Add support for OIDC type tokens.

lib/helpers.js

@@ -16,7 +16,7 @@ const {generateId} = require('bnid');
 // load config defaults
 require('./config');
 
-const TOKEN_TYPES = ['password', 'nonce', 'challenge', 'totp'];
+const TOKEN_TYPES = ['password', 'nonce', 'challenge', 'totp', 'oidc'];
 
 // numeric-only digits for human readibility and easy mobile entry
 const NUMERIC_DIGITS = '0123456789';

lib/index.js

@@ -77,7 +77,7 @@ const PERMISSIONS = bedrock.config.permission.permissions;
 api.set = async ({
   actor, account, email, type, clientId, serviceId, hash,
   authenticationMethod = type, requiredAuthenticationMethods = [],
-  notify = true, typeOptions = {entryStyle: 'human'}
+  notify = true, typeOptions = {entryStyle: 'human'}, userId
 } = {}) => {
   assert.optionalString(account, 'account');
   assert.optionalString(email, 'email');
@@ -118,6 +118,8 @@ api.set = async ({
     validateBcryptHash(hash);
     token.salt = getBcryptSalt(hash);
     token.sha256 = prefixedHash(hash);
+  } else if(type === 'oidc') {
+    token.userId = userId;
   } else if(type === 'nonce') {
     // FIXME: may need to allow up to N tokens, one per `clientId` if
     // `clientId` is set
@@ -504,7 +506,7 @@ api.verify = async ({
   }
 
   assert.optionalString(challenge, 'challenge');
-  if(!(hash || challenge)) {
+  if(type !== 'oidc' && !(hash || challenge)) {
     throw new SyntaxError(
       'One of "hash" or "challenge" must be provided.');
   }
@@ -537,6 +539,7 @@ api.verify = async ({
   }
 
   let tokenValue = record.meta['bedrock-authn-token'].tokens[type];
+
   const now = new Date();
   if(type === 'nonce') {
     for(const token of tokenValue) {
@@ -597,6 +600,8 @@ api.verify = async ({
     verified = crypto.timingSafeEqual(
       new Buffer(token.sha256, 'base64'),
       new Buffer(prefixedHash(hash), 'base64'));
+  } else if(type === 'oidc') {
+    verified = token.userId === challenge;
   } else if(type === 'totp') {
     const cfg = config['authn-token'];
     const {window} = cfg.totp;