diff --git a/docs/README.md b/docs/README.md index 751a4f87f..ebbc61d7d 100644 --- a/docs/README.md +++ b/docs/README.md @@ -3152,9 +3152,8 @@ _**default value**_: 'A128KW', 'A256KW', 'ECDH-ES', - 'ECDH-ES+A128KW', - 'ECDH-ES+A256KW', - 'RSA-OAEP' + 'RSA-OAEP', + 'dir' ] ```
(Click to expand) Supported values list @@ -3210,7 +3209,6 @@ JWA algorithms the provider supports to sign JWT Authorization Responses with _**default value**_: ```js [ - 'HS256', 'RS256', 'PS256', 'ES256', @@ -3222,11 +3220,11 @@ _**default value**_: ```js [ - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES256K', 'ES384', 'ES512', 'EdDSA', + 'HS256', 'HS384', 'HS512', ] ```
@@ -3271,9 +3269,8 @@ _**default value**_: 'A128KW', 'A256KW', 'ECDH-ES', - 'ECDH-ES+A128KW', - 'ECDH-ES+A256KW', - 'RSA-OAEP' + 'RSA-OAEP', + 'dir' ] ```
(Click to expand) Supported values list @@ -3329,7 +3326,6 @@ JWA algorithms the provider supports to sign ID Tokens with _**default value**_: ```js [ - 'HS256', 'RS256', 'PS256', 'ES256', @@ -3341,12 +3337,12 @@ _**default value**_: ```js [ - 'none', - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES256K', 'ES384', 'ES512', 'EdDSA', + 'HS256', 'HS384', 'HS512', + 'none', ] ```
@@ -3363,9 +3359,8 @@ _**default value**_: 'A128KW', 'A256KW', 'ECDH-ES', - 'ECDH-ES+A128KW', - 'ECDH-ES+A256KW', - 'RSA-OAEP' + 'RSA-OAEP', + 'dir' ] ```
(Click to expand) Supported values list @@ -3433,11 +3428,11 @@ _**default value**_: ```js [ - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES256K', 'ES384', 'ES512', 'EdDSA', + 'HS256', 'HS384', 'HS512', ] ```
@@ -3451,7 +3446,6 @@ JWA algorithms the provider supports to sign JWT Introspection responses with _**default value**_: ```js [ - 'HS256', 'RS256', 'PS256', 'ES256', @@ -3463,12 +3457,12 @@ _**default value**_: ```js [ - 'none', - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES256K', 'ES384', 'ES512', 'EdDSA', + 'HS256', 'HS384', 'HS512', + 'none', ] ``` @@ -3485,9 +3479,8 @@ _**default value**_: 'A128KW', 'A256KW', 'ECDH-ES', - 'ECDH-ES+A128KW', - 'ECDH-ES+A256KW', - 'RSA-OAEP' + 'RSA-OAEP', + 'dir' ] ```
(Click to expand) Supported values list @@ -3555,12 +3548,12 @@ _**default value**_: ```js [ - 'none', - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES256K', 'ES384', 'ES512', 'EdDSA', + 'HS256', 'HS384', 'HS512', + 'none', ] ```
@@ -3586,11 +3579,11 @@ _**default value**_: ```js [ - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES256K', 'ES384', 'ES512', 'EdDSA', + 'HS256', 'HS384', 'HS512', ] ``` @@ -3616,11 +3609,11 @@ _**default value**_: ```js [ - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES256K', 'ES384', 'ES512', 'EdDSA', + 'HS256', 'HS384', 'HS512', ] ``` @@ -3637,9 +3630,8 @@ _**default value**_: 'A128KW', 'A256KW', 'ECDH-ES', - 'ECDH-ES+A128KW', - 'ECDH-ES+A256KW', - 'RSA-OAEP' + 'RSA-OAEP', + 'dir' ] ```
(Click to expand) Supported values list @@ -3695,7 +3687,6 @@ JWA algorithms the provider supports to sign UserInfo responses with _**default value**_: ```js [ - 'HS256', 'RS256', 'PS256', 'ES256', @@ -3707,12 +3698,12 @@ _**default value**_: ```js [ - 'none', - 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512', 'ES256', 'ES256K', 'ES384', 'ES512', 'EdDSA', + 'HS256', 'HS384', 'HS512', + 'none', ] ```
diff --git a/lib/helpers/configuration.js b/lib/helpers/configuration.js
index 4d28b20f9..ab78ed869 100644
--- a/lib/helpers/configuration.js
+++ b/lib/helpers/configuration.js
@@ -52,6 +52,8 @@ function filterHS(alg) {
 return alg.startsWith('HS');
 }
 
+const filterAsymmetricSig = RegExp.prototype.test.bind(/^(?:PS(?:256|384|512)|RS(?:256|384|512)|ES(?:256K?|384|512)|EdDSA)$/);
+
 function filterHSandNone(alg) {
 return alg.startsWith('HS') || alg === 'none';
 }
@@ -295,10 +297,14 @@ class Configuration {
 
 if (!this[`${endpoint}EndpointAuthMethods`].has('client_secret_jwt')) {
 remove(this[`${endpoint}EndpointAuthSigningAlgValues`], filterHS);
+ } else if (!this[`${endpoint}EndpointAuthSigningAlgValues`].find(filterHS)) {
+ this[`${endpoint}EndpointAuthMethods`].delete('client_secret_jwt');
 }
 
 if (!this[`${endpoint}EndpointAuthMethods`].has('private_key_jwt')) {
- remove(this[`${endpoint}EndpointAuthSigningAlgValues`], RegExp.prototype.test.bind(/^(?:PS(?:256|384|512)|RS(?:256|384|512)|ES(?:256K?|384|512)|EdDSA)$/));
+ remove(this[`${endpoint}EndpointAuthSigningAlgValues`], filterAsymmetricSig);
+ } else if (!this[`${endpoint}EndpointAuthSigningAlgValues`].find(filterAsymmetricSig)) {
+ this[`${endpoint}EndpointAuthMethods`].delete('private_key_jwt');
 }
 
 if (!this[`${endpoint}EndpointAuthSigningAlgValues`].length) {
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
index 9313a6720..15b0fe13e 100644
--- a/lib/helpers/defaults.js
+++ b/lib/helpers/defaults.js
@@ -2291,11 +2291,11 @@ function getDefaults() {
 * example: Supported values list
 * ```js
 * [
- * 'HS256', 'HS384', 'HS512',
 * 'RS256', 'RS384', 'RS512',
 * 'PS256', 'PS384', 'PS512',
 * 'ES256', 'ES256K', 'ES384', 'ES512',
 * 'EdDSA',
+ * 'HS256', 'HS384', 'HS512',
 * ]
 * ```
 */
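Review bot: The two new `else if` branches in the `@@ -295` hunk of configuration.js silently drop an explicitly configured auth method (`client_secret_jwt` or `private_key_jwt`) whenever no whitelisted signing alg can back it, and nothing in the hunk records why silent removal was preferred over rejecting the configuration; a why-comment above the first check would help, e.g. `// an auth method is kept only while at least one whitelisted JWS alg can back it; otherwise the method is dropped rather than left without a usable alg`. Also, `Array.prototype.find` returns the matching element, so `!…find(filterHS)` only works because alg names are non-empty strings; `some` states the intent directly — replace `.find(filterHS)` with `.some(filterHS)` and `.find(filterAsymmetricSig)` with `.some(filterAsymmetricSig)`. The enclosing method and its `endpoint` loop start and end outside the hunk.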
@@ -2311,11 +2311,11 @@ function getDefaults() {
 * example: Supported values list
 * ```js
 * [
- * 'HS256', 'HS384', 'HS512',
 * 'RS256', 'RS384', 'RS512',
 * 'PS256', 'PS384', 'PS512',
 * 'ES256', 'ES256K', 'ES384', 'ES512',
 * 'EdDSA',
+ * 'HS256', 'HS384', 'HS512',
 * ]
 * ```
 */
@@ -2331,11 +2331,11 @@ function getDefaults() {
 * example: Supported values list
 * ```js
 * [
- * 'HS256', 'HS384', 'HS512',
 * 'RS256', 'RS384', 'RS512',
 * 'PS256', 'PS384', 'PS512',
 * 'ES256', 'ES256K', 'ES384', 'ES512',
 * 'EdDSA',
+ * 'HS256', 'HS384', 'HS512',
 * ]
 * ```
 */
@@ -2351,17 +2351,17 @@ function getDefaults() {
 * example: Supported values list
 * ```js
 * [
- * 'none',
- * 'HS256', 'HS384', 'HS512',
 * 'RS256', 'RS384', 'RS512',
 * 'PS256', 'PS384', 'PS512',
 * 'ES256', 'ES256K', 'ES384', 'ES512',
 * 'EdDSA',
+ * 'HS256', 'HS384', 'HS512',
+ * 'none',
 * ]
 * ```
 */
 idTokenSigningAlgValues: [
- 'HS256', 'RS256', 'PS256', 'ES256', 'EdDSA',
+ 'RS256', 'PS256', 'ES256', 'EdDSA',
 ],
 
 /*
@@ -2372,12 +2372,12 @@ function getDefaults() {
 * example: Supported values list
 * ```js
 * [
- * 'none',
- * 'HS256', 'HS384', 'HS512',
 * 'RS256', 'RS384', 'RS512',
 * 'PS256', 'PS384', 'PS512',
 * 'ES256', 'ES256K', 'ES384', 'ES512',
 * 'EdDSA',
+ * 'HS256', 'HS384', 'HS512',
+ * 'none',
 * ]
 * ```
 */
@@ -2393,17 +2393,17 @@ function getDefaults() {
 * example: Supported values list
 * ```js
 * [
- * 'none',
- * 'HS256', 'HS384', 'HS512',
 * 'RS256', 'RS384', 'RS512',
 * 'PS256', 'PS384', 'PS512',
 * 'ES256', 'ES256K', 'ES384', 'ES512',
 * 'EdDSA',
+ * 'HS256', 'HS384', 'HS512',
+ * 'none',
 * ]
 * ```
 */
 userinfoSigningAlgValues: [
- 'HS256', 'RS256', 'PS256', 'ES256', 'EdDSA',
+ 'RS256', 'PS256', 'ES256', 'EdDSA',
 ],
 
 /*
@@ -2414,17 +2414,17 @@ function getDefaults() {
 * example: Supported values list
 * ```js
 * [
- * 'none',
- * 'HS256', 'HS384', 'HS512',
 * 'RS256', 'RS384', 'RS512',
 * 'PS256', 'PS384', 'PS512',
 * 'ES256', 'ES256K', 'ES384', 'ES512',
 * 'EdDSA',
+ * 'HS256', 'HS384', 'HS512',
+ * 'none',
 * ]
 * ```
 */
 introspectionSigningAlgValues: [
- 'HS256', 'RS256', 'PS256', 'ES256', 'EdDSA',
+ 'RS256', 'PS256', 'ES256', 'EdDSA',
 ],
 
 /*
@@ -2435,16 +2435,16 @@ function getDefaults() {
 * example: Supported values list
 * ```js
 * [
- * 'HS256', 'HS384', 'HS512',
 * 'RS256', 'RS384', 'RS512',
 * 'PS256', 'PS384', 'PS512',
 * 'ES256', 'ES256K', 'ES384', 'ES512',
 * 'EdDSA',
+ * 'HS256', 'HS384', 'HS512',
 * ]
 * ```
 */
 authorizationSigningAlgValues: [
- 'HS256', 'RS256', 'PS256', 'ES256', 'EdDSA',
+ 'RS256', 'PS256', 'ES256', 'EdDSA',
 ],
 
 /*
@@ -2469,7 +2469,7 @@ function getDefaults() {
 * ```
 */
 idTokenEncryptionAlgValues: [
- 'A128KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW', 'RSA-OAEP',
+ 'A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'dir',
 ],
 
 /*
@@ -2495,7 +2495,7 @@ function getDefaults() {
 * ```
 */
 requestObjectEncryptionAlgValues: [
- 'A128KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW', 'RSA-OAEP',
+ 'A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'dir',
 ],
 
 /*
@@ -2520,7 +2520,7 @@ function getDefaults() {
 * ```
 */
 userinfoEncryptionAlgValues: [
- 'A128KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW', 'RSA-OAEP',
+ 'A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'dir',
 ],
 
 /*
@@ -2546,7 +2546,7 @@ function getDefaults() {
 * ```
 */
 introspectionEncryptionAlgValues: [
- 'A128KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW', 'RSA-OAEP',
+ 'A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'dir',
 ],
 
 /*
@@ -2572,7 +2572,7 @@ function getDefaults() {
 * ```
 */
 authorizationEncryptionAlgValues: [
- 'A128KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A256KW', 'RSA-OAEP',
+ 'A128KW', 'A256KW', 'ECDH-ES', 'RSA-OAEP', 'dir',
 ],
 
 /*
diff --git a/test/client_auth/client_auth.test.js b/test/client_auth/client_auth.test.js
index ed9a9ca68..41d1f855a 100644
--- a/test/client_auth/client_auth.test.js
+++ b/test/client_auth/client_auth.test.js
@@ -56,6 +56,40 @@ describe('client authentication options', () => {
 expect(i(provider).configuration('revocationEndpointAuthSigningAlgValues')).to.be.undefined;
 });
 
+ it('removes client_secret_jwt when no HMAC based alg is enabled', () => {
+ const provider = new Provider('http://localhost', {
+ tokenEndpointAuthMethods: [
+ 'none',
+ 'client_secret_jwt',
+ 'private_key_jwt',
+ 'client_secret_basic',
+ 'client_secret_post',
+ ],
+ whitelistedJWA: {
+ tokenEndpointAuthSigningAlgValues: ['PS256'],
+ },
+ });
+
+ expect(i(provider).configuration('tokenEndpointAuthMethods')).not.to.include('client_secret_jwt');
+ });
+
+ it('removes private_key_jwt when no public key crypto based alg is enabled', () => {
+ const provider = new Provider('http://localhost', {
+ tokenEndpointAuthMethods: [
+ 'none',
+ 'client_secret_jwt',
+ 'private_key_jwt',
+ 'client_secret_basic',
+ 'client_secret_post',
+ ],
+ whitelistedJWA: {
+ tokenEndpointAuthSigningAlgValues: ['HS256'],
+ },
+ });
+
+ expect(i(provider).configuration('tokenEndpointAuthMethods')).not.to.include('private_key_jwt');
+ });
+
 it('pushes only symmetric algs when client_secret_jwt is enabled', () => {
 const provider = new Provider('http://localhost', {
 tokenEndpointAuthMethods: [
diff --git a/test/provider/provider_instance.test.js b/test/provider/provider_instance.test.js
index 96694f6b1..b6a381951 100644
--- a/test/provider/provider_instance.test.js
+++ b/test/provider/provider_instance.test.js
@@ -85,6 +85,7 @@ describe('provider instance', () => {
 },
 },
 whitelistedJWA: {
+ tokenEndpointAuthSigningAlgValues: ['HS256'],
 idTokenEncryptionAlgValues: ['dir'],
 },
 });
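Review bot: Both new cases in the client_auth.test.js hunk assert only that one method is absent; they do not pin that the other configured methods survive or that the whitelisted alg itself is kept, so a regression that cleared the whole method set or the alg list would still pass. Suggest adding after each `not.to.include` assertion `expect(i(provider).configuration('tokenEndpointAuthMethods')).to.include('private_key_jwt');` (and `client_secret_jwt` in the second case) together with `expect(i(provider).configuration('tokenEndpointAuthSigningAlgValues')).to.deep.equal(['PS256']);` (`['HS256']` in the second case). The cases exercise only the token endpoint; if the pruning in configuration.js runs per endpoint, as its `${endpoint}` template suggests, one case for a second endpoint such as revocation — which the existing test at the top of this hunk already references — would cover that path.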
@@ -135,6 +136,7 @@ describe('provider instance', () => {
 },
 },
 whitelistedJWA: {
+ tokenEndpointAuthSigningAlgValues: ['HS256'],
 idTokenEncryptionAlgValues: ['dir'],
 },
 });