0],
-        jwt: string,
-        kind,
-        policies,
-      });
-
-      const { iat, jti, exp } = upsert.getCall(0).args[1];
-      const header = decode(jwt.split('.')[0]);
-      expect(header).to.have.property('typ', 'JWT');
-      const payload = decode(jwt.split('.')[1]);
-      expect(payload).to.eql({
-        exp,
-        iat,
-        iss: this.provider.issuer,
-        jti,
-      });
-    });
-
-    it('for RegistrationAccessToken', async function () {
-      const kind = 'RegistrationAccessToken';
-      const upsert = spy(this.TestAdapter.for('RegistrationAccessToken'), 'upsert');
-      const token = new this.provider.RegistrationAccessToken({
-        expiresIn: 100,
-        ...fullPayload,
-      });
-      const jwt = await token.save();
-
-      assert.calledWith(upsert, string, {
-        clientId,
-        policies,
-        exp: number,
-        iat: number,
-        jti: upsert.getCall(0).args[0],
-        jwt: string,
-        kind,
-      });
-
-      const { iat, jti, exp } = upsert.getCall(0).args[1];
-      const header = decode(jwt.split('.')[0]);
-      expect(header).to.have.property('typ', 'JWT');
-      const payload = decode(jwt.split('.')[1]);
-      expect(payload).to.eql({
-        aud: clientId,
-        exp,
-        iat,
-        iss: this.provider.issuer,
-        jti,
-      });
-    });
-
     describe('invalid signing alg resolved', () => {
       before(bootstrap(__dirname));