From 3575584ca6a33e97a1288af6fba3669c21ad65ce Mon Sep 17 00:00:00 2001 From: Filip Skokan Date: Tue, 29 Nov 2022 16:39:07 +0100 Subject: [PATCH] refactor!: disable request_uri support by default BREAKING CHANGE: `request_uri` parameter support is now disabled by default. This can be reverted using the `features.requestObjects.requestUri` configuration option. --- docs/README.md | 4 +- lib/helpers/defaults.js | 2 +- test/configuration/client_metadata.test.js | 62 ++++++++++++++++------ test/id_token_claims/conform.config.js | 2 + 4 files changed, 50 insertions(+), 20 deletions(-) diff --git a/docs/README.md b/docs/README.md index cd3d72313..bfeff9bc4 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1608,7 +1608,7 @@ _**default value**_: { mode: 'strict', request: false, - requestUri: true, + requestUri: false, requireSignedRequestObject: false, requireUriRegistration: true } @@ -1648,7 +1648,7 @@ Enables the use and validations of the `request_uri` parameter. _**default value**_: ```js -true +false ``` #### requireSignedRequestObject diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js index aecfcae09..de00e8122 100644 --- a/lib/helpers/defaults.js +++ b/lib/helpers/defaults.js @@ -1731,7 +1731,7 @@ function makeDefaults() { * * description: Enables the use and validations of the `request_uri` parameter. */ - requestUri: true, + requestUri: false, /* * features.requestObjects.requireUriRegistration diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js index 97af882fe..8f867a7c6 100644 --- a/test/configuration/client_metadata.test.js +++ b/test/configuration/client_metadata.test.js @@ -256,7 +256,7 @@ describe('Client metadata validation', () => { }, }, }); - mustBeBoolean(this.title); + mustBeBoolean(this.title, undefined, configuration()); defaultsTo(this.title, undefined, undefined, configuration(false, false)); defaultsTo(this.title, false, undefined, configuration()); defaultsTo(this.title, true, undefined, configuration(true)); @@ -451,15 +451,37 @@ describe('Client metadata validation', () => { }); context('request_object_signing_alg', function () { - mustBeString(this.title); - [ - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', - 'PS256', 'PS384', 'PS512', 'ES256', 'ES384', 'ES512', 'EdDSA', - ].forEach((alg) => { - allows(this.title, alg, { jwks: { keys: [sigKey] } }); - }); - rejects(this.title, 'not-an-alg'); - rejects(this.title, 'none'); + // eslint-disable-next-line no-restricted-syntax + for (const configuration of [ + { + features: { + requestObjects: { requestUri: true, request: false }, + pushedAuthorizationRequests: { enabled: false }, + }, + }, + { + features: { + requestObjects: { requestUri: false, request: true }, + pushedAuthorizationRequests: { enabled: false }, + }, + }, + { + features: { + requestObjects: { requestUri: false, request: false }, + pushedAuthorizationRequests: { enabled: true }, + }, + }, + ]) { + mustBeString(this.title, undefined, undefined, configuration); + [ + 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', + 'PS256', 'PS384', 'PS512', 'ES256', 'ES384', 'ES512', 'EdDSA', + ].forEach((alg) => { + allows(this.title, alg, { jwks: { keys: [sigKey] } }, configuration); + }); + rejects(this.title, 'not-an-alg', undefined, undefined, configuration); + rejects(this.title, 'none', undefined, undefined, configuration); + } }); context('request_uris', function () { @@ -476,14 +498,19 @@ describe('Client metadata validation', () => { }, }, }); - mustBeArray(this.title); + const configuration = { + features: { + requestObjects: { requestUri: true }, + }, + }; + mustBeArray(this.title, undefined, configuration); - allows(this.title, ['https://a-web-uri']); - allows(this.title, ['http://a-web-uri'], /must only contain https uris$/); - rejects(this.title, [123], /must only contain strings$/); - rejects(this.title, ['not a uri'], /request_uris must only contain web uris$/); - rejects(this.title, ['custom-scheme://not-a-web-uri'], /request_uris must only contain web uris$/); - rejects(this.title, ['urn:example'], /request_uris must only contain web uris$/); + allows(this.title, ['https://a-web-uri'], undefined, configuration); + allows(this.title, ['http://a-web-uri'], /must only contain https uris$/, configuration); + rejects(this.title, [123], /must only contain strings$/, undefined, configuration); + rejects(this.title, ['not a uri'], /request_uris must only contain web uris$/, undefined, configuration); + rejects(this.title, ['custom-scheme://not-a-web-uri'], /request_uris must only contain web uris$/, undefined, configuration); + rejects(this.title, ['urn:example'], /request_uris must only contain web uris$/, undefined, configuration); }); context('web_message_uris', function () { @@ -1109,6 +1136,7 @@ describe('Client metadata validation', () => { encryption: { enabled: true }, jwtUserinfo: { enabled: true }, ciba: { enabled: true }, + requestObjects: { request: true }, }, }; diff --git a/test/id_token_claims/conform.config.js b/test/id_token_claims/conform.config.js index 62318aa84..08ec3729c 100644 --- a/test/id_token_claims/conform.config.js +++ b/test/id_token_claims/conform.config.js @@ -6,6 +6,7 @@ const config = getConfig(); merge(config.features, { claimsParameter: { enabled: true }, + jwtUserinfo: { enabled: true }, }); export default { @@ -19,5 +20,6 @@ export default { 'code id_token token', 'code id_token', 'code token', 'code', 'id_token token', 'id_token', ], redirect_uris: ['https://client.example.com/cb'], + userinfo_signed_response_alg: 'HS256', }], };