Allow verifying access tokens

.npmignore

@@ -1,4 +1,3 @@
-src/
 test/
 demo/
-build/test/
+build/test/

package.json

@@ -8,12 +8,13 @@
     "test": "node build/test/test-agent.js",
     "check": "gts check",
     "clean": "gts clean",
-    "compile": "tsc -p .",
+    "compile": "npx -p typescript@^2.6.1 tsc -p .",
     "fix": "gts fix",
     "prepare": "npm run compile",
     "pretest": "npm run compile",
     "posttest": "npm run check",
-    "prepublish": "npm run prepare"
+    "prepublish": "npm run prepare",
+    "prepack": "npm run prepare"
   },
   "repository": {
     "type": "git",

src/index.ts

@@ -17,7 +17,7 @@ export class Validator {
    *
    */
   constructor(
-      private iss: string, private aud: string, private fakeAuth = false) {}
+      private iss: string, private aud: string, private token_use: string = 'id', private fakeAuth = false) {}
 
   /**
    *
@@ -41,7 +41,7 @@ export class Validator {
         debug('PEMs generated from JWKs.');
       }
       tokenPayload =
-          await validateIdToken(token, this.pems, this.iss, this.aud);
+          await validateIdToken(token, this.pems, this.iss, this.aud, this.token_use);
     }
 
     debug('JWT token validated.');

src/utils.ts

@@ -6,7 +6,7 @@ import {JWK, JWT, PemDictionary, PolicyDocument, PolicyStatement} from './models
 
 
 export const validateIdToken =
-    async (jwtToken: string, pems: PemDictionary, iss: string, aud: string) => {
+    async (jwtToken: string, pems: PemDictionary, iss: string, aud: string, token_use: string) => {
   const decodedJwt = jwt.decode(jwtToken, {complete: true}) as JWT;
   // Fail if the token is not jwt
   if (!decodedJwt) {
@@ -19,12 +19,12 @@ export const validateIdToken =
   }
 
   // Reject the jwt if it's not an id token
-  if (!(decodedJwt.payload.token_use === 'id')) {
+  if (!(decodedJwt.payload.token_use === token_use)) {
     throw new Error('Invalid token_use: ' + decodedJwt.payload.token_use);
   }
 
-  // Fail if token audience is invalid
-  if (decodedJwt.payload.aud !== aud) {
+  // Fail if token audience is invalid and using id token
+  if (decodedJwt.payload.aud !== aud && token_use === 'id') {
     throw new Error('Invalid aud: ' + decodedJwt.payload.aud);
   }
 

test/test-agent.ts

@@ -11,7 +11,7 @@ async function testToken(iss: string, aud: string, rl: readline.ReadLine) {
            });
          })
       .then((token) => {
-        const validator = new Validator(iss, aud);
+        const validator = new Validator(iss, aud, 'id');
         return validator.validate(token);
       });
 }

tsconfig.json

@@ -5,7 +5,7 @@
     "allowUnusedLabels": false,
     "declaration": true,
     "forceConsistentCasingInFileNames": true,
-    "lib": ["es2015"],
+    "lib": ["es2015","esnext"],
     "noFallthroughCasesInSwitch": true,
     "noEmitOnError": true,
     "noImplicitReturns": true,