fixup! feat: remove jsrsasign dependancy

Author: Fabian Wiles

package.json

@@ -29,13 +29,10 @@
     "@angular/platform-browser": "6.0.0",
     "@angular/platform-browser-dynamic": "6.0.0",
     "@angular/router": "6.0.0",
-    "@types/jsonwebtoken": "^7.2.7",
     "@webcomponents/custom-elements": "^1.1.0",
     "angular-oauth2-oidc": "^2.1.8",
     "bootstrap": "^3.3.7",
     "core-js": "^2.5.1",
-    "jsonwebtoken": "^8.3.0",
-    "jwk-to-pem": "^2.0.0",
     "rxjs": "6.1.0",
     "rxjs-compat": "^6.0.0-rc.0",
     "zone.js": "^0.8.26"
@@ -64,7 +61,7 @@
     "protractor": "~5.2.0",
     "ts-node": "~3.3.0",
     "tslint": "~5.8.0",
-    "typescript": "^2.7.2",
+    "typescript": "2.7.2",
     "webpack": "^4.4.1"
   }
 }

projects/lib/ng-package.json

@@ -3,12 +3,7 @@
   "dest": "../../dist/lib",
   "deleteDestPath": false,
   "lib": {
+    "languageLevel": ["dom", "es2017"],
     "entryFile": "src/public_api.ts"
-  },
-  "whitelistedNonPeerDependencies": [
-    "jsonwebtoken",
-    "jwk-to-pem",
-    "@types/jsonwebtoken"
-  ]
-
+  }
 }

projects/lib/ng-package.prod.json

@@ -3,10 +3,5 @@
   "dest": "../../dist/lib",
   "lib": {
     "entryFile": "src/public_api.ts"
-  },
-  "whitelistedNonPeerDependencies": [
-    "jsonwebtoken",
-    "jwk-to-pem",
-    "@types/jsonwebtoken"
-  ]
+  }
 }

projects/lib/package.json

@@ -6,11 +6,6 @@
   },
   "version": "4.0.2",
   "repository": "manfredsteyer/angular-oauth2-oidc",
-  "dependencies": {
-    "jsonwebtoken": "^8.3.0",
-    "jwk-to-pem": "^2.0.0",
-    "@types/jsonwebtoken": "^7.2.7"
-  },
   "peerDependencies": {
     "@angular/common": "^6.0.0",
     "@angular/core": "^6.0.0"

projects/lib/src/oauth-service.ts

@@ -331,14 +331,14 @@ export class OAuthService extends AuthConfig {
 
     /**
      * DEPRECATED. Use a provider for OAuthStorage instead:
-     * 
+     *
      * { provide: OAuthStorage, useValue: localStorage }
-     * 
+     *
      * Sets a custom storage used to store the received
      * tokens on client side. By default, the browser's
      * sessionStorage is used.
      * @ignore
-     * 
+     *
      * @param storage
      */
     public setStorage(storage: OAuthStorage): void {
@@ -845,7 +845,7 @@ export class OAuthService extends AuthConfig {
         const redirectUri = this.silentRefreshRedirectUri || this.redirectUri;
         this.createLoginUrl(null, null, redirectUri, noPrompt, params).then(url => {
             iframe.setAttribute('src', url);
-            
+
             if (!this.silentRefreshShowIFrame) {
                 iframe.style['display'] = 'none';
             }
@@ -1529,26 +1529,29 @@ export class OAuthService extends AuthConfig {
             loadKeys: () => this.loadJwks()
         };
 
-        if (
-            !this.disableAtHashCheck &&
-            this.requestAccessToken &&
-            !this.checkAtHash(validationParams)
-        ) {
-            const err = 'Wrong at_hash';
-            console.warn(err);
-            return Promise.reject(err);
-        }
-
-        return this.checkSignature(validationParams).then(_ => {
-            const result: ParsedIdToken = {
-                idToken: idToken,
-                idTokenClaims: claims,
-                idTokenClaimsJson: claimsJson,
-                idTokenHeader: header,
-                idTokenHeaderJson: headerJson,
-                idTokenExpiresAt: expiresAtMSec
-            };
-            return result;
+        return this.checkAtHash(validationParams)
+          .then(atHashValid => {
+            if (
+              !this.disableAtHashCheck &&
+              this.requestAccessToken &&
+              !atHashValid
+          ) {
+              const err = 'Wrong at_hash';
+              console.warn(err);
+              return Promise.reject(err);
+          }
+
+          return this.checkSignature(validationParams).then(_ => {
+              const result: ParsedIdToken = {
+                  idToken: idToken,
+                  idTokenClaims: claims,
+                  idTokenClaimsJson: claimsJson,
+                  idTokenHeader: header,
+                  idTokenHeaderJson: headerJson,
+                  idTokenExpiresAt: expiresAtMSec
+              };
+              return result;
+          });
         });
     }
 
@@ -1774,7 +1777,7 @@ export class OAuthService extends AuthConfig {
         });
     }
 
-    private checkAtHash(params: ValidationParams): boolean {
+    private async checkAtHash(params: ValidationParams): Promise<boolean> {
         if (!this.tokenValidationHandler) {
             console.warn(
                 'No tokenValidationHandler configured. Cannot check at_hash.'

projects/lib/src/token-validation/jwks-validation-handler.ts

@@ -2,9 +2,6 @@ import {
   AbstractValidationHandler,
   ValidationParams
 } from './validation-handler';
-import * as jwkToPem from 'jwk-to-pem';
-import * as jwt from 'jsonwebtoken';
-
 
 /**
  * Validates the signature of an id_token against one
@@ -36,7 +33,10 @@ export class JwksValidationHandler extends AbstractValidationHandler {
    */
   gracePeriodInSec = 600;
 
-  validateSignature(params: ValidationParams, retry = false): Promise<any> {
+  private cyptoObj: Crypto = window.crypto || (window as any).msCrypto // for IE11
+  private textEncoder = new (window as any).TextEncoder();
+
+  async validateSignature(params: ValidationParams, retry = false): Promise<any> {
     if (!params.idToken) throw new Error('Parameter idToken expected!');
     if (!params.idTokenHeader)
       throw new Error('Parameter idTokenHandler expected.');
@@ -53,8 +53,8 @@ export class JwksValidationHandler extends AbstractValidationHandler {
     // console.debug('validateSignature: retry', retry);
 
     let kid: string = params.idTokenHeader['kid'];
-    let keys: object[] = params.jwks['keys'];
-    let key: object;
+    let keys: JsonWebKey[] = params.jwks['keys'];
+    let key: JsonWebKey;
 
     let alg = params.idTokenHeader['alg'];
 
@@ -107,17 +107,28 @@ export class JwksValidationHandler extends AbstractValidationHandler {
       return Promise.reject(error);
     }
 
-    const pem = jwkToPem(key);
-    try {
-      jwt.verify(
-        params.idToken,
-        pem,
-        {algorithms: this.allowedAlgorithms, clockTolerance: this.gracePeriodInSec}
-      );
-    } catch (err) {
+    const [header, body, sig] = params.idToken.split(',');
+
+    const cyptokey = await this.cyptoObj.subtle.importKey('jwk', key as any, alg, true, ['verify']);
+    const isValid = await this.cyptoObj.subtle.verify(alg, cyptokey, this.textEncoder.encode(sig), this.textEncoder.encode(body));
+
+    if(isValid) {
+      return Promise.resolve();
+    }else {
       return Promise.reject('Signature not valid');
     }
-    return Promise.resolve();
+
+    // const pem = jwkToPemAsAny(key);
+    // try {
+    //   jwt.verify(
+    //     params.idToken,
+    //     pem,
+    //     {algorithms: this.allowedAlgorithms, clockTolerance: this.gracePeriodInSec}
+    //   );
+    // } catch (err) {
+    //   return Promise.reject('Signature not valid');
+    // }
+    // return Promise.resolve();
   }
 
   private alg2kty(alg: string) {
@@ -132,9 +143,8 @@ export class JwksValidationHandler extends AbstractValidationHandler {
   }
 
   async calcHash(valueToHash: string, algorithm: string): Promise<string> {
-    const encoder = new TextEncoder();
-    const valueAsBytes = encoder.encode(valueToHash);
-    const resultBytes = await window.crypto.subtle.digest(algorithm, valueAsBytes);
+    const valueAsBytes = this.textEncoder.encode(valueToHash);
+    const resultBytes = await this.cyptoObj.subtle.digest(algorithm, valueAsBytes);
     // the returned bytes are encoded as UTF-16
     return String.fromCharCode.apply(null, new Uint16Array(resultBytes));
   }