5.0.3 • Published 1 year ago

oidc-token-hash v5.0.3

Weekly downloads
311,661
License
MIT
Repository
github
Last release
1 year ago

oidc-token-hash

oidc-token-hash validates (and generates) ID Token _hash claims such as at_hash or c_hash

Its *_hash value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the token / state / code value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash the token / state / code value with SHA-256, then take the left-most 128 bits and base64url encode them. The *_hash value is a case sensitive string.

Matrix

JWS algorithmused hash algorithmNote
HS256, RS256, PS256, ES256, ES256Ksha256
HS384, RS384, PS384, ES384sha384
HS512, RS512, PS512, ES512sha512
EdDSA w/ Ed25519 curvesha512connect/issues#1125
EdDSA w/ Ed448 curveshake256connect/issues#1125

Usage

Validating

const oidcTokenHash = require('oidc-token-hash');

const access_token = 'YmJiZTAwYmYtMzgyOC00NzhkLTkyOTItNjJjNDM3MGYzOWIy9sFhvH8K_x8UIHj1osisS57f5DduL-ar_qw5jl3lthwpMjm283aVMQXDmoqqqydDSqJfbhptzw8rUVwkuQbolw';

oidcTokenHash.validate({ claim: 'at_hash', source: 'access_token' }, 'x7vk7f6BvQj0jQHYFIk4ag', access_token, 'RS256'); // => does not throw
oidcTokenHash.validate({ claim: 'at_hash', source: 'access_token' }, 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ', access_token, 'EdDSA', 'Ed25519'); // => does not throw
oidcTokenHash.validate({ claim: 'at_hash', source: 'access_token' }, 'x7vk7f6BvQj0jQHYFIk4ag', 'foobar', 'RS256'); // => throws AssertionError, message: at_hash mismatch, expected w6uP8Tcg6K2QR905Rms8iQ, got: x7vk7f6BvQj0jQHYFIk4ag

Generating

// access_token from first example
oidcTokenHash.generate(access_token, 'RS256'); // => 'x7vk7f6BvQj0jQHYFIk4ag'
oidcTokenHash.generate(access_token, 'HS384'); // => 'ups_76_7CCye_J1WIyGHKVG7AAs2olYm'
oidcTokenHash.generate(access_token, 'ES512'); // => 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ'
oidcTokenHash.generate(access_token, 'EdDSA', 'Ed25519'); // => 'EGEAhGYyfuwDaVTifvrWSoD5MSy_5hZPy6I7Vm-7pTQ'
oidcTokenHash.generate(access_token, 'EdDSA', 'Ed448'); // => 'jxsy68_eG9-91VnHsZ2VnCr_WqDMv4nspiSuUPRdNZnv1y5lNV3rPVYYWNiY_TbUB1JRwlgiDTzZ'

Changelog

  • 5.0.2 - avoid use of deprecated String.prototype.substr
  • 5.0.1 - use base64url native encoding in Node.js when available
  • 5.0.0 - fixed Ed448 and shake256 to use 114 bytes output
  • 4.0.0 - using sha512 for Ed25519 and shake256 for Ed448, refactored API, removed handling of none JWS alg
  • 3.0.2 - removed base64url dependency
  • 3.0.1 - base64url comeback
  • 3.0.0 - drop lts/4 support, replace base64url dependency
  • 2.0.0 - rather then assuming the alg based on the hash length #valid() now requires a third argument with the JOSE header alg value, resulting in strict validation
  • 1.0.0 - initial release
@infinitebrahmanuniverse/nolb-oisolid-oidc-providerlifeid-js-oidc-provider-coregita-ssopatched-openid-clientoidc-provideroidc-provider-cjsoidc-provider-custom-logoutoidc-provider-ilkkahoidc-provider-modoidc-provider-nodejsoidc-test-provideropenid-clientopenid-client-any-engineopenid-client-kingfisheropenid-client-requestopenid-client-request-es5core-idcycgods@ifanshx/cycgods@kognifai/oidc-provider-fork@privoro/openid-client@puyodead1/openid-client@lexamica-modules/openid-client@recro/easy-kubernetes-controller@viewsonic-mvb/oidc-provider@ainasoft/oidc-provider@everything-registry/sub-chunk-2372@strongnguyen/oidc-provider@anxing131/openid-client@astro-my/oidc-provider-astro@atproto-labs/oauth-provider@authing/node-oidc-provider@authing/oidc-provider@authok/oidc-providerarvm-bestdeveloperbaku-openid-client@circuitly/openid-client@ctbto/oidc-provider@definitelynotaworkaccount/openid-client@dextersjab/openid-client
5.0.3

1 year ago

5.0.2

1 year ago

5.0.1

3 years ago

5.0.0

4 years ago

4.0.0

4 years ago

3.0.2

5 years ago

3.0.1

6 years ago

3.0.0

6 years ago

2.0.0

7 years ago

1.0.2

7 years ago

1.0.1

8 years ago

1.0.0

8 years ago