JCL-444: Improve support for RFC 9207

Author: acoburn

openid/src/main/java/com/inrupt/client/openid/Metadata.java

@@ -112,4 +112,9 @@ public class Metadata {
      * A list of DPoP signing algorithm values supported by the given OpenID Connect provider.
      */
     public List<String> dpopSigningAlgValuesSupported;
+
+    /**
+     * Indication of whether the OpenID Connect provider supports RFC-9207.
+     */
+    public boolean authorizationResponseIssParameterSupported;
 }

openid/src/main/java/com/inrupt/client/openid/OpenIdProvider.java

@@ -211,6 +211,13 @@ ErrorResponse tryParseError(final InputStream input) {
     }
 
     private Request tokenRequest(final Metadata metadata, final TokenRequest request) {
+        if (request.getIssuer() != null) {
+            if (!request.getIssuer().equals(metadata.issuer)) {
+                throw new OpenIdException("Issuer mismatch. " +
+                        "Please verify that the designated OpenID issuer is correct");
+            }
+        }
+
         if (!metadata.grantTypesSupported.contains(request.getGrantType())) {
             throw new OpenIdException("Grant type [" + request.getGrantType() + "] is not supported by this provider.");
         }

openid/src/main/java/com/inrupt/client/openid/TokenRequest.java

@@ -38,6 +38,7 @@ public final class TokenRequest {
     private final String clientSecret;
     private final String authMethod;
     private final URI redirectUri;
+    private final URI issuer;
     private final List<String> scopes;
 
     /**
@@ -58,6 +59,15 @@ public List<String> getScopes() {
         return scopes;
     }
 
+    /**
+     * Get the issuer.
+     *
+     * @return the issuer, may be {@code null}
+     */
+    public URI getIssuer() {
+        return issuer;
+    }
+
     /**
      * Get the authentication method.
      *
@@ -123,7 +133,8 @@ public static Builder newBuilder() {
 
     /* package-private */
     TokenRequest(final String clientId, final String clientSecret, final URI redirectUri, final String grantType,
-            final String authMethod, final String code, final String codeVerifier, final List<String> scopes) {
+            final String authMethod, final String code, final String codeVerifier, final URI issuer,
+            final List<String> scopes) {
         this.clientId = clientId;
         this.clientSecret = clientSecret;
         this.redirectUri = redirectUri;
@@ -132,6 +143,7 @@ public static Builder newBuilder() {
         this.code = code;
         this.codeVerifier = codeVerifier;
         this.scopes = scopes;
+        this.issuer = issuer;
     }
 
     /**
@@ -146,6 +158,7 @@ public static class Builder {
         private String builderCode;
         private String builderCodeVerifier;
         private URI builderRedirectUri;
+        private URI builderIssuer;
         private List<String> builderScopes = new ArrayList<>();
 
         /**
@@ -181,6 +194,17 @@ public Builder scopes(final String... scopes) {
             return this;
         }
 
+        /**
+         * Set the issuer URI.
+         *
+         * @param issuer the issuer value
+         * @return this builder
+         */
+        public Builder issuer(final URI issuer) {
+            builderIssuer = issuer;
+            return this;
+        }
+
         /**
          * Set the authentication method for the token endpoint.
          *
@@ -240,7 +264,7 @@ public TokenRequest build(final String grantType, final String clientId) {
             }
 
             return new TokenRequest(clientId, builderClientSecret, builderRedirectUri, grant, builderAuthMethod,
-                    builderCode, builderCodeVerifier, builderScopes);
+                    builderCode, builderCodeVerifier, builderIssuer, builderScopes);
         }
     }
 }

openid/src/test/java/com/inrupt/client/openid/OpenIdProviderTest.java

@@ -114,6 +114,43 @@ void tokenRequestIllegalArgumentsTest() {
             () -> builder.build("myGrantType", null));
     }
 
+    @Test
+    void tokenIssuerMismatch() {
+        final TokenRequest tokenReq = TokenRequest.newBuilder()
+            .code("someCode")
+            .codeVerifier("myCodeverifier")
+            .issuer(URI.create("https://issuer.test"))
+            .redirectUri(URI.create("https://example.test/redirectUri"))
+            .build(
+                "authorization_code",
+                "myClientId"
+            );
+
+        final CompletionException ex = assertThrows(CompletionException.class, openIdProvider.token(tokenReq)
+            .toCompletableFuture()::join);
+        assertTrue(ex.getCause() instanceof OpenIdException);
+        final OpenIdException cause = (OpenIdException) ex.getCause();
+        assertTrue(cause.getMessage().contains("Issuer mismatch"));
+    }
+
+    @Test
+    void tokenIssuerMatch() {
+        final TokenRequest tokenReq = TokenRequest.newBuilder()
+            .code("someCode")
+            .codeVerifier("myCodeverifier")
+            .issuer(URI.create("http://example.test"))
+            .redirectUri(URI.create("https://example.test/redirectUri"))
+            .build(
+                "authorization_code",
+                "myClientId"
+            );
+        final TokenResponse token = openIdProvider.token(tokenReq)
+            .toCompletableFuture().join();
+        assertEquals("123456", token.accessToken);
+        assertNotNull(token.idToken);
+        assertEquals("Bearer", token.tokenType);
+    }
+
     @Test
     void tokenNoClientSecretTest() {
         final TokenRequest tokenReq = TokenRequest.newBuilder()

openid/src/test/resources/metadata.json

@@ -69,5 +69,6 @@
     ],
     "dpop_signing_alg_values_supported":[
         "RS256", "ES256"
-    ]
+    ],
+    "authorization_response_iss_parameter_supported": true
 }