CD2H gitForager

auth0/idtoken-verifier

Name: idtoken-verifier

Owner: Auth0

Description: Lightweight RSA JWT verification

Created: 2016-12-29 18:36:42.0

Updated: 2018-05-14 10:45:35.0

Pushed: 2018-05-04 21:43:35.0

Homepage:

Size: 674

Language: JavaScript

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

idtoken-verifier

A lightweight library to decode and verify RS JWT meant for the browser.

Usage

IdTokenVerifier = require('idtoken-verifier');

verifier = new IdTokenVerifier({
issuer: 'https://my.auth0.com/',
audience: 'gYSNlU4YC4V1YPdqq8zPQcup6rJw1Mbt'


fier.verify(id_token, nonce, function(error, payload) {
...


decoded = verifier.decode(id_token);

IdTokenVerifier

Initializes the verifier.

Parameters:

configuration
- issuer: the issuer you trust to sign the tokens.
- audience: the audience the token is issued for.
- leeway: when there is a clock skew times between the signing and verifying servers. The leeway should not be biger than a minute.
- jwksCache: the verifier will try to fetch the JWKS from the /.well-known/jwks.json endpoint each time it verifies a token. You can provide a cache to store the keys and avoid repeated requests. For the contract, check this example.
- jwksURI: A valid, direct URI to fetch the JSON Web Key Set (JWKS). Defaults to ${id_token.iss}/.well-known/jwks.json
callback
- error: the validation error if any, null otherwise
- payload: the decoded jwt payload

verifier.verify

This method will decode the token, verify the issuer, audience, expiration, algorithm and nonce claims and after that will verify the token signature.

Parameters

id_token: the id_token to verify.
nonce: the nonce previously sent to tha authorization server.
callback

verifier.decode

This method will decode the token header and payload WITHOUT doing any verification.

Parameters

id_token: the id_token to decode.

Return

header: the decoded header.
payload: the decoded payload.
encoded: the parts without decode
- header: the header string.
- payload: the payload string.
- signature: the signature string.

Support

To make it as lightweight as posible, it only provides support for RS256 tokens. It can be easily extensible to other RS* algorithms.

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.