|
| 1 | +## Classes |
| 2 | + |
| 3 | +<dl> |
| 4 | +<dt><a href="#JwtBearerGrantType">JwtBearerGrantType</a> ⇐ <code>AbstractGrantType</code></dt> |
| 5 | +<dd><p>The JWT bearer authorization grant (RFC 7521 §4.1, RFC 7523 §2.1/§3): a signed |
| 6 | +JWT <em>is</em> the authorization grant. The assertion's <code>iss</code> identifies a trusted |
| 7 | +issuer (whose key verifies the assertion) and <code>sub</code> identifies the principal |
| 8 | +the access token is issued for. Unlike JWT <em>client authentication</em>, <code>sub</code> is |
| 9 | +the user/principal — not the client — and <code>iss</code>/<code>sub</code> are not bound to the |
| 10 | +client id.</p> |
| 11 | +<p>This is an extension grant; register it via <code>extendedGrantTypes</code>. The |
| 12 | +requested <code>scope</code> is taken from the body parameter (RFC 7521 §4.1), and no |
| 13 | +refresh token is issued (RFC 7521 §5.2).</p> |
| 14 | +<p>The model must implement:</p> |
| 15 | +<ul> |
| 16 | +<li><code>getJWTBearerIssuer(issuer)</code> → <code>{ audience, jwks | jwksUri | secret }</code> (or |
| 17 | +falsy for an untrusted issuer) — the verification key material and the |
| 18 | +expected <code>aud</code>.</li> |
| 19 | +<li><code>getJWTBearerUser({ issuer, subject, client, scope, jti, assertionId, exp })</code> → the |
| 20 | +authorized user (or falsy to deny). Replay (<code>jti</code>) can be enforced here.</li> |
| 21 | +</ul> |
| 22 | +</dd> |
| 23 | +</dl> |
| 24 | + |
| 25 | +## Constants |
| 26 | + |
| 27 | +<dl> |
| 28 | +<dt><a href="#GRANT_TYPE">GRANT_TYPE</a></dt> |
| 29 | +<dd><p>The <code>grant_type</code> value for the JWT bearer authorization grant.</p> |
| 30 | +</dd> |
| 31 | +</dl> |
| 32 | + |
| 33 | +<a name="JwtBearerGrantType"></a> |
| 34 | + |
| 35 | +## JwtBearerGrantType ⇐ <code>AbstractGrantType</code> |
| 36 | +The JWT bearer authorization grant (RFC 7521 §4.1, RFC 7523 §2.1/§3): a signed |
| 37 | +JWT *is* the authorization grant. The assertion's `iss` identifies a trusted |
| 38 | +issuer (whose key verifies the assertion) and `sub` identifies the principal |
| 39 | +the access token is issued for. Unlike JWT *client authentication*, `sub` is |
| 40 | +the user/principal — not the client — and `iss`/`sub` are not bound to the |
| 41 | +client id. |
| 42 | + |
| 43 | +This is an extension grant; register it via `extendedGrantTypes`. The |
| 44 | +requested `scope` is taken from the body parameter (RFC 7521 §4.1), and no |
| 45 | +refresh token is issued (RFC 7521 §5.2). |
| 46 | + |
| 47 | +The model must implement: |
| 48 | + - `getJWTBearerIssuer(issuer)` → `{ audience, jwks | jwksUri | secret }` (or |
| 49 | + falsy for an untrusted issuer) — the verification key material and the |
| 50 | + expected `aud`. |
| 51 | + - `getJWTBearerUser({ issuer, subject, client, scope, jti, assertionId, exp })` → the |
| 52 | + authorized user (or falsy to deny). Replay (`jti`) can be enforced here. |
| 53 | + |
| 54 | +**Kind**: global class |
| 55 | +**Extends**: <code>AbstractGrantType</code> |
| 56 | +**See** |
| 57 | + |
| 58 | +- https://datatracker.ietf.org/doc/html/rfc7521#section-4.1 |
| 59 | +- https://datatracker.ietf.org/doc/html/rfc7523#section-2.1 |
| 60 | +- https://datatracker.ietf.org/doc/html/rfc7523#section-3 |
| 61 | + |
| 62 | + |
| 63 | +* [JwtBearerGrantType](#JwtBearerGrantType) ⇐ <code>AbstractGrantType</code> |
| 64 | + * [new JwtBearerGrantType()](#new_JwtBearerGrantType_new) |
| 65 | + * [.handle(request, client)](#JwtBearerGrantType+handle) |
| 66 | + * [.verifyAssertion()](#JwtBearerGrantType+verifyAssertion) |
| 67 | + * [.getKey()](#JwtBearerGrantType+getKey) |
| 68 | + * [.getUser()](#JwtBearerGrantType+getUser) |
| 69 | + * [.saveToken()](#JwtBearerGrantType+saveToken) |
| 70 | + |
| 71 | +<a name="new_JwtBearerGrantType_new"></a> |
| 72 | + |
| 73 | +### new JwtBearerGrantType() |
| 74 | +**Example** |
| 75 | +```js |
| 76 | +new OAuth2Server({ |
| 77 | + model, |
| 78 | + extendedGrantTypes: { |
| 79 | + 'urn:ietf:params:oauth:grant-type:jwt-bearer': JwtBearerGrantType |
| 80 | + }, |
| 81 | + // typically a public requester; identify it with `client_id`: |
| 82 | + requireClientAuthentication: { 'urn:ietf:params:oauth:grant-type:jwt-bearer': false } |
| 83 | +}); |
| 84 | +``` |
| 85 | +<a name="JwtBearerGrantType+handle"></a> |
| 86 | + |
| 87 | +### jwtBearerGrantType.handle(request, client) |
| 88 | +Handle the JWT bearer grant. |
| 89 | + |
| 90 | +**Kind**: instance method of [<code>JwtBearerGrantType</code>](#JwtBearerGrantType) |
| 91 | +**See**: https://datatracker.ietf.org/doc/html/rfc7523#section-2.1 |
| 92 | + |
| 93 | +| Param | Type | |
| 94 | +| --- | --- | |
| 95 | +| request | <code>Request</code> | |
| 96 | +| client | <code>ClientData</code> | |
| 97 | + |
| 98 | +<a name="JwtBearerGrantType+verifyAssertion"></a> |
| 99 | + |
| 100 | +### jwtBearerGrantType.verifyAssertion() |
| 101 | +Verify the `assertion` and return its (trusted) claims. |
| 102 | + |
| 103 | +**Kind**: instance method of [<code>JwtBearerGrantType</code>](#JwtBearerGrantType) |
| 104 | +<a name="JwtBearerGrantType+getKey"></a> |
| 105 | + |
| 106 | +### jwtBearerGrantType.getKey() |
| 107 | +Resolve the verification key for the issuer (HMAC secret or asymmetric JWKS). |
| 108 | + |
| 109 | +**Kind**: instance method of [<code>JwtBearerGrantType</code>](#JwtBearerGrantType) |
| 110 | +<a name="JwtBearerGrantType+getUser"></a> |
| 111 | + |
| 112 | +### jwtBearerGrantType.getUser() |
| 113 | +Resolve and authorize the principal (`sub`) the token is issued for. |
| 114 | + |
| 115 | +**Kind**: instance method of [<code>JwtBearerGrantType</code>](#JwtBearerGrantType) |
| 116 | +<a name="JwtBearerGrantType+saveToken"></a> |
| 117 | + |
| 118 | +### jwtBearerGrantType.saveToken() |
| 119 | +Save and return the access token. No refresh token is issued (RFC 7521 §5.2). |
| 120 | + |
| 121 | +**Kind**: instance method of [<code>JwtBearerGrantType</code>](#JwtBearerGrantType) |
| 122 | +<a name="GRANT_TYPE"></a> |
| 123 | + |
| 124 | +## GRANT\_TYPE |
| 125 | +The `grant_type` value for the JWT bearer authorization grant. |
| 126 | + |
| 127 | +**Kind**: global constant |
| 128 | +**See**: https://datatracker.ietf.org/doc/html/rfc7523#section-2.1 |
0 commit comments