Remove idToken validation for getWithRedirect, getWithoutPrompt and g…

…etWithPopup
okta · Oct 25, 2016 · e1b54d1 · e1b54d1
1 parent 5d469ac
commit e1b54d1
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/lib/crypto.js b/lib/crypto.js
@@ -24,6 +24,8 @@ function verifyToken(idToken, key) {
   var usages = ['verify'];
 
   // https://connect.microsoft.com/IE/feedback/details/2242108/webcryptoapi-importing-jwk-with-use-field-fails
+  // This is a metadata tag that specifies the intent of how the key should be used.
+  // It's not necessary to properly verify the jwt's signature.
   delete key.use;
 
   return crypto.subtle.importKey(

diff --git a/lib/token.js b/lib/token.js
@@ -92,7 +92,7 @@ function verifyIdToken(sdk, idToken, options) {
     });
 }
 
-function verifyToken(sdk, token, nonce) {
+function verifyToken(sdk, token, nonce, ignoreSignature) {
   return new Q()
   .then(function() {
     if (!token || !token.idToken) {
@@ -104,8 +104,9 @@ function verifyToken(sdk, token, nonce) {
     // Standard claim validation
     oauthUtil.validateClaims(sdk, jwt.payload, token.clientId, token.issuer, nonce);
 
-    // If the browser doesn't support native crypto, bail early
-    if (!sdk.features.isTokenVerifySupported()) {
+    // If the browser doesn't support native crypto or we choose not 
+    // to verify the signature, bail early
+    if (ignoreSignature || !sdk.features.isTokenVerifySupported()) {
       return token;
     }
 
@@ -238,7 +239,7 @@ function handleOAuthResponse(sdk, oauthParams, res, urls) {
         clientId: clientId
       };
 
-      return verifyToken(sdk, idToken, oauthParams.nonce)
+      return verifyToken(sdk, idToken, oauthParams.nonce, true)
       .then(function(token) {
         if (Array.isArray(tokenTypes)) {
           tokenDict['id_token'] = idToken;

diff --git a/test/util/oauthUtil.js b/test/util/oauthUtil.js
@@ -135,7 +135,6 @@ define(function(require) {
     }
 
     util.warpToUnixTime(getTime(opts.time));
-    oauthUtil.loadWellKnownAndKeysCache();
 
     if (opts.hrefMock) {
       util.mockGetWindowLocation(authClient, opts.hrefMock);
@@ -347,7 +346,6 @@ define(function(require) {
     });
 
     util.warpToUnixTime(getTime(opts.time));
-    oauthUtil.loadWellKnownAndKeysCache();
     util.mockGetLocationHash(client, opts.hashMock);
     util.mockGetCookie(opts.oauthCookie);
     var setCookieMock = util.mockSetCookie();
@@ -400,7 +398,6 @@ define(function(require) {
 
     // warp to time to ensure tokens aren't expired
     util.warpToUnixTime(tokens.standardIdTokenClaims.exp - 1);
-    oauthUtil.loadWellKnownAndKeysCache();
 
     return new Q({
       client: client,