refactor!: default JAR mode is now strict instead of lax

BREAKING CHANGE: Request Object use now defaults to its stricter definition from RFC 9101 rather than OIDC Core 1.0. This can be reverted using the `features.requestObjects.mode` configuration option.
panva · Dec 1, 2022 · cef63b6 · cef63b6
1 parent e654fe6
commit cef63b6
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 3 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -1580,7 +1580,7 @@ Enables the use and validations of the `request` and/or `request_uri` parameters
 _**default value**_:
 ```js
 {
-  mode: 'lax',
+  mode: 'strict',
   request: false,
   requestUri: true,
   requireSignedRequestObject: false,
@@ -1602,7 +1602,7 @@ defines the provider's strategy when it comes to using regular OAuth 2.0 paramet
 
 _**default value**_:
 ```js
-'lax'
+'strict'
 ```
 
 #### request

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -1766,7 +1766,7 @@ function getDefaults() {
          *   Request Object are ignored. For FAPI and FAPI-CIBA this value is enforced.
          *
          */
-        mode: 'lax',
+        mode: 'strict',
       },
 
       /*

diff --git a/test/encryption/encryption.test.js b/test/encryption/encryption.test.js
@@ -485,6 +485,7 @@ describe('encryption', () => {
           const client = await this.provider.Client.find('clientSymmetric');
           const signed = await JWT.sign({
             client_id: 'clientSymmetric',
+            scope: 'openid',
             response_type: 'id_token',
             nonce: 'foobar',
             redirect_uri: 'https://client.example.com/cb',
@@ -578,6 +579,7 @@ describe('encryption', () => {
           const client = await this.provider.Client.find('clientSymmetric');
           const signed = await JWT.sign({
             client_id: 'clientSymmetric-dir',
+            scope: 'openid',
             response_type: 'id_token',
             nonce: 'foobar',
             redirect_uri: 'https://client.example.com/cb',

diff --git a/test/request/jwt_request.test.js b/test/request/jwt_request.test.js
@@ -326,6 +326,7 @@ describe('request parameter features', () => {
         await JWT.sign({
           client_id: 'client',
           response_type: 'code',
+          scope: 'openid',
           redirect_uri: 'https://client.example.com/cb',
           max_age: 300,
         }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
@@ -387,6 +388,7 @@ describe('request parameter features', () => {
           client_id: 'client',
           response_type: 'code',
           redirect_uri: 'https://client.example.com/cb',
+          scope: 'openid',
           claims,
         }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
           agent: this.agent,
@@ -417,6 +419,7 @@ describe('request parameter features', () => {
           response_type: 'code',
           redirect_uri: 'https://client.example.com/cb',
           claims: { id_token: { email: null } },
+          scope: 'openid',
         }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
           agent: this.agent,
           route,
@@ -444,6 +447,7 @@ describe('request parameter features', () => {
         return JWT.sign({
           iat: Math.ceil(Date.now() / 1000) + 5,
           client_id: 'client-with-HS-sig',
+          scope: 'openid',
           response_type: 'code',
           redirect_uri: 'https://client.example.com/cb',
         }, key, 'HS256', { issuer: 'client-with-HS-sig', audience: this.provider.issuer }).then((request) => this.wrap({
@@ -467,6 +471,7 @@ describe('request parameter features', () => {
         key = await importJWK(key);
         return JWT.sign({
           client_id: 'client-with-HS-sig',
+          scope: 'openid',
           response_type: 'code',
           redirect_uri: 'https://client.example.com/cb',
         }, key, 'HS256', { issuer: 'client-with-HS-sig', audience: this.provider.issuer }).then((request) => this.wrap({
@@ -524,8 +529,10 @@ describe('request parameter features', () => {
         key = await importJWK(key);
 
         const request = await JWT.sign({
+          client_id: 'client-with-HS-sig',
           response_type: 'code',
           redirect_uri: 'https://client.example.com/cb',
+          scope: 'openid',
           jti: `very-random-and-collision-resistant-${index}`,
         }, key, 'HS256', { issuer: 'client-with-HS-sig', audience: this.provider.issuer, expiresIn: 30 });
 
@@ -633,6 +640,7 @@ describe('request parameter features', () => {
             client_id: 'client',
             response_type: 'code',
             response_mode: 'fragment',
+            scope: 'openid',
             redirect_uri: 'https://client.example.com/cb',
           }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
             agent: this.agent,
@@ -834,6 +842,7 @@ describe('request parameter features', () => {
 
         return JWT.sign({
           client_id: 'client-with-HS-sig',
+          scope: 'openid',
           response_type: 'code',
           redirect_uri: 'https://client.example.com/cb',
         }, Buffer.from('secret'), 'HS512', { issuer: 'client-with-HS-sig', audience: this.provider.issuer }).then((request) => this.wrap({
@@ -950,6 +959,7 @@ describe('request parameter features', () => {
           client_id: 'client-with-HS-sig',
           unrecognized: true,
           response_type: 'code',
+          scope: 'openid',
           redirect_uri: 'https://client.example.com/cb',
         }, key, 'HS256', { issuer: 'client-with-HS-sig', audience: this.provider.issuer }).then((request) => this.wrap({
           agent: this.agent,

diff --git a/test/request/uri_request.test.js b/test/request/uri_request.test.js
@@ -70,6 +70,7 @@ describe('request Uri features', () => {
         let [key] = client.symmetricKeyStore.selectForSign({ alg: 'HS256' });
         key = await importJWK(key);
         const request = await JWT.sign({
+          scope: 'openid',
           client_id: 'client-with-HS-sig',
           response_type: 'code',
           redirect_uri: 'https://client.example.com/cb',
@@ -99,6 +100,7 @@ describe('request Uri features', () => {
         let [key] = client.symmetricKeyStore.selectForSign({ alg: 'HS256' });
         key = await importJWK(key);
         const request = await JWT.sign({
+          scope: 'openid',
           client_id: 'client-with-HS-sig',
           response_type: 'code',
           redirect_uri: 'https://client.example.com/cb',
@@ -161,6 +163,7 @@ describe('request Uri features', () => {
         it('checks the allow list', async function () {
           const request = await JWT.sign({
             client_id: 'client',
+            scope: 'openid',
             response_type: 'code',
             redirect_uri: 'https://client.example.com/cb',
           }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer });
@@ -187,6 +190,7 @@ describe('request Uri features', () => {
         it('allows for fragments to be provided', async function () {
           const request = await JWT.sign({
             client_id: 'client',
+            scope: 'openid',
             response_type: 'code',
             redirect_uri: 'https://client.example.com/cb',
           }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer });
-Original file line number
+Diff line change
@@ Expand Up / @@ -1766,7 +1766,7 @@ function getDefaults() { @@
              *   Request Object are ignored. For FAPI and FAPI-CIBA this value is enforced.
              *
              */
-            mode: 'lax',
+            mode: 'strict',
           },
           /*
@@ Expand Down @@