From cef63b6a75abee6ea934daf62299b5457668b634 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Wed, 21 Sep 2022 14:34:59 +0200
Subject: [PATCH] refactor!: default JAR mode is now strict instead of lax

BREAKING CHANGE: Request Object use now defaults to its stricter definition from RFC 9101 rather than OIDC Core 1.0. This can be reverted using the `features.requestObjects.mode` configuration option.
---
 docs/README.md | 4 ++--
 lib/helpers/defaults.js | 2 +-
 test/encryption/encryption.test.js | 2 ++
 test/request/jwt_request.test.js | 10 ++++++++++
 test/request/uri_request.test.js | 4 ++++
 5 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/docs/README.md b/docs/README.md
index 36c94fdee..0ed72b4eb 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1580,7 +1580,7 @@ Enables the use and validations of the `request` and/or `request_uri` parameters
 _**default value**_:
 ```js
 {
- mode: 'lax',
+ mode: 'strict',
 request: false,
 requestUri: true,
 requireSignedRequestObject: false,
@@ -1602,7 +1602,7 @@ defines the provider's strategy when it comes to using regular OAuth 2.0 paramet

 _**default value**_:
 ```js
-'lax'
+'strict'
 ```

 #### request
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
index 7db38db60..66ce00a0c 100644
--- a/lib/helpers/defaults.js
+++ b/lib/helpers/defaults.js
@@ -1766,7 +1766,7 @@ function getDefaults() {
 * Request Object are ignored. For FAPI and FAPI-CIBA this value is enforced.
 *
 */
- mode: 'lax',
+ mode: 'strict',
 },

 /*
diff --git a/test/encryption/encryption.test.js b/test/encryption/encryption.test.js
index 03f2722c7..84056e38d 100644
--- a/test/encryption/encryption.test.js
+++ b/test/encryption/encryption.test.js
@@ -485,6 +485,7 @@ describe('encryption', () => {
 const client = await this.provider.Client.find('clientSymmetric');
 const signed = await JWT.sign({
 client_id: 'clientSymmetric',
+ scope: 'openid',
 response_type: 'id_token',
 nonce: 'foobar',
 redirect_uri: 'https://client.example.com/cb',
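Review bot: The JSDoc block that ends right above the changed line in lib/helpers/defaults.js (`* Request Object are ignored. For FAPI and FAPI-CIBA this value is enforced.`) is not touched, so the in-code documentation no longer states what the default is after the flip to `mode: 'strict'`, while docs/README.md in the same commit does; the start of that comment block is outside the hunk. Add a sentence to it such as `* Defaults to 'strict' (RFC 9101 semantics); set 'lax' to keep the OIDC Core 1.0 behaviour.` so the two sources stay in step. Since the test fixtures in this commit had to move `scope` (and in one case `client_id`) into the signed payload, the practical effect for deployments appears to be that clients which still send such parameters only outside the Request Object will have them disregarded under the new default — worth spelling out in that comment as well, because it is a silent authorization-request behaviour change rather than an error.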
@@ -578,6 +579,7 @@ describe('encryption', () => {
 const client = await this.provider.Client.find('clientSymmetric');
 const signed = await JWT.sign({
 client_id: 'clientSymmetric-dir',
+ scope: 'openid',
 response_type: 'id_token',
 nonce: 'foobar',
 redirect_uri: 'https://client.example.com/cb',
diff --git a/test/request/jwt_request.test.js b/test/request/jwt_request.test.js
index 7c06b88f2..2ee63083c 100644
--- a/test/request/jwt_request.test.js
+++ b/test/request/jwt_request.test.js
@@ -326,6 +326,7 @@ describe('request parameter features', () => {
 await JWT.sign({
 client_id: 'client',
 response_type: 'code',
+ scope: 'openid',
 redirect_uri: 'https://client.example.com/cb',
 max_age: 300,
 }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
@@ -387,6 +388,7 @@ describe('request parameter features', () => {
 client_id: 'client',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
+ scope: 'openid',
 claims,
 }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
 agent: this.agent,
@@ -417,6 +419,7 @@ describe('request parameter features', () => {
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
 claims: { id_token: { email: null } },
+ scope: 'openid',
 }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
 agent: this.agent,
 route,
@@ -444,6 +447,7 @@ describe('request parameter features', () => {
 return JWT.sign({
 iat: Math.ceil(Date.now() / 1000) + 5,
 client_id: 'client-with-HS-sig',
+ scope: 'openid',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
 }, key, 'HS256', { issuer: 'client-with-HS-sig', audience: this.provider.issuer }).then((request) => this.wrap({
@@ -467,6 +471,7 @@ describe('request parameter features', () => {
 key = await importJWK(key);
 return JWT.sign({
 client_id: 'client-with-HS-sig',
+ scope: 'openid',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
 }, key, 'HS256', { issuer: 'client-with-HS-sig', audience: this.provider.issuer }).then((request) => this.wrap({
@@ -524,8 +529,10 @@ describe('request parameter features', () => {

 key = await importJWK(key);
 const request = await JWT.sign({
+ client_id: 'client-with-HS-sig',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
+ scope: 'openid',
 jti: `very-random-and-collision-resistant-${index}`,
 }, key, 'HS256', { issuer: 'client-with-HS-sig', audience: this.provider.issuer, expiresIn: 30 });

@@ -633,6 +640,7 @@ describe('request parameter features', () => {
 client_id: 'client',
 response_type: 'code',
 response_mode: 'fragment',
+ scope: 'openid',
 redirect_uri: 'https://client.example.com/cb',
 }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer }).then((request) => this.wrap({
 agent: this.agent,
@@ -834,6 +842,7 @@ describe('request parameter features', () => {

 return JWT.sign({
 client_id: 'client-with-HS-sig',
+ scope: 'openid',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
 }, Buffer.from('secret'), 'HS512', { issuer: 'client-with-HS-sig', audience: this.provider.issuer }).then((request) => this.wrap({
@@ -950,6 +959,7 @@ describe('request parameter features', () => {
 client_id: 'client-with-HS-sig',
 unrecognized: true,
 response_type: 'code',
+ scope: 'openid',
 redirect_uri: 'https://client.example.com/cb',
 }, key, 'HS256', { issuer: 'client-with-HS-sig', audience: this.provider.issuer }).then((request) => this.wrap({
 agent: this.agent,
diff --git a/test/request/uri_request.test.js b/test/request/uri_request.test.js
index c243afe62..240e336b1 100644
--- a/test/request/uri_request.test.js
+++ b/test/request/uri_request.test.js
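Review bot: None of the test hunks asserts the new default behaviour itself; the @@ -524 hunk, like every other hunk in jwt_request.test.js, encryption.test.js and uri_request.test.js, only moves `scope: 'openid'` (and here also `client_id: 'client-with-HS-sig'`) into the signed payload so the existing cases keep passing, and the diffstat's 19 insertions leave no room for a new test case. A flip of a security-relevant default deserves a regression test that pins it, e.g. an `it('ignores parameters supplied outside the Request Object in strict mode', ...)` case that sends `scope` only as a query parameter and asserts the outcome the strict definition requires, plus the mirror case with `mode: 'lax'` so the revert path documented in the commit message is covered too. The fact that this payload previously had no `client_id` and now needs one is itself undocumented; a one-line comment such as `// strict mode: client_id must be inside the Request Object, not only in the query` above the added line would tell the next reader why the fixture changed. The enclosing `it(...)` callbacks start and end outside these hunks.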
@@ -70,6 +70,7 @@ describe('request Uri features', () => {
 let [key] = client.symmetricKeyStore.selectForSign({ alg: 'HS256' });
 key = await importJWK(key);
 const request = await JWT.sign({
+ scope: 'openid',
 client_id: 'client-with-HS-sig',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
@@ -99,6 +100,7 @@ describe('request Uri features', () => {
 let [key] = client.symmetricKeyStore.selectForSign({ alg: 'HS256' });
 key = await importJWK(key);
 const request = await JWT.sign({
+ scope: 'openid',
 client_id: 'client-with-HS-sig',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
@@ -161,6 +163,7 @@ describe('request Uri features', () => {
 it('checks the allow list', async function () {
 const request = await JWT.sign({
 client_id: 'client',
+ scope: 'openid',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
 }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer });
@@ -187,6 +190,7 @@ describe('request Uri features', () => {
 it('allows for fragments to be provided', async function () {
 const request = await JWT.sign({
 client_id: 'client',
+ scope: 'openid',
 response_type: 'code',
 redirect_uri: 'https://client.example.com/cb',
 }, Buffer.from('secret'), 'HS256', { issuer: 'client', audience: this.provider.issuer });