Get basic cert auth happy path implemented.

Author: RandalliLama

lib/authentication-context.js

@@ -335,8 +335,15 @@ AuthenticationContext.prototype.acquireTokenWithRefreshToken = function(refreshT
   });
 };
 
-
-AuthenticationContext.prototype.acquireTokenWithCertificate = function(resource, clientId, certificate, callback) {
+/**
+ * Gets a new access token using via a certificate credential.
+ * @param  {string}   resource                            A URI that identifies the resource for which the token is valid.
+ * @param  {string}   clientId                            The OAuth client id of the calling application.
+ * @param  {string}   certificate                         A PEM encoded certificate private key.
+ * @param  {string}   thumbprint                          A hex encoded thumbprint of the certificate.
+ * @param  {AcquireTokenCallback}   callback              The callback function.
+ */
+AuthenticationContext.prototype.acquireTokenWithCertificate = function(resource, clientId, certificate, thumbprint, callback) {
   argument.validateCallbackType(callback);
   try {
     argument.validateStringParameter(resource, 'resource');
@@ -348,7 +355,7 @@ AuthenticationContext.prototype.acquireTokenWithCertificate = function(resource,
 
   this._acquireToken(callback, function() {
     var tokenRequest = new TokenRequest(this._callContext, this, clientId, resource);
-    tokenRequest.getTokenWithCertificate(certificate);
+    tokenRequest.getTokenWithCertificate(certificate, thumbprint, callback);
   });
 };
 

lib/constants.js

@@ -24,6 +24,8 @@ var Constants = {
   OAuth2 : {
       Parameters : {
         GRANT_TYPE : 'grant_type',
+        CLIENT_ASSERTION : 'client_assertion',
+        CLIENT_ASSERTION_TYPE : 'client_assertion_type',
         CLIENT_ID : 'client_id',
         CLIENT_SECRET : 'client_secret',
         REDIRECT_URI : 'redirect_uri',
@@ -41,6 +43,7 @@ var Constants = {
         AUTHORIZATION_CODE : 'authorization_code',
         REFRESH_TOKEN : 'refresh_token',
         CLIENT_CREDENTIALS : 'client_credentials',
+        JWT_BEARER : 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
         PASSWORD : 'password',
         SAML1 : 'urn:ietf:params:oauth:grant-type:saml1_1-bearer',
         SAML2 : 'urn:ietf:params:oauth:grant-type:saml2-bearer'
@@ -101,12 +104,12 @@ var Constants = {
 
     Jwt : {
       SELF_SIGNED_JWT_LIFETIME : 10, // 10 mins in mins
-      ACTOR_TOKEN : 'actortoken',
       AUDIENCE : 'aud',
       ISSUER : 'iss',
       SUBJECT : 'sub',
       NOT_BEFORE : 'nbf',
-      EXPIRES_ON : 'exp'
+      EXPIRES_ON : 'exp',
+      JWT_ID : 'jti'
     },
 
     AADConstants : {

lib/self-signed-jwt.js

@@ -24,54 +24,96 @@ var jwtConstants = require('./constants').Jwt;
 var Logger = require('./log').Logger;
 var util = require('./util');
 
-var crypto = require('crypto');
 require('date-utils');
+var jws = require('jws');
 var uuid = require('node-uuid');
 
+/**
+ * JavaScript dates are in milliseconds, but JWT dates are in seconds.
+ * This function does the conversion.
+ * @param  {Date}   date
+ * @return {string}
+ */
+function dateGetTimeInSeconds(date) {
+  return Math.floor(date.getTime()/1000);
+}
+
+/**
+ * Constructs a new SelfSignedJwt object.
+ * @param {object}    callContext    Context specific to this token request.
+ * @param {Authority} authority      The authority to be used as the JWT audience.
+ * @param {string}    clientId       The client id of the calling app.
+ */
 function SelfSignedJwt(callContext, authority, clientId) {
   this._log = new Logger('SelfSignedJwt', callContext._logContext);
   this._callContext = callContext;
 
+  this._authority = authority;
   this._tokenEndpoint = authority.tokenEndpoint;
   this._clientId = clientId;
 }
+/**
+ * A regular certificate thumbprint is a hex encode string of the binary certificate
+ * hash.  For some reason teh x5t value in a JWT is a url save base64 encoded string
+ * instead.  This function does the conversion.
+ * @param  {string} thumbprint  A hex encoded certificate thumbprint.
+ * @return {string} A url safe base64 encoded certificate thumbprint.
+ */
+SelfSignedJwt.prototype._createx5tValue = function(thumbprint) {
+    var hexString = thumbprint.replace(/:/g, '').replace(/ /g, '');
+    var base64 = (new Buffer(hexString, 'hex')).toString('base64');
+    return util.convertRegularToUrlSafeBase64EncodedString(base64);
+};
 
+/**
+ * Creates the JWT header.
+ * @param  {string} thumbprint  A hex encoded certificate thumbprint.
+ * @return {object}
+ */
 SelfSignedJwt.prototype._createHeader = function(thumbprint) {
-    var header = { typ: 'JWT', alg: 'RS256', x5t : thumbprint };
+  var x5t = this.createx5tValue(thumbprint);
+  var header = { typ: 'JWT', alg: 'RS256', x5t : x5t };
 
-    this._log.verbose('Creating self signed JWT header.  Thumbprint: ' + thumbprint);
+  this._log.verbose('Creating self signed JWT header.  x5t: ' + x5t);
 
-    return header;
+  return header;
 };
 
+/**
+ * Creates the JWT payload.
+ * @return {object}
+ */
 SelfSignedJwt.prototype._createPayload = function() {
   var now = new Date();
   var expires = (new Date()).addMinutes(jwtConstants.SELF_SIGNED_JWT_LIFETIME);
 
   this._log.verbose('Creating self signed JWT payload.  Expires: ' + expires + ' NotBefore: ' + now);
 
   var jwtPayload = {};
-  jwtPayload[jwtConstants.AUDIENCE] = this._authority;
+  jwtPayload[jwtConstants.AUDIENCE] = this._tokenEndpoint;
   jwtPayload[jwtConstants.ISSUER] = this._clientId;
   jwtPayload[jwtConstants.SUBJECT] = this._clientId;
-  jwtPayload[jwtConstants.NOT_BEFORE] = now.getTime();
-  jwtPayload[jwtConstants.EXPIRES_ON] = expires.getTime();
+  jwtPayload[jwtConstants.NOT_BEFORE] = dateGetTimeInSeconds(now);
+  jwtPayload[jwtConstants.EXPIRES_ON] = dateGetTimeInSeconds(expires);
   jwtPayload[jwtConstants.JWT_ID] = uuid.v4();
 
   return jwtPayload;
 };
 
+/**
+ * Creates a self signed JWT that can be used as a client_assertion.
+ * @param  {string}  certificate   A PEM encoded certificate private key.
+ * @param  {string}  thumbprint    A hex encoded thumbprint of the certificate.
+ * @return {string}  A self signed JWT token.
+ */
 SelfSignedJwt.prototype.create = function(certificate, thumbprint) {
   var header = this._createHeader(thumbprint);
-  var payload = this._createPayload();
 
-  var headerString = util.base64EncodeStringUrlSafe(JSON.stringify(header));
-  var payloadString = util.base64EncodeStringUrlSafe(JSON.stringify(payload));
-  var stringToSign = headerString + '.' + payloadString;
+  var payload = this._createPayload();
 
-  var signature = util.base64EncodeStringUrlSafe(crypto.createSign('RSA-SHA256').update(stringToSign).sign(certificate, 'base64'));
+  var jwt = jws.sign({ header : header, payload : payload, secret : certificate});
 
-	return stringToSign + '.' + signature;
+  return jwt;
 };
 
 module.exports.SelfSignedJwt = SelfSignedJwt;

lib/token-request.js

@@ -25,6 +25,7 @@ var CacheDriver = require('./cache-driver');
 var Logger = require('./log').Logger;
 var Mex = require('./mex');
 var OAuth2Client = require('./oauth2client');
+var SelfSignedJwt = require('./self-signed-jwt').SelfSignedJwt;
 var UserRealm = require('./user-realm');
 var WSTrustRequest = require('./wstrust-request');
 
@@ -118,7 +119,8 @@ TokenRequest.prototype._createCacheQuery = function() {
   return query;
 };
 
-TokenRequest.prototype._getToken = function(callback, getTokenFunc) {
+
+TokenRequest.prototype._getTokenWithCacheWrapper = function(callback, getTokenFunc) {
   var self = this;
   this._cacheDriver = this._createCacheDriver();
   var cacheQuery = this._createCacheQuery();
@@ -353,24 +355,24 @@ TokenRequest.prototype.getTokenWithUsernamePassword = function(username, passwor
   this._log.info('Acquiring token with username password');
 
   this._userId = username;
-  this._getToken(callback, function(innerCallback) {
+  this._getTokenWithCacheWrapper(callback, function(getTokenCompleteCallback) {
     var self = this;
     this._userRealm = this._createUserRealmRequest(username);
     this._userRealm.discover(function(err) {
       if (err) {
-        innerCallback(err);
+        getTokenCompleteCallback(err);
         return;
       }
 
       switch(self._userRealm.accountType) {
         case AccountType.Managed:
-          self._getTokenUsernamePasswordManaged(username, password, innerCallback);
+          self._getTokenUsernamePasswordManaged(username, password, getTokenCompleteCallback);
           return;
         case AccountType.Federated:
-          self._getTokenUsernamePasswordFederated(username, password, innerCallback);
+          self._getTokenUsernamePasswordFederated(username, password, getTokenCompleteCallback);
           return;
         default:
-          innerCallback(self._log.createError('Server returned an unknown AccountType: ' + self._userRealm.AccountType));
+          getTokenCompleteCallback(self._log.createError('Server returned an unknown AccountType: ' + self._userRealm.AccountType));
       }
     });
   });
@@ -385,12 +387,12 @@ TokenRequest.prototype.getTokenWithUsernamePassword = function(username, passwor
 TokenRequest.prototype.getTokenWithClientCredentials = function(clientSecret, callback) {
   this._log.info('Getting token with client credentials.');
 
-  this._getToken(callback, function(innerCallback) {
+  this._getTokenWithCacheWrapper(callback, function(getTokenCompleteCallback) {
     var oauthParameters = this._createOAuthParameters(OAuth2GrantType.CLIENT_CREDENTIALS);
 
     oauthParameters[OAuth2Parameters.CLIENT_SECRET] = clientSecret;
 
-    this._oauthGetToken(oauthParameters, innerCallback);
+    this._oauthGetToken(oauthParameters, getTokenCompleteCallback);
   });
 };
 
@@ -455,11 +457,33 @@ TokenRequest.prototype.getTokenFromCacheWithRefresh = function(userId, callback)
   this._log.info('Getting token from cache with refresh if necessary.');
 
   this._userId = userId;
-  this._getToken(callback, function(innerCallback){
+  this._getTokenWithCacheWrapper(callback, function(getTokenCompleteCallback) {
     // If this method was called then no cached entry was found.  Since
     // this particular version of acquireToken can only retrieve tokens
     // from the cache, return an error.
-    innerCallback(self._log.createError('Entry not found in cache.'));
+    getTokenCompleteCallback(self._log.createError('Entry not found in cache.'));
+  });
+};
+
+/**
+ * Obtains a token via a certificate.  The certificate is used to generate a self signed
+ * JWT token that is passed as a client_assertion.
+ * @param  {string}                 certificate   A PEM encoded certificate private key.
+ * @param  {string}                 thumbprint    A hex encoded thumbprint of the certificate.
+ * @param  {AcquireTokenCallback}   callback
+ */
+TokenRequest.prototype.getTokenWithCertificate = function(certificate, thumbprint, callback) {
+  this._log.info('Getting a new token from a refresh token.');
+
+  var authorityUrl = this._authenticationContext._authority;
+  var jwt = new SelfSignedJwt(this._callContext, authorityUrl, this._clientId, certificate);
+
+  var oauthParameters = this._createOAuthParameters(OAuth2GrantType.CLIENT_CREDENTIALS);
+  oauthParameters[OAuth2Parameters.CLIENT_ASSERTION_TYPE] = OAuth2GrantType.JWT_BEARER;
+  oauthParameters[OAuth2Parameters.CLIENT_ASSERTION] = jwt.create(certificate, thumbprint);  // TODO: Check error!
+
+  this._getTokenWithCacheWrapper(callback, function(getTokenCompleteCallback) {
+    this._oauthGetToken(oauthParameters, getTokenCompleteCallback);
   });
 };
 

lib/util.js

@@ -163,11 +163,11 @@ function copyUrl(urlSource) {
 }
 
 function convertUrlSafeToRegularBase64EncodedString(str) {
-  return str.replace('-', '+').replace('_', '/');
+  return str.replace(/-/g, '+').replace(/_/g, '/');
 }
 
 function convertRegularToUrlSafeBase64EncodedString(str) {
-  return str.replace('+', '-').replace('/', '_').replace('=', '');
+  return str.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
 }
 
 function base64DecodeStringUrlSafe(str) {
@@ -176,7 +176,9 @@ function base64DecodeStringUrlSafe(str) {
 }
 
 function base64EncodeStringUrlSafe(str) {
-  return convertRegularToUrlSafeBase64EncodedString((new Buffer(str).toString('base64')));
+  var base64 = (new Buffer(str, 'utf8').toString('base64'));
+  var converted = convertRegularToUrlSafeBase64EncodedString(base64);
+  return converted;
 }
 
 module.exports.adalInit = adalInit;
@@ -185,4 +187,5 @@ module.exports.createRequestHandler = createRequestHandler;
 module.exports.createRequestOptions = createRequestOptions;
 module.exports.copyUrl = copyUrl;
 module.exports.base64DecodeStringUrlSafe = base64DecodeStringUrlSafe;
-module.exports.base64EncodeStringUrlSafe = base64EncodeStringUrlSafe;
+module.exports.base64EncodeStringUrlSafe = base64EncodeStringUrlSafe;
+module.exports.convertRegularToUrlSafeBase64EncodedString = convertRegularToUrlSafeBase64EncodedString;

package.json

@@ -23,6 +23,7 @@
   "licenses": [ { "type": "Apache 2.0", "url": "http://www.apache.org/licenses/LICENSE-2.0" } ],
   "dependencies": {
     "date-utils": "*",
+    "jws": "1.x.x",
     "node-uuid": "1.4.1",
     "request": ">= 2.9.203",
     "underscore": ">= 1.3.1",

test/username-password.js

@@ -677,6 +677,8 @@ suite('username-password', function() {
   });
 
   test('bad-id-token-base64-in-response', function(done) {
+    console.log('HEY');
+    util.turnOnLogging();
     var foundWarning = false;
     var preRequests = util.setupExpectedUserRealmResponseCommon(false);
     var response = util.createResponse();