Add jwksURI override option (#717)

* Add jwksURI override

* adding missing test

* fixing tests

package.json

@@ -65,6 +65,7 @@
     "mocha-multi": "^0.10.0",
     "mocha-parallel-tests": "^1.2.5",
     "prettier": "^1.3.1",
+    "proxyquire": "^2.0.1",
     "selenium-webdriver": "^3.0.1",
     "semver": "^5.3.0",
     "sinon": "^1.17.6",

src/web-auth/index.js

@@ -75,8 +75,13 @@ function WebAuth(options) {
       options.overrides,
       { type: 'object', message: 'overrides option is not valid' },
       {
-        __tenant: { type: 'string', message: '__tenant option is required' },
-        __token_issuer: { type: 'string', message: '__token_issuer option is required' }
+        __tenant: { optional: true, type: 'string', message: '__tenant option is required' },
+        __token_issuer: {
+          optional: true,
+          type: 'string',
+          message: '__token_issuer option is required'
+        },
+        __jwks_uri: { optional: true, type: 'string', message: '__jwks_uri is required' }
       }
     );
   }
@@ -101,6 +106,8 @@ function WebAuth(options) {
     (this.baseOptions.overrides && this.baseOptions.overrides.__token_issuer) ||
     'https://' + this.baseOptions.domain + '/';
 
+  this.baseOptions.jwksURI = this.baseOptions.overrides && this.baseOptions.overrides.__jwks_uri;
+
   this.transactionManager = new TransactionManager(this.baseOptions.transaction);
 
   this.client = new Authentication(this.baseOptions);
@@ -319,6 +326,7 @@ function buildParseHashResponse(qsParams, appState, token) {
 WebAuth.prototype.validateToken = function(token, nonce, cb) {
   var verifier = new IdTokenVerifier({
     issuer: this.baseOptions.token_issuer,
+    jwksURI: this.baseOptions.jwksURI,
     audience: this.baseOptions.clientID,
     leeway: this.baseOptions.leeway || 0,
     __disableExpirationCheck: this.baseOptions.__disableExpirationCheck

test/web-auth/web-auth.test.js

@@ -1,3 +1,4 @@
+var proxyquire = require('proxyquire');
 var expect = require('expect.js');
 var stub = require('sinon').stub;
 var spy = require('sinon').spy;
@@ -57,12 +58,14 @@ describe('auth0.WebAuth', function() {
         _timesToRetryFailedRequests: 2,
         overrides: {
           __tenant: 'tenant1',
-          __token_issuer: 'issuer1'
+          __token_issuer: 'issuer1',
+          __jwks_uri: 'jwks_uri'
         }
       });
 
       expect(webAuth.baseOptions.tenant).to.be('tenant1');
       expect(webAuth.baseOptions.token_issuer).to.be('issuer1');
+      expect(webAuth.baseOptions.jwksURI).to.be('jwks_uri');
     });
   });
   context('nonce validation', function() {
@@ -2417,4 +2420,45 @@ describe('auth0.WebAuth', function() {
       });
     });
   });
+
+  context('validateToken', function() {
+    it('should use undefined jwksURI, allowing it to be overwritten later', function(done) {
+      var idTokenVerifierMock = function(opts) {
+        expect(opts.jwksURI).to.be(undefined);
+        done();
+      };
+      var ProxiedWebAuth = proxyquire('../../src/web-auth', {
+        'idtoken-verifier': idTokenVerifierMock
+      });
+      var webAuth = new ProxiedWebAuth({
+        domain: 'brucke.auth0.com',
+        redirectUri: 'http://example.com/callback',
+        clientID: 'k5u3o2fiAA8XweXEEX604KCwCjzjtMU6',
+        responseType: 'token id_token',
+        __disableExpirationCheck: true
+      });
+
+      webAuth.validateToken('token', 'nonce', function() {});
+    });
+    it('should use correct jwksURI when overriden', function(done) {
+      var idTokenVerifierMock = function(opts) {
+        expect(opts.jwksURI).to.be('jwks_uri');
+        done();
+      };
+      var ProxiedWebAuth = proxyquire('../../src/web-auth', {
+        'idtoken-verifier': idTokenVerifierMock
+      });
+      var webAuth = new ProxiedWebAuth({
+        domain: 'brucke.auth0.com',
+        redirectUri: 'http://example.com/callback',
+        clientID: 'k5u3o2fiAA8XweXEEX604KCwCjzjtMU6',
+        responseType: 'token id_token',
+        __disableExpirationCheck: true,
+        overrides: {
+          __jwks_uri: 'jwks_uri'
+        }
+      });
+      webAuth.validateToken('token', 'nonce', function() {});
+    });
+  });
 });

yarn.lock

@@ -1374,6 +1374,13 @@ filename-regex@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/filename-regex/-/filename-regex-2.0.0.tgz#996e3e80479b98b9897f15a8a58b3d084e926775"
 
+fill-keys@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/fill-keys/-/fill-keys-1.0.2.tgz#9a8fa36f4e8ad634e3bf6b4f3c8882551452eb20"
+  dependencies:
+    is-object "~1.0.1"
+    merge-descriptors "~1.0.0"
+
 fill-range@^2.1.0:
   version "2.2.3"
   resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-2.2.3.tgz#50b77dfd7e469bc7492470963699fe7a8485a723"
@@ -2147,6 +2154,10 @@ is-number@^2.0.2, is-number@^2.1.0:
   dependencies:
     kind-of "^3.0.2"
 
+is-object@~1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/is-object/-/is-object-1.0.1.tgz#8952688c5ec2ffd6b03ecc85e769e02903083470"
+
 is-path-cwd@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/is-path-cwd/-/is-path-cwd-1.0.0.tgz#d225ec23132e89edd38fda767472e62e65f1106d"
@@ -2805,7 +2816,7 @@ meow@^3.7.0:
     redent "^1.0.0"
     trim-newlines "^1.0.0"
 
-merge-descriptors@1.0.1:
+merge-descriptors@1.0.1, merge-descriptors@~1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/merge-descriptors/-/merge-descriptors-1.0.1.tgz#b00aaa556dd8b44568150ec9d1b953f3f90cbb61"
 
@@ -2930,6 +2941,10 @@ mocha@^3.2.0:
     mkdirp "0.5.1"
     supports-color "3.1.2"
 
+module-not-found-error@^1.0.0:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/module-not-found-error/-/module-not-found-error-1.0.1.tgz#cf8b4ff4f29640674d6cdd02b0e3bc523c2bbdc0"
+
 ms@0.7.1:
   version "0.7.1"
   resolved "https://registry.yarnpkg.com/ms/-/ms-0.7.1.tgz#9cd13c03adbff25b65effde7ce864ee952017098"
@@ -3289,6 +3304,10 @@ path-key@^2.0.0:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/path-key/-/path-key-2.0.1.tgz#411cadb574c5a140d3a4b1910d40d80cc9f40b40"
 
+path-parse@^1.0.5:
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/path-parse/-/path-parse-1.0.5.tgz#3c1adf871ea9cd6c9431b6ea2bd74a0ff055c4c1"
+
 path-root-regex@^0.1.0:
   version "0.1.2"
   resolved "https://registry.yarnpkg.com/path-root-regex/-/path-root-regex-0.1.2.tgz#bfccdc8df5b12dc52c8b43ec38d18d72c04ba96d"
@@ -3405,6 +3424,14 @@ proxy-addr@~1.1.3:
     forwarded "~0.1.0"
     ipaddr.js "1.2.0"
 
+proxyquire@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/proxyquire/-/proxyquire-2.0.1.tgz#958d732be13d21d374cc2256645a5ff97c76a669"
+  dependencies:
+    fill-keys "^1.0.2"
+    module-not-found-error "^1.0.0"
+    resolve "~1.5.0"
+
 prr@~0.0.0:
   version "0.0.0"
   resolved "https://registry.yarnpkg.com/prr/-/prr-0.0.0.tgz#1a84b85908325501411853d0081ee3fa86e2926a"
@@ -3682,6 +3709,12 @@ resolve@1.1.x, resolve@^1.1.6, resolve@^1.1.7:
   version "1.1.7"
   resolved "https://registry.yarnpkg.com/resolve/-/resolve-1.1.7.tgz#203114d82ad2c5ed9e8e0411b3932875e889e97b"
 
+resolve@~1.5.0:
+  version "1.5.0"
+  resolved "https://registry.yarnpkg.com/resolve/-/resolve-1.5.0.tgz#1f09acce796c9a762579f31b2c1cc4c3cddf9f36"
+  dependencies:
+    path-parse "^1.0.5"
+
 restore-cursor@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/restore-cursor/-/restore-cursor-1.0.1.tgz#34661f46886327fed2991479152252df92daa541"