fix: ignore secret and expiration timestamp on dynamic create edge case

panva · Aug 27, 2019 · d532fb2 · d532fb2
1 parent e3fa143
commit d532fb2
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/lib/actions/registration.js b/lib/actions/registration.js
@@ -108,7 +108,13 @@ module.exports = {
 
       if (secretRequired) {
         Object.assign(properties, {
-          client_secret: secretFactory(), client_secret_expires_at: 0,
+          client_secret: secretFactory(),
+          client_secret_expires_at: 0,
+        });
+      } else {
+        Object.assign(properties, {
+          client_secret: undefined,
+          client_secret_expires_at: undefined,
         });
       }
 

diff --git a/test/dynamic_registration/dynamic_registration.test.js b/test/dynamic_registration/dynamic_registration.test.js
@@ -53,6 +53,23 @@ describe('registration features', () => {
         });
     });
 
+    it('omits the client_secret generation when it is not needed and in doing so ignores provided client_secret and client_secret_expires_at', function () {
+      return this.agent.post('/reg')
+        .send({
+          token_endpoint_auth_method: 'none',
+          redirect_uris: ['https://client.example.com/cb'],
+          response_types: ['id_token'],
+          grant_types: ['implicit'],
+          client_secret: 'foo',
+          client_secret_expires_at: 123,
+        })
+        .expect(201)
+        .expect((response) => {
+          expect(response.body).not.to.have.property('client_secret');
+          expect(response.body).not.to.have.property('client_secret_expires_at');
+        });
+    });
+
     it('issues the client_secret when needed for sig', function () {
       return this.agent.post('/reg')
         .send({