forked from panva/oauth4webapi
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdpop.diff
49 lines (44 loc) · 1.78 KB
/
dpop.diff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
diff --git a/examples/code.ts b/examples/dpop.ts
index 98576c1..aa2cb90 100644
--- a/examples/code.ts
+++ b/examples/dpop.ts
@@ -1,5 +1,9 @@
import * as oauth from '../src/index.js'
+// in order to take full advantage of DPoP you shall generate a random private key for every session
+// in the browser environment you shall use IndexedDB to persist the generated CryptoKeyPair
+const DPoP = await oauth.generateKeyPair('ES256')
+
const issuer = new URL('https://example.as.com')
const as = await oauth
.discoveryRequest(issuer)
@@ -54,6 +58,7 @@ let access_token: string
params,
redirect_uri,
code_verifier,
+ { DPoP },
)
let challenges: oauth.WWWAuthenticateChallenge[] | undefined
@@ -67,6 +72,9 @@ let access_token: string
const result = await oauth.processAuthorizationCodeOpenIDResponse(as, client, response)
if (oauth.isOAuth2Error(result)) {
console.log('error', result)
+ if (result.error === 'use_dpop_nonce') {
+ // the AS-signalled nonce is now cached, you should retry
+ }
throw new Error() // Handle OAuth 2.0 response body error
}
@@ -79,12 +87,15 @@ let access_token: string
// fetch userinfo response
{
- const response = await oauth.userInfoRequest(as, client, access_token)
+ const response = await oauth.userInfoRequest(as, client, access_token, { DPoP })
let challenges: oauth.WWWAuthenticateChallenge[] | undefined
if ((challenges = oauth.parseWwwAuthenticateChallenges(response))) {
for (const challenge of challenges) {
console.log('challenge', challenge)
+ if (challenge.scheme === 'dpop' && challenge.parameters.error === 'use_dpop_nonce') {
+ // the AS-signalled nonce is now cached, you should retry
+ }
}
throw new Error() // Handle www-authenticate challenges as needed
}