fix(DPoP,mTLS): reject client configuration in which binding is requi…

…red but response types include an implicit token response
panva · Mar 26, 2024 · cd7e0f4 · cd7e0f4
1 parent 1b073c0
commit cd7e0f4
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -273,14 +273,18 @@ export default function getSchema(provider) {
       }
 
       {
-        const { length } = [
-          this.tls_client_certificate_bound_access_tokens,
-          this.dpop_bound_access_tokens,
-        ].filter(Boolean);
+        const { 0: pop, length } = [
+          'tls_client_certificate_bound_access_tokens',
+          'dpop_bound_access_tokens',
+        ].filter((conf) => this[conf]);
 
         if (length > 1) {
           this.invalidate('only one proof of possession mechanism can be made required at a time');
         }
+
+        if (length !== 0 && responseTypes.includes('token')) {
+          this.invalidate(`response_types must not include "token" when ${pop} is used`);
+        }
       }
 
       {

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -1554,6 +1554,7 @@ describe('Client metadata validation', () => {
             enabled: true,
           },
         },
+        responseTypes: ['code', 'code token'],
       };
       mustBeBoolean(this.title, undefined, configuration);
       mustBeBoolean(this.title, undefined, configuration);
@@ -1562,6 +1563,7 @@ describe('Client metadata validation', () => {
         ...configuration,
         clientDefaults: { dpop_bound_access_tokens: true },
       });
+      rejects(this.title, true, 'response_types must not include "token" when dpop_bound_access_tokens is used', { grant_types: ['authorization_code', 'implicit'], response_types: ['code', 'code token'] }, configuration);
     });
   });
 
@@ -1842,11 +1844,13 @@ describe('Client metadata validation', () => {
         features: {
           mTLS: { enabled: true, certificateBoundAccessTokens: true },
         },
+        responseTypes: ['code', 'code token'],
       };
 
       defaultsTo(this.title, false, undefined, configuration);
       defaultsTo(this.title, undefined);
       mustBeBoolean(this.title, undefined, configuration);
+      rejects(this.title, true, 'response_types must not include "token" when tls_client_certificate_bound_access_tokens is used', { grant_types: ['authorization_code', 'implicit'], response_types: ['code', 'code token'] }, configuration);
     });
   });