refactor: FAPIClient is renamed to FAPI1Client
BREAKING CHANGE: FAPIClient is renamed to FAPI1Client
BREAKING CHANGE: FAPI1Client has default algorithms set to PS256 rather
than RS256
BREAKING CHANGE: FAPI1Client has default tls_client_certificate_bound_access_tokens
set to true
BREAKING CHANGE: FAPI1Client has default response_types set to
`id_token code` and grant_types accordingly
BREAKING CHANGE: FAPI1Client has no token_endpoint_auth_method set,
one must be set explicitly
panva committed Oct 27, 2021
1 parent c9579e7 commit 59a4e73
Showing 11 changed files with 267 additions and 140 deletions.
171 changes: 129 additions & 42 deletions .github/workflows/test.yml
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Checkout
uses: actions/checkout@master
- name: Setup node
uses: actions/setup-node@v2-beta
uses: actions/setup-node@v2
with:
node-version: 12
- name: Store node version variable
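Review bot: `actions/setup-node@v2` and the unchanged `actions/checkout@master` on the line above it are mutable refs, so the bump from `v2-beta` to `v2` still leaves this job running whatever those tags or branches point at on the day it executes; for a workflow that installs and runs `${{ github.repository }}#${{ github.sha }}` against a certification suite, pin each action to a full commit SHA (keeping the tag in a trailing comment) and at minimum move `actions/checkout@master` to a released tag. The same applies to the two later `setup-node` bumps in this file.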
Expand Down Expand Up @@ -57,7 +57,7 @@ jobs:
- name: Checkout
uses: actions/checkout@master
- name: Setup node
uses: actions/setup-node@v2-beta
uses: actions/setup-node@v2
with:
node-version: ${{ matrix.node-version }}
- name: Store node version variable
Expand Down Expand Up @@ -87,7 +87,7 @@ jobs:
- windows-latest
steps:
- uses: actions/checkout@master
- uses: actions/setup-node@v1
- uses: actions/setup-node@v2
with:
node-version: 12
- name: Store node version variable
Expand All @@ -105,59 +105,146 @@ jobs:
if: ${{ steps.node_modules.outputs.cache-hit != 'true' }}
- run: npx xvfb-maybe npx electron@${{ matrix.electron-version }} ./test/electron test/**/*.test.js

oidc-conformance:
build-conformance-suite:
runs-on: ubuntu-latest
env:
VERSION: release-v4.1.35
steps:
- run: |
docker pull panvafs/oidc-certification-rp-ci
docker run -d -p 8080:8080 panvafs/oidc-certification-rp-ci
while ! curl -sk https://127.0.0.1:8080 >/dev/null; do sleep 2; done
- run: git clone --depth 1 --single-branch --branch five https://github.com/panva/openid-client-conformance-tests.git .
- uses: actions/setup-node@v1
- name: Checkout
uses: actions/checkout@master
- name: Load Cached Conformance Suite Build
uses: actions/cache@v2
id: cache
with:
node-version: 12
- run: npx panva/npm-install-retry
- run: npm install ${{ github.repository }}#${{ github.sha }}
- run: npm run test
path: ./conformance-suite
key: suite-${{ hashFiles('**/test.yml') }}
- name: Conformance Suite Checkout
if: ${{ steps.cache.outputs.cache-hit != 'true' }}
run: git clone --depth 1 --single-branch --branch $VERSION https://gitlab.com/openid/conformance-suite.git
- name: Conformance Suite Build
working-directory: ./conformance-suite
if: ${{ steps.cache.outputs.cache-hit != 'true' }}
env:
ISSUER: https://localhost:8080
NODE_TLS_REJECT_UNAUTHORIZED: 0
CI: true

fapi-conformance:
runs-on: ubuntu-latest
steps:
- run: git clone --depth 1 --single-branch --branch release-v4.1.32 https://gitlab.com/openid/conformance-suite.git
- env:
MAVEN_CACHE: ./m2
run: |
sed -i -e 's/localhost/localhost.emobix.co.uk/g' src/main/resources/application.properties
sed -i -e 's/-B/-B -DskipTests=true/g' builder-compose.yml
sed -i -e 's/-B clean/-B -DskipTests=true/g' builder-compose.yml
docker-compose -f builder-compose.yml run builder
conformance-suite:
runs-on: ubuntu-latest
needs:
- test
- electron
- build-conformance-suite
env:
NODE_TLS_REJECT_UNAUTHORIZED: 0
DEBUG: runner,moduleId*
SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
PLAN_NAME: ${{ matrix.setup.plan }}
VARIANT: ${{ toJSON(matrix.setup) }}
strategy:
fail-fast: false
matrix:
setup:
# OIDC BASIC
- plan: oidcc-client-basic-certification-test-plan

# OIDC IMPLICIT
- plan: oidcc-client-implicit-certification-test-plan

# OIDC HYBRID
- plan: oidcc-client-hybrid-certification-test-plan

# OIDC CONFIG
- plan: oidcc-client-config-certification-test-plan

# OIDC DYNAMIC
- plan: oidcc-client-dynamic-certification-test-plan

# FAPI 1.0 ID-2
- plan: fapi-rw-id2-client-test-plan
client_auth_type: mtls
- plan: fapi-rw-id2-client-test-plan
client_auth_type: private_key_jwt

# FAPI 1.0 Advanced Final
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: private_key_jwt
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: mtls
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: mtls
fapi_auth_request_method: pushed
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: private_key_jwt
fapi_auth_request_method: pushed
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: mtls
fapi_response_mode: jarm
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: private_key_jwt
fapi_response_mode: jarm
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: mtls
fapi_auth_request_method: pushed
fapi_response_mode: jarm
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: private_key_jwt
fapi_auth_request_method: pushed
fapi_response_mode: jarm
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: mtls
fapi_auth_request_method: pushed
fapi_response_mode: jarm
fapi_jarm_type: plain_oauth
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: mtls
fapi_response_mode: jarm
fapi_jarm_type: plain_oauth
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: private_key_jwt
fapi_auth_request_method: pushed
fapi_response_mode: jarm
fapi_jarm_type: plain_oauth
- plan: fapi1-advanced-final-client-test-plan
client_auth_type: private_key_jwt
fapi_response_mode: jarm
fapi_jarm_type: plain_oauth

steps:
- name: Load Cached Conformance Suite Build
uses: actions/cache@v2
id: cache
with:
path: ./conformance-suite
key: suite-${{ hashFiles('**/test.yml') }}
- name: Run Conformance Suite
working-directory: ./conformance-suite
run: |
docker-compose -f docker-compose-dev.yml up -d
while ! curl -skfail https://localhost.emobix.co.uk:8443/api/runner/available >/dev/null; do sleep 2; done
working-directory: ./conformance-suite
- run: git clone --depth 1 --single-branch --branch five https://github.com/panva/openid-client-fapi-certification.git runner
- uses: actions/setup-node@v1
- run: git clone --depth 1 --single-branch --branch five https://github.com/panva/openid-client-certification-suite.git runner
- uses: actions/setup-node@v2
with:
node-version: 12
- run: npx panva/npm-install-retry
working-directory: ./runner
- run: npm install ${{ github.repository }}#${{ github.sha }}
working-directory: ./runner
- name: run mtls variant
run: npm run test
working-directory: ./runner
env:
NODE_TLS_REJECT_UNAUTHORIZED: 0
DEBUG: runner,fapi-rw-id2-*
VARIANT: '{"client_auth_type":"mtls","fapi_profile":"plain_fapi"}'
SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
- name: run private_key_jwt variant
run: npm run test
- run: npm run test
working-directory: ./runner
env:
NODE_TLS_REJECT_UNAUTHORIZED: 0
DEBUG: runner,fapi-rw-id2-*
VARIANT: '{"client_auth_type":"private_key_jwt","fapi_profile":"plain_fapi"}'
SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
- name: Upload test artifacts
uses: actions/upload-artifact@v2
with:
path: runner/export-*.zip
name: ${{ matrix.setup.plan }} failed html results
if-no-files-found: ignore
if: ${{ failure() }}
- name: Upload test logs
uses: actions/upload-artifact@v2
with:
if-no-files-found: warn
name: ${{ matrix.setup.plan }} runner logs
path: runner/logs/*.log
if: ${{ failure() }}
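Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: 0` has moved from the `env:` of the two old `npm run test` steps to the job-level `env:` of `conformance-suite`, so it now also covers `npx panva/npm-install-retry` and `npm install ${{ github.repository }}#${{ github.sha }}`, which fetch code from npm and GitHub over HTTPS with certificate verification switched off. It is only needed so the runner can reach the self-signed suite at `https://localhost.emobix.co.uk:8443`; keep it on the `npm run test` step (the `curl -skfail` readiness loop already passes `-k`) rather than on the job. Secondary: the old `VARIANT` strings carried `"fapi_profile":"plain_fapi"` for the `fapi-rw-id2-*` runs, while the new `fapi-rw-id2-client-test-plan` matrix entries set only `client_auth_type` and `VARIANT` is now `toJSON(matrix.setup)` (which also includes `plan`); confirm the runner defaults `fapi_profile`, or add it to those two entries.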
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -44,7 +44,7 @@ openid-client.
- [RFC9126 - OAuth 2.0 Pushed Authorization Requests (PAR)][feature-par]
- [OpenID Connect Session Management 1.0 - draft 28][feature-rp-logout]
- RP-Initiated Logout
- [Financial-grade API - Part 2: Read and Write API Security Profile (FAPI) - ID2][feature-fapi]
- [Financial-grade API Security Profile 1.0 - Part 2: Advanced (FAPI)][feature-fapi]
- [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - ID1][feature-jarm]
- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][feature-dpop]

Expand Down Expand Up @@ -286,7 +286,7 @@ See [Customizing (docs)](https://github.com/panva/node-openid-client/blob/master
[feature-device-flow]: https://tools.ietf.org/html/rfc8628
[feature-rp-logout]: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout
[feature-jarm]: https://openid.net/specs/openid-financial-api-jarm-ID1.html
[feature-fapi]: https://openid.net/specs/openid-financial-api-part-2-ID2.html
[feature-fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
[feature-dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-03
[feature-par]: https://www.rfc-editor.org/rfc/rfc9126.html
[feature-jar]: https://www.rfc-editor.org/rfc/rfc9101.html
15 changes: 10 additions & 5 deletions docs/README.md
Expand Up @@ -29,7 +29,7 @@ If you or your business use openid-client, please consider becoming a [sponsor][
- [Class: <Issuer>](#class-issuer)
- [new Issuer(metadata)](#new-issuermetadata)
- [issuer.Client](#issuerclient)
- [issuer.FAPIClient](#issuerfapiclient)
- [issuer.FAPI1Client](#issuerfapi1client)
- [issuer.metadata](#issuermetadata)
- [Issuer.discover(issuer)](#issuerdiscoverissuer)
- [Issuer.webfinger(input)](#issuerwebfingerinput)
Expand Down Expand Up @@ -87,12 +87,12 @@ Returns the `<Client>` class tied to this issuer.

---

#### `issuer.FAPIClient`
#### `issuer.FAPI1Client`

Returns the `<FAPIClient>` class tied to this issuer. `<FAPIClient>` inherits from `<Client>` and
adds necessary FAPI behaviours:
Returns the `<FAPI1Client>` class tied to this issuer. `<FAPI1Client>` inherits from `<Client>` and
adds necessary [Financial-grade API Security Profile 1.0 - Part 2: Advanced][] behaviours:

- Returns: `<FAPIClient>`
- Returns: `<FAPI1Client>`

The behaviours are:
- `s_hash` presence and value checks in authorization endpoint response ID Tokens
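Review bot: the commit message lists four changes to `FAPI1Client` defaults (PS256 instead of RS256, `tls_client_certificate_bound_access_tokens` set to true, `response_types` set to `id_token code` with `grant_types` adjusted accordingly, and no default `token_endpoint_auth_method`), but this section only picks up the rename and the spec link; readers of the rendered docs will not see the commit message, so the `issuer.FAPI1Client` description should state those defaults and say that `token_endpoint_auth_method` must be set explicitly when constructing a `FAPI1Client`.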
Expand Down Expand Up @@ -292,6 +292,10 @@ Performs the callback for Authorization Server's authorization response.
- `max_age`: `<number>` When provided the authorization response's ID Token auth_time parameter
will be checked to be conform to the max_age value. Use of this check is required if you sent a
max_age parameter into an authorization request. **Default:** uses client's `default_max_age`.
- `scope`: `<string>` (FAPI1Client only) When provided the Token Endpoint Authorization Code
exchange response `scope` will be checked to be either an exact match, or containing a subset of
the scope sent in the authorization request.

- `extras`: `<Object>`
- `exchangeBody`: `<Object>` extra request body properties to be sent to the AS during code
exchange.
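Review bot: the new `scope` option documents the check but not what happens when it is omitted; state explicitly that the token-response `scope` comparison is skipped unless `scope` is passed to the callback (or, if the intent is to make it mandatory for `FAPI1Client`, say so), because a FAPI client that forgets to pass it silently loses the check. Minor wording: "either an exact match, or containing a subset of" should read "either an exact match of, or contains a subset of".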
Expand Down Expand Up @@ -1029,6 +1033,7 @@ request instance.
[webfinger-discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
[got-library]: https://github.com/sindresorhus/got/tree/v11.8.0
[client-authentication]: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
[Financial-grade API Security Profile 1.0 - Part 2: Advanced]: https://openid.net/specs/openid-financial-api-part-2-1_0.html

[^dpop-exception]: Ed25519, Ed448, and all Elliptic Curve keys have a fixed algorithm. RSA and RSA-PSS keys
look for an algorithm supported by the issuer metadata, if none is found PS256 is used as fallback.