fix: clientDefaults is now used in resolving defaults of some edge props

It can for instance control default `request_uris`, `web_message_uris`
as well as `tls_client_certificate_bound_access_tokens` and
`introspection_*` and `revocation_*` properties that follow their
`token_*` values when not defined

lib/helpers/client_schema.js

@@ -55,7 +55,7 @@ module.exports = function getSchema(provider) {
     DEFAULT.subject_type = 'pairwise';
   }
 
-  const tlsClientAuthEnabled = ['token', 'revocation', 'introspection']
+  const tlsClientAuthEnabled = clientAuthEndpoints
     .find(endpoint => configuration[`${endpoint}EndpointAuthMethods`].has('tls_client_auth'));
 
   if (tlsClientAuthEnabled) {
@@ -115,7 +115,7 @@ module.exports = function getSchema(provider) {
     RECOGNIZED_METADATA.push('request_uris');
 
     if (features.requestUri.requireUriRegistration) {
-      DEFAULT.request_uris = [];
+      DEFAULT.request_uris = 'request_uris' in configuration.clientDefaults ? configuration.clientDefaults.request_uris : [];
     }
   }
 
@@ -136,12 +136,12 @@ module.exports = function getSchema(provider) {
 
   if (features.webMessageResponseMode.enabled) {
     RECOGNIZED_METADATA.push('web_message_uris');
-    DEFAULT.web_message_uris = [];
+    DEFAULT.web_message_uris = 'web_message_uris' in configuration.clientDefaults ? configuration.clientDefaults.web_message_uris : [];
   }
 
   if (features.certificateBoundAccessTokens.enabled) {
     RECOGNIZED_METADATA.push('tls_client_certificate_bound_access_tokens');
-    DEFAULT.tls_client_certificate_bound_access_tokens = false;
+    DEFAULT.tls_client_certificate_bound_access_tokens = 'tls_client_certificate_bound_access_tokens' in configuration.clientDefaults ? configuration.clientDefaults.tls_client_certificate_bound_access_tokens : false;
   }
 
   instance(provider).RECOGNIZED_METADATA = RECOGNIZED_METADATA;
@@ -215,7 +215,7 @@ module.exports = function getSchema(provider) {
       ['revocation', 'introspection'].forEach((endpoint) => {
         if (metadata[`${endpoint}_endpoint_auth_method`] === undefined) {
           Object.assign(metadata, {
-            [`${endpoint}_endpoint_auth_method`]: metadata.token_endpoint_auth_method || 'client_secret_basic',
+            [`${endpoint}_endpoint_auth_method`]: metadata.token_endpoint_auth_method || configuration.clientDefaults.token_endpoint_auth_method,
           });
         }
         if (metadata[`${endpoint}_endpoint_auth_signing_alg`] === undefined && metadata.token_endpoint_auth_signing_alg) {

lib/helpers/configuration.js

@@ -36,6 +36,17 @@ function authEndpointDefaults(config) {
   });
 }
 
+function clientAuthDefaults(clientDefaults) {
+  ['token_endpoint_auth_method', 'token_endpoint_auth_signing_alg'].forEach((prop) => {
+    ['introspection', 'revocation'].forEach((endpoint) => {
+      const endpointProp = prop.replace('token_', `${endpoint}_`);
+      if (clientDefaults[prop] && !clientDefaults[endpointProp]) {
+        set(clientDefaults, endpointProp, get(clientDefaults, prop));
+      }
+    });
+  });
+}
+
 function filterHS(alg) {
   return alg.startsWith('HS');
 }
@@ -67,6 +78,7 @@ module.exports = class Configuration {
 
       return undefined;
     });
+    clientAuthDefaults(this.clientDefaults);
 
     this.ensureMaps();
     this.ensureSets();

test/configuration/client_metadata.test.js

@@ -1038,6 +1038,22 @@ describe('Client metadata validation', () => {
         token_endpoint_auth_method: 'client_secret_post',
       },
     });
+    defaultsTo('introspection_endpoint_auth_method', 'client_secret_post', undefined, {
+      features: {
+        introspection: { enabled: true },
+      },
+      clientDefaults: {
+        token_endpoint_auth_method: 'client_secret_post',
+      },
+    });
+    defaultsTo('introspection_endpoint_auth_signing_alg', 'HS384', { token_endpoint_auth_method: 'client_secret_jwt' }, {
+      features: {
+        introspection: { enabled: true },
+      },
+      clientDefaults: {
+        token_endpoint_auth_signing_alg: 'HS384',
+      },
+    });
     defaultsTo('id_token_signed_response_alg', 'PS256', undefined, {
       clientDefaults: {
         id_token_signed_response_alg: 'PS256',