From e1b54d1326939a1ee9779b1b7e1131631bc63a1c Mon Sep 17 00:00:00 2001
From: lboyette-okta
Date: Mon, 24 Oct 2016 17:59:29 -0700
Subject: [PATCH] Remove idToken validation for getWithRedirect, getWithoutPrompt and getWithPopup

---
 lib/crypto.js | 2 ++
 lib/token.js | 9 +++++----
 test/util/oauthUtil.js | 3 ---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/crypto.js b/lib/crypto.js
index ff3314b8a0..70ed2f89ac 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -24,6 +24,8 @@ function verifyToken(idToken, key) {
 var usages = ['verify'];
 
 // https://connect.microsoft.com/IE/feedback/details/2242108/webcryptoapi-importing-jwk-with-use-field-fails
+ // This is a metadata tag that specifies the intent of how the key should be used.
+ // It's not necessary to properly verify the jwt's signature.
 delete key.use;
 
 return crypto.subtle.importKey(
diff --git a/lib/token.js b/lib/token.js
index f3c722b759..f912566082 100644
--- a/lib/token.js
+++ b/lib/token.js
@@ -92,7 +92,7 @@ function verifyIdToken(sdk, idToken, options) {
 });
 }
 
-function verifyToken(sdk, token, nonce) {
+function verifyToken(sdk, token, nonce, ignoreSignature) {
 return new Q()
 .then(function() {
 if (!token || !token.idToken) {
@@ -104,8 +104,9 @@ function verifyToken(sdk, token, nonce) {
 // Standard claim validation
 oauthUtil.validateClaims(sdk, jwt.payload, token.clientId, token.issuer, nonce);
 
- // If the browser doesn't support native crypto, bail early
- if (!sdk.features.isTokenVerifySupported()) {
+ // If the browser doesn't support native crypto or we choose not
+ // to verify the signature, bail early
+ if (ignoreSignature || !sdk.features.isTokenVerifySupported()) {
 return token;
 }
 
@@ -238,7 +239,7 @@ function handleOAuthResponse(sdk, oauthParams, res, urls) {
 clientId: clientId
 };
 
- return verifyToken(sdk, idToken, oauthParams.nonce)
+ return verifyToken(sdk, idToken, oauthParams.nonce, true)
 .then(function(token) {
 if (Array.isArray(tokenTypes)) {
 tokenDict['id_token'] = idToken;
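Review bot: The second comment line added above `delete key.use;` in lib/crypto.js, `It's not necessary to properly verify the jwt's signature.`, reads as if signature verification itself were optional, when the point is only that the JWK `use` member is not needed for the verification to work. Since the deletion exists solely to work around the IE importKey bug linked on the line above, wording that says so removes the ambiguity: `// 'use' is only a usage hint on the JWK; dropping it does not weaken verification,` / `// it only works around IE rejecting JWKs that carry it (see link above).` The body of this verifyToken continues past the hunk.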
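Review bot: The new `ignoreSignature ||` condition in lib/token.js verifyToken returns `token` before any key is fetched or the JWS checked, so a caller passing `true` receives a token whose claims were validated but whose issuer was never authenticated, and neither the new parameter on the signature in the first token.js hunk nor the rewritten comment says that. A JSDoc on the signature should make the trade-off explicit, e.g. `@param {boolean} [ignoreSignature] - when true, skip JWS signature verification; claims are still validated but the token is not proven to come from the issuer`. A one-line comment at the early return, `// NOTE: token returned unverified when ignoreSignature is set`, would also help anyone reading the branch in isolation. verifyToken's body extends outside both hunks.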
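Review bot: handleOAuthResponse now passes a hard-coded `true` to verifyToken, which disables signature verification unconditionally, including in browsers where `isTokenVerifySupported()` would return true. The ID token on this path arrives through the user agent (the redirect, popup or iframe response) rather than from a direct token-endpoint call, which is the case where OpenID Connect Core 3.2.2.11 requires the client to validate the JWS signature; `validateClaims` plus the nonce establish audience and freshness but not that the issuer signed the token. If skipping is deliberate for these flows, gating it on a caller-supplied option (say a flag on `oauthParams`, name to be chosen) instead of a literal `true` keeps verification available where it works, e.g. `return verifyToken(sdk, idToken, oauthParams.nonce, oauthParams.<skipSignatureFlag>)`. The test helper change in test/util/oauthUtil.js drops the keys-cache setup, so it looks like no remaining test exercises signature verification for these flows; worth confirming. handleOAuthResponse starts before the hunk.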
diff --git a/test/util/oauthUtil.js b/test/util/oauthUtil.js
index 51baee67aa..cfabc031ed 100644
--- a/test/util/oauthUtil.js
+++ b/test/util/oauthUtil.js
@@ -135,7 +135,6 @@ define(function(require) {
 }
 
 util.warpToUnixTime(getTime(opts.time));
- oauthUtil.loadWellKnownAndKeysCache();
 
 if (opts.hrefMock) {
 util.mockGetWindowLocation(authClient, opts.hrefMock);
@@ -347,7 +346,6 @@ define(function(require) {
 });
 
 util.warpToUnixTime(getTime(opts.time));
- oauthUtil.loadWellKnownAndKeysCache();
 util.mockGetLocationHash(client, opts.hashMock);
 util.mockGetCookie(opts.oauthCookie);
 var setCookieMock = util.mockSetCookie();
@@ -400,7 +398,6 @@ define(function(require) {
 // warp to time to ensure tokens aren't expired
 util.warpToUnixTime(tokens.standardIdTokenClaims.exp - 1);
- oauthUtil.loadWellKnownAndKeysCache();
 
 return new Q({
 client: client,