How to use idtoken-verifier - 3 common examples

To help you get started, we’ve selected a few idtoken-verifier examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github auth0 / auth0.js / src / web-auth / index.js View on Github external
}
      );
    }

    if (
      validationError.error !== 'invalid_token' ||
      (validationError.errorDescription &&
        validationError.errorDescription.indexOf(
          'Nonce (nonce) claim value mismatch in the ID token'
        ) > -1)
    ) {
      return callback(validationError);
    }

    // if it's an invalid_token error, decode the token
    var decodedToken = new IdTokenVerifier().decode(parsedHash.id_token);

    // if the alg is not HS256, return the raw error
    if (decodedToken.header.alg !== 'HS256') {
      return callback(validationError);
    }

    if ((decodedToken.payload.nonce || null) !== transactionNonce) {
      return callback({
        error: 'invalid_token',
        errorDescription:
          'Nonce (nonce) claim value mismatch in the ID token; expected "' +
          transactionNonce +
          '", found "' +
          decodedToken.payload.nonce +
          '"'
      });
github auth0 / auth0.js / src / web-auth / index.js View on Github external
return this.validateToken(parsedHash.id_token, transactionNonce, function(
    validationError,
    payload
  ) {
    if (!validationError) {
      if (!parsedHash.access_token) {
        return callback(null, payload);
      }
      // id_token's generated by non-oidc applications don't have at_hash
      if (!payload.at_hash) {
        return callback(null, payload);
      }
      // here we're absolutely sure that the id_token's alg is RS256
      // and that the id_token is valid, so we can check the access_token
      return new IdTokenVerifier().validateAccessToken(
        parsedHash.access_token,
        'RS256',
        payload.at_hash,
        function(err) {
          if (err) {
            return callback(error.invalidToken(err.message));
          }
          return callback(null, payload);
        }
      );
    }

    if (
      validationError.error !== 'invalid_token' ||
      (validationError.errorDescription &&
        validationError.errorDescription.indexOf(
github auth0 / auth0.js / src / web-auth / index.js View on Github external
WebAuth.prototype.validateToken = function(token, nonce, cb) {
  var verifier = new IdTokenVerifier({
    issuer: this.baseOptions.token_issuer,
    jwksURI: this.baseOptions.jwksURI,
    audience: this.baseOptions.clientID,
    leeway: this.baseOptions.leeway || 60,
    maxAge: this.baseOptions.maxAge,
    __clock: this.baseOptions.__clock || defaultClock
  });

  verifier.verify(token, nonce, function(err, payload) {
    if (err) {
      return cb(error.invalidToken(err.message));
    }

    cb(null, payload);
  });
};

idtoken-verifier

A lightweight library to decode and verify RS JWT meant for the browser.

MIT
Latest version published 6 months ago

Package Health Score

78 / 100
Full package analysis

Popular idtoken-verifier functions