Updated to work with B2C flows.

brandwe · brandwe · commit 654abe2f40fe · 2015-05-15T16:38:16.000-07:00
diff --git a/node-server/lib/metadata.js b/node-server/lib/metadata.js
@@ -21,6 +21,7 @@ var xml2js = require('xml2js');
 var request = require('request');
 var aadutils = require('./aadutils');
 var async = require('async');
+var ursa = require('ursa');
 
 // Logging
 
@@ -102,20 +103,56 @@ Metadata.prototype.updateSamlMetadata = function(doc, next) {
 Metadata.prototype.updateOidcMetadata = function(doc, next) {
   log.info('Request to update the Open ID Connect Metadata');
   try {
-    this.oidc = {};
-
-    this.oidc.issuer = doc['issuer'];
-    this.oidc.keyURL = doc['jwks_uri'];
-    this.oidc.algorithm = doc['id_token_signing_alg_values_supported'];
-
-    log.info("algorithm we will use is: ", this.oidc.algorithm);
-    log.info("the Keys are located at: ", this.oidc.keyURL);
+      this.oidc = {};
+      this.oidc.issuer = doc['issuer'];
+      this.oidc.algorithms = doc['id_token_signing_alg_values_supported'];
+      var jwksUri = doc.jwks_uri;
+
+      log.info('Algorithm retreived was: ', this.oidc.algorithms);
+      log.info('Issuer we are using is: ', this.oidc.issuer);
+      log.info('Key Endpoint will we use is: ', jwksUri);
+
+      var self = this;
+      var callback = next;
+
+      async.waterfall([
+        // fetch the signing keys
+        function(next){
+          request(jwksUri, function (err, response, body) {
+            if(err) {
+              next(err);
+            } else if(response.statusCode !== 200) {
+              next(new Error("Error:" + response.statusCode +  " Cannot get AAD Signing Keys"));
+            } else {
+              next(null, body);
+            }
+          });
+        },
+
+        function(body, next){
+          // parse the AAD Federation metadata xml
+          log.info("Parsing JSON retreived from the signing keys endpoint.");
+          try {
+            self.oidc.keys = JSON.parse(body).keys;
+            log.info("***** KEYS  ******");
+            log.info("");
+            log.info(self.oidc.keys);
+            log.info("");
+            log.info("***********");
+            next(null);
+          } catch (e) {
+            next(new Error(e));
+          }
+        },
+
+      ], function (err) {
+        callback(err);
+      });
 
-    next(null);
-  } catch (e) {
-    next(new Error('Invalid Open ID Connect Federation Metadata ' + e.message));
-  }
-};
+    } catch (e) {
+      next(new Error('Invalid Open ID Connect Federation Metadata ' + e.message));
+    }
+  };
 
 
 Metadata.prototype.updateWsfedMetadata = function(doc, next) {
@@ -147,6 +184,24 @@ Metadata.prototype.updateWsfedMetadata = function(doc, next) {
   }
 };
 
+Metadata.prototype.generateOidcPEM = function(kid) {
+  if (!this.oidc.keys) {
+    return null;
+  }
+  for (var i=0; i < this.oidc.keys.length; i++) {
+    if (this.oidc.keys[i].kid == kid) {
+      log.info('Working on key: ', this.oidc.keys[i])
+      var modulus = new Buffer(this.oidc.keys[i].n, 'base64');
+      var exponent = new Buffer(this.oidc.keys[i].e, 'base64');
+
+      var pubKey = ursa.createPublicKeyFromComponents(modulus, exponent);
+      return pubKey.toPublicPem('utf8');
+    }
+  }
+  return null;
+};
+
+
 Metadata.prototype.fetch = function(callback) {
   var self = this;
   log.info("Fetching metadata from the provided metadata URL: " + self.url);
@@ -159,7 +214,7 @@ Metadata.prototype.fetch = function(callback) {
         } else if(response.statusCode !== 200) {
           next(new Error("Error:" + response.statusCode +  " Cannot get AAD Federation metadata from " + self.url));
         } else {
-          log.info("***********");
+          log.info("***** METADATA ******");
           log.info("");
           log.info(body);
           log.info("");
@@ -185,29 +240,30 @@ Metadata.prototype.fetch = function(callback) {
 
     } else if(self.authtype == "oidc") {
       log.info("Parsing JSON retreived from the endpoint");
-      self.metadata =  JSON.parse(body);
+      self.metadata = JSON.parse(body);
+      next(null);
 
     } else { next(new Error("No Authentication type specified to metadata parser. Valid types are saml, wsfed, or odic")); }
 
   },
-    function(next){
-      if(self.authtype == "saml") {
-      // update the SAML SSO endpoints and certs from the metadata
-      self.updateSamlMetadata(self.metatdata, next);
-    }},
-    function(next){
-      if(self.authtype == "wsfed") {
-      // update the SAML SSO endpoints and certs from the metadata
-      self.updateWsfedMetadata(self.metatdata, next);
-    }},
-    function(next){
-      if(self.authtype == "oidc") {
-      self.updateOidcMetadata(self.metadata, next);
-    }}
-  ], function (err) {
-    // return err or success (err === null) to callback
-    callback(err);
-  });
-};
+  function(next){
+
+        console.log('updating metadata...');
+
+        if(self.authtype == "saml") {
+          self.updateSamlMetadata(self.metatdata, next);
+        }
+        else if(self.authtype == "wsfed") {
+          self.updateWsfedMetadata(self.metatdata, next);
+      }
+        else if(self.authtype == "oidc") {
+          self.updateOidcMetadata(self.metadata, next);
+        }
+      },
+    ], function (err) {
+      callback(err);
+      log.info('Goodbye from Metadata');
+    });
+  };
 
 exports.Metadata = Metadata;
diff --git a/node-server/lib/oidc_strategy.js b/node-server/lib/oidc_strategy.js
@@ -28,6 +28,8 @@ var async = require('async');
 var jwt = require('jsonwebtoken');
 var request = require('request');
 var Metadata = require('./metadata').Metadata;
+var ursa = require('ursa');
+var jws = require('jws');
 
 var log = bunyan.createLogger({name: 'Microsoft OpenID Connect: Passport Strategy'});
 /**
@@ -88,7 +90,7 @@ if(options.publicCert) {
 
 if(options.metadataurl) {
 
-  log.info(options.metadataurl, 'metadata url provided to Strategy');
+  log.info('Metadata url provided to Strategy was: ', options.metadataurl);
   this.metadata = new Metadata(options.metadataurl, "oidc");
 }
 
@@ -97,45 +99,30 @@ if (!options.certificate && !options.metadataurl) {
    throw new TypeError('OIDCBearerStrategy requires either a PEM encoded public key or a metadata location that contains cert data for RSA and ECDSA callback.');
  }
 
+ if (typeof options == 'function') {
+    verify = options;
+    options = {};
+  }
 
     // Passport requires a verify function
 
     if (!verify) {
       throw new TypeError('OIDCBearerStrategy requires a verify callback. Do not cheat!');
     }
 
-    this.certs = [];
-
     // Token validation settings. Hopefully most of these will be pulled from the metadata and this is not needed
 
 
-
-// fetch metadata
-
-    if(this.metadata) {
     this.metadata.fetch(function(err) {
-      if(err) {
-        log.warn('Error parsing metadata.', err);
-        return err;
-      } else {
-        log.info(this.metadata,'Metadata returned');
-        this.oidc = self.metadata.oidc;
-        this.keyURL = oidc.keyURL;
-        this.algothims = oidc.algorithm;
-      }
-    }); };
-
-  // fetch keys
-
-
+        if (err) {
+          throw new Error("Unable to fetch metadata: " + err);
+        }
 
-  var config = {
- // The URL of the metadata document for your app. We will put the keys for token validation from the URL found in the jwks_uri tag of the in the metadata.
-algorithms: this.algorithms
+      });
 
-};
 
   function jwtVerify(req, token, done) {
+
   if (!options.passReqToCallback) {
     token = arguments[0];
     done = arguments[1];
@@ -144,11 +131,30 @@ algorithms: this.algorithms
   }
 
 
+var decoded = jws.decode(token);
+    if (decoded == null) {
+      done(null, false, "Invalid JWT token.");
+    }
+
+ log.info(decoded, 'was token decrypted. But is it valid?');
+
 
-  var PEMkey = pem.certToPEM(this._oidc.certs[0]);
-  log.info(PEMkey, 'was the PEM returned');
+// We have two different types of token signatures we have to validate here. One provides x5t and the other a kid. We need to call the right one.
+       if (decoded.header.x5t) {
+         var PEMkey = this.metadata.generateOidcPEM(decoded.header.x5t);
+         }
+       else if (decoded.header.kid) {
+         var PEMkey = this.metadata.generateOidcPEM(decoded.header.x5t);
+         }
+       else { throw new TypeError('We did not reveive a token we know how to validate');
+     }
 
-  jwt.verify(token, PEMkey, config, function (err, token) {
+
+
+       options.issuer = this.metadata.oidc.issuer;
+       options.algorithms = ['RS256'];
+
+  jwt.verify(token, PEMkey, options, function (err, token) {
       if (err) {
         if (err instanceof jwt.TokenExpiredError) {
           log.warn("Access token expired");
@@ -176,6 +182,10 @@ algorithms: this.algorithms
     });
 }
 
+var opts = {};
+  opts.passReqToCallback = true;
+
+  console.log('Req: ' + options.passReqToCallback);
 
     BearerStrategy.call(this, options, jwtVerify);
 
diff --git a/node-server/test/metadata_tests.js b/node-server/test/metadata_tests.js
@@ -119,9 +119,8 @@ exports['metadata'] = {
         var m = new Metadata(oidc_metadataUrl, "oidc"); // this indicates to parse JSON vs. XML
         m.fetch(function(err) {
           test.ifError(err, 'method had error before testing properties');
-          test.ok(m.oidc.certs.length > 0, 'fetch should obtain 1 or more saml x509 certificates');
-          test.ok(m.oidc.loginEndpoint, 'fetch should obtain saml login endpoint');
-          test.ok(m.oidc.logoutEndpoint, 'fetch should obtain saml logout endpoint');
+          test.ok(m.oidc.algorithm, 'fetch should obtain odic algorithm');
+          test.ok(m.oidc.keyURL, 'fetch should obtain odic Key URL');
         });
       },
       Error,
