Skip to content

Commit

Permalink
fix: claims parameter encoding in issued request objects
Browse files Browse the repository at this point in the history
  • Loading branch information
panva committed Nov 21, 2022
1 parent 80e8442 commit 3eb165a
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 2 deletions.
16 changes: 16 additions & 0 deletions src/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1157,6 +1157,22 @@ export async function issueRequestObject(
claims.resource = resource
}

if (parameters.has('claims')) {
const value = parameters.get('claims')!
if (value === '[object Object]') {
throw new OPE('"claims" parameter must be passed as a UTF-8 encoded JSON')
}
try {
claims.claims = JSON.parse(value)
} catch {
throw new OPE('failed to parse the "claims" parameter as JSON')
}

if (!isJsonObject(claims.claims)) {
throw new OPE('"claims" parameter must be a top level object')
}
}

return jwt(
{
alg: determineJWSAlgorithm(key),
Expand Down
50 changes: 48 additions & 2 deletions tap/request_object.ts
Original file line number Diff line number Diff line change
Expand Up @@ -49,12 +49,58 @@ export default (QUnit: QUnit) => {
{ key: kp.privateKey },
)

const { payload, protectedHeader } = await jose.jwtVerify(jwt, kp.publicKey)
t.propEqual(protectedHeader, { alg: 'ES256', typ: 'oauth-authz-req+jwt' })
const { payload } = await jose.jwtVerify(jwt, kp.publicKey)
const { resource } = payload
t.propEqual(resource, ['urn:example:resource', 'urn:example:resource-2'])
})

test('issueRequestObject() - claims parameter', async (t) => {
const kp = await keys.ES256

await t.rejects(
lib.issueRequestObject(issuer, client, new URLSearchParams([['claims', <string>{}]]), {
key: kp.privateKey,
}),
/must be passed as a UTF-8 encoded JSON/,
)

await t.rejects(
lib.issueRequestObject(issuer, client, new URLSearchParams([['claims', '"']]), {
key: kp.privateKey,
}),
/failed to parse the "claims" parameter as JSON/,
)

await t.rejects(
lib.issueRequestObject(issuer, client, new URLSearchParams([['claims', 'null']]), {
key: kp.privateKey,
}),
/parameter must be a top level object/,
)

const jwt = await lib.issueRequestObject(
issuer,
client,
new URLSearchParams([
[
'claims',
JSON.stringify({
userinfo: { nickname: null },
id_token: { email: null },
}),
],
]),
{ key: kp.privateKey },
)

const { payload } = await jose.jwtVerify(jwt, kp.publicKey)
const { claims } = payload
t.propEqual(claims, {
userinfo: { nickname: null },
id_token: { email: null },
})
})

test('issueRequestObject() signature kid', async (t) => {
const kp = await keys.ES256
const jwt = await lib.issueRequestObject(issuer, client, new URLSearchParams(), {
Expand Down

0 comments on commit 3eb165a

Please sign in to comment.