From cd7e0f4a8e7b847ab3ada8af7a4ffaecfcdcfe0f Mon Sep 17 00:00:00 2001 From: Filip Skokan Date: Tue, 26 Mar 2024 11:22:04 +0100 Subject: [PATCH] fix(DPoP,mTLS): reject client configuration in which binding is required but response types include an implicit token response --- lib/helpers/client_schema.js | 12 ++++++++---- test/configuration/client_metadata.test.js | 4 ++++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js index fdea4be09..e8cf62ae5 100644 --- a/lib/helpers/client_schema.js +++ b/lib/helpers/client_schema.js @@ -273,14 +273,18 @@ export default function getSchema(provider) { } { - const { length } = [ - this.tls_client_certificate_bound_access_tokens, - this.dpop_bound_access_tokens, - ].filter(Boolean); + const { 0: pop, length } = [ + 'tls_client_certificate_bound_access_tokens', + 'dpop_bound_access_tokens', + ].filter((conf) => this[conf]); if (length > 1) { this.invalidate('only one proof of possession mechanism can be made required at a time'); } + + if (length !== 0 && responseTypes.includes('token')) { + this.invalidate(`response_types must not include "token" when ${pop} is used`); + } } { diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js index c54c3fdf6..c66177dde 100644 --- a/test/configuration/client_metadata.test.js +++ b/test/configuration/client_metadata.test.js @@ -1554,6 +1554,7 @@ describe('Client metadata validation', () => { enabled: true, }, }, + responseTypes: ['code', 'code token'], }; mustBeBoolean(this.title, undefined, configuration); mustBeBoolean(this.title, undefined, configuration); 
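Review bot: The new `if (length !== 0 && responseTypes.includes('token'))` branch in lib/helpers/client_schema.js should carry a why-comment, because nothing in the hunk explains why an implicit `token` response type conflicts with a required binding; something like `// access tokens issued straight from the authorization endpoint cannot be bound to a DPoP key or a client certificate, so a required binding would go unenforced for them` above the check would make the intent clear to the next maintainer. `responseTypes` is declared outside the hunk; the tests in this patch reject `'code token'`, which suggests it is the flattened list of space-separated components, but that is worth confirming against its declaration, since a check on the raw `response_types` strings would miss composite types. `pop` is only the first matching key, so when both mechanisms are set the second message names just one of them — harmless if `this.invalidate` throws on the `length > 1` branch first, as it appears intended to. The enclosing function `getSchema` continues outside the hunk.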
@@ -1562,6 +1563,7 @@ describe('Client metadata validation', () => { ...configuration, clientDefaults: { dpop_bound_access_tokens: true }, }); + rejects(this.title, true, 'response_types must not include "token" when dpop_bound_access_tokens is used', { grant_types: ['authorization_code', 'implicit'], response_types: ['code', 'code token'] }, configuration); }); }); @@ -1842,11 +1844,13 @@ describe('Client metadata validation', () => { features: { mTLS: { enabled: true, certificateBoundAccessTokens: true }, }, + responseTypes: ['code', 'code token'], }; defaultsTo(this.title, false, undefined, configuration); defaultsTo(this.title, undefined); mustBeBoolean(this.title, undefined, configuration); + rejects(this.title, true, 'response_types must not include "token" when tls_client_certificate_bound_access_tokens is used', { grant_types: ['authorization_code', 'implicit'], response_types: ['code', 'code token'] }, configuration); }); });
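Review bot: The added `rejects` case only exercises an explicitly registered `dpop_bound_access_tokens: true`, while the `mustBeBoolean` call just above it applies the flag through `clientDefaults`; there is no `rejects` case with the same `response_types` and that defaults-based configuration, so a client that inherits the requirement from `clientDefaults` is not shown to be rejected. If the schema resolves `clientDefaults` before this validation runs, a companion `rejects` call that omits the explicit flag and passes `{ ...configuration, clientDefaults: { dpop_bound_access_tokens: true } }` as the configuration would close that gap; the mTLS hunk at 1842 has the same gap for `tls_client_certificate_bound_access_tokens`. The enclosing `describe` block starts and ends outside these hunks.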