fix: forbid "none" id token algorithm when backchannel logout is used

panva · Dec 6, 2019 · 797919e · 797919e
1 parent bb86ab8
commit 797919e
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -249,6 +249,7 @@ module.exports = function getSchema(provider) {
       this.redirectUris();
       this.webMessageUris();
       this.checkContacts();
+      this.backchannelLogoutNeedsIdTokenAlg();
 
       // max_age and client_secret_expires_at format
       ['default_max_age', 'client_secret_expires_at'].forEach((prop) => {
@@ -583,6 +584,12 @@ module.exports = function getSchema(provider) {
       });
     }
 
+    backchannelLogoutNeedsIdTokenAlg() {
+      if (this.backchannel_logout_uri && this.id_token_signed_response_alg === 'none') {
+        this.invalidate('id_token_signed_response_alg must not be "none" when backchannel_logout_uri is used');
+      }
+    }
+
     scopes() {
       if (this.scope) {
         const parsed = new Set(this.scope.split(' '));

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -1014,6 +1014,7 @@ describe('Client metadata validation', () => {
       defaultsTo(this.title, undefined);
       mustBeString(this.title, undefined, undefined, configuration);
       mustBeUri(this.title, ['http', 'https'], configuration);
+      rejects(this.title, 'https://rp.example.com/bcl', 'id_token_signed_response_alg must not be "none" when backchannel_logout_uri is used', { id_token_signed_response_alg: 'none' }, configuration);
     });
 
     context('backchannel_logout_session_required', function () {