chore: bump issAuthResp draft to -04

emramir · Dec 5, 2021 · a8ee83b · a8ee83b
1 parent 05ac3a8
commit a8ee83b
Show file tree

Hide file tree

Showing 8 changed files with 223 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -46,7 +46,7 @@ The following draft specifications are implemented by oidc-provider:
 - [JWT Response for OAuth Token Introspection - draft 10][jwt-introspection]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - Implementer's Draft 01][jarm]
 - [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba]
-- [OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response - draft 01][iss-auth-resp]
+- [OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response - draft 04][iss-auth-resp]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][dpop]
 - [OpenID Connect Back-Channel Logout 1.0 - draft 06][backchannel-logout]
 - [OpenID Connect RP-Initiated Logout 1.0 - draft 01][rpinitiated-logout]
@@ -147,7 +147,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
 [support-sponsor]: https://github.com/sponsors/panva
 [par]: https://www.rfc-editor.org/rfc/rfc9126.html
 [rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-01.html
-[iss-auth-resp]: https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-01
+[iss-auth-resp]: https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-04
 [fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0.html
 [ciba]: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html
 [fapi-ciba]: https://openid.net/specs/openid-financial-api-ciba-ID1.html
diff --git a/docs/README.md b/docs/README.md
@@ -1147,7 +1147,7 @@ async function introspectionAllowedPolicy(ctx, client, token) {
 
 ### features.issAuthResp
 
-[draft-ietf-oauth-iss-auth-resp-01](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-01) - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response  
+[draft-ietf-oauth-iss-auth-resp-04](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-04) - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response  
 
 Enables `iss` authorization response parameter for responses without existing countermeasures against mix-up attacks.   
 

diff --git a/lib/actions/authorization/respond.js b/lib/actions/authorization/respond.js
@@ -18,7 +18,7 @@ module.exports = async function respond(ctx, next) {
     out.state = params.state;
   }
 
-  if (instance(ctx.oidc.provider).configuration('features.issAuthResp.enabled')) {
+  if (!out.id_token && instance(ctx.oidc.provider).configuration('features.issAuthResp.enabled')) {
     out.iss = ctx.oidc.provider.issuer;
   }
 

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -1839,7 +1839,7 @@ function getDefaults() {
       /*
        * features.issAuthResp
        *
-       * title: [draft-ietf-oauth-iss-auth-resp-01](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-01) - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
+       * title: [draft-ietf-oauth-iss-auth-resp-04](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-04) - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
        *
        * description: Enables `iss` authorization response parameter for responses without
        * existing countermeasures against mix-up attacks.

diff --git a/lib/helpers/features.js b/lib/helpers/features.js
@@ -51,10 +51,10 @@ const DRAFTS = new Map(Object.entries({
     version: [0, 'id-00', 'individual-draft-00'],
   },
   issAuthResp: {
-    name: 'OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response - draft 01',
+    name: 'OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response - draft 04',
     type: 'IETF OAuth Working Group draft',
-    url: 'https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-01',
-    version: ['draft-00', 'draft-01'],
+    url: 'https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-04',
+    version: ['draft-00', 'draft-01', 'draft-02', 'draft-03', 'draft-04'],
   },
 }));
 

diff --git a/test/iss/iss.config.js b/test/iss/iss.config.js
@@ -0,0 +1,29 @@
+const cloneDeep = require('lodash/cloneDeep');
+const merge = require('lodash/merge');
+
+const config = cloneDeep(require('../default.config'));
+
+merge(config.features, {
+  issAuthResp: { enabled: true },
+  jwtResponseModes: { enabled: true },
+});
+
+module.exports = {
+  config,
+  clients: [{
+    client_id: 'client',
+    token_endpoint_auth_method: 'none',
+    redirect_uris: ['https://client.example.com/cb'],
+    grant_types: ['authorization_code', 'implicit'],
+    scope: 'openid',
+    response_types: [
+      'code id_token token',
+      'code id_token',
+      'code token',
+      'code',
+      'id_token token',
+      'id_token',
+      'none',
+    ],
+  }],
+};
diff --git a/test/iss/iss.test.js b/test/iss/iss.test.js
@@ -0,0 +1,179 @@
+const { expect } = require('chai');
+
+const bootstrap = require('../test_helper');
+
+describe('features.issAuthResp', () => {
+  before(bootstrap(__dirname));
+
+  describe('enriched discovery', () => {
+    it('shows the url now', function () {
+      return this.agent.get('/.well-known/openid-configuration')
+        .expect(200)
+        .expect((response) => {
+          expect(response.body).to.have.property('authorization_response_iss_parameter_supported', true);
+        });
+    });
+  });
+
+  describe('OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response', () => {
+    before(function () { return this.login(); });
+
+    it('response_type=code', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code',
+        scope: 'openid',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validatePresence(['iss'], false))
+        .expect(auth.validateClientLocation)
+        .expect(auth.validateIss);
+    });
+
+    it('response_type=code token', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code token',
+        scope: 'openid',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validateFragment)
+        .expect(auth.validatePresence(['iss'], false))
+        .expect(auth.validateClientLocation)
+        .expect(auth.validateIss);
+    });
+
+    it('response_type=code id_token', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code id_token',
+        scope: 'openid',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validateFragment)
+        .expect(auth.validatePresence(['code', 'state', 'id_token']))
+        .expect(auth.validateClientLocation);
+    });
+
+    it('response_type=code id_token token', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code id_token token',
+        scope: 'openid',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validateFragment)
+        .expect(auth.validatePresence(['code', 'state', 'id_token', 'access_token', 'token_type', 'expires_in', 'scope']))
+        .expect(auth.validateClientLocation);
+    });
+
+    it('response_type=id_token token', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'id_token token',
+        scope: 'openid',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validateFragment)
+        .expect(auth.validatePresence(['state', 'id_token', 'access_token', 'token_type', 'expires_in', 'scope']))
+        .expect(auth.validateClientLocation);
+    });
+
+    it('response_type=id_token', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'id_token',
+        scope: 'openid',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validateFragment)
+        .expect(auth.validatePresence(['state', 'id_token']))
+        .expect(auth.validateClientLocation);
+    });
+
+    it('response_type=none', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'none',
+        scope: 'openid',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validatePresence(['state', 'iss']))
+        .expect(auth.validateClientLocation)
+        .expect(auth.validateIss);
+    });
+
+    it('response_mode=jwt', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code',
+        response_mode: 'jwt',
+        scope: 'openid',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validatePresence(['response']))
+        .expect(auth.validateClientLocation);
+    });
+
+    it('error with regular response modes', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code',
+        scope: 'openid profile',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validatePresence(['error', 'iss'], false))
+        .expect(auth.validateClientLocation)
+        .expect(auth.validateIss);
+    });
+
+    it('error with response_type none', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'none',
+        scope: 'openid profile',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validatePresence(['error', 'iss'], false))
+        .expect(auth.validateClientLocation)
+        .expect(auth.validateIss);
+    });
+
+    it('error with response_mode=jwt', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code',
+        response_mode: 'jwt',
+        scope: 'openid profile',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validatePresence(['response']))
+        .expect(auth.validateClientLocation);
+    });
+
+    it('error with response_mode=jwt fragment', function () {
+      const auth = new this.AuthorizationRequest({
+        response_type: 'code id_token',
+        response_mode: 'jwt',
+        scope: 'openid profile',
+      });
+
+      return this.wrap({ route: '/auth', verb: 'get', auth })
+        .expect(303)
+        .expect(auth.validateFragment)
+        .expect(auth.validatePresence(['response']))
+        .expect(auth.validateClientLocation);
+    });
+  });
+});
diff --git a/test/test_helper.js b/test/test_helper.js
@@ -222,6 +222,13 @@ module.exports = function testHelper(dir, {
           },
         });
 
+        Object.defineProperty(this, 'validateIss', {
+          value: (response) => {
+            const { query: { iss } } = parse(response.headers.location, true);
+            expect(iss).to.equal(issuerIdentifier);
+          },
+        });
+
         Object.defineProperty(this, 'validateInteractionRedirect', {
           value: (response) => {
             const { hostname, search, query } = parse(response.headers.location);