fix: handle server_error on expired unsigned request objects

Author: panva

lib/actions/authorization/process_request_object.js

@@ -141,9 +141,13 @@ module.exports = async function processRequestObject(PARAM_LIST, ctx, next) {
     }
   }
 
-  if (alg === 'none') {
+  try {
     JWT.assertPayload(payload, opts);
-  } else {
+  } catch (err) {
+    throw new InvalidRequestObject(`Request Object claims are invalid (${err.message})`);
+  }
+
+  if (alg !== 'none') {
     try {
       await JWT.verify(params.request, client.keystore, opts);
       trusted = true;

test/request/jwt_request.test.js

@@ -484,6 +484,37 @@ describe('request parameter features', () => {
         });
       }
 
+      it('handles JWT claim assertions', function () {
+        const spy = sinon.spy();
+        this.provider.once(errorEvt, spy);
+
+        return JWT.sign({
+          client_id: 'client',
+          response_type: 'code',
+          redirect_uri: 'https://client.example.com/cb',
+          exp: 1,
+        }, null, 'none', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
+          agent: this.agent,
+          route,
+          verb,
+          auth: {
+            request,
+            scope: 'openid',
+            client_id: 'client',
+            response_type: 'code',
+          },
+        })
+          .expect(errorCode)
+          .expect(() => {
+            expect(spy.calledOnce).to.be.true;
+            expect(spy.args[0][1]).to.have.property('message', 'invalid_request_object');
+            expect(spy.args[0][1]).to.have.property(
+              'error_description',
+              'Request Object claims are invalid (jwt expired)',
+            );
+          }));
+      });
+
       it('doesnt allow client_id to differ', function () {
         const spy = sinon.spy();
         this.provider.once(errorEvt, spy);