Merge pull request #84 from cconcannon/support-private-cert-tls

handle optional request agentOptions

README.md

@@ -18,7 +18,8 @@ const jwksClient = require('jwks-rsa');
 const client = jwksClient({
   strictSsl: true, // Default value
   jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json',
-  requestHeaders: {} // Optional
+  requestHeaders: {}, // Optional
+  requestAgentOptions: {} // Optional
 });
 
 const kid = 'RkI5MjI5OUY5ODc1N0Q4QzM0OUYzNkVGMTJDOUEzQkFCOTU3NjE2Rg';
@@ -80,6 +81,27 @@ client.getSigningKey(kid, (err, key) => {
 });
 ```
 
+### Using AgentOptions for TLS/SSL Configuration
+
+The `requestAgentOptions` property can be used to configure SSL/TLS options. An
+example use case is providing a trusted private (i.e. enterprise/corporate) root
+certificate authority to establish TLS communication with the `jwks_uri`.
+
+```js
+const jwksClient = require("jwks-rsa");
+const client = jwksClient({
+  strictSsl: true, // Default value
+  jwksUri: 'https://my-enterprise-id-provider/.well-known/jwks.json',
+  requestHeaders: {}, // Optional
+  requestAgentOptions: {
+    ca: fs.readFileSync(caFile)
+  }
+});
+```
+
+For more information, see [the NodeJS request library `agentOptions`
+documentation](https://github.com/request/request#using-optionsagentoptions).
+
 ## Running Tests
 
 ```

index.d.ts

@@ -32,6 +32,23 @@ declare namespace JwksRsa {
     publicKey: string;
   }
 
+  interface AgentOptions {
+    [key: string]: string;
+  }
+
+  interface Options {
+    jwksUri: string;
+    rateLimit?: boolean;
+    cache?: boolean;
+    cacheMaxEntries?: number;
+    cacheMaxAge?: number;
+    jwksRequestsPerMinute?: number;
+    strictSsl?: boolean;
+    requestHeaders?: Headers;
+    requestAgentOptions?: AgentOptions;
+    handleSigningKeyError?(err: Error, cb: (err: Error) => void): any;
+  }
+
   interface RsaSigningKey {
     kid: string;
     nbf: string;

src/JwksClient.js

@@ -39,7 +39,8 @@ export class JwksClient {
       json: true,
       uri: this.options.jwksUri,
       strictSSL: this.options.strictSsl,
-      headers: this.options.requestHeaders
+      headers: this.options.requestHeaders,
+      agentOptions: this.options.requestAgentOptions
     }, (err, res) => {
       if (err || res.statusCode < 200 || res.statusCode >= 300) {
         this.logger('Failure:', res && res.body || err);

tests/jwksClient.tests.js

@@ -63,6 +63,44 @@ describe("JwksClient", () => {
       });
     });
 
+    it("should set request agentOptions when provided", done => {
+      nock(jwksHost)
+        .get("./well-known/jwks.json")
+        .reply(function() {
+          expect(this.req.agentOptions).not.to.be.null;
+          expect(this.req.agentOptions["ca"]).to.be.equal("loadCA()");
+          return 200;
+        });
+
+      const client = new JwksClient({
+        jwksUri: `${jwksHost}/.well-known/jwks.json`,
+        requestAgentOptions: {
+          ca: "loadCA()"
+        }
+      });
+
+      client.getKeys((err, keys) => {
+        done();
+      });
+    });
+
+    it("should not set request agentOptions by default", done => {
+      nock(jwksHost)
+        .get("/.well-known/jwks.json")
+        .reply(function() {
+          expect(this.req).to.not.have.property("agentOptions");
+          return 200;
+        });
+
+      const client = new JwksClient({
+        jwksUri: `${jwksHost}/.well-known/jwks.json`
+      });
+
+      client.getKeys((err, keys) => {
+        done();
+      });
+    });
+
     it("should send extra header", done => {
       nock(jwksHost)
         .get("/.well-known/jwks.json")