Merge pull request jsonwebtoken#385 from panva/remote-jwk-lookup

better remote key fetch

Author: Sambego

src/editor/public-key-download.js

@@ -1,3 +1,5 @@
+import jose from 'node-jose';
+
 import { httpGet } from '../utils.js';
 
 function getKeyFromX5c(x5c) {
@@ -28,13 +30,13 @@ function getKeyFromX5Claims(claims) {
     } else {
       reject('x5c or x5u claims not available');
     }
-  });  
+  });
 }
 
 function getKeyFromJwkKeySetUrl(kid, url) {
   return httpGet(url).then(data => {
     data = JSON.parse(data);
-    
+
     if(!data || !data.keys || !(data.keys instanceof Array)) {
       throw new Error(`Could not get JWK key set from URL: ${url}`);
     }
@@ -66,10 +68,31 @@ export function downloadPublicKeyIfPossible(decodedToken) {
       resolve(getKeyFromJwkKeySetUrl(header.kid, header.jku));
     } else if(header.jwk) {
       resolve(getKeyFromX5Claims(header.jwk));
-    } else if(header.kid && payload.iss) {
-      //Auth0-specific scheme
-      const url = payload.iss + '.well-known/jwks.json';
-      resolve(getKeyFromJwkKeySetUrl(header.kid, url));
+    } else if(payload.iss) {
+      const url = payload.iss + (payload.iss.substr(-1) === '/' ? '.well-known/openid-configuration' : '/.well-known/openid-configuration')
+
+      httpGet(url).then(data => {
+        data = JSON.parse(data);
+
+        if(!data || !data.jwks_uri || typeof data.jwks_uri !== 'string') {
+          throw new Error(`Could not get jwks_uri from URL: ${url}`);
+        }
+
+        return httpGet(data.jwks_uri)
+      }).then(data => {
+        data = JSON.parse(data);
+
+        return jose.JWK.asKeyStore(data);
+      }).then(jwks => {
+
+        const keys = jwks.all({ alg: header.alg, kid: header.kid, use: 'sig' })
+
+        if (keys.length !== 1) {
+          throw new Error('Could not find a single definitive key in jwks_uri');
+        }
+
+        resolve(keys[0].toPEM())
+      }).catch(reject);
     } else {
       reject('No details about key');
     }

test/functional/editor.js

@@ -660,6 +660,13 @@ describe('Editor', function() {
       before(async function() {
         this.app = express();
 
+        this.app.get('/.well-known/openid-configuration', (req, res) => {
+          res.set('Access-Control-Allow-Origin', '*');
+          res.json({
+            jwks_uri: 'http://localhost:3000/.well-known/jwks.json'
+          });
+        });
+
         this.app.get('/.well-known/jwks.json', (req, res) => {
           res.set('Access-Control-Allow-Origin', '*');
           res.json(jwks);
@@ -715,7 +722,7 @@ describe('Editor', function() {
         const publicKey = await this.page.$eval('textarea[name="public-key"]',
           publicKeyElement => publicKeyElement.value);
 
-        expect(publicKey).to.include(jwks.keys[0].x5c[0]);
+        expect(publicKey).to.include(`-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd\nUWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs\nHUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D\no2kQ+X5xK9cipRgEKwIDAQAB\n-----END PUBLIC KEY-----\n`);
 
         const valid = await this.page.$eval('.validation-status', status => {
           return status.classList.contains('valid-token') &&

test/functional/jwks.json

@@ -8,7 +8,9 @@
         "MIIDBjCCAe4CCQCu9p2owjWCFjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJVUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTE5MDMxNjExMzYyOVoXDTIwMDMxNTExMzYyOVowRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ88orNWY3zQdGwYChTEr75E7cJbwbGiau0ucAPpM3lTlaVVsJFnVYWuLN/FzP6Wv8q+O2r+/s91U5rw0cgB3Gk/dsIURBaS7/XI+ZU3iUom8q/zK5v2LYwmVVoGjmCIcK18Ci6j6/9dYp1rAJHyMrbx1k8WWBHFy4AFxblLmkt7hfYBIjUMMxk1Nb9BapKkwa+AfJ1txwjeO11LtLfGNHvpX+LODsUGsFg+/Sff+Xd0ctL21dwJtRbRiYibzsEbCH1QoQ6WErU3B0wjKrb1m1ei9dQVpKcxl0luB7+N6mvhkmDg9kFOvDG+faEpNjgfgbTi6SaH5mxhBoL5sMgiPTMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAQItHIdKxBhnG6yqZIq9inhwQZJ2D/YV/FJfhLsHcvj/OnOvu/sZPn2SEwsi4w4LobS1MH2bxX15m+pK0sUdLxWysLr3afDEOIlI1pHPxPv4sXeJ2g/N2Wzr7ZMTEXSlCWgU+4Q9aIvNOlaAS5EBhQXTDZqwLer+tgeC+7da8rihuOnQWQraWGGXpKVHb2kbBpVZi61cjmvic6Caun4AZjL+UOEWpzPtFnvgTKJRD7Vh0fUfhxnKXHLAV/kcdcRPEeTg+ZDAWTThj20rDyxkWU87bptvI9VmxaummGwD/iknuiu84x3fiuEtwHbTCA4bz8ce6jzKQ2qBllvgfcVf4Dw=="
       ],
       "kid": "1",
-      "x5t": "1"
+      "x5t": "1",
+      "e": "AQAB",
+      "n": "3ZWrUY0Y6IKN1qI4BhxR2C7oHVFgGPYkd38uGq1jQNSqEvJFcN93CYm16_G78FAFKWqwsJb3Wx-nbxDn6LtP4AhULB1H0K0g7_jLklDAHvI8yhOKlvoyvsUFPWtNxlJyh5JJXvkNKV_4Oo12e69f8QCuQ6NpEPl-cSvXIqUYBCs"
     }
   ]
 }

test/unit/editor/public-key-download.js

@@ -4,7 +4,7 @@ import _ from 'lodash';
 import sinon from 'sinon';
 import sinonChai from 'sinon-chai';
 
-import publicKeyDownloadInjector from 
+import publicKeyDownloadInjector from
   'inject-loader!../../../src/editor/public-key-download.js';
 
 chai.use(chaiAsPromised);
@@ -26,44 +26,54 @@ describe('Public key downloader', function() {
 
   const jwks = {
     keys: [{
-      kid: 1,
-      x5c: ['test-x5c-key']
+      kty: 'RSA',
+      kid: '1',
+      e: 'AQAB',
+      n: '1GPz-Er5h7PCk4v3pSlnaLYNYrp4sVc6Tx7FVz9d8m4zIS2qzcTM_6dRbMgZ4hBdD35NpYzU4z-d8lN27-J_jOzHnCiMdkY-w52dCofAkICh6ftkFlG9bFQyH8Jz5UtpVkZyy1dxCRz_sbRAzUdjUYsGvrKXg-3UYCL5SBCnt0ycrvr3iKX9k8IlMrFRB8lBJ6eQVzkzGsuivPaThXjVZ_OpY7W-XsDjut7cFgPKIc843tW4CNaDJ6j3afm-RFOok__xLQH5uA7HXS_yqfEchvzXfYfMxJY2d-Eqw4xTurm3TT07RnwJuN9slDJUrTH9EKkJkjZ7dn7fZtGjGTpaDQ',
+      x5c: ['test-x5c-key'],
     }]
   };
 
+  const keyAsPEM = `-----BEGIN PUBLIC KEY-----\r\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1GPz+Er5h7PCk4v3pSln\r\naLYNYrp4sVc6Tx7FVz9d8m4zIS2qzcTM/6dRbMgZ4hBdD35NpYzU4z+d8lN27+J/\r\njOzHnCiMdkY+w52dCofAkICh6ftkFlG9bFQyH8Jz5UtpVkZyy1dxCRz/sbRAzUdj\r\nUYsGvrKXg+3UYCL5SBCnt0ycrvr3iKX9k8IlMrFRB8lBJ6eQVzkzGsuivPaThXjV\r\nZ/OpY7W+XsDjut7cFgPKIc843tW4CNaDJ6j3afm+RFOok//xLQH5uA7HXS/yqfEc\r\nhvzXfYfMxJY2d+Eqw4xTurm3TT07RnwJuN9slDJUrTH9EKkJkjZ7dn7fZtGjGTpa\r\nDQIDAQAB\r\n-----END PUBLIC KEY-----\r\n`;
+
   function httpGetMock(data) {
     return (url) => data ? Promise.resolve(data) : Promise.reject();
   }
 
   it('Finds keys in iss + .well-known URL', function(done) {
     const decodedToken = _.defaultsDeep({}, decodedBaseToken, {
       header: {
-        kid: 1
+        kid: '1'
       },
       payload: {
         iss: baseUrl
       }
     });
 
-    const httpGetStub = sinon.stub().resolves(JSON.stringify(jwks));
+    const httpGetStub = sinon.stub()
+      .onCall(0).resolves(JSON.stringify({ jwks_uri: '/.well-known/jwks.json' }))
+      .onCall(1).resolves(JSON.stringify(jwks));
+
     const downloadPublicKeyIfPossible = publicKeyDownloadInjector({
       '../utils.js': {
         httpGet: httpGetStub
       }
     }).downloadPublicKeyIfPossible;
 
     downloadPublicKeyIfPossible(decodedToken)
-      .should.eventually.include(jwks.keys[0].x5c[0])
+      .should.eventually.include(keyAsPEM)
       .then(() => {
+        httpGetStub.should.have.been
+                   .calledWith(baseUrl + '.well-known/openid-configuration');
         httpGetStub.should.have.been
                    .calledWith(baseUrl + '.well-known/jwks.json');
-      }).should.notify(done);    
+      }).should.notify(done);
   });
 
   it('Finds keys in jwk header claim', function(done) {
     const decodedToken = _.defaultsDeep({}, decodedBaseToken, {
       header: {
-        kid: 1,
+        kid: '1',
         jwk: jwks.keys[0]
       }
     });
@@ -79,13 +89,13 @@ describe('Public key downloader', function() {
       .should.eventually.include(jwks.keys[0].x5c[0])
       .then(() => {
         httpGetStub.should.have.callCount(0);
-      }).should.notify(done);    
+      }).should.notify(done);
   });
 
   it('Finds keys in jku header claim', function(done) {
     const decodedToken = _.defaultsDeep({}, decodedBaseToken, {
       header: {
-        kid: 1,
+        kid: '1',
         jku: baseUrl
       }
     });
@@ -101,7 +111,7 @@ describe('Public key downloader', function() {
       .should.eventually.include(jwks.keys[0].x5c[0])
       .then(() => {
         httpGetStub.should.have.been.calledWith(baseUrl);
-      }).should.notify(done);    
+      }).should.notify(done);
   });
 
   it('Finds keys in x5u header claim', function(done) {
@@ -122,7 +132,7 @@ describe('Public key downloader', function() {
       .should.eventually.include(jwks.keys[0].x5c[0])
       .then(() => {
         httpGetStub.should.have.been.calledWith(baseUrl);
-      }).should.notify(done);    
+      }).should.notify(done);
   });
 
   it('Finds keys in x5c string header claim', function(done) {
@@ -143,7 +153,7 @@ describe('Public key downloader', function() {
       .should.eventually.include(jwks.keys[0].x5c[0])
       .then(() => {
         httpGetStub.should.have.callCount(0);
-      }).should.notify(done);    
+      }).should.notify(done);
   });
 
   it('Finds keys in x5c array header claim', function(done) {
@@ -164,13 +174,13 @@ describe('Public key downloader', function() {
       .should.eventually.include(jwks.keys[0].x5c[0])
       .then(() => {
         httpGetStub.should.have.callCount(0);
-      }).should.notify(done);    
+      }).should.notify(done);
   });
 
   it('Rejects the promise when HTTP request fails', function(done) {
     const decodedToken = _.defaultsDeep({}, decodedBaseToken, {
       header: {
-        kid: 1,
+        kid: '1',
         jku: baseUrl
       }
     });
@@ -186,14 +196,14 @@ describe('Public key downloader', function() {
       .should.be.rejected
       .then(() => {
         httpGetStub.should.have.been.calledWith(baseUrl);
-      }).should.notify(done);    
+      }).should.notify(done);
   });
 
-  describe('Rejects the promise when invalid data ' + 
+  describe('Rejects the promise when invalid data ' +
            'is in jku claim URL', function() {
     const decodedToken = _.defaultsDeep({}, decodedBaseToken, {
       header: {
-        kid: 1,
+        kid: '1',
         jku: baseUrl
       }
     });
@@ -216,9 +226,9 @@ describe('Public key downloader', function() {
           httpGetStub.should.have.been.calledWith(baseUrl);
         }).should.notify(done);
     });
-      
+
     it('when the keys object does not exist', function(done) {
-      httpGetStub = sinon.stub().resolves({      
+      httpGetStub = sinon.stub().resolves({
       });
 
       downloadPublicKeyIfPossible(decodedToken)
@@ -227,7 +237,7 @@ describe('Public key downloader', function() {
           httpGetStub.should.have.been.calledWith(baseUrl);
         }).should.notify(done);
     });
-    
+
     it('when there is no kid', function(done) {
       httpGetStub = sinon.stub().resolves({
         keys: [{
@@ -241,11 +251,11 @@ describe('Public key downloader', function() {
           httpGetStub.should.have.been.calledWith(baseUrl);
         }).should.notify(done);
     });
-    
+
     it('when there are no x5u or x5c claims', function(done) {
       httpGetStub = sinon.stub().resolves({
         keys: [{
-          kid: 1
+          kid: '1'
         }]
       });