feat: better keystore handling

Enables verification with multiple keys present. Lays the way forward to more easily add fetched jwks data from the jwks_uri parameter.
microsoft-healthcare-madison · Sep 10, 2021 · e6b530e · e6b530e
1 parent e18e025
commit e6b530e
Showing 1 changed file with 16 additions and 16 deletions.
diff --git a/src/TokenHandler.js b/src/TokenHandler.js
@@ -172,19 +172,25 @@ class TokenHandler extends SMARTHandler {
                 if (this.request.body.client_assertion_type != assertionType) {
                     console.error(`Missing expected request body field: client_assertion_type="${assertionType}"`);
                 }
-                var jwks = JSON.parse(token.context.jwks);
+
+                const keys = await jose.JWK.asKeyStore(token.context.jwks);
                 // TODO: don't crash if jwks is missing or malformed.
                 const uri = token.context.jwks_uri;
-                // TODO: if uri, fetch and replace jwks.
-                const key = await jose.JWK.asKey(jwks.keys[0], "public");
-                // TODO: if multiple keys, try them all.
+                // TODO: if uri, fetch and replace / add to jwks.
                 const jwt = this.request.body.client_assertion;
-                const validated = await jose.JWS.createVerify(key).verify(jwt);
-
-                // Note: at this point the signature is cryptographically verified.
+                const validated = await jose.JWS.createVerify(keys).verify(jwt);
 
                 // Inspect the verification result for standards compliance.
-                const payload = JSON.parse(validated.payload);
+
+                const kid = validated.header['kid'];
+                const key = keys.get(kid);
+                if (key.kid !== kid) {
+                    throw Lib.OAuthError.from({
+                        code : 403,
+                        error: 'invalid key',
+                        msg  : `Expected JWT kid (${kid}) to match (${key.kid})`,
+                    }, key.kid, kid);
+                }
                 const typ = validated.header['typ'];
                 if (typ !== 'JWT') {
                     throw Lib.OAuthError.from({
@@ -201,15 +207,9 @@ class TokenHandler extends SMARTHandler {
                         msg  : `Expected one of ('ES384', 'RS384'), found: '${alg}'.`,
                     }, 'expected ES384 or RS384', alg);
                 }
-                const kid = validated.header['kid'];
-                if (key.kid !== kid) {
-                    throw Lib.OAuthError.from({
-                        code : 403,
-                        error: 'invalid key',
-                        msg  : `Expected JWT kid (${kid}) to match (${key.kid})`,
-                    }, key.kid, kid);
-                }
+
                 const fiveMinutesFromNow = Math.floor(Date.now() / 1000) + 300;
+                const payload = JSON.parse(validated.payload);
                 if (payload.exp > fiveMinutesFromNow) {
                     throw Lib.OAuthError.from({
                         code : 403,