
xtuple / oauth2orize-jwt-bearer


This repository contains the source code for the JSON Web Token (JWT) bearer token exchange middleware for OAuth2orize.

License: MIT License

JavaScript 97.26% Makefile 2.74%

oauth2orize-jwt-bearer's People

Contributors

bendiy, gilmoskowitz, kulakowka, purdytx, shackbarth


oauth2orize-jwt-bearer's Issues

Description and example are confusing

"This exchange middleware is used to by clients to request an access token" seems very wrong to me, the example below generates an access token right? So this isn't used by clients but rather by the server side of things right?

It looks more like this should say "This exchange middleware handles a JWT client request in order to validate and if successful, return an access token" ?

Which parts make up the client side? When I look at passport.-jwt-bearer, it seems to look up a client, which would also be on the server, or more specifically, the Auth side. Maybe a reference to an example somewhere would guide users, somewhat like there is for the other OAuth2 (oauth2orize) services? I'd like to contribute one, but right now I'm trying to understand the descriptions.

JWT server.exchange is not invoked

Hi,

I have implemented jwt server exchange in my oauth flow and I see that this method server.exchange('urn:ietf:params:oauth:grant-type:jwt-bearer', jwtBearer(function(client, data, signature, done) does not get invoked as mentioned in the README. Any clue?

Resolve debug dependency vulnerability issue

Currently the debug dependency has a "regular expression denial of service" vulnerability for any version below 2.6.9. This dependency is being brought in by oauth2orize ("debug": 0.7.4).
Upgrading oauth2orize from 0.1.0 to ^1.12.0 will help resolve this issue.

RSA-SHA256

In attempting to put in the pieces for the RSA SHA encryption handling, I cannot get the signature to verify as verifier.verify always seems to return false. If anyone has cleared this hurdle, a little help would be super.

What I've done:
Created the private / public keys:
openssl genrsa -out private.pem 1024
//extract public key
openssl rsa -in private.pem -out public.pem -outform PEM -pubout

now the data to sign:
{"alg":"RS256","typ":"JWT"}{"iss": "myclient"}
I've tried multiple ways as to how to sign this, too many to list here, but my understanding of the correct signature is to sign the base64 encoding of these items, so I ran base64 on {"alg":"RS256","typ":"JWT"} and base64 on {"iss": "myclient"}, then ran base64 on those encodings. So the result is:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
eyJpc3MiOiAibXljbGllbnQifQ
then encode:
{eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9}.{eyJpc3MiOiAibXljbGllbnQifQ}
which gives me:
e2V5SmhiR2NpT2lKU1V6STFOaUlzSW5SNWNDSTZJa3BYVkNKOX0ue2V5SnBjM01pT2lBaWJYbGpiR2xsYm5RaWZRfQ

At this point I sign the above base64 by doing:
openssl sha -sha256 -sign priv.pem < signThis > signedData
Then I run base64 on that to get the data to pass into the signature part of the assertion.
I then pass in the object:
{
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiAibXljbGllbnQifQ.signedData"
}

now in the code base I have:
var crypto = require('crypto')
, fs = require('fs')
, pub = fs.readFileSync('/path/to/pub.pem')
, verifier = crypto.createVerify("RSA-SHA256");

verifier.update(JSON.stringify(data));

var result = verifier.verify(pub, signature, 'base64');
console.log('vf: ', result);

however, result is always false.

I do properly receive the data, the signature variable in the code is a match for what I'm passing in, I just always receive false and have exhausted all options I can think of on how to tweak this to get verifier.verify to return true. Thank you for the time and help!

No way to raise authorization errors when doing validation

I'm trying to implement this according to standards, and when looking at your example you mention that it would be a good idea to validate client_id, scope and expiration. I'm trying to do that in my implementation, but I can't seem to find a good way to return an error in the exchange.

How do you return done(some error describing what is wrong)?
