diff --git a/README.md b/README.md
index e42e1acec..679c57a1b 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,7 @@ The following draft specifications are implemented by oidc-provider.
 - [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - draft 05][jwt-at]
 - [JWT Response for OAuth Token Introspection - draft 09][jwt-introspection]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - draft 02][jarm]
+- [OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response][iss-auth-resp]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 01][dpop]
 - [OAuth 2.0 JWT Secured Authorization Request (JAR)][jar]
 - [OAuth 2.0 Pushed Authorization Requests - draft 03][par]
@@ -176,3 +177,4 @@ See the list of available emitted [event names](/docs/events.md) and their descr
 [support-sponsor]: https://github.com/sponsors/panva
 [par]: https://tools.ietf.org/html/draft-ietf-oauth-par-03
 [rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-01.html
+[iss-auth-resp]: https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00
diff --git a/docs/README.md b/docs/README.md
index d50c8161b..a93a1c32f 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1110,6 +1110,20 @@ async function introspectionAllowedPolicy(ctx, client, token) {
+### features.issAuthResp
+
+[draft-ietf-oauth-iss-auth-resp-00](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00) - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
+
+Enables `iss` authorization response parameter for responses without existing countermeasures against mix-up attacks.
+
+
+_**default value**_:
+```js
+{
+ enabled: false
+}
+```
+
 ### features.jwtIntrospection
 [draft-ietf-oauth-jwt-introspection-response-09](https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-09) - JWT Response for OAuth Token Introspection
diff --git a/lib/actions/authorization/respond.js b/lib/actions/authorization/respond.js
index e6a381b07..760906134 100644
--- a/lib/actions/authorization/respond.js
+++ b/lib/actions/authorization/respond.js
@@ -25,6 +25,10 @@ module.exports = async function respond(ctx, next) {
 out.session_state = processSessionState(ctx, params.redirect_uri);
 }
+ if (instance(ctx.oidc.provider).configuration('features.issAuthResp.enabled')) {
+ out.iss = ctx.oidc.provider.issuer;
+ }
+
 ctx.oidc.provider.emit('authorization.success', ctx, out);
 debug('uid=%s %o', ctx.oidc.uid, out);
diff --git a/lib/actions/discovery.js b/lib/actions/discovery.js
index 5b0d31224..88a40bce6 100644
--- a/lib/actions/discovery.js
+++ b/lib/actions/discovery.js
@@ -22,6 +22,7 @@ module.exports = function discovery(ctx, next) {
 issuer: ctx.oidc.issuer,
 jwks_uri: ctx.oidc.urlFor('jwks'),
 registration_endpoint: features.registration.enabled ? ctx.oidc.urlFor('registration') : undefined,
+ authorization_response_iss_parameter_supported: features.issAuthResp.enabled ? true : undefined,
 response_modes_supported: ['form_post', 'fragment', 'query'],
 response_types_supported: config.responseTypes,
 scopes_supported: [...config.scopes].concat([...config.dynamicScopes].map((s) => s[DYNAMIC_SCOPE_LABEL]).filter(Boolean)),
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
index 5e16215ef..88af012dd 100644
--- a/lib/helpers/defaults.js
+++ b/lib/helpers/defaults.js
@@ -1594,6 +1594,16 @@ function getDefaults() {
 */
 scriptNonce: webMessageResponseModeScriptNonce,
 },
+
+ /*
+ * features.issAuthResp
+ *
+ * title: [draft-ietf-oauth-iss-auth-resp-00](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00) - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
+ *
+ * description: Enables `iss` authorization response parameter for responses without
+ * existing countermeasures against mix-up attacks.
+ */
+ issAuthResp: { enabled: false },
 },
 /*
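Review bot: `out.iss` is only attached to the successful authorization response built in respond.js, while the draft this implements (as I read it, and as its successor RFC states explicitly) expects `iss` in error responses as well, since mix-up protection has to cover the redirect an attacker-controlled server can provoke; the authorization error path is not in this hunk, so confirm it also emits `iss` when `features.issAuthResp.enabled` is on, otherwise the discovery flag added in discovery.js overstates what the server does. The defaults.js description says the parameter is for responses "without existing countermeasures", but the condition here does not distinguish JARM or id_token responses that already carry the issuer; emitting it there is harmless, though a one-line comment such as `// iss is added regardless of response mode; JARM/id_token responses carry it redundantly` would make the intent clear. The enclosing `respond` function starts and ends outside the hunk.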
diff --git a/lib/helpers/features.js b/lib/helpers/features.js
index 092ac5ca2..10c2c9172 100644
--- a/lib/helpers/features.js
+++ b/lib/helpers/features.js
@@ -82,6 +82,12 @@ const DRAFTS = new Map(Object.entries({
 url: 'https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00',
 version: [0, 'id-00', 'individual-draft-00'],
 },
+ issAuthResp: {
+ name: 'OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response - draft 00',
+ type: 'IETF OAuth Working Group draft',
+ url: 'https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00',
+ version: ['draft-00'],
+ },
 }));
 module.exports = {
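Review bot: `version: ['draft-00']` accepts a single acknowledgement value, whereas the neighbouring webMessageResponseMode entry also lists a bare integer (`0`) next to its string aliases; if the integer form is the convention the other IETF draft entries follow (they are outside this hunk), `version: [0, 'draft-00']` would keep the `features.issAuthResp.ack` contract consistent with them. The earlier entries of the DRAFTS map are outside the hunk.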