fixing some todos

admin/proto/admin.proto

@@ -86,6 +86,7 @@ message CompleteLoginReply {
 message ConfirmConsentRequest {
   string interactionId = 1;
   repeated string scopes = 2;
+  repeated string rejected_claims = 3;
 }
 
 message ConfirmConsentReply {

admin/src/interaction.rs

@@ -151,6 +151,7 @@ impl InteractionService for InteractionServiceImpl {
                 &self.authorisation_service,
                 interaction_id,
                 scopes,
+                request.rejected_claims.into_iter().collect(),
                 txn.clone(),
             )
             .await

core/src/authorisation_request.rs

@@ -58,7 +58,7 @@ impl ValidatedAuthorisationRequest {
             .cloned()
             .unwrap_or_else(|| response_type.default_response_mode());
         if is_jarm_enabled {
-            //todo:server or client should enable jarm??
+            //TODO: server or client should enable jarm??
             response_mode.upgrade(response_type)
         } else {
             response_mode

core/src/claims.rs

@@ -1,4 +1,4 @@
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 
 use serde_json::Value;
 
@@ -12,12 +12,12 @@ use crate::profile::ProfileData;
 pub(crate) fn get_id_token_claims<'a>(
     profile: &'a ProfileData,
     requested_claims: Option<&'a Claims>,
+    rejected_claims: &HashSet<String>,
 ) -> Result<HashMap<&'a str, &'a Value>, OpenIdError> {
-    //TODO: make possible to filter rejected claims
     let mut claims = HashMap::new();
     if let Some(requested_claims) = requested_claims {
         let id_token_claims = &requested_claims.id_token;
-        let filtered = filter_claims(profile, id_token_claims)?;
+        let filtered = filter_claims(profile, id_token_claims, rejected_claims)?;
         claims.extend(filtered);
     };
 
@@ -28,15 +28,15 @@ pub(crate) fn get_userinfo_claims<'a>(
     provider: &'a OpenIDProviderConfiguration,
     profile: &'a ProfileData,
     requested_claims: Option<&'a Claims>,
+    rejected_claims: &HashSet<String>,
     scopes: Option<&'a Scopes>,
 ) -> Result<HashMap<&'a str, &'a Value>, OpenIdError> {
-    //TODO: make possible to filter rejected claims
     let mut claims = scopes
         .map(|it| profile.claims(provider, it))
         .unwrap_or_default();
     if let Some(requested_claims) = requested_claims {
         let userinfo_claims = &requested_claims.userinfo;
-        let filtered = filter_claims(profile, userinfo_claims)?;
+        let filtered = filter_claims(profile, userinfo_claims, rejected_claims)?;
         claims.extend(filtered);
     };
     Ok(claims)
@@ -45,10 +45,16 @@ pub(crate) fn get_userinfo_claims<'a>(
 fn filter_claims<'a, 'b>(
     profile: &'a ProfileData,
     requested_claims: &'b HashMap<String, Option<ClaimOptions>>,
+    rejected_claims: &HashSet<String>,
 ) -> Result<HashMap<&'b str, &'a Value>, OpenIdError> {
     let mut claims = HashMap::new();
     if !requested_claims.is_empty() {
         for (claim, options) in requested_claims {
+            if rejected_claims.contains(claim) {
+                return Err(OpenIdError::invalid_grant(
+                    "Requested claims are not allowed",
+                ));
+            }
             if let Some(claim_value) = profile.claim(claim.as_str()) {
                 match options {
                     Some(options) if !options.validate(claim_value) => {

core/src/configuration/provider.rs

@@ -78,6 +78,9 @@ pub struct OpenIDProviderConfiguration {
     #[getset(skip)]
     #[get_copy = "pub"]
     jwt_secure_response_mode: bool,
+    #[getset(skip)]
+    #[get_copy = "pub"]
+    jwt_response_mode_exp: Duration,
     issuer: Issuer,
     grant_types_supported: Vec<GrantType>,
     scopes_supported: Scopes,
@@ -135,6 +138,9 @@ pub struct OpenIDProviderConfiguration {
     #[builder(setter(skip))]
     pairwise_resolver: PairwiseResolver,
     mtls: MTLSConfiguration,
+    #[getset(skip)]
+    #[get_copy = "pub"]
+    session_signing_key: [u8; 32],
 }
 
 impl OpenIDProviderConfigurationBuilder {
@@ -213,6 +219,7 @@ impl Default for OpenIDProviderConfiguration {
             ],
             response_modes_supported: vec![ResponseMode::Query, ResponseMode::Fragment],
             jwt_secure_response_mode: false,
+            jwt_response_mode_exp: Duration::minutes(5),
             issuer: Issuer::new(DEFAULT_ISSUER),
             scopes_supported: scopes!("openid"),
             grant_types_supported: vec![
@@ -372,6 +379,7 @@ impl Default for OpenIDProviderConfiguration {
             ],
             pairwise_resolver: PairwiseResolver::default(),
             mtls: MTLSConfiguration::default(),
+            session_signing_key: [0; 32],
         }
     }
 }

core/src/grant_type/authorization_code.rs

@@ -108,7 +108,8 @@ impl AuthorisationCodeGrantResolver {
             let profile = ProfileData::get(&self.provider, &grant, client.as_ref())
                 .await
                 .map_err(OpenIdError::server_error)?;
-            let claims = get_id_token_claims(&profile, grant.claims().as_ref())?;
+            let claims =
+                get_id_token_claims(&profile, grant.claims().as_ref(), grant.rejected_claims())?;
 
             let alg = client.id_token_signing_alg();
             let keystore = self.keystore_service.server_keystore(client.as_ref(), alg);

core/src/grant_type/refresh_token.rs

@@ -115,7 +115,8 @@ impl RefreshTokenGrantResolver {
             let profile = ProfileData::get(&self.provider, &grant, client.as_ref())
                 .await
                 .map_err(OpenIdError::server_error)?;
-            let claims = get_id_token_claims(&profile, grant.claims().as_ref())?;
+            let claims =
+                get_id_token_claims(&profile, grant.claims().as_ref(), grant.rejected_claims())?;
 
             let alg = client.id_token_signing_alg();
             let keystore = self.keystore_service.server_keystore(client.as_ref(), alg);

core/src/response_mode/encoder/jwt.rs

@@ -2,7 +2,6 @@ use indexmap::IndexMap;
 use josekit::jws::JwsHeader;
 use josekit::jwt::JwtPayload;
 use josekit::Value;
-use time::Duration;
 
 use oidc_types::jose::jws::JwsHeaderExt;
 use oidc_types::jose::jwt2::{SignedJWT, JWT};
@@ -16,8 +15,6 @@ use crate::response_mode::encoder::EncodingContext;
 use crate::response_mode::encoder::{AuthorisationResult, ResponseModeEncoder};
 use crate::response_mode::error::{Error, Result};
 
-const EXP_IN_MINUTES: i64 = 5i64;
-
 pub(crate) struct JwtEncoder;
 
 impl ResponseModeEncoder for JwtEncoder {
@@ -65,7 +62,7 @@ impl JwtEncoder {
         let mut payload = JwtPayload::new();
         payload.set_issuer(provider.issuer());
         payload.set_audience(vec![context.client.id().to_string()]);
-        let exp = clock.now() + Duration::minutes(EXP_IN_MINUTES); //TODO: review this exp
+        let exp = clock.now() + provider.jwt_response_mode_exp();
         payload.set_expires_at(&exp.into());
         for (key, value) in parameters {
             payload

core/src/response_type/resolver/id_token.rs

@@ -55,7 +55,11 @@ impl ResponseTypeResolver for IDTokenResolver<'_> {
         let profile = ProfileData::get(context.provider, &context.grant, &context.client)
             .await
             .map_err(OpenIdError::server_error)?;
-        let claims = get_id_token_claims(&profile, context.grant.claims().as_ref())?;
+        let claims = get_id_token_claims(
+            &profile,
+            context.grant.claims().as_ref(),
+            context.grant.rejected_claims(),
+        )?;
 
         let ttl = context.provider.ttl();
 

core/src/services/interaction.rs

@@ -141,6 +141,7 @@ impl InteractionService {
         auth_service: &AuthorisationService<R>,
         interaction_id: Uuid,
         scopes: Scopes,
+        rejected_claims: HashSet<String>,
         txn: TransactionId,
     ) -> Result<Url, InteractionError>
     where
@@ -172,7 +173,7 @@ impl InteractionService {
                     .auth_time(user.auth_time())
                     .max_age(request.max_age)
                     .redirect_uri(request.redirect_uri.clone())
-                    .rejected_claims(HashSet::new()) //todo: implement rejected claims
+                    .rejected_claims(rejected_claims)
                     .claims(claims)
                     .build()
                     .map_err(|err| Internal(err.into()))?;

core/src/services/userinfo.rs

@@ -49,6 +49,7 @@ impl UserInfoService {
             &self.provider,
             &profile,
             grant.claims().as_ref(),
+            grant.rejected_claims(),
             at.scopes(),
         )?
         .into_iter()

example/src/main.rs

@@ -286,6 +286,7 @@ async fn consent(
     let request = GrpcRequest::new(ConfirmConsentRequest {
         interaction_id,
         scopes: interaction_info.request.unwrap().scopes,
+        rejected_claims: vec![],
     });
     let res = interaction_client
         .confirm_consent(request)

server/src/routes/discovery.rs

@@ -41,7 +41,7 @@ pub async fn discovery<'a>(
             provider.token_endpoint_auth_signing_alg_values_supported(),
         )
         .introspection_endpoint(url(issuer, routes.introspect))
-        .introspection_endpoint_auth_methods_supported(
+        .introspection_endpoint_auth_method_supported(
             provider.token_endpoint_auth_methods_supported(),
         )
         .introspection_endpoint_auth_signing_alg_values_supported(
@@ -64,7 +64,9 @@ pub async fn discovery<'a>(
         )
         .claim_types_supported(provider.claim_types_supported().as_ref())
         .claims_parameter_supported(provider.claims_parameter_supported())
-        .tls_client_certificate_bound_access_tokens(false) //todo: implement mtls
+        .tls_client_certificate_bound_access_tokens(
+            provider.mtls().certificate_bound_access_token(),
+        )
         .request_parameter_supported(provider.request_object().request)
         .request_uri_parameter_supported(provider.request_object().request_uri)
         .require_request_uri_registration(provider.request_object().require_uri_registration)

server/src/routes/mod.rs

@@ -47,6 +47,6 @@ pub(crate) fn oidc_router(
             .add_extension(provider.clone())
             .layer(TraceLayer::new_for_http())
             .layer(CookieManagerLayer::new())
-            .layer(SessionManagerLayer::signed(&[0; 32])), //TODO: key configuration
+            .layer(SessionManagerLayer::signed(&provider.session_signing_key())),
     )
 }

types/src/discovery.rs

@@ -26,7 +26,7 @@ pub struct OIDCProviderMetadata<'a> {
     token_endpoint_auth_methods_supported: &'a Vec<AuthMethod>,
     introspection_endpoint: Url,
     introspection_endpoint_auth_signing_alg_values_supported: &'a Vec<SigningAlgorithm>,
-    introspection_endpoint_auth_methods_supported: &'a Vec<AuthMethod>,
+    introspection_endpoint_auth_method_supported: &'a Vec<AuthMethod>,
     userinfo_endpoint: Url,
     userinfo_signing_alg_values_supported: &'a Vec<SigningAlgorithm>,
     response_types_supported: &'a Vec<ResponseType>,