refactor: default enabled JWAs

This removes HS256 as a default-enabled value from the following configuration values so that all AS-issued assertions are firm to only come from the AS - whitelistedJWA.idTokenSigningAlgValues - whitelistedJWA.userinfoSigningAlgValues - whitelistedJWA.introspectionSigningAlgValues - whitelistedJWA.authorizationSigningAlgValues This also revises the default JWE algorithms BREAKING CHANGE: Removed HS256 as a default-enabled algorithm from the following configuration values so that all AS-issued assertions are firm to only come from the AS: `whitelistedJWA.idTokenSigningAlgValues`, `whitelistedJWA.userinfoSigningAlgValues`, `whitelistedJWA.introspectionSigningAlgValues`, `whitelistedJWA.authorizationSigningAlgValues` BREAKING CHANGE: Default JWE Algorithms ("alg") now includes "dir". BREAKING CHANGE: ECDH-ES KW variants are not enabled by default anymore.
panva · Sep 11, 2020 · d8ebde0 · d8ebde0
1 parent 4cc28ef
commit d8ebde0
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 53 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -3152,9 +3152,8 @@ _**default value**_:
   'A128KW',
   'A256KW',
   'ECDH-ES',
-  'ECDH-ES+A128KW',
-  'ECDH-ES+A256KW',
-  'RSA-OAEP'
+  'RSA-OAEP',
+  'dir'
 ]
 ```
 <a id="whitelisted-jwa-authorization-encryption-alg-values-supported-values-list"></a><details><summary>(Click to expand) Supported values list
@@ -3210,7 +3209,6 @@ JWA algorithms the provider supports to sign JWT Authorization Responses with
 _**default value**_:
 ```js
 [
-  'HS256',
   'RS256',
   'PS256',
   'ES256',
@@ -3222,11 +3220,11 @@ _**default value**_:
 
 ```js
 [
-  'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
   'PS256', 'PS384', 'PS512',
   'ES256', 'ES256K', 'ES384', 'ES512',
   'EdDSA',
+  'HS256', 'HS384', 'HS512',
 ]
 ```
 </details>
@@ -3271,9 +3269,8 @@ _**default value**_:
   'A128KW',
   'A256KW',
   'ECDH-ES',
-  'ECDH-ES+A128KW',
-  'ECDH-ES+A256KW',
-  'RSA-OAEP'
+  'RSA-OAEP',
+  'dir'
 ]
 ```
 <a id="whitelisted-jwa-id-token-encryption-alg-values-supported-values-list"></a><details><summary>(Click to expand) Supported values list
@@ -3329,7 +3326,6 @@ JWA algorithms the provider supports to sign ID Tokens with
 _**default value**_:
 ```js
 [
-  'HS256',
   'RS256',
   'PS256',
   'ES256',
@@ -3341,12 +3337,12 @@ _**default value**_:
 
 ```js
 [
-  'none',
-  'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
   'PS256', 'PS384', 'PS512',
   'ES256', 'ES256K', 'ES384', 'ES512',
   'EdDSA',
+  'HS256', 'HS384', 'HS512',
+  'none',
 ]
 ```
 </details>
@@ -3363,9 +3359,8 @@ _**default value**_:
   'A128KW',
   'A256KW',
   'ECDH-ES',
-  'ECDH-ES+A128KW',
-  'ECDH-ES+A256KW',
-  'RSA-OAEP'
+  'RSA-OAEP',
+  'dir'
 ]
 ```
 <a id="whitelisted-jwa-introspection-encryption-alg-values-supported-values-list"></a><details><summary>(Click to expand) Supported values list
@@ -3433,11 +3428,11 @@ _**default value**_:
 
 ```js
 [
-  'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
   'PS256', 'PS384', 'PS512',
   'ES256', 'ES256K', 'ES384', 'ES512',
   'EdDSA',
+  'HS256', 'HS384', 'HS512',
 ]
 ```
 </details>
@@ -3451,7 +3446,6 @@ JWA algorithms the provider supports to sign JWT Introspection responses with
 _**default value**_:
 ```js
 [
-  'HS256',
   'RS256',
   'PS256',
   'ES256',
@@ -3463,12 +3457,12 @@ _**default value**_:
 
 ```js
 [
-  'none',
-  'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
   'PS256', 'PS384', 'PS512',
   'ES256', 'ES256K', 'ES384', 'ES512',
   'EdDSA',
+  'HS256', 'HS384', 'HS512',
+  'none',
 ]
 ```
 </details>
@@ -3485,9 +3479,8 @@ _**default value**_:
   'A128KW',
   'A256KW',
   'ECDH-ES',
-  'ECDH-ES+A128KW',
-  'ECDH-ES+A256KW',
-  'RSA-OAEP'
+  'RSA-OAEP',
+  'dir'
 ]
 ```
 <a id="whitelisted-jwa-request-object-encryption-alg-values-supported-values-list"></a><details><summary>(Click to expand) Supported values list
@@ -3555,12 +3548,12 @@ _**default value**_:
 
 ```js
 [
-  'none',
-  'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
   'PS256', 'PS384', 'PS512',
   'ES256', 'ES256K', 'ES384', 'ES512',
   'EdDSA',
+  'HS256', 'HS384', 'HS512',
+  'none',
 ]
 ```
 </details>
@@ -3586,11 +3579,11 @@ _**default value**_:
 
 ```js
 [
-  'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
   'PS256', 'PS384', 'PS512',
   'ES256', 'ES256K', 'ES384', 'ES512',
   'EdDSA',
+  'HS256', 'HS384', 'HS512',
 ]
 ```
 </details>
@@ -3616,11 +3609,11 @@ _**default value**_:
 
 ```js
 [
-  'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
   'PS256', 'PS384', 'PS512',
   'ES256', 'ES256K', 'ES384', 'ES512',
   'EdDSA',
+  'HS256', 'HS384', 'HS512',
 ]
 ```
 </details>
@@ -3637,9 +3630,8 @@ _**default value**_:
   'A128KW',
   'A256KW',
   'ECDH-ES',
-  'ECDH-ES+A128KW',
-  'ECDH-ES+A256KW',
-  'RSA-OAEP'
+  'RSA-OAEP',
+  'dir'
 ]
 ```
 <a id="whitelisted-jwa-userinfo-encryption-alg-values-supported-values-list"></a><details><summary>(Click to expand) Supported values list
@@ -3695,7 +3687,6 @@ JWA algorithms the provider supports to sign UserInfo responses with
 _**default value**_:
 ```js
 [
-  'HS256',
   'RS256',
   'PS256',
   'ES256',
@@ -3707,12 +3698,12 @@ _**default value**_:
 
 ```js
 [
-  'none',
-  'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
   'PS256', 'PS384', 'PS512',
   'ES256', 'ES256K', 'ES384', 'ES512',
   'EdDSA',
+  'HS256', 'HS384', 'HS512',
+  'none',
 ]
 ```
 </details>

diff --git a/lib/helpers/configuration.js b/lib/helpers/configuration.js
@@ -52,6 +52,8 @@ function filterHS(alg) {
   return alg.startsWith('HS');
 }
 
+const filterAsymmetricSig = RegExp.prototype.test.bind(/^(?:PS(?:256|384|512)|RS(?:256|384|512)|ES(?:256K?|384|512)|EdDSA)$/);
+
 function filterHSandNone(alg) {
   return alg.startsWith('HS') || alg === 'none';
 }
@@ -295,10 +297,14 @@ class Configuration {
 
     if (!this[`${endpoint}EndpointAuthMethods`].has('client_secret_jwt')) {
       remove(this[`${endpoint}EndpointAuthSigningAlgValues`], filterHS);
+    } else if (!this[`${endpoint}EndpointAuthSigningAlgValues`].find(filterHS)) {
+      this[`${endpoint}EndpointAuthMethods`].delete('client_secret_jwt');
     }
 
     if (!this[`${endpoint}EndpointAuthMethods`].has('private_key_jwt')) {
-      remove(this[`${endpoint}EndpointAuthSigningAlgValues`], RegExp.prototype.test.bind(/^(?:PS(?:256|384|512)|RS(?:256|384|512)|ES(?:256K?|384|512)|EdDSA)$/));
+      remove(this[`${endpoint}EndpointAuthSigningAlgValues`], filterAsymmetricSig);
+    } else if (!this[`${endpoint}EndpointAuthSigningAlgValues`].find(filterAsymmetricSig)) {
+      this[`${endpoint}EndpointAuthMethods`].delete('private_key_jwt');
     }
 
     if (!this[`${endpoint}EndpointAuthSigningAlgValues`].length) {