-
-
Notifications
You must be signed in to change notification settings - Fork 771
/
Copy pathclient_credentials.js
92 lines (74 loc) · 2.7 KB
/
client_credentials.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
import instance from '../../helpers/weak_cache.js';
import {
InvalidGrant, InvalidTarget, InvalidScope, InvalidRequest,
} from '../../helpers/errors.js';
import dpopValidate, { DPOP_OK_WINDOW } from '../../helpers/validate_dpop.js';
import checkResource from '../../shared/check_resource.js';
import epochTime from '../../helpers/epoch_time.js';
export const handler = async function clientCredentialsHandler(ctx, next) {
const { client } = ctx.oidc;
const { ClientCredentials, ReplayDetection } = ctx.oidc.provider;
const {
features: {
mTLS: { getCertificate },
dPoP: { allowReplay },
},
scopes: statics,
} = instance(ctx.oidc.provider).configuration();
const dPoP = await dpopValidate(ctx);
if (ctx.oidc.params.authorization_details) {
throw new InvalidRequest('authorization_details is unsupported for this grant_type');
}
await checkResource(ctx, () => {});
const scopes = ctx.oidc.params.scope ? [...new Set(ctx.oidc.params.scope.split(' '))] : [];
if (client.scope) {
const allowList = new Set(client.scope.split(' '));
for (const scope of scopes.filter(Set.prototype.has.bind(statics))) {
if (!allowList.has(scope)) {
throw new InvalidScope('requested scope is not allowed', scope);
}
}
}
const token = new ClientCredentials({
client,
scope: scopes.join(' ') || undefined,
});
const { 0: resourceServer, length } = Object.values(ctx.oidc.resourceServers);
if (resourceServer) {
if (length !== 1) {
throw new InvalidTarget('only a single resource indicator value is supported for this grant type');
}
token.resourceServer = resourceServer;
token.scope = scopes.filter(Set.prototype.has.bind(new Set(resourceServer.scope.split(' ')))).join(' ') || undefined;
}
if (client.tlsClientCertificateBoundAccessTokens) {
const cert = getCertificate(ctx);
if (!cert) {
throw new InvalidGrant('mutual TLS client certificate not provided');
}
token.setThumbprint('x5t', cert);
}
if (dPoP) {
if (!allowReplay) {
const unique = await ReplayDetection.unique(
client.clientId,
dPoP.jti,
epochTime() + DPOP_OK_WINDOW,
);
ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
}
token.setThumbprint('jkt', dPoP.thumbprint);
} else if (ctx.oidc.client.dpopBoundAccessTokens) {
throw new InvalidGrant('DPoP proof JWT not provided');
}
ctx.oidc.entity('ClientCredentials', token);
const value = await token.save();
ctx.body = {
access_token: value,
expires_in: token.expiration,
token_type: token.tokenType,
scope: token.scope || undefined,
};
await next();
};
export const parameters = new Set(['scope']);