fix: _jwt client auth method alg no longer mixes up (a)symmetrical

panva · Apr 3, 2019 · 1771655 · 1771655
1 parent b3a50ac
commit 1771655
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 16 deletions.
diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -160,7 +160,16 @@ module.exports = function getSchema(provider) {
     response_types: () => configuration.responseTypes,
     subject_type: () => configuration.subjectTypes,
     token_endpoint_auth_method: () => configuration.tokenEndpointAuthMethods,
-    token_endpoint_auth_signing_alg: () => configuration.tokenEndpointAuthSigningAlgValues,
+    token_endpoint_auth_signing_alg: ({ token_endpoint_auth_method: method }) => {
+      switch (method) {
+        case 'private_key_jwt':
+          return configuration.tokenEndpointAuthSigningAlgValues.filter(x => !x.startsWith('HS'));
+        case 'client_secret_jwt':
+          return configuration.tokenEndpointAuthSigningAlgValues.filter(x => x.startsWith('HS'));
+        default:
+          return [];
+      }
+    },
     userinfo_encrypted_response_alg: () => configuration.userinfoEncryptionAlgValues,
     userinfo_encrypted_response_enc: () => configuration.userinfoEncryptionEncValues,
     userinfo_signed_response_alg: () => configuration.userinfoSigningAlgValues,
@@ -173,11 +182,27 @@ module.exports = function getSchema(provider) {
 
     // must be after token_* specific
     introspection_endpoint_auth_method: () => configuration.introspectionEndpointAuthMethods,
-    introspection_endpoint_auth_signing_alg:
-      () => configuration.introspectionEndpointAuthSigningAlgValues,
+    introspection_endpoint_auth_signing_alg: ({ introspection_endpoint_auth_method: method }) => {
+      switch (method) {
+        case 'private_key_jwt':
+          return configuration.introspectionEndpointAuthSigningAlgValues.filter(x => !x.startsWith('HS'));
+        case 'client_secret_jwt':
+          return configuration.introspectionEndpointAuthSigningAlgValues.filter(x => x.startsWith('HS'));
+        default:
+          return [];
+      }
+    },
     revocation_endpoint_auth_method: () => configuration.revocationEndpointAuthMethods,
-    revocation_endpoint_auth_signing_alg:
-      () => configuration.revocationEndpointAuthSigningAlgValues,
+    revocation_endpoint_auth_signing_alg: ({ revocation_endpoint_auth_method: method }) => {
+      switch (method) {
+        case 'private_key_jwt':
+          return configuration.revocationEndpointAuthSigningAlgValues.filter(x => !x.startsWith('HS'));
+        case 'client_secret_jwt':
+          return configuration.revocationEndpointAuthSigningAlgValues.filter(x => x.startsWith('HS'));
+        default:
+          return [];
+      }
+    },
   };
 
   const requestSignAlgRequiringJwks = /^(RS|ES)/;

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -524,18 +524,30 @@ describe('Client metadata validation', () => {
 
     const endpointAuthSigningAlgProperty = endpointAuthMethodProperty.replace('_method', '_signing_alg');
     context(endpointAuthSigningAlgProperty, function () {
-      allows(this.title, 'RS256', {
-        [endpointAuthMethodProperty]: 'client_secret_jwt',
-      }, configuration);
+      Object.entries({
+        client_secret_jwt: ['HS', 'RS'],
+        private_key_jwt: ['RS', 'HS', { jwks: { keys: [sigKey] } }],
+      }).forEach(([method, [accepted, rejected, additional]]) => {
+        allows(this.title, `${accepted}256`, {
+          [endpointAuthMethodProperty]: method,
+          ...additional,
+        }, configuration);
 
-      const confProperty = `${camelCase(endpointAuthSigningAlgProperty)}Values`;
-      rejects(this.title, 'RS384', new RegExp(`^${endpointAuthSigningAlgProperty} must be one of`), {
-        [endpointAuthMethodProperty]: 'client_secret_jwt',
-      }, Object.assign({}, {
-        whitelistedJWA: {
-          [confProperty]: pull(cloneDeep(whitelistedJWA[confProperty]), 'RS384'),
-        },
-      }, configuration));
+        rejects(this.title, `${rejected}256`, new RegExp(`^${endpointAuthSigningAlgProperty} must be one of`), {
+          [endpointAuthMethodProperty]: method,
+          ...additional,
+        }, configuration);
+
+        const confProperty = `${camelCase(endpointAuthSigningAlgProperty)}Values`;
+        rejects(this.title, `${accepted}384`, new RegExp(`^${endpointAuthSigningAlgProperty} must be one of`), {
+          [endpointAuthMethodProperty]: method,
+          ...additional,
+        }, Object.assign({}, {
+          whitelistedJWA: {
+            [confProperty]: pull(cloneDeep(whitelistedJWA[confProperty]), `${accepted}384`),
+          },
+        }, configuration));
+      });
     });
   });