add id_token validation logic for code flow

brockallen · brockallen · commit 2c2c3d8d7596 · 2018-12-07T12:44:56.000-05:00
diff --git a/src/JoseUtil.js b/src/JoseUtil.js
@@ -62,7 +62,7 @@ export class JoseUtil {
         }
     }
 
-    static _validateJwt(jwt, key, issuer, audience, clockSkew, now) {
+    static validateJwtAttributes(jwt, issuer, audience, clockSkew, now) {
         if (!clockSkew) {
             clockSkew = 0;
         }
@@ -91,6 +91,10 @@ export class JoseUtil {
             Log.error("JoseUtil._validateJwt: Invalid audience in token", payload.aud);
             return Promise.reject(new Error("Invalid audience in token: " + payload.aud));
         }
+        if (payload.azp && payload.azp !== audience) {
+            Log.error("JoseUtil._validateJwt: Invalid azp in token", payload.azp);
+            return Promise.reject(new Error("Invalid azp in token: " + payload.azp));
+        }
 
         var lowerNow = now + clockSkew;
         var upperNow = now - clockSkew;
@@ -118,18 +122,25 @@ export class JoseUtil {
             return Promise.reject(new Error("exp is in the past:" + payload.exp));
         }
 
-        try {
-            if (!jws.JWS.verify(jwt, key, AllowedSigningAlgs)) {
-                Log.error("JoseUtil._validateJwt: signature validation failed");
+        return Promise.resolve(payload);
+    }
+
+    static _validateJwt(jwt, key, issuer, audience, clockSkew, now) {
+
+        return JoseUtil.validateJwtAttributes(jwt, issuer, audience, clockSkew, now).then(payload => {
+            try {
+                if (!jws.JWS.verify(jwt, key, AllowedSigningAlgs)) {
+                    Log.error("JoseUtil._validateJwt: signature validation failed");
+                    return Promise.reject(new Error("signature validation failed"));
+                }
+
+                return payload;
+            }
+            catch (e) {
+                Log.error(e && e.message || e);
                 return Promise.reject(new Error("signature validation failed"));
             }
-        }
-        catch (e) {
-            Log.error(e && e.message || e);
-            return Promise.reject(new Error("signature validation failed"));
-        }
-
-        return Promise.resolve();
+        });
     }
 
     static hashString(value, alg) {
diff --git a/src/ResponseValidator.js b/src/ResponseValidator.js
@@ -249,10 +249,8 @@ export class ResponseValidator {
             }
 
             if (response.id_token) {
-                Log.debug("ResponseValidator._processCode: token response successful, parsing id_token");
-                var jwt = this._joseUtil.parseJwt(response.id_token);
-                response.profile = jwt.payload;
-                //return this._validateIdToken(state, response);
+                Log.debug("ResponseValidator._processCode: token response successful, processing id_token");
+                return this._validateIdTokenAttributes(state, response);
             }
             else {
                 Log.debug("ResponseValidator._processCode: token response successful, returning response");
@@ -262,6 +260,31 @@ export class ResponseValidator {
         });
     }
 
+    _validateIdTokenAttributes(state, response) {
+        return this._metadataService.getIssuer().then(issuer => {
+
+            let audience = state.client_id;
+            let clockSkewInSeconds = this._settings.clockSkew;
+            Log.debug("ResponseValidator._validateIdTokenAttributes: Validaing JWT attributes; using clock skew (in seconds) of: ", clockSkewInSeconds);
+
+            return this._joseUtil.validateJwtAttributes(response.id_token, issuer, audience, clockSkewInSeconds).then(payload => {
+            
+                if (state.nonce && state.nonce !== payload.nonce) {
+                    Log.error("ResponseValidator._validateIdTokenAttributes: Invalid nonce in id_token");
+                    return Promise.reject(new Error("Invalid nonce in id_token"));
+                }
+
+                if (!payload.sub) {
+                    Log.error("ResponseValidator._validateIdTokenAttributes: No sub present in id_token");
+                    return Promise.reject(new Error("No sub present in id_token"));
+                }
+
+                response.profile = payload;
+                return response;
+            });
+        });
+    }
+
     _validateIdTokenAndAccessToken(state, response) {
         return this._validateIdToken(state, response).then(response => {
             return this._validateAccessToken(response);
