Added two further checks for the JWT and the JWS

Philip Skinner · Philip Skinner · commit 49424896667e · 2017-04-20T14:47:18.000+01:00
diff --git a/lib/strategy.js b/lib/strategy.js
@@ -97,11 +97,14 @@ Strategy.prototype.authenticate = function(req, options) {
 
         var idTokenSegments = idToken.split('.')
           , jwtClaimsStr
-          , jwtClaims;
+          , jwtClaims
+          , joseHeader;
 
         try {
           jwtClaimsStr = new Buffer(idTokenSegments[1], 'base64').toString();
           jwtClaims = JSON.parse(jwtClaimsStr);
+
+          joseHeader = JSON.parse(new Buffer(idTokenSegments[0], 'base64').toString());
         } catch (ex) {
           return self.error(ex);
         }
@@ -144,6 +147,12 @@ Strategy.prototype.authenticate = function(req, options) {
           return self.error(new Error('Invalid nonce in id_token'));
         }
 
+        // http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation - check 10
+        if (jwtClaims.iat >= jwtClaims.exp) return self.error(new Error('id token has expired'));
+
+        // http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation - check 7-ish
+        if (!joseHeader.alg || typeof(joseHeader.alg) === 'undefined') return self.error(new Error('Invalid algorithm type'));
+
         var iss = jwtClaims.iss;
         var sub = jwtClaims.sub;
         // Prior to OpenID Connect Basic Client Profile 1.0 - draft 22, the
