refactor: use a single client assertion audience (#2024)

Co-authored-by: Filip Skokan <[email protected]>
Co-authored-by: Tushar Pandey <[email protected]>
Co-authored-by: Tushar Pandey <[email protected]>

Author: 3 people

package-lock.json

@@ -125,8 +125,8 @@
     "debug": "^4.3.4",
     "joi": "^17.6.0",
     "jose": "^4.15.5",
-    "oauth4webapi": "^2.3.0",
-    "openid-client": "^5.6.5",
+    "oauth4webapi": "^2.17.0",
+    "openid-client": "^5.7.1",
     "tslib": "^2.4.0",
     "url-join": "^4.0.1"
   },

package.json

@@ -96,7 +96,25 @@ export class EdgeClient extends AbstractClient {
     const [as, client] = await this.getClient();
 
     if (this.config.pushedAuthorizationRequests) {
-      const response = await oauth.pushedAuthorizationRequest(as, client, parameters as Record<string, string>);
+      const { clientAssertionSigningKey, clientAssertionSigningAlg } = this.config;
+
+      let clientPrivateKey = clientAssertionSigningKey as CryptoKey | undefined;
+      /* c8 ignore next 3 */
+      if (clientPrivateKey && !(clientPrivateKey instanceof CryptoKey)) {
+        clientPrivateKey = await jose.importPKCS8<CryptoKey>(clientPrivateKey, clientAssertionSigningAlg || 'RS256');
+      }
+
+      const response = await oauth.pushedAuthorizationRequest(as, client, parameters as Record<string, string>, {
+        ...(clientPrivateKey && {
+          clientPrivateKey,
+          [oauth.modifyAssertion](_header: Record<string, oauth.JsonValue>, payload: Record<string, oauth.JsonValue>) {
+            if (Array.isArray(payload.aud)) {
+              payload.aud = as.issuer;
+            }
+          }
+        }),
+        ...this.httpOptions()
+      });
       const result = await oauth.processPushedAuthorizationResponse(as, client, response);
       if (oauth.isOAuth2Error(result)) {
         throw new IdentityProviderError({
@@ -163,7 +181,14 @@ export class EdgeClient extends AbstractClient {
       checks.code_verifier as string,
       {
         additionalParameters: extras.exchangeBody,
-        ...(clientPrivateKey && { clientPrivateKey }),
+        ...(clientPrivateKey && {
+          clientPrivateKey,
+          [oauth.modifyAssertion](_header: Record<string, oauth.JsonValue>, payload: Record<string, oauth.JsonValue>) {
+            if (Array.isArray(payload.aud)) {
+              payload.aud = as.issuer;
+            }
+          }
+        }),
         ...this.httpOptions()
       }
     );
@@ -233,8 +258,25 @@ export class EdgeClient extends AbstractClient {
 
   async refresh(refreshToken: string, extras: { exchangeBody: Record<string, any> }): Promise<TokenEndpointResponse> {
     const [as, client] = await this.getClient();
+
+    const { clientAssertionSigningKey, clientAssertionSigningAlg } = this.config;
+
+    let clientPrivateKey = clientAssertionSigningKey as CryptoKey | undefined;
+    /* c8 ignore next 3 */
+    if (clientPrivateKey && !(clientPrivateKey instanceof CryptoKey)) {
+      clientPrivateKey = await jose.importPKCS8<CryptoKey>(clientPrivateKey, clientAssertionSigningAlg || 'RS256');
+    }
+
     const res = await oauth.refreshTokenGrantRequest(as, client, refreshToken, {
       additionalParameters: extras.exchangeBody,
+      ...(clientPrivateKey && {
+        clientPrivateKey,
+        [oauth.modifyAssertion](_header: Record<string, oauth.JsonValue>, payload: Record<string, oauth.JsonValue>) {
+          if (Array.isArray(payload.aud)) {
+            payload.aud = as.issuer;
+          }
+        }
+      }),
       ...this.httpOptions()
     });
     const result = await oauth.processRefreshTokenResponse(as, client, res);