feat: include nbf in FAPIClient Request Objects

panva · Mar 10, 2021 · 0be56ba · 0be56ba
1 parent a4c926a
commit 0be56ba
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 4 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -91,11 +91,16 @@ Returns the `<Client>` class tied to this issuer.
 #### `issuer.FAPIClient`
 
 Returns the `<FAPIClient>` class tied to this issuer. `<FAPIClient>` inherits from `<Client>` and
-adds necessary FAPI related checks. `s_hash` presence in authorization endpoint response ID Tokens
-as well as authorization endpoint `iat` not being too far in the past (fixed to be 1 hour).
+adds necessary FAPI behaviours:
 
 - Returns: `<FAPIClient>`
 
+The behaviours are:
+- `s_hash` presence and value checks in authorization endpoint response ID Tokens
+- authorization endpoint response ID Tokens `iat` must not be too far in the past (fixed to be
+  1 hour)
+- Request Objects include `nbf` (with the same value as `iat`)
+
 ---
 
 #### `issuer.metadata`

diff --git a/lib/client.js b/lib/client.js
@@ -1487,14 +1487,17 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
     let signed;
     let key;
 
+    const fapi = this.constructor.name === 'FAPIClient';
+    const unix = now();
     const header = { alg: signingAlgorithm, typ: 'oauth-authz-req+jwt' };
     const payload = JSON.stringify(defaults({}, requestObject, {
       iss: this.client_id,
       aud: this.issuer.issuer,
       client_id: this.client_id,
       jti: random(),
-      iat: now(),
-      exp: now() + 300,
+      iat: unix,
+      exp: unix + 300,
+      ...(fapi ? { nbf: unix } : undefined),
     }));
 
     if (signingAlgorithm === 'none') {

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -3891,6 +3891,20 @@ describe('Client', () => {
           expect(err.message).to.eql('requestObject must be a plain object');
         });
       });
+
+      describe('FAPIClient', function () {
+        it('includes nbf by default', function () {
+          const client = new this.issuer.FAPIClient({ client_id: 'identifier', request_object_signing_alg: 'PS256' }, this.keystore.toJWKS(true));
+          return client.requestObject({})
+            .then((signed) => {
+              const { iat, exp, nbf } = JSON.parse(base64url.decode(signed.split('.')[1]));
+
+              expect(iat).to.be.ok;
+              expect(exp).to.eql(iat + 300);
+              expect(nbf).to.eql(iat);
+            });
+        });
+      });
     });
 
     describe('#requestObject (encryption when multiple keys match)', function () {