refactor!: renamed client auth related configuration

`Client.prototype.clientAuthMethod` and `Client.prototype.clientAuthSigningAlg` prototype getters were added as as aliases to the client's `tokenEndpointAuthMethod` and `tokenEndpointAuthSigningAlg` getters. BREAKING CHANGE: The `tokenEndpointAuthMethods` configuration method was renamed to `clientAuthMethods`. BREAKING CHANGE: The `enabledJWA.tokenEndpointAuthSigningAlgValues` configuration method was renamed to `enabledJWA.clientAuthSigningAlgValues`.
panva · Dec 1, 2022 · b8e8ce9 · b8e8ce9
1 parent a6433d0
commit b8e8ce9
Show file tree

Hide file tree

Showing 19 changed files with 166 additions and 167 deletions.
diff --git a/certification/fapi/index.js b/certification/fapi/index.js
@@ -18,7 +18,7 @@ const OFFICIAL_CERTIFICATION = 'https://www.certification.openid.net';
 const { PORT = 3000, ISSUER = `http://localhost:${PORT}`, SUITE_BASE_URL = OFFICIAL_CERTIFICATION } = process.env;
 
 const ALGS = ['PS256'];
-const tokenEndpointAuthMethods = ['private_key_jwt', 'self_signed_tls_client_auth'];
+const clientAuthMethods = ['private_key_jwt', 'self_signed_tls_client_auth'];
 
 const normalize = (cert) => cert.toString().replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g, '');
 
@@ -217,12 +217,12 @@ const fapi = new Provider(ISSUER, {
     },
   },
   responseTypes: ['code id_token', 'code'],
-  tokenEndpointAuthMethods,
+  clientAuthMethods,
   enabledJWA: {
     authorizationSigningAlgValues: ALGS,
     idTokenSigningAlgValues: ALGS,
     requestObjectSigningAlgValues: ALGS,
-    tokenEndpointAuthSigningAlgValues: ALGS,
+    clientAuthSigningAlgValues: ALGS,
     userinfoSigningAlgValues: ALGS,
   },
   extraClientMetadata: {

diff --git a/certification/oidc/configuration.js b/certification/oidc/configuration.js
@@ -11,7 +11,7 @@ function filterOutNone(conf, prop) {
 Object.keys(enabledJWA).forEach(filterOutNone.bind(undefined, enabledJWA));
 
 const timeout = parseInt(process.env.TIMEOUT, 10);
-const tokenEndpointAuthMethods = [
+const clientAuthMethods = [
   'none',
   'client_secret_basic',
   'client_secret_jwt',
@@ -173,7 +173,7 @@ module.exports = {
   ttl: {
     RegistrationAccessToken: 1 * 24 * 60 * 60,
   },
-  tokenEndpointAuthMethods,
+  clientAuthMethods,
   httpOptions(gotOptions) {
     gotOptions.timeout = timeout || gotOptions.timeout; // eslint-disable-line no-param-reassign
     return gotOptions;
@@ -183,7 +183,7 @@ module.exports = {
       return false;
     }
 
-    return code.scopes.has('offline_access') || (client.applicationType === 'web' && client.tokenEndpointAuthMethod === 'none');
+    return code.scopes.has('offline_access') || (client.applicationType === 'web' && client.clientAuthMethod === 'none');
   },
   enabledJWA,
   pkce: {

diff --git a/docs/README.md b/docs/README.md
@@ -468,7 +468,7 @@ location / {
 - [sectorIdentifierUriValidate](#sectoridentifierurivalidate)
 - [scopes](#scopes)
 - [subjectTypes](#subjecttypes)
-- [tokenEndpointAuthMethods](#tokenendpointauthmethods)
+- [clientAuthMethods](#clientauthmethods)
 - [ttl ❗](#ttl)
 - [enabledJWA](#enabledjwa)
 
@@ -1149,7 +1149,7 @@ Helper function used to determine whether the client/RS (client argument) is all
 _**default value**_:
 ```js
 async function introspectionAllowedPolicy(ctx, client, token) {
-  if (client.tokenEndpointAuthMethod === 'none' && token.clientId !== ctx.oidc.client.clientId) {
+  if (client.clientAuthMethod === 'none' && token.clientId !== ctx.oidc.client.clientId) {
     return false;
   }
   return true;
@@ -1320,7 +1320,7 @@ function getCertificate(ctx) {
 
 #### selfSignedTlsClientAuth
 
-Enables section 2.2. Self-Signed Certificate Mutual TLS client authentication method `self_signed_tls_client_auth` for use in the server's `tokenEndpointAuthMethods` configuration.  
+Enables section 2.2. Self-Signed Certificate Mutual TLS client authentication method `self_signed_tls_client_auth` for use in the server's `clientAuthMethods` configuration.  
 
 
 _**default value**_:
@@ -1330,7 +1330,7 @@ false
 
 #### tlsClientAuth
 
-Enables section 2.1. PKI Mutual TLS client authentication method `tls_client_auth` for use in the server's `tokenEndpointAuthMethods` configuration.  
+Enables section 2.1. PKI Mutual TLS client authentication method `tls_client_auth` for use in the server's `clientAuthMethods` configuration.  
 
 
 _**default value**_:
@@ -2004,6 +2004,34 @@ See [/recipes/claim_configuration.md](/recipes/claim_configuration.md)
 
 </details>
 
+### clientAuthMethods
+
+Array of supported Client Authentication methods  
+
+
+_**default value**_:
+```js
+[
+  'client_secret_basic',
+  'client_secret_jwt',
+  'client_secret_post',
+  'private_key_jwt',
+  'none'
+]
+```
+<a id="client-auth-methods-supported-values-list"></a><details><summary>(Click to expand) Supported values list
+</summary><br>
+
+```js
+[
+  'none',
+  'client_secret_basic', 'client_secret_post',
+  'client_secret_jwt', 'private_key_jwt',
+  'tls_client_auth', 'self_signed_tls_client_auth', // these methods are only available when features.mTLS is configured
+]
+```
+</details>
+
 ### clientBasedCORS
 
 Function used to check whether a given CORS request should be allowed based on the request's client.   
@@ -2661,7 +2689,7 @@ async issueRefreshToken(ctx, client, code) {
   if (!client.grantTypeAllowed('refresh_token')) {
     return false;
   }
-  return code.scopes.has('offline_access') || (client.applicationType === 'web' && client.tokenEndpointAuthMethod === 'none');
+  return code.scopes.has('offline_access') || (client.applicationType === 'web' && client.clientAuthMethod === 'none');
 }
 ```
 </details>
@@ -2834,7 +2862,7 @@ function rotateRefreshToken(ctx) {
     return false;
   }
   // rotate non sender-constrained public client refresh tokens
-  if (client.tokenEndpointAuthMethod === 'none' && !refreshToken.isSenderConstrained()) {
+  if (client.clientAuthMethod === 'none' && !refreshToken.isSenderConstrained()) {
     return true;
   }
   // rotate if the token is nearing expiration (it's beyond 70% of its lifetime)
@@ -2905,34 +2933,6 @@ _**default value**_:
 ]
 ```
 
-### tokenEndpointAuthMethods
-
-Array of Client Authentication methods supported by this OP's Token Endpoint  
-
-
-_**default value**_:
-```js
-[
-  'client_secret_basic',
-  'client_secret_jwt',
-  'client_secret_post',
-  'private_key_jwt',
-  'none'
-]
-```
-<a id="token-endpoint-auth-methods-supported-values-list"></a><details><summary>(Click to expand) Supported values list
-</summary><br>
-
-```js
-[
-  'none',
-  'client_secret_basic', 'client_secret_post',
-  'client_secret_jwt', 'private_key_jwt',
-  'tls_client_auth', 'self_signed_tls_client_auth', // these methods are only available when features.mTLS is configured
-]
-```
-</details>
-
 ### ttl
 
 description: Expirations for various token and session types. The value can be a number (in seconds) or a synchronous function that dynamically returns value based on the context.   
@@ -2974,7 +2974,7 @@ _**default value**_:
     if (
       ctx && ctx.oidc.entities.RotatedRefreshToken
       && client.applicationType === 'web'
-      && client.tokenEndpointAuthMethod === 'none'
+      && client.clientAuthMethod === 'none'
       && !token.isSenderConstrained()
     ) {
       // Non-Sender Constrained SPA RefreshTokens do not have infinite expiration through rotation
@@ -3102,6 +3102,36 @@ _**default value**_:
 ```
 </details>
 
+### enabledJWA.clientAuthSigningAlgValues
+
+JWS "alg" Algorithm values the provider supports for signed JWT Client Authentication   
+  
+
+
+_**default value**_:
+```js
+[
+  'HS256',
+  'RS256',
+  'PS256',
+  'ES256',
+  'EdDSA'
+]
+```
+<a id="enabled-jwa-client-auth-signing-alg-values-supported-values-list"></a><details><summary>(Click to expand) Supported values list
+</summary><br>
+
+```js
+[
+  'RS256', 'RS384', 'RS512',
+  'PS256', 'PS384', 'PS512',
+  'ES256', 'ES256K', 'ES384', 'ES512',
+  'EdDSA',
+  'HS256', 'HS384', 'HS512',
+]
+```
+</details>
+
 ### enabledJWA.dPoPSigningAlgValues
 
 JWS "alg" Algorithm values the provider supports to verify signed DPoP Proof JWTs with   
@@ -3401,36 +3431,6 @@ _**default value**_:
 ```
 </details>
 
-### enabledJWA.tokenEndpointAuthSigningAlgValues
-
-JWS "alg" Algorithm values the provider supports for signed JWT Client Authentication   
-  
-
-
-_**default value**_:
-```js
-[
-  'HS256',
-  'RS256',
-  'PS256',
-  'ES256',
-  'EdDSA'
-]
-```
-<a id="enabled-jwa-token-endpoint-auth-signing-alg-values-supported-values-list"></a><details><summary>(Click to expand) Supported values list
-</summary><br>
-
-```js
-[
-  'RS256', 'RS384', 'RS512',
-  'PS256', 'PS384', 'PS512',
-  'ES256', 'ES256K', 'ES384', 'ES512',
-  'EdDSA',
-  'HS256', 'HS384', 'HS512',
-]
-```
-</details>
-
 ### enabledJWA.userinfoEncryptionAlgValues
 
 JWE "alg" Algorithm values the provider supports for UserInfo Response encryption   

diff --git a/lib/actions/authorization/process_request_object.js b/lib/actions/authorization/process_request_object.js
@@ -246,7 +246,7 @@ module.exports = async function processRequestObject(PARAM_LIST, rejectDupesMidd
     await ctx.oidc.entities.PushedAuthorizationRequest.destroy();
   }
 
-  if (trusted || (pushedRequestObject && client.tokenEndpointAuthMethod !== 'none')) {
+  if (trusted || (pushedRequestObject && client.clientAuthMethod !== 'none')) {
     ctx.oidc.trusted = Object.keys(request);
   } else if (ctx.oidc.insecureRequestUri) {
     throw new InvalidRequestObject('Request Object from insecure request_uri must be signed and/or symmetrically encrypted');

diff --git a/lib/actions/discovery.js b/lib/actions/discovery.js
@@ -25,8 +25,8 @@ module.exports = function discovery(ctx, next) {
     response_types_supported: config.responseTypes,
     scopes_supported: [...config.scopes],
     subject_types_supported: [...config.subjectTypes],
-    token_endpoint_auth_methods_supported: [...config.tokenEndpointAuthMethods],
-    token_endpoint_auth_signing_alg_values_supported: config.tokenEndpointAuthSigningAlgValues,
+    token_endpoint_auth_methods_supported: [...config.clientAuthMethods],
+    token_endpoint_auth_signing_alg_values_supported: config.clientAuthSigningAlgValues,
     token_endpoint: ctx.oidc.urlFor('token'),
   };
 

diff --git a/lib/actions/grants/authorization_code.js b/lib/actions/grants/authorization_code.js
@@ -165,7 +165,7 @@ module.exports.handler = async function authorizationCodeHandler(ctx, next) {
       sid: code.sid,
     });
 
-    if (ctx.oidc.client.tokenEndpointAuthMethod === 'none') {
+    if (ctx.oidc.client.clientAuthMethod === 'none') {
       if (at.jkt) {
         rt.jkt = at.jkt;
       }

diff --git a/lib/actions/grants/ciba.js b/lib/actions/grants/ciba.js
@@ -170,7 +170,7 @@ module.exports.handler = async function cibaHandler(ctx, next) {
       sid: request.sid,
     });
 
-    if (ctx.oidc.client.tokenEndpointAuthMethod === 'none') {
+    if (ctx.oidc.client.clientAuthMethod === 'none') {
       if (at.jkt) {
         rt.jkt = at.jkt;
       }

diff --git a/lib/actions/grants/device_code.js b/lib/actions/grants/device_code.js
@@ -169,7 +169,7 @@ module.exports.handler = async function deviceCodeHandler(ctx, next) {
       sid: code.sid,
     });
 
-    if (ctx.oidc.client.tokenEndpointAuthMethod === 'none') {
+    if (ctx.oidc.client.clientAuthMethod === 'none') {
       if (at.jkt) {
         rt.jkt = at.jkt;
       }

diff --git a/lib/consts/jwa.js b/lib/consts/jwa.js
@@ -24,7 +24,7 @@ const encryptionEncValues = [
 ];
 
 module.exports = {
-  tokenEndpointAuthSigningAlgValues: [...signingAlgValues],
+  clientAuthSigningAlgValues: [...signingAlgValues],
 
   idTokenSigningAlgValues: [...signingAlgValues, 'none'],
   requestObjectSigningAlgValues: [...signingAlgValues, 'none'],

diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -59,7 +59,7 @@ module.exports = function getSchema(provider) {
     RECOGNIZED_METADATA.push('tls_client_auth_san_email');
   }
 
-  if (configuration.tokenEndpointAuthSigningAlgValues) {
+  if (configuration.clientAuthSigningAlgValues) {
     RECOGNIZED_METADATA.push('token_endpoint_auth_signing_alg');
   }
 
@@ -177,14 +177,14 @@ module.exports = function getSchema(provider) {
         }
       }
 
-      return configuration.tokenEndpointAuthMethods;
+      return configuration.clientAuthMethods;
     },
     token_endpoint_auth_signing_alg: ({ token_endpoint_auth_method: method }) => {
       switch (method) {
         case 'private_key_jwt':
-          return configuration.tokenEndpointAuthSigningAlgValues.filter((x) => !x.startsWith('HS'));
+          return configuration.clientAuthSigningAlgValues.filter((x) => !x.startsWith('HS'));
         case 'client_secret_jwt':
-          return configuration.tokenEndpointAuthSigningAlgValues.filter((x) => x.startsWith('HS'));
+          return configuration.clientAuthSigningAlgValues.filter((x) => x.startsWith('HS'));
         default:
           return [];
       }

diff --git a/lib/helpers/configuration.js b/lib/helpers/configuration.js
@@ -89,7 +89,7 @@ class Configuration {
 
   ensureSets() {
     [
-      'scopes', 'subjectTypes', 'extraParams', 'acrValues', 'tokenEndpointAuthMethods', 'features.ciba.deliveryModes',
+      'scopes', 'subjectTypes', 'extraParams', 'acrValues', 'clientAuthMethods', 'features.ciba.deliveryModes',
     ].forEach((prop) => {
       if (!(get(this, prop) instanceof Set)) {
         if (!Array.isArray(get(this, prop))) {
@@ -268,22 +268,22 @@ class Configuration {
 
     this.setAlgs('dPoPSigningAlgValues', allowList.dPoPSigningAlgValues.slice(), 'dPoP.enabled');
 
-    this.tokenEndpointAuthSigningAlgValues = this.enabledJWA.tokenEndpointAuthSigningAlgValues;
+    this.clientAuthSigningAlgValues = this.enabledJWA.clientAuthSigningAlgValues;
 
-    if (!this.tokenEndpointAuthMethods.has('client_secret_jwt')) {
-      remove(this.tokenEndpointAuthSigningAlgValues, filterHS);
-    } else if (!this.tokenEndpointAuthSigningAlgValues.find(filterHS)) {
-      this.tokenEndpointAuthMethods.delete('client_secret_jwt');
+    if (!this.clientAuthMethods.has('client_secret_jwt')) {
+      remove(this.clientAuthSigningAlgValues, filterHS);
+    } else if (!this.clientAuthSigningAlgValues.find(filterHS)) {
+      this.clientAuthMethods.delete('client_secret_jwt');
     }
 
-    if (!this.tokenEndpointAuthMethods.has('private_key_jwt')) {
-      remove(this.tokenEndpointAuthSigningAlgValues, filterAsymmetricSig);
-    } else if (!this.tokenEndpointAuthSigningAlgValues.find(filterAsymmetricSig)) {
-      this.tokenEndpointAuthMethods.delete('private_key_jwt');
+    if (!this.clientAuthMethods.has('private_key_jwt')) {
+      remove(this.clientAuthSigningAlgValues, filterAsymmetricSig);
+    } else if (!this.clientAuthSigningAlgValues.find(filterAsymmetricSig)) {
+      this.clientAuthMethods.delete('private_key_jwt');
     }
 
-    if (!this.tokenEndpointAuthSigningAlgValues.length) {
-      this.tokenEndpointAuthSigningAlgValues = undefined;
+    if (!this.clientAuthSigningAlgValues.length) {
+      this.clientAuthSigningAlgValues = undefined;
     }
   }
 
@@ -421,10 +421,10 @@ class Configuration {
       authMethods.add('self_signed_tls_client_auth');
     }
 
-    if (this.tokenEndpointAuthMethods) {
-      this.tokenEndpointAuthMethods.forEach((method) => {
+    if (this.clientAuthMethods) {
+      this.clientAuthMethods.forEach((method) => {
         if (!authMethods.has(method)) {
-          throw new TypeError(`only supported tokenEndpointAuthMethods are ${formatters.formatList([...authMethods])}`);
+          throw new TypeError(`only supported clientAuthMethods are ${formatters.formatList([...authMethods])}`);
         }
       });
     }