diff --git a/README.md b/README.md
index 3bd968f82..7d30284f5 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ The following draft specifications are implemented by oidc-provider.
 - [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - draft 02][jwt-at]
 - [JWT Response for OAuth Token Introspection - draft 08][jwt-introspection]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - draft 02][jarm]
-- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - individual draft 02][dpop]
+- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - individual draft 03][dpop]
 - [OAuth 2.0 JWT Secured Authorization Request (JAR)][jar]
 - [OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (MTLS) - draft 17][mtls]
 - [OAuth 2.0 Pushed Authorization Requests - draft 00][par]
@@ -198,7 +198,7 @@ See the list of available emitted [event names](/docs/events.md) and their descr
 [suggest-feature]: https://github.com/panva/node-oidc-provider/issues/new?template=feature-request.md
 [bug]: https://github.com/panva/node-oidc-provider/issues/new?template=bug-report.md
 [mtls]: https://tools.ietf.org/html/draft-ietf-oauth-mtls-17
-[dpop]: https://tools.ietf.org/html/draft-fett-oauth-dpop-02
+[dpop]: https://tools.ietf.org/html/draft-fett-oauth-dpop-03
 [resource-indicators]: https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-07
 [jarm]: https://openid.net/specs/openid-financial-api-jarm-wd-02.html
 [jwt-at]: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-02
diff --git a/docs/README.md b/docs/README.md
index d6d340677..8ca4e1774 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -708,7 +708,7 @@ _**default value**_: ### features.dPoP -[draft-fett-oauth-dpop-02](https://tools.ietf.org/html/draft-fett-oauth-dpop-02) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer +[draft-fett-oauth-dpop-03](https://tools.ietf.org/html/draft-fett-oauth-dpop-03) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer Enables `DPoP` - mechanism for sender-constraining tokens via a proof-of-possession mechanism on the application level diff --git a/example/my_adapter.js b/example/my_adapter.js index 0424cdfa8..145fbe20e 100644 --- a/example/my_adapter.js +++ b/example/my_adapter.js @@ -70,7 +70,7 @@ class MyAdapter { * - sid {string} - session identifier the token comes from * - 'x5t#S256' {string} - X.509 Certificate SHA-256 Thumbprint of a certificate bound access or * refresh token - * - 'jkt#S256' {string} - JWK SHA-256 Thumbprint (according to [RFC7638]) of a DPoP bound + * - 'jkt' {string} - JWK SHA-256 Thumbprint (according to [RFC7638]) of a DPoP bound * access or refresh token * - gty {string} - [AccessToken, RefreshToken only] space delimited grant values, indicating * the grant type(s) they originate from (implicit, authorization_code, refresh_token or diff --git a/lib/actions/grants/authorization_code.js b/lib/actions/grants/authorization_code.js index c3b6d5c76..24468db1c 100644 --- a/lib/actions/grants/authorization_code.js +++ b/lib/actions/grants/authorization_code.js @@ -138,8 +138,8 @@ module.exports.handler = async function authorizationCodeHandler(ctx, next) { }); if (ctx.oidc.client.tokenEndpointAuthMethod === 'none') { - if (at['jkt#S256']) { - rt['jkt#S256'] = at['jkt#S256']; + if (at.jkt) { + rt.jkt = at.jkt; } if (ctx.oidc.client.tlsClientCertificateBoundAccessTokens) { diff --git a/lib/actions/grants/device_code.js b/lib/actions/grants/device_code.js index c07f32848..5364fd81a 100644 --- a/lib/actions/grants/device_code.js +++ b/lib/actions/grants/device_code.js 
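Review bot: The public-client binding block `if (ctx.oidc.client.tokenEndpointAuthMethod === 'none') { if (at.jkt) { rt.jkt = at.jkt; } ... }` in authorization_code.js is repeated verbatim in device_code.js in this same commit, and refresh_token.js carries `jkt` through a third, hand-written path. Since the rule for which sender-constraint fields a refresh token inherits is a security decision that will change again as the DPoP draft evolves, a single helper on the token model (one that copies `jkt` and the mTLS thumbprint for public clients) would keep the three grant handlers from drifting apart. authorizationCodeHandler starts and ends outside the hunk.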
@@ -143,8 +143,8 @@ module.exports.handler = async function deviceCodeHandler(ctx, next) { }); if (ctx.oidc.client.tokenEndpointAuthMethod === 'none') { - if (at['jkt#S256']) { - rt['jkt#S256'] = at['jkt#S256']; + if (at.jkt) { + rt.jkt = at.jkt; } if (ctx.oidc.client.tlsClientCertificateBoundAccessTokens) { diff --git a/lib/actions/grants/refresh_token.js b/lib/actions/grants/refresh_token.js index 171297d23..d06e7e684 100644 --- a/lib/actions/grants/refresh_token.js +++ b/lib/actions/grants/refresh_token.js @@ -78,8 +78,8 @@ module.exports.handler = async function refreshTokenHandler(ctx, next) { ctx.assert(unique, new InvalidGrant('DPoP Token Replay detected')); } - if (refreshToken['jkt#S256'] && (!dPoP || refreshToken['jkt#S256'] !== dPoP.jwk.thumbprint)) { - throw new InvalidGrant('failed jkt#S256 verification'); + if (refreshToken.jkt && (!dPoP || refreshToken.jkt !== dPoP.jwk.thumbprint)) { + throw new InvalidGrant('failed jkt verification'); } ctx.oidc.entity('RefreshToken', refreshToken); @@ -126,7 +126,7 @@ module.exports.handler = async function refreshTokenHandler(ctx, next) { sessionUid: refreshToken.sessionUid, sid: refreshToken.sid, 'x5t#S256': refreshToken['x5t#S256'], - 'jkt#S256': refreshToken['jkt#S256'], + jkt: refreshToken.jkt, }); if (refreshToken.gty && !refreshToken.gty.endsWith(gty)) { diff --git a/lib/actions/introspection.js b/lib/actions/introspection.js index 7e59af3c6..c50ac8984 100644 --- a/lib/actions/introspection.js +++ b/lib/actions/introspection.js @@ -200,8 +200,8 @@ module.exports = function introspectionAction(provider) { ctx.body.cnf['x5t#S256'] = token['x5t#S256']; } - if (token['jkt#S256']) { - ctx.body.cnf['jkt#S256'] = token['jkt#S256']; + if (token.jkt) { + ctx.body.cnf.jkt = token.jkt; } await next(); diff --git a/lib/actions/userinfo.js b/lib/actions/userinfo.js index 874df8d48..72b3c593b 100644 --- a/lib/actions/userinfo.js +++ b/lib/actions/userinfo.js 
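Review bot: Renaming the persisted property from `'jkt#S256'` to `jkt` silently downgrades any refresh token that is still stored under the old key: for such a record `refreshToken.jkt` is undefined, so the guard `if (refreshToken.jkt && (!dPoP || refreshToken.jkt !== dPoP.jwk.thumbprint))` in refresh_token.js skips proof verification entirely and a token that was sender-constrained becomes usable without the DPoP key. The same applies to the access-token check in userinfo.js and to the `rt.jkt = at.jkt` copies in authorization_code.js/device_code.js when they read a legacy access token, though those tokens are shorter-lived. Unless the release already requires operators to invalidate outstanding tokens, a transitional read in the token model such as `const jkt = refreshToken.jkt || refreshToken['jkt#S256'];` (or a one-off adapter migration of the key) would keep the binding enforced across the upgrade; at minimum the changelog should state that pre-upgrade DPoP-bound tokens lose their binding. refreshTokenHandler starts and ends outside the hunk.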
@@ -43,7 +43,7 @@ module.exports = [ if (err.expose) { let scheme; - if (/dpop/i.test(err.error_description) || (ctx.oidc.accessToken && ctx.oidc.accessToken['jkt#S256'])) { + if (/dpop/i.test(err.error_description) || (ctx.oidc.accessToken && ctx.oidc.accessToken.jkt)) { scheme = 'DPoP'; } else { scheme = 'Bearer'; @@ -103,8 +103,8 @@ module.exports = [ ctx.assert(unique, new InvalidToken('DPoP Token Replay detected')); } - if (accessToken['jkt#S256'] && (!dPoP || accessToken['jkt#S256'] !== dPoP.jwk.thumbprint)) { - throw new InvalidToken('failed jkt#S256 verification'); + if (accessToken.jkt && (!dPoP || accessToken.jkt !== dPoP.jwk.thumbprint)) { + throw new InvalidToken('failed jkt verification'); } await next(); diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js index 9439c2425..92a55eca8 100644 --- a/lib/helpers/defaults.js +++ b/lib/helpers/defaults.js @@ -355,7 +355,7 @@ const DEFAULTS = { /* * features.dPoP * - * title: [draft-fett-oauth-dpop-02](https://tools.ietf.org/html/draft-fett-oauth-dpop-02) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer + * title: [draft-fett-oauth-dpop-03](https://tools.ietf.org/html/draft-fett-oauth-dpop-03) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer * * description: Enables `DPoP` - mechanism for sender-constraining tokens via a * proof-of-possession mechanism on the application level diff --git a/lib/helpers/features.js b/lib/helpers/features.js index dd6399ce1..61d410a0f 100644 --- a/lib/helpers/features.js +++ b/lib/helpers/features.js @@ -41,8 +41,8 @@ const DRAFTS = new Map(Object.entries({ dPoP: { name: 'OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer', type: 'Individual draft', - url: 'https://tools.ietf.org/html/draft-fett-oauth-dpop-02', - version: 'id-02', + url: 'https://tools.ietf.org/html/draft-fett-oauth-dpop-03', + version: 'id-03', }, frontchannelLogout: { name: 'OpenID Connect Front-Channel Logout 1.0 - draft 02', 
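Review bot: The WWW-Authenticate scheme in userinfo.js is still chosen by `/dpop/i.test(err.error_description)`, a regular expression over a human-readable message, so the challenge type is coupled to error wording: any future description that mentions DPoP flips the scheme, and a DPoP-related failure phrased differently falls back to `Bearer`. An explicit marker on the thrown error (a property set where the DPoP errors are raised), checked together with `ctx.oidc.accessToken.jkt`, would make the decision deterministic; until then a comment such as `// scheme selection keys off the error text; keep DPoP errors mentioning "DPoP"` would at least record the dependency. The error-handling middleware starts and ends outside the hunk.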
diff --git a/lib/helpers/oidc_context.js b/lib/helpers/oidc_context.js index 12c47e86d..224331815 100644 --- a/lib/helpers/oidc_context.js +++ b/lib/helpers/oidc_context.js @@ -145,11 +145,11 @@ module.exports = function getContext(provider) { if (typeof payload.iat !== 'number' || !payload.iat) { throw new Error('must have a iat number property'); } - if (payload.http_method !== this.ctx.method) { - throw new Error('http_method mismatch'); + if (payload.htm !== this.ctx.method) { + throw new Error('htm mismatch'); } - if (payload.http_uri !== `${this.ctx.origin}${this.ctx.path}`) { - throw new Error('http_uri mismatch'); + if (payload.htu !== `${this.ctx.origin}${this.ctx.path}`) { + throw new Error('htu mismatch'); } try { diff --git a/lib/models/formats/jwt.js b/lib/models/formats/jwt.js index 09e96f996..a39142aeb 100644 --- a/lib/models/formats/jwt.js +++ b/lib/models/formats/jwt.js @@ -45,7 +45,7 @@ module.exports = (provider, { opaque }) => { async getValueAndPayload() { const [, payload] = await opaque.getValueAndPayload.call(this); const { - jti, iat, exp, scope, aud, clientId: azp, 'x5t#S256': x5t, 'jkt#S256': jkt, extra, + jti, iat, exp, scope, aud, clientId: azp, 'x5t#S256': x5t, jkt, extra, } = payload; let { accountId: sub } = payload; @@ -82,7 +82,7 @@ module.exports = (provider, { opaque }) => { tokenPayload.cnf['x5t#S256'] = x5t; } if (jkt) { - tokenPayload.cnf['jkt#S256'] = jkt; + tokenPayload.cnf.jkt = jkt; } const structuredToken = { diff --git a/lib/models/formats/jwt_ietf.js b/lib/models/formats/jwt_ietf.js index 07e93356b..289e1964e 100644 --- a/lib/models/formats/jwt_ietf.js +++ b/lib/models/formats/jwt_ietf.js 
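Review bot: `htu` is checked by exact string equality against `${this.ctx.origin}${this.ctx.path}`, and if `this.ctx` is a Koa context then `origin` is derived from the Host header (with X-Forwarded-* honoured only when the application trusts its proxies), so behind a TLS-terminating or host-rewriting proxy the computed value can differ from the URI the client actually used and valid proofs would be rejected with `htu mismatch`. Deriving the expected `htu` from the configured issuer URL plus `this.ctx.path`, or at least documenting the deployment requirement with a comment like `// htu must equal origin+path as the client saw it; requires correct proxy/Host trust configuration`, would make the check's preconditions visible. Using `this.ctx.path` rather than the full URL is consistent with draft 03, which defines `htu` without the query and fragment parts. The enclosing proof-validation method starts and ends outside the hunk.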
@@ -12,7 +12,7 @@ module.exports = (provider, { opaque, jwt }) => ({ async getValueAndPayload() { const [, payload] = await opaque.getValueAndPayload.call(this); const { - jti, iat, exp, scope, clientId, 'x5t#S256': x5t, 'jkt#S256': jkt, extra, + jti, iat, exp, scope, clientId, 'x5t#S256': x5t, jkt, extra, } = payload; let { aud, accountId: sub } = payload; @@ -59,7 +59,7 @@ module.exports = (provider, { opaque, jwt }) => ({ tokenPayload.cnf['x5t#S256'] = x5t; } if (jkt) { - tokenPayload.cnf['jkt#S256'] = jkt; + tokenPayload.cnf.jkt = jkt; } const structuredToken = { diff --git a/lib/models/formats/paseto.js b/lib/models/formats/paseto.js index 4034c2680..d5512cabd 100644 --- a/lib/models/formats/paseto.js +++ b/lib/models/formats/paseto.js @@ -33,7 +33,7 @@ module.exports = (provider, { opaque }) => { } const [, payload] = await opaque.getValueAndPayload.call(this); const { - jti, iat, exp, scope, clientId, 'x5t#S256': x5t, 'jkt#S256': jkt, extra, + jti, iat, exp, scope, clientId, 'x5t#S256': x5t, jkt, extra, } = payload; let { aud, accountId: sub } = payload; @@ -84,7 +84,7 @@ module.exports = (provider, { opaque }) => { tokenPayload.cnf['x5t#S256'] = x5t; } if (jkt) { - tokenPayload.cnf['jkt#S256'] = jkt; + tokenPayload.cnf.jkt = jkt; } const structuredToken = { diff --git a/lib/models/mixins/is_sender_constrained.js b/lib/models/mixins/is_sender_constrained.js index 9d02e33e2..e2c69486a 100644 --- a/lib/models/mixins/is_sender_constrained.js +++ b/lib/models/mixins/is_sender_constrained.js @@ -1,5 +1,5 @@ const x5t = 'x5t#S256'; -const jkt = 'jkt#S256'; +const jkt = 'jkt'; const { [x5t]: thumbprint } = require('../../helpers/calculate_thumbprint'); diff --git a/test/dpop/dpop.test.js b/test/dpop/dpop.test.js index 6ea39c940..0f890f8da 100644 --- a/test/dpop/dpop.test.js +++ b/test/dpop/dpop.test.js 
@@ -23,7 +23,7 @@ describe('features.dPoP', () => { }); }); before(function () { - this.proof = (uri, method, jwk = this.jwk) => JWT.sign({ http_uri: uri, http_method: method, jti: nanoid() }, jwk, { kid: false, header: { typ: 'dpop+jwt', jwk: JWK.asKey(jwk) } }); + this.proof = (uri, method, jwk = this.jwk) => JWT.sign({ htu: uri, htm: method, jti: nanoid() }, jwk, { kid: false, header: { typ: 'dpop+jwt', jwk: JWK.asKey(jwk) } }); }); it('validates the way DPoP Proof JWT is provided', async function () { 
@@ -125,20 +125,20 @@ describe('features.dPoP', () => { } await this.agent.get('/me') // eslint-disable-line no-await-in-loop - .set('DPoP', JWT.sign({ jti: 'foo', http_method: 'POST' }, key, { kid: false, header: { typ: 'dpop+jwt', jwk: key } })) + .set('DPoP', JWT.sign({ jti: 'foo', htm: 'POST' }, key, { kid: false, header: { typ: 'dpop+jwt', jwk: key } })) .set('Authorization', 'DPoP foo') .expect(400) - .expect({ error: 'invalid_request', error_description: 'invalid DPoP Proof JWT (http_method mismatch)' }); + .expect({ error: 'invalid_request', error_description: 'invalid DPoP Proof JWT (htm mismatch)' }); await this.agent.get('/me') // eslint-disable-line no-await-in-loop - .set('DPoP', JWT.sign({ jti: 'foo', http_method: 'GET', http_uri: 'foo' }, key, { kid: false, header: { typ: 'dpop+jwt', jwk: key } })) + .set('DPoP', JWT.sign({ jti: 'foo', htm: 'GET', htu: 'foo' }, key, { kid: false, header: { typ: 'dpop+jwt', jwk: key } })) .set('Authorization', 'DPoP foo') .expect(400) - .expect({ error: 'invalid_request', error_description: 'invalid DPoP Proof JWT (http_uri mismatch)' }); + .expect({ error: 'invalid_request', error_description: 'invalid DPoP Proof JWT (htu mismatch)' }); await this.agent.get('/me') // eslint-disable-line no-await-in-loop .set('DPoP', JWT.sign({ - jti: 'foo', http_method: 'GET', http_uri: `${this.provider.issuer}/me`, iat: epochTime() - 61, + jti: 'foo', htm: 'GET', htu: `${this.provider.issuer}/me`, iat: epochTime() - 61, }, key, { kid: false, iat: false, header: { typ: 'dpop+jwt', jwk: key } })) .set('Authorization', 'DPoP foo') .expect(400) 
@@ -146,7 +146,7 @@ describe('features.dPoP', () => { await this.agent.get('/me') // eslint-disable-line no-await-in-loop .set('DPoP', JWT.sign({ - jti: 'foo', http_method: 'GET', http_uri: `${this.provider.issuer}/me`, + jti: 'foo', htm: 'GET', htu: `${this.provider.issuer}/me`, }, key, { kid: false, header: { typ: 'dpop+jwt', jwk: await JWK.generate('EC') } })) .set('Authorization', 'DPoP foo') .expect(400) @@ -194,7 +194,7 @@ describe('features.dPoP', () => { .expect(401); expect(spy).to.have.property('calledOnce', true); - expect(spy.args[0][1]).to.have.property('error_detail', 'failed jkt#S256 verification'); + expect(spy.args[0][1]).to.have.property('error_detail', 'failed jkt verification'); spy = sinon.spy(); this.provider.once('userinfo.error', spy); @@ -205,7 +205,7 @@ describe('features.dPoP', () => { .expect(401); expect(spy).to.have.property('calledOnce', true); - expect(spy.args[0][1]).to.have.property('error_detail', 'failed jkt#S256 verification'); + expect(spy.args[0][1]).to.have.property('error_detail', 'failed jkt verification'); }); }); @@ -228,7 +228,7 @@ describe('features.dPoP', () => { .expect(({ body }) => { expect(body).to.have.property('cnf'); expect(body).to.have.property('token_type', 'DPoP'); - expect(body.cnf).to.have.property('jkt#S256'); + expect(body.cnf).to.have.property('jkt'); }); }); }); @@ -266,8 +266,8 @@ describe('features.dPoP', () => { expect(spy).to.have.property('calledOnce', true); const { oidc: { entities: { AccessToken, RefreshToken } } } = spy.args[0][0]; - expect(AccessToken).to.have.property('jkt#S256', expectedS256); - expect(RefreshToken).not.to.have.property('jkt#S256'); + expect(AccessToken).to.have.property('jkt', expectedS256); + expect(RefreshToken).not.to.have.property('jkt'); }); it('binds the refresh token to the jwk for public clients', async function () { 
@@ -291,8 +291,8 @@ describe('features.dPoP', () => { expect(spy).to.have.property('calledOnce', true); const { oidc: { entities: { AccessToken, RefreshToken } } } = spy.args[0][0]; - expect(AccessToken).to.have.property('jkt#S256', expectedS256); - expect(RefreshToken).to.have.property('jkt#S256', expectedS256); + expect(AccessToken).to.have.property('jkt', expectedS256); + expect(RefreshToken).to.have.property('jkt', expectedS256); }); }); @@ -334,8 +334,8 @@ describe('features.dPoP', () => { expect(spy).to.have.property('calledOnce', true); const { oidc: { entities: { AccessToken, RefreshToken } } } = spy.args[0][0]; - expect(AccessToken).to.have.property('jkt#S256', expectedS256); - expect(RefreshToken).not.to.have.property('jkt#S256'); + expect(AccessToken).to.have.property('jkt', expectedS256); + expect(RefreshToken).not.to.have.property('jkt'); }); }); @@ -371,8 +371,8 @@ describe('features.dPoP', () => { expect(spy).to.have.property('calledOnce', true); const { oidc: { entities: { AccessToken, RefreshToken } } } = spy.args[0][0]; - expect(AccessToken).to.have.property('jkt#S256', expectedS256); - expect(RefreshToken['jkt#S256']).to.be.undefined; + expect(AccessToken).to.have.property('jkt', expectedS256); + expect(RefreshToken.jkt).to.be.undefined; }); }); }); @@ -416,8 +416,8 @@ describe('features.dPoP', () => { expect(spy).to.have.property('calledOnce', true); const { oidc: { entities: { AccessToken, RefreshToken } } } = spy.args[0][0]; - expect(AccessToken).to.have.property('jkt#S256', expectedS256); - expect(RefreshToken).to.have.property('jkt#S256', expectedS256); + expect(AccessToken).to.have.property('jkt', expectedS256); + expect(RefreshToken).to.have.property('jkt', expectedS256); }); }); 
@@ -453,8 +453,8 @@ describe('features.dPoP', () => { expect(spy).to.have.property('calledOnce', true); const { oidc: { entities: { AccessToken, RefreshToken } } } = spy.args[0][0]; - expect(AccessToken).to.have.property('jkt#S256', expectedS256); - expect(RefreshToken).to.have.property('jkt#S256', expectedS256); + expect(AccessToken).to.have.property('jkt', expectedS256); + expect(RefreshToken).to.have.property('jkt', expectedS256); }); it('verifies the request made with the same cert jwk', async function () { @@ -474,7 +474,7 @@ describe('features.dPoP', () => { .expect({ error: 'invalid_grant', error_description: 'grant request is invalid' }); expect(spy).to.have.property('calledOnce', true); - expect(spy.args[0][1]).to.have.property('error_detail', 'failed jkt#S256 verification'); + expect(spy.args[0][1]).to.have.property('error_detail', 'failed jkt verification'); }); }); }); @@ -493,7 +493,7 @@ describe('features.dPoP', () => { expect(spy).to.have.property('calledOnce', true); const { oidc: { entities: { ClientCredentials } } } = spy.args[0][0]; - expect(ClientCredentials).to.have.property('jkt#S256', expectedS256); + expect(ClientCredentials).to.have.property('jkt', expectedS256); }); }); }); diff --git a/test/formats/jwt.test.js b/test/formats/jwt.test.js index e75432506..c5f6cd609 100644 --- a/test/formats/jwt.test.js +++ b/test/formats/jwt.test.js @@ -53,7 +53,7 @@ if (FORMAT === 'jwt') { accountId, claims, clientId, grantId, scope, sid, consumed, acr, amr, authTime, nonce, redirectUri, codeChallenge, codeChallengeMethod, aud, error, errorDescription, params, userCode, deviceInfo, gty, resource, policies, sessionUid, expiresWithSession, - 'x5t#S256': s256, inFlight, iiat, rotations, extra, 'jkt#S256': s256, + 'x5t#S256': s256, inFlight, iiat, rotations, extra, jkt: s256, }; /* eslint-enable object-property-newline */ 
@@ -88,7 +88,7 @@ if (FORMAT === 'jwt') { scope, sid, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, sessionUid, expiresWithSession, extra, @@ -110,7 +110,7 @@ if (FORMAT === 'jwt') { sub: accountId, cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); @@ -137,7 +137,7 @@ if (FORMAT === 'jwt') { scope, sid, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, sessionUid, expiresWithSession, extra, @@ -159,7 +159,7 @@ if (FORMAT === 'jwt') { sub: 'pairwise-sub', cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); @@ -180,7 +180,7 @@ if (FORMAT === 'jwt') { kind, scope, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, extra, }); @@ -199,7 +199,7 @@ if (FORMAT === 'jwt') { scope, cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); diff --git a/test/formats/jwt_ietf.test.js b/test/formats/jwt_ietf.test.js index 74046b773..ed83db06c 100644 --- a/test/formats/jwt_ietf.test.js +++ b/test/formats/jwt_ietf.test.js @@ -53,7 +53,7 @@ if (FORMAT === 'jwt-ietf') { accountId, claims, clientId, grantId, scope, sid, consumed, acr, amr, authTime, nonce, redirectUri, codeChallenge, codeChallengeMethod, aud, error, errorDescription, params, userCode, deviceInfo, gty, resource, policies, sessionUid, expiresWithSession, - 'x5t#S256': s256, inFlight, iiat, rotations, extra, 'jkt#S256': s256, + 'x5t#S256': s256, inFlight, iiat, rotations, extra, jkt: s256, }; /* eslint-enable object-property-newline */ @@ -88,7 +88,7 @@ if (FORMAT === 'jwt-ietf') { scope, sid, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, sessionUid, expiresWithSession, extra, @@ -110,7 +110,7 @@ if (FORMAT === 'jwt-ietf') { sub: accountId, cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); @@ -137,7 +137,7 @@ if (FORMAT === 'jwt-ietf') { scope, sid, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, sessionUid, expiresWithSession, extra, 
@@ -159,7 +159,7 @@ if (FORMAT === 'jwt-ietf') { sub: 'pairwise-sub', cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); @@ -180,7 +180,7 @@ if (FORMAT === 'jwt-ietf') { kind, scope, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, extra, }); @@ -200,7 +200,7 @@ if (FORMAT === 'jwt-ietf') { scope, cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); diff --git a/test/formats/opaque.test.js b/test/formats/opaque.test.js index 95dd89dfb..b1bb4c145 100644 --- a/test/formats/opaque.test.js +++ b/test/formats/opaque.test.js @@ -46,7 +46,7 @@ if (FORMAT === 'opaque') { accountId, claims, clientId, grantId, scope, sid, consumed, acr, amr, authTime, nonce, redirectUri, codeChallenge, codeChallengeMethod, aud, error, errorDescription, params, userCode, deviceInfo, gty, resource, policies, sessionUid, expiresWithSession, - 'x5t#S256': s256, inFlight, iiat, rotations, extra, 'jkt#S256': s256, + 'x5t#S256': s256, inFlight, iiat, rotations, extra, jkt: s256, }; /* eslint-enable object-property-newline */ @@ -81,7 +81,7 @@ if (FORMAT === 'opaque') { scope, sid, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, sessionUid, expiresWithSession, extra, @@ -186,7 +186,7 @@ if (FORMAT === 'opaque') { scope, sid, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, sessionUid, expiresWithSession, }); @@ -208,7 +208,7 @@ if (FORMAT === 'opaque') { kind, scope, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, extra, }); }); diff --git a/test/formats/paseto.test.js b/test/formats/paseto.test.js index fc672cc4b..65634db7f 100644 --- a/test/formats/paseto.test.js +++ b/test/formats/paseto.test.js 
@@ -53,7 +53,7 @@ if (FORMAT === 'paseto') { accountId, claims, clientId, grantId, scope, sid, consumed, acr, amr, authTime, nonce, redirectUri, codeChallenge, codeChallengeMethod, aud, error, errorDescription, params, userCode, deviceInfo, gty, resource, policies, sessionUid, expiresWithSession, - 'x5t#S256': s256, inFlight, iiat, rotations, extra, 'jkt#S256': s256, + 'x5t#S256': s256, inFlight, iiat, rotations, extra, jkt: s256, }; /* eslint-enable object-property-newline */ @@ -88,7 +88,7 @@ if (FORMAT === 'paseto') { scope, sid, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, sessionUid, expiresWithSession, extra, @@ -109,7 +109,7 @@ if (FORMAT === 'paseto') { sub: accountId, cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); @@ -136,7 +136,7 @@ if (FORMAT === 'paseto') { scope, sid, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, sessionUid, expiresWithSession, extra, @@ -157,7 +157,7 @@ if (FORMAT === 'paseto') { sub: 'pairwise-sub', cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); @@ -178,7 +178,7 @@ if (FORMAT === 'paseto') { kind, scope, 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, extra, }); @@ -197,7 +197,7 @@ if (FORMAT === 'paseto') { scope, cnf: { 'x5t#S256': s256, - 'jkt#S256': s256, + jkt: s256, }, }); }); diff --git a/types/index.d.ts b/types/index.d.ts index a0bc6d906..d07298388 100644 --- a/types/index.d.ts +++ b/types/index.d.ts @@ -347,7 +347,7 @@ declare class RefreshToken extends BaseToken { sessionUid?: string; expiresWithSession?: boolean; 'x5t#S256'?: string; - 'jkt#S256'?: string; + jkt?: string; grantId: string; gty: string; [key: string]: any; @@ -367,7 +367,7 @@ declare class RefreshToken extends BaseToken { sessionUid?: string; expiresWithSession?: boolean; 'x5t#S256'?: string; - 'jkt#S256'?: string; + jkt?: string; grantId?: string; gty?: string; consumed: any; 
@@ -395,7 +395,7 @@ declare class AuthorizationCode extends BaseToken { sessionUid?: string; expiresWithSession?: boolean; 'x5t#S256'?: string; - 'jkt#S256'?: string; + jkt?: string; grantId: string; gty: string; [key: string]: any; @@ -416,7 +416,7 @@ declare class AuthorizationCode extends BaseToken { sessionUid?: string; expiresWithSession?: boolean; 'x5t#S256'?: string; - 'jkt#S256'?: string; + jkt?: string; grantId?: string; gty?: string; @@ -475,7 +475,7 @@ declare class ClientCredentials extends BaseToken { aud: string | string[]; readonly tokenType: string; 'x5t#S256'?: string; - 'jkt#S256'?: string; + jkt?: string; setAudiences(audience: string | string[]): void; isSenderConstrained(): boolean; @@ -508,7 +508,7 @@ declare class AccessToken extends BaseToken { sessionUid?: string; expiresWithSession?: boolean; 'x5t#S256'?: string; - 'jkt#S256'?: string; + jkt?: string; grantId: string; gty: string; [key: string]: any; @@ -526,7 +526,7 @@ declare class AccessToken extends BaseToken { expiresWithSession?: boolean; readonly tokenType: string; 'x5t#S256'?: string; - 'jkt#S256'?: string; + jkt?: string; setAudiences(audience: string | string[]): void; isSenderConstrained(): boolean; @@ -780,7 +780,7 @@ export interface AdapterPayload { transient?: boolean; uid?: string; userCode?: string; - 'jkt#S256'?: string; + jkt?: string; 'jwt-ietf'?: string; 'x5t#S256'?: string; } @@ -896,7 +896,7 @@ export interface Configuration { whitelist?: string[] | Set; }; }; - dPoP?: { enabled?: boolean, iatTolerance?: number, ack?: 'id-02' }, + dPoP?: { enabled?: boolean, iatTolerance?: number, ack?: 'id-03' }, sessionManagement?: { enabled?: boolean, keepHeaders?: boolean, ack?: 28 }, diff --git a/types/oidc-provider-tests.ts b/types/oidc-provider-tests.ts index 7fc288b85..efe9f4f5a 100644 --- a/types/oidc-provider-tests.ts +++ b/types/oidc-provider-tests.ts 
@@ -336,7 +336,7 @@ const provider = new Provider('https://op.example.com', { clientCredentials: { enabled: false }, backchannelLogout: { enabled: false, ack: 4 }, ietfJWTAccessTokenProfile: { enabled: false, ack: 2 }, - dPoP: { enabled: false, ack: 'id-02', iatTolerance: 120 }, + dPoP: { enabled: false, ack: 'id-03', iatTolerance: 120 }, frontchannelLogout: { ack: 2, enabled: false,