
fix: clientDefaults is now used in resolving defaults of some edge props
It can, for instance, control the default `request_uris`, `web_message_uris`
and `tls_client_certificate_bound_access_tokens` values, as well as the
`introspection_*` and `revocation_*` properties, which follow their
`token_*` values when not defined.
panva committed Jun 18, 2019
1 parent 9ce95b3 commit e7bcfd2
Showing 3 changed files with 33 additions and 5 deletions.
10 changes: 5 additions & 5 deletions lib/helpers/client_schema.js
Expand Up @@ -55,7 +55,7 @@ module.exports = function getSchema(provider) {
DEFAULT.subject_type = 'pairwise';
}

const tlsClientAuthEnabled = ['token', 'revocation', 'introspection']
const tlsClientAuthEnabled = clientAuthEndpoints
.find(endpoint => configuration[`${endpoint}EndpointAuthMethods`].has('tls_client_auth'));

if (tlsClientAuthEnabled) {
Expand Down Expand Up @@ -115,7 +115,7 @@ module.exports = function getSchema(provider) {
RECOGNIZED_METADATA.push('request_uris');

if (features.requestUri.requireUriRegistration) {
DEFAULT.request_uris = [];
DEFAULT.request_uris = 'request_uris' in configuration.clientDefaults ? configuration.clientDefaults.request_uris : [];
}
}

Expand All @@ -136,12 +136,12 @@ module.exports = function getSchema(provider) {

if (features.webMessageResponseMode.enabled) {
RECOGNIZED_METADATA.push('web_message_uris');
DEFAULT.web_message_uris = [];
DEFAULT.web_message_uris = 'web_message_uris' in configuration.clientDefaults ? configuration.clientDefaults.web_message_uris : [];
}

if (features.certificateBoundAccessTokens.enabled) {
RECOGNIZED_METADATA.push('tls_client_certificate_bound_access_tokens');
DEFAULT.tls_client_certificate_bound_access_tokens = false;
DEFAULT.tls_client_certificate_bound_access_tokens = 'tls_client_certificate_bound_access_tokens' in configuration.clientDefaults ? configuration.clientDefaults.tls_client_certificate_bound_access_tokens : false;
}

instance(provider).RECOGNIZED_METADATA = RECOGNIZED_METADATA;
Expand Down Expand Up @@ -215,7 +215,7 @@ module.exports = function getSchema(provider) {
['revocation', 'introspection'].forEach((endpoint) => {
if (metadata[`${endpoint}_endpoint_auth_method`] === undefined) {
Object.assign(metadata, {
[`${endpoint}_endpoint_auth_method`]: metadata.token_endpoint_auth_method || 'client_secret_basic',
[`${endpoint}_endpoint_auth_method`]: metadata.token_endpoint_auth_method || configuration.clientDefaults.token_endpoint_auth_method,
});
}
if (metadata[`${endpoint}_endpoint_auth_signing_alg`] === undefined && metadata.token_endpoint_auth_signing_alg) {
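Review bot: The new fallback `metadata.token_endpoint_auth_method || configuration.clientDefaults.token_endpoint_auth_method` in the last hunk drops the previous literal `'client_secret_basic'`, so if an operator-supplied `clientDefaults` has no `token_endpoint_auth_method` the derived introspection/revocation auth method becomes `undefined` instead of a concrete value. Presumably the Configuration class merges built-in defaults into `clientDefaults` before this schema is built, in which case a one-line comment stating that invariant would help: `// clientDefaults.token_endpoint_auth_method is always populated by Configuration`. If that is not guaranteed, keep the literal as the last resort: `metadata.token_endpoint_auth_method || configuration.clientDefaults.token_endpoint_auth_method || 'client_secret_basic'`. The three near-identical `'prop' in configuration.clientDefaults ? configuration.clientDefaults.prop : fallback` ternaries in the earlier hunks of this file would read better through one small local helper taking the property name and fallback. Both getSchema and the forEach callback extend beyond the hunk.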
12 changes: 12 additions & 0 deletions lib/helpers/configuration.js
Expand Up @@ -36,6 +36,17 @@ function authEndpointDefaults(config) {
});
}

function clientAuthDefaults(clientDefaults) {
['token_endpoint_auth_method', 'token_endpoint_auth_signing_alg'].forEach((prop) => {
['introspection', 'revocation'].forEach((endpoint) => {
const endpointProp = prop.replace('token_', `${endpoint}_`);
if (clientDefaults[prop] && !clientDefaults[endpointProp]) {
set(clientDefaults, endpointProp, get(clientDefaults, prop));
}
});
});
}

function filterHS(alg) {
return alg.startsWith('HS');
}
Expand Down Expand Up @@ -67,6 +78,7 @@ module.exports = class Configuration {

return undefined;
});
clientAuthDefaults(this.clientDefaults);

this.ensureMaps();
this.ensureSets();
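Review bot: `clientAuthDefaults` has no doc comment and mixes `get`/`set` calls (imported outside the hunk, presumably lodash) with plain bracket reads (`clientDefaults[prop]`) for the same flat keys, while the guard `clientDefaults[prop] && !clientDefaults[endpointProp]` treats any falsy value as unset. A header such as `// Copy token_endpoint_auth_* into the introspection_/revocation_ counterparts when the operator did not set them; mutates clientDefaults in place.` would make the contract explicit, and for flat keys a direct `clientDefaults[endpointProp] = clientDefaults[prop];` avoids the path-parsing helpers. The value is copied without consulting the target endpoint's `introspectionEndpointAuthMethods`/`revocationEndpointAuthMethods` sets, so an operator default that is valid for the token endpoint but disabled for introspection or revocation is inherited here silently; presumably the client schema rejects it later, but that is worth confirming. The Configuration constructor that calls this at `clientAuthDefaults(this.clientDefaults);` starts and ends outside the hunk.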
16 changes: 16 additions & 0 deletions test/configuration/client_metadata.test.js
Expand Up @@ -1038,6 +1038,22 @@ describe('Client metadata validation', () => {
token_endpoint_auth_method: 'client_secret_post',
},
});
defaultsTo('introspection_endpoint_auth_method', 'client_secret_post', undefined, {
features: {
introspection: { enabled: true },
},
clientDefaults: {
token_endpoint_auth_method: 'client_secret_post',
},
});
defaultsTo('introspection_endpoint_auth_signing_alg', 'HS384', { token_endpoint_auth_method: 'client_secret_jwt' }, {
features: {
introspection: { enabled: true },
},
clientDefaults: {
token_endpoint_auth_signing_alg: 'HS384',
},
});
defaultsTo('id_token_signed_response_alg', 'PS256', undefined, {
clientDefaults: {
id_token_signed_response_alg: 'PS256',
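Review bot: The two new `defaultsTo` cases only cover inheritance when the `introspection_*` value is absent from `clientDefaults`; nothing checks the precedence branch where `clientDefaults` sets both `token_endpoint_auth_method` and `introspection_endpoint_auth_method`, so the `!clientDefaults[endpointProp]` guard in `clientAuthDefaults` is untested, and the `revocation_*` properties are not exercised at all. A case such as `defaultsTo('introspection_endpoint_auth_method', 'client_secret_basic', undefined, { features: { introspection: { enabled: true } }, clientDefaults: { token_endpoint_auth_method: 'client_secret_post', introspection_endpoint_auth_method: 'client_secret_basic' } })` would pin that precedence, with a mirror for `revocation_endpoint_auth_method`. The enclosing describe block starts and ends outside the hunk.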
