feat: update pushed request objects to b6cd952

lib/actions/authorization/process_request_object.js

@@ -117,6 +117,12 @@ module.exports = async function processRequestObject(PARAM_LIST, rejectDupesMidd
     throw new InvalidRequestObject('request client_id must equal the one in request parameters');
   }
 
+  if (ctx.oidc.route === 'request_object') {
+    if (request.client_id !== ctx.oidc.client.clientId) {
+      throw new InvalidRequestObject('request client_id must equal the authenticated client\'s client_id');
+    }
+  }
+
   const pushedRequestObject = 'RequestObject' in ctx.oidc.entities;
 
   if (!(alg === 'none' && (pushedRequestObject || ctx.oidc.route === 'request_object'))) {

lib/actions/authorization/request_object_response.js

@@ -12,12 +12,11 @@ const JWT = require('../../helpers/jwt');
 module.exports = async function requestObjectResponse(ctx, next) {
   const { request } = ctx.oidc.body;
   const now = epochTime();
-  let { payload: { exp } } = JWT.decode(request);
+  const { payload: { exp } } = JWT.decode(request);
   let ttl = exp - now;
 
   if (!ttl) {
     ttl = 300;
-    exp = now + ttl;
   }
 
   const requestObject = new ctx.oidc.provider.RequestObject({ request });
@@ -28,9 +27,7 @@ module.exports = async function requestObjectResponse(ctx, next) {
 
   ctx.status = 201;
   ctx.body = {
-    iss: ctx.oidc.provider.issuer,
-    aud: ctx.oidc.client.clientId,
-    exp,
+    expires_in: ttl,
     request_uri: `${PUSHED_REQUEST_URN}${id}`,
   };
 

lib/helpers/features.js

@@ -62,12 +62,12 @@ const DRAFTS = new Map(Object.entries({
     url: 'https://openid.net/specs/openid-financial-api-jarm-wd-02.html',
     version: [1, 2],
   },
-  // TODO: push this to README.md once published by IETF
+  // TODO: push this to README.md once published by IETF and/or OIDC
   pushedRequestObjects: {
     name: 'Pushed Request Object',
     type: 'OIDF FAPI WG draft',
-    url: 'https://bitbucket.org/openid/fapi/src/37426f5/Financial_API_Pushed_Request_Object.md',
-    version: '37426f5',
+    url: 'https://bitbucket.org/openid/fapi/src/b6cd952/Financial_API_Pushed_Request_Object.md',
+    version: 'b6cd952',
   },
   resourceIndicators: {
     name: 'Resource Indicators for OAuth 2.0 - draft 05',

test/pushed_request_objects/pushed_request_objects.test.js

@@ -70,16 +70,31 @@ describe('Pushed Request Object', () => {
         })
         .expect(201)
         .expect(({ body }) => {
-          expect(body).to.have.keys('aud', 'exp', 'iss', 'request_uri');
-          expect(body).to.have.property('aud', 'client');
-          expect(body).to.have.property('exp').and.is.a('number').above(Math.floor(Date.now() / 1000));
-          expect(body).to.have.property('iss', this.provider.issuer);
+          expect(body).to.have.keys('expires_in', 'request_uri');
+          expect(body).to.have.property('expires_in', 300);
           expect(body).to.have.property('request_uri').and.match(/^urn:ietf:params:oauth:request_uri:(.+)$/);
         });
 
       expect(spy).to.have.property('calledOnce', true);
     });
 
+    it('requires the request object client_id to equal the authenticated client one', async function () {
+      return this.agent.post(route)
+        .auth('client', 'secret')
+        .type('form')
+        .send({
+          request: await JWT.sign({
+            response_type: 'code',
+            client_id: 'client-foo',
+          }, this.key, 'HS256'),
+        })
+        .expect(400)
+        .expect({
+          error: 'invalid_request_object',
+          error_description: "request client_id must equal the authenticated client's client_id",
+        });
+    });
+
     it('remaps request validation errors to be related to the request object', async function () {
       return this.agent.post(route)
         .auth('client', 'secret')