running tests with/without webid

Author: bourgeoa

src/DpopIDToken.js

@@ -41,7 +41,7 @@ class DpopIDToken extends JWT {
   static issue (provider, options) {
     let { issuer, keys } = provider
 
-    let { aud, azp, sub, at_hash, c_hash, cnf } = options
+    let { aud, azp, sub, at_hash, c_hash, cnf, scope } = options
 
     let alg = options.alg || DEFAULT_SIG_ALGORITHM
     let jti = options.jti || random(8)
@@ -57,8 +57,8 @@ class DpopIDToken extends JWT {
     let header = { alg, kid }
     let payload = { iss, aud, azp, sub, exp, iat, jti }
 
-    // Add webid claim for Solid OIDC compliance
-    if (sub) {
+    // Add webid claim for Solid OIDC compliance when webid scope is requested
+    if (sub && scope && (scope.includes('webid') || scope.split(' ').includes('webid'))) {
       payload.webid = sub
     }
 
@@ -81,21 +81,29 @@ class DpopIDToken extends JWT {
     let alg = client['id_token_signed_response_alg'] || DEFAULT_SIG_ALGORITHM
     let jti = random(8)
     let iat = Math.floor(Date.now() / 1000)
-    let aud, azp, sub, max
+    let aud, azp, sub, max, scope
 
     // authentication request
     if (!code) {
-      aud = client['client_id']
+      aud = [client['client_id'], 'solid']
       azp = client['client_id']
-      sub = subject['_id']
+      // Use WebID URL for sub if available (Solid OIDC compliance), otherwise use database ID
+      sub = subject?.webId || subject['_id']
       max = parseInt(params['max_age']) || client['default_max_age'] || DEFAULT_MAX_AGE
+      scope = params.scope // Get the requested scope
 
     // token request
     } else {
-      aud = code.aud
-      azp = code.azp || aud
+      // Ensure aud is array containing both client_id and 'solid'
+      if (Array.isArray(code.aud) && code.aud.includes('solid')) {
+        aud = code.aud
+      } else {
+        aud = [code.aud, 'solid']
+      }
+      azp = code.azp || (Array.isArray(aud) ? aud[0] : aud)
       sub = code.sub
       max = parseInt(code['max']) || client['default_max_age'] || DEFAULT_MAX_AGE
+      scope = code.scope // Get the scope from authorization code
     }
 
     let len = alg.match(/(256|384|512)$/)[0]
@@ -110,7 +118,7 @@ class DpopIDToken extends JWT {
       .then(hashes => {
         let [at_hash, c_hash] = hashes
 
-        let options = { alg, aud, azp, sub, iat, jti, at_hash, c_hash }
+        let options = { alg, aud, azp, sub, iat, jti, at_hash, c_hash, scope }
 
         if (request.cnfKey) {
           options.cnf = { jwk: request.cnfKey }

src/IDToken.js

@@ -41,7 +41,7 @@ class IDToken extends JWT {
   static issue (provider, options) {
     let { issuer, keys } = provider
 
-    let { aud, azp, sub, nonce, at_hash, c_hash, cnf } = options
+    let { aud, azp, sub, nonce, at_hash, c_hash, cnf, scope } = options
 
     let alg = options.alg || DEFAULT_SIG_ALGORITHM
     let jti = options.jti || random(8)
@@ -57,8 +57,8 @@ class IDToken extends JWT {
     let header = { alg, kid }
     let payload = { iss, aud, azp, sub, exp, iat, jti, nonce }
 
-    // Add webid claim for Solid OIDC compliance
-    if (sub) {
+    // Add webid claim for Solid OIDC compliance only if webid scope is requested
+    if (sub && scope && (scope.includes('webid') || scope.split(' ').includes('webid'))) {
       payload.webid = sub
     }
 
@@ -80,23 +80,26 @@ class IDToken extends JWT {
     let alg = client['id_token_signed_response_alg'] || DEFAULT_SIG_ALGORITHM
     let jti = random(8)
     let iat = Math.floor(Date.now() / 1000)
-    let aud, azp, sub, max, nonce
+    let aud, azp, sub, max, nonce, scope
 
     // authentication request
     if (!code) {
-      aud = client['client_id']
+      aud = [client['client_id'], 'solid']
       azp = client['client_id']
-      sub = subject['_id']
+      // Use WebID URL for sub if available (Solid OIDC compliance), otherwise use database ID
+      sub = subject?.webId || subject['_id']
       max = parseInt(params['max_age']) || client['default_max_age'] || DEFAULT_MAX_AGE
       nonce = params.nonce
+      scope = params.scope // Get the requested scope
 
     // token request
     } else {
-      aud = code.aud
-      azp = code.azp || aud
+      aud = Array.isArray(code.aud) ? [...code.aud, 'solid'] : [code.aud, 'solid']
+      azp = code.azp || (Array.isArray(code.aud) ? code.aud[0] : code.aud)
       sub = code.sub
       max = parseInt(code['max']) || client['default_max_age'] || DEFAULT_MAX_AGE
       nonce = code.nonce
+      scope = code.scope // Get the scope from authorization code
     }
 
     let len = alg.match(/(256|384|512)$/)[0]
@@ -111,7 +114,7 @@ class IDToken extends JWT {
       .then(hashes => {
         let [at_hash, c_hash] = hashes
 
-        let options = { alg, aud, azp, sub, iat, jti, nonce, at_hash, c_hash }
+        let options = { alg, aud, azp, sub, iat, jti, nonce, at_hash, c_hash, scope }
 
         if (request.cnfKey) {
           options.cnf = { jwk: request.cnfKey }

src/Provider.js

@@ -35,7 +35,8 @@ const DEFAULT_GRANT_TYPES_SUPPORTED = [
 ]
 const DEFAULT_SCOPES_SUPPORTED = [
   'openid',
-  'offline_access'
+  'offline_access',
+  'webid'
 ]
 const DEFAULT_SUBJECT_TYPES_SUPPORTED = ['public']
 
@@ -93,7 +94,7 @@ class Provider {
       data.token_endpoint_auth_signing_alg_values_supported || ['RS256']
     this.display_values_supported = data.display_values_supported || []
     this.claim_types_supported = data.claim_types_supported || ['normal']
-    this.claims_supported = data.claims_supported || []
+    this.claims_supported = data.claims_supported || ['sub', 'iss', 'aud', 'exp', 'iat', 'webid']
     this.service_documentation = data.service_documentation
     this.claims_locales_supported = data.claims_locales_supported
     this.ui_locales_supported = data.ui_locales_supported

test/IDTokenSpec.js

@@ -50,7 +50,7 @@ describe('IDToken', () => {
     describe('authentication request', () => {
       beforeEach(() => {
         client = { 'client_id': 'client123' }
-        params = { nonce: 'nonce123' }
+        params = { nonce: 'nonce123', scope: 'openid webid' }
         cnfKey = {
           'kty': 'RSA',
           'alg': 'RS256',
@@ -74,7 +74,7 @@ describe('IDToken', () => {
             expect(token.payload.iss).to.equal(providerUri)
             expect(token.payload.sub).to.equal('user123')
             expect(token.payload.webid).to.equal('user123')
-            expect(token.payload.aud).to.equal('client123')
+            expect(token.payload.aud).to.deep.equal(['client123', 'solid'])
             expect(token.payload.azp).to.equal('client123')
             expect(token.payload.cnf).to.eql({ jwk: cnfKey })
           })
@@ -87,7 +87,8 @@ describe('IDToken', () => {
         code = {
           aud: 'client123',
           sub: 'user123',
-          nonce: 'nonce123'
+          nonce: 'nonce123',
+          scope: 'openid webid'
         }
         cnfKey = {}
         request = { params, code, provider, client, subject, cnfKey }
@@ -108,7 +109,7 @@ describe('IDToken', () => {
             expect(token.payload.iss).to.equal(providerUri)
             expect(token.payload.sub).to.equal('user123')
             expect(token.payload.webid).to.equal('user123')
-            expect(token.payload.aud).to.equal('client123')
+            expect(token.payload.aud).to.deep.equal(['client123', 'solid'])
             expect(token.payload.azp).to.equal('client123')
             expect(token.payload.nonce).to.equal('nonce123')
             expect(token.payload.at_hash).to.equal('tGwJZ3NDJh8LQ5pHJCIiXg')
@@ -130,7 +131,8 @@ describe('IDToken', () => {
         nonce: 'n0nce',
         at_hash: 'athash123',
         c_hash: 'chash123',
-        cnf: { jwk: {} }
+        cnf: { jwk: {} },
+        scope: 'openid webid'
       }
     })
 

test/config/provider.json

@@ -26,7 +26,8 @@
   ],
   "scopes_supported": [
     "openid",
-    "offline_access"
+    "offline_access",
+    "webid"
   ],
   "subject_types_supported": [
     "public"
@@ -47,7 +48,14 @@
   "claim_types_supported": [
     "normal"
   ],
-  "claims_supported": "",
+  "claims_supported": [
+    "sub",
+    "iss", 
+    "aud",
+    "exp",
+    "iat",
+    "webid"
+  ],
   "claims_parameter_supported": false,
   "request_parameter_supported": false,
   "request_uri_parameter_supported": true,