feat: add a helper allowing custom claims parameter validations

panva · Jan 16, 2024 · ec2a1f5 · ec2a1f5
1 parent 53babe6
commit ec2a1f5
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 2 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -831,10 +831,30 @@ Enables the use and validations of `claims` parameter as described in the specif
 _**default value**_:
 ```js
 {
+  assertClaimsParameter: [AsyncFunction: assertClaimsParameter], // see expanded details below
   enabled: false
 }
 ```
 
+<details><summary>(Click to expand) features.claimsParameter options details</summary><br>
+
+
+#### assertClaimsParameter
+
+Helper function used to validate the claims parameter beyond what the OpenID Connect 1.0 specification requires.  
+
+
+_**default value**_:
+```js
+async function assertClaimsParameter(ctx, claims, client) {
+  // @param ctx - koa request context
+  // @param claims - parsed claims parameter
+  // @param client - the Client instance
+}
+```
+
+</details>
+
 ### features.clientCredentials
 
 [`RFC6749`](https://www.rfc-editor.org/rfc/rfc6749.html#section-1.3.4) - Client Credentials  

diff --git a/lib/actions/authorization/check_claims.js b/lib/actions/authorization/check_claims.js
@@ -13,7 +13,7 @@ import isPlainObject from '../../helpers/_/is_plain_object.js';
  *
  * Merges requested claims with acr as requested if acr_values is provided
  */
-export default function checkClaims(ctx, next) {
+export default async function checkClaims(ctx, next) {
   const { params } = ctx.oidc;
 
   if (params.claims !== undefined) {
@@ -55,6 +55,12 @@ export default function checkClaims(ctx, next) {
       if (params.response_type === 'id_token' && claims.userinfo) {
         throw new InvalidRequest('claims.userinfo should not be used if access_token is not issued');
       }
+
+      await claimsParameter.assertClaimsParameter?.(
+        ctx,
+        claims,
+        ctx.oidc.client,
+      );
     }
   }
 

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -544,6 +544,12 @@ async function triggerAuthenticationDevice(ctx, request, account, client) {
   throw new Error('features.ciba.triggerAuthenticationDevice not implemented');
 }
 
+async function assertClaimsParameter(ctx, claims, client) {
+  // @param ctx - koa request context
+  // @param claims - parsed claims parameter
+  // @param client - the Client instance
+}
+
 async function assertJwtClaimsAndHeader(ctx, claims, header, client) {
   // @param ctx - koa request context
   // @param claims - parsed Request Object JWT Claims Set as object
@@ -1153,7 +1159,16 @@ function makeDefaults() {
        * specification.
        *
        */
-      claimsParameter: { enabled: false },
+      claimsParameter: {
+        enabled: false,
+
+        /**
+         * features.claimsParameter.assertClaimsParameter
+         *
+         * description: Helper function used to validate the claims parameter beyond what the OpenID Connect 1.0 specification requires.
+         */
+        assertClaimsParameter,
+      },
 
       /*
        * features.clientCredentials