feat: add a helper for asserting JWT Client Auth claims and header

panva · Nov 21, 2024 · 82d4e50 · 82d4e50
1 parent 05f6bf4
commit 82d4e50
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/docs/README.md b/docs/README.md
@@ -470,6 +470,7 @@ location / {
   - [userinfo](#featuresuserinfo)
 - [acrValues](#acrvalues)
 - [allowOmittingSingleRegisteredRedirectUri](#allowomittingsingleregisteredredirecturi)
+- [assertJwtClientAuthClaimsAndHeader](#assertjwtclientauthclaimsandheader)
 - [claims ❗](#claims)
 - [clientBasedCORS](#clientbasedcors)
 - [clientDefaults](#clientdefaults)
@@ -2183,6 +2184,21 @@ _**default value**_:
 true
 ```
 
+### assertJwtClientAuthClaimsAndHeader
+
+Helper function used to validate the JWT Client Authentication Assertion Claims Set and Header beyond what its specification mandates.  
+
+
+_**default value**_:
+```js
+async function assertJwtClientAuthClaimsAndHeader(ctx, claims, header, client) {
+  // @param ctx - koa request context
+  // @param claims - parsed JWT Client Authentication Assertion Claims Set as object
+  // @param header - parsed JWT Client Authentication Assertion Headers as object
+  // @param client - the Client instance
+}
+```
+
 ### claims
 
 Describes the claims that the OpenID Provider MAY be able to supply values for.   

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -550,6 +550,13 @@ async function assertClaimsParameter(ctx, claims, client) {
   // @param client - the Client instance
 }
 
+async function assertJwtClientAuthClaimsAndHeader(ctx, claims, header, client) {
+  // @param ctx - koa request context
+  // @param claims - parsed JWT Client Authentication Assertion Claims Set as object
+  // @param header - parsed JWT Client Authentication Assertion Headers as object
+  // @param client - the Client instance
+}
+
 async function assertJwtClaimsAndHeader(ctx, claims, header, client) {
   // @param ctx - koa request context
   // @param claims - parsed Request Object JWT Claims Set as object
@@ -2821,6 +2828,14 @@ function makeDefaults() {
         'ES256', 'EdDSA',
       ],
     },
+
+    /**
+     * assertJwtClientAuthClaimsAndHeader
+     *
+     * description: Helper function used to validate the JWT Client Authentication Assertion Claims Set and Header beyond
+     * what its specification mandates.
+     */
+    assertJwtClientAuthClaimsAndHeader,
   };
 
   return defaults;

diff --git a/lib/shared/token_jwt_auth.js b/lib/shared/token_jwt_auth.js
@@ -3,7 +3,7 @@ import instance from '../helpers/weak_cache.js';
 import * as JWT from '../helpers/jwt.js';
 
 export default function getTokenJwtAuth(provider) {
-  const clockTolerance = instance(provider).configuration('clockTolerance');
+  const { clockTolerance, assertJwtClientAuthClaimsAndHeader } = instance(provider).configuration();
   return async function tokenJwtAuth(
     ctx,
     keystore,
@@ -53,6 +53,13 @@ export default function getTokenJwtAuth(provider) {
       throw new InvalidClientAuth(err.message);
     }
 
+    await assertJwtClientAuthClaimsAndHeader(
+      ctx,
+      structuredClone(payload),
+      structuredClone(header),
+      ctx.oidc.client,
+    );
+
     const unique = await provider.ReplayDetection.unique(
       payload.iss,
       payload.jti,