feat: allow to skip JWT signature validation on select responses
This is in-spec behaviour which is useful in JavaScript runtimes where it is not possible to reliably cache the Authorization Server's JSON Web Key Set between invocations. These are distributed systems that run JavaScript at the edge, e.g. Cloudflare Workers or Deno Deploy. This also allows running this library outside of its currently supported JWS algorithms, e.g. HMAC JWS algorithms, or algorithms that aren't supported by the Web Cryptography API.
Showing 20 changed files with 802 additions and 309 deletions.
docs/interfaces/ProcessAuthorizationCodeOpenIDResponseOptions.md (60 changes: 60 additions & 0 deletions)
@@ -0,0 +1,60 @@ | ||
# Interface: ProcessAuthorizationCodeOpenIDResponseOptions | ||
|
||
[💗 Help the project](https://github.com/sponsors/panva) | ||
|
||
## Table of contents | ||
|
||
### Properties | ||
|
||
- [headers](ProcessAuthorizationCodeOpenIDResponseOptions.md#headers) | ||
- [signal](ProcessAuthorizationCodeOpenIDResponseOptions.md#signal) | ||
- [skipJwtSignatureCheck](ProcessAuthorizationCodeOpenIDResponseOptions.md#skipjwtsignaturecheck) | ||
|
||
## Properties | ||
|
||
### headers | ||
|
||
• `Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers ) | ||
|
||
A Headers instance to additionally send with the HTTP Request(s) triggered by this function's | ||
invocation. | ||
|
||
___ | ||
|
||
### signal | ||
|
||
• `Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) | ||
|
||
An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by | ||
this function's invocation. | ||
|
||
**`example`** A 5000ms timeout AbortSignal for every request | ||
|
||
```js | ||
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes. | ||
``` | ||
|
||
___ | ||
|
||
### skipJwtSignatureCheck | ||
|
||
• `Optional` **skipJwtSignatureCheck**: `boolean` | ||
|
||
DANGER ZONE | ||
|
||
When JWT assertions are received via direct communication between the Client and the | ||
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and | ||
exposed functions) the TLS server validation MAY be used to validate the issuer in place of | ||
checking the assertion's signature. | ||
|
||
Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed | ||
Introspection, or JWT Signed UserInfo Response). | ||
|
||
Setting this to `true` also means that: | ||
|
||
- The Authorization Server's JSON Web Key Set will not be requested. That is useful for | ||
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of | ||
the JSON Web Key Set in between invocations. | ||
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md). | ||
|
||
Default is `false`. |
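Review bot: the DANGER ZONE paragraph says TLS server validation replaces the signature check but not what that requires of the caller; please add that this is only sound when the runtime's `fetch` actually validates the server certificate and the Token Endpoint URL was taken from trusted, validated issuer metadata, and state explicitly whether the JWT claim checks (`iss`, `aud`, `exp`, `nonce`) are still performed when `skipJwtSignatureCheck` is `true`, since "omit verifying the JWT assertion's signature" leaves the reader to guess whether anything else is still validated.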
@@ -0,0 +1,60 @@ | ||
# Interface: ProcessDeviceCodeResponseOptions | ||
|
||
[💗 Help the project](https://github.com/sponsors/panva) | ||
|
||
## Table of contents | ||
|
||
### Properties | ||
|
||
- [headers](ProcessDeviceCodeResponseOptions.md#headers) | ||
- [signal](ProcessDeviceCodeResponseOptions.md#signal) | ||
- [skipJwtSignatureCheck](ProcessDeviceCodeResponseOptions.md#skipjwtsignaturecheck) | ||
|
||
## Properties | ||
|
||
### headers | ||
|
||
• `Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers ) | ||
|
||
A Headers instance to additionally send with the HTTP Request(s) triggered by this function's | ||
invocation. | ||
|
||
___ | ||
|
||
### signal | ||
|
||
• `Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) | ||
|
||
An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by | ||
this function's invocation. | ||
|
||
**`example`** A 5000ms timeout AbortSignal for every request | ||
|
||
```js | ||
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes. | ||
``` | ||
|
||
___ | ||
|
||
### skipJwtSignatureCheck | ||
|
||
• `Optional` **skipJwtSignatureCheck**: `boolean` | ||
|
||
DANGER ZONE | ||
|
||
When JWT assertions are received via direct communication between the Client and the | ||
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and | ||
exposed functions) the TLS server validation MAY be used to validate the issuer in place of | ||
checking the assertion's signature. | ||
|
||
Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed | ||
Introspection, or JWT Signed UserInfo Response). | ||
|
||
Setting this to `true` also means that: | ||
|
||
- The Authorization Server's JSON Web Key Set will not be requested. That is useful for | ||
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of | ||
the JSON Web Key Set in between invocations. | ||
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md). | ||
|
||
Default is `false`. |
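Review bot: the bullet "Any JWS Algorithm may be used, not just the supported ones" reads as a feature, but as written it implies the JOSE `alg` header is not inspected at all when the check is skipped, so a response carrying `alg: none` or an unrecognised algorithm would be accepted on the strength of TLS alone; suggest rewording to something like "The JWS `alg` header is not checked; any value, including `none`, is accepted." or, if some header validation does remain, saying exactly which checks survive.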
@@ -0,0 +1,60 @@ | ||
# Interface: ProcessIntrospectionResponseOptions | ||
|
||
[💗 Help the project](https://github.com/sponsors/panva) | ||
|
||
## Table of contents | ||
|
||
### Properties | ||
|
||
- [headers](ProcessIntrospectionResponseOptions.md#headers) | ||
- [signal](ProcessIntrospectionResponseOptions.md#signal) | ||
- [skipJwtSignatureCheck](ProcessIntrospectionResponseOptions.md#skipjwtsignaturecheck) | ||
|
||
## Properties | ||
|
||
### headers | ||
|
||
• `Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers ) | ||
|
||
A Headers instance to additionally send with the HTTP Request(s) triggered by this function's | ||
invocation. | ||
|
||
___ | ||
|
||
### signal | ||
|
||
• `Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) | ||
|
||
An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by | ||
this function's invocation. | ||
|
||
**`example`** A 5000ms timeout AbortSignal for every request | ||
|
||
```js | ||
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes. | ||
``` | ||
|
||
___ | ||
|
||
### skipJwtSignatureCheck | ||
|
||
• `Optional` **skipJwtSignatureCheck**: `boolean` | ||
|
||
DANGER ZONE | ||
|
||
When JWT assertions are received via direct communication between the Client and the | ||
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and | ||
exposed functions) the TLS server validation MAY be used to validate the issuer in place of | ||
checking the assertion's signature. | ||
|
||
Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed | ||
Introspection, or JWT Signed UserInfo Response). | ||
|
||
Setting this to `true` also means that: | ||
|
||
- The Authorization Server's JSON Web Key Set will not be requested. That is useful for | ||
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of | ||
the JSON Web Key Set in between invocations. | ||
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md). | ||
|
||
Default is `false`. |
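Review bot: the sentence "the TLS server validation MAY be used to validate the issuer in place of checking the assertion's signature" is applied to the Token, UserInfo and Introspection endpoints alike but cites no specification; that MAY is the ID Token rule for tokens received directly from the Token Endpoint, so for a JWT-signed Introspection response please cite the section of the introspection JWT response specification that grants the same relaxation, or state plainly that the library extends the ID Token reasoning by analogy, so readers can check the claim rather than take the commit message's "in-spec" at face value.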
@@ -0,0 +1,60 @@ | ||
# Interface: ProcessRefreshTokenResponseOptions | ||
|
||
[💗 Help the project](https://github.com/sponsors/panva) | ||
|
||
## Table of contents | ||
|
||
### Properties | ||
|
||
- [headers](ProcessRefreshTokenResponseOptions.md#headers) | ||
- [signal](ProcessRefreshTokenResponseOptions.md#signal) | ||
- [skipJwtSignatureCheck](ProcessRefreshTokenResponseOptions.md#skipjwtsignaturecheck) | ||
|
||
## Properties | ||
|
||
### headers | ||
|
||
• `Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers ) | ||
|
||
A Headers instance to additionally send with the HTTP Request(s) triggered by this function's | ||
invocation. | ||
|
||
___ | ||
|
||
### signal | ||
|
||
• `Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) | ||
|
||
An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by | ||
this function's invocation. | ||
|
||
**`example`** A 5000ms timeout AbortSignal for every request | ||
|
||
```js | ||
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes. | ||
``` | ||
|
||
___ | ||
|
||
### skipJwtSignatureCheck | ||
|
||
• `Optional` **skipJwtSignatureCheck**: `boolean` | ||
|
||
DANGER ZONE | ||
|
||
When JWT assertions are received via direct communication between the Client and the | ||
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and | ||
exposed functions) the TLS server validation MAY be used to validate the issuer in place of | ||
checking the assertion's signature. | ||
|
||
Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed | ||
Introspection, or JWT Signed UserInfo Response). | ||
|
||
Setting this to `true` also means that: | ||
|
||
- The Authorization Server's JSON Web Key Set will not be requested. That is useful for | ||
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of | ||
the JSON Web Key Set in between invocations. | ||
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md). | ||
|
||
Default is `false`. |
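Review bot: the edge-runtime motivation ("cannot reliably share an in-memory cache of the JSON Web Key Set in between invocations") sits inside the DANGER ZONE text and reads as the recommended use of the option rather than as a trade-off; suggest moving it after "Default is `false`." under a short "When to consider this" note and naming the alternatives (caching the JWKS outside process memory, or keeping the default and accepting the extra JWKS round-trip), so that a refresh-token handler, which runs repeatedly and is exactly where latency pressure is highest, is not steered toward disabling verification for convenience.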
@@ -0,0 +1,60 @@ | ||
# Interface: ProcessUserInfoResponseOptions | ||
|
||
[💗 Help the project](https://github.com/sponsors/panva) | ||
|
||
## Table of contents | ||
|
||
### Properties | ||
|
||
- [headers](ProcessUserInfoResponseOptions.md#headers) | ||
- [signal](ProcessUserInfoResponseOptions.md#signal) | ||
- [skipJwtSignatureCheck](ProcessUserInfoResponseOptions.md#skipjwtsignaturecheck) | ||
|
||
## Properties | ||
|
||
### headers | ||
|
||
• `Optional` **headers**: [`Headers`]( https://developer.mozilla.org/en-US/docs/Web/API/Headers ) | ||
|
||
A Headers instance to additionally send with the HTTP Request(s) triggered by this function's | ||
invocation. | ||
|
||
___ | ||
|
||
### signal | ||
|
||
• `Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/en-US/docs/Web/API/AbortSignal ) | ||
|
||
An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by | ||
this function's invocation. | ||
|
||
**`example`** A 5000ms timeout AbortSignal for every request | ||
|
||
```js | ||
const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes. | ||
``` | ||
|
||
___ | ||
|
||
### skipJwtSignatureCheck | ||
|
||
• `Optional` **skipJwtSignatureCheck**: `boolean` | ||
|
||
DANGER ZONE | ||
|
||
When JWT assertions are received via direct communication between the Client and the | ||
Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and | ||
exposed functions) the TLS server validation MAY be used to validate the issuer in place of | ||
checking the assertion's signature. | ||
|
||
Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed | ||
Introspection, or JWT Signed UserInfo Response). | ||
|
||
Setting this to `true` also means that: | ||
|
||
- The Authorization Server's JSON Web Key Set will not be requested. That is useful for | ||
javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of | ||
the JSON Web Key Set in between invocations. | ||
- Any JWS Algorithm may be used, not just the [supported ones](../types/JWSAlgorithm.md). | ||
|
||
Default is `false`. |
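Review bot: the `skipJwtSignatureCheck` text is duplicated verbatim across all five options interfaces added in this commit, so any correction to it has to be made in five places; suggest declaring the property once in the source (a shared options interface that the five extend, so the TSDoc is generated once) and, for this UserInfo variant specifically, stating whether the option has any effect on a plain JSON (non-JWT) UserInfo response, since the text only talks about "JWT Signed UserInfo Response".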