matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-28 11:02:02 +03:00
Code Activity

Don't enforce RS256 ID Token signing alg in provider metadata

Browse Source
This commit is contained in:
Kévin Commaille
2022-12-18 15:44:07 +01:00
committed by Quentin Gliech
parent f2d6fe1250
commit 01a7febee2
1 changed files with 2 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
crates/oauth2-types/src/oidc.rs
View File

@ -362,7 +362,7 @@ pub struct ProviderMetadata {
/// JSON array containing a list of the JWS signing algorithms (`alg` /// JSON array containing a list of the JWS signing algorithms (`alg`
/// values) supported by the OP for the ID Token. /// values) supported by the OP for the ID Token.
/// ///
/// This field is required and must contain [`JsonWebSignatureAlg::Rs256`]. /// This field is required.
pub id_token_signing_alg_values_supported: Option<Vec<JsonWebSignatureAlg>>, pub id_token_signing_alg_values_supported: Option<Vec<JsonWebSignatureAlg>>,
/// JSON array containing a list of the JWE encryption algorithms (`alg` /// JSON array containing a list of the JWE encryption algorithms (`alg`
@ -585,15 +585,6 @@ impl ProviderMetadata {
validate_url("userinfo_endpoint", url, ExtraUrlRestrictions::None)?; validate_url("userinfo_endpoint", url, ExtraUrlRestrictions::None)?;
} }
if !metadata
.id_token_signing_alg_values_supported()
.contains(&JsonWebSignatureAlg::Rs256)
{
return Err(
ProviderMetadataVerificationError::SigningAlgValuesMissingRs256("id_token"),
);
}
if let Some(url) = &metadata.pushed_authorization_request_endpoint { if let Some(url) = &metadata.pushed_authorization_request_endpoint {
validate_url( validate_url(
"pushed_authorization_request_endpoint", "pushed_authorization_request_endpoint",
@ -970,10 +961,6 @@ pub enum ProviderMetadataVerificationError {
/// allowed. /// allowed.
#[error("{0} signing algorithm values contain `none`")] #[error("{0} signing algorithm values contain `none`")]
SigningAlgValuesWithNone(&'static str), SigningAlgValuesWithNone(&'static str),
/// `RS256` is missing from the given endpoint's signing algorithm values.
#[error("missing RS256 in {0} signing algorithm values")]
SigningAlgValuesMissingRs256(&'static str),
} }
/// Possible extra restrictions on a URL. /// Possible extra restrictions on a URL.
@ -1540,15 +1527,7 @@ mod tests {
Err(ProviderMetadataVerificationError::MissingIdTokenSigningAlgValuesSupported) Err(ProviderMetadataVerificationError::MissingIdTokenSigningAlgValuesSupported)
); );
// Err - No RS256 // Ok - Present
metadata.id_token_signing_alg_values_supported = Some(vec![JsonWebSignatureAlg::EdDsa]);
let endpoint = assert_matches!(
metadata.clone().validate(&issuer),
Err(ProviderMetadataVerificationError::SigningAlgValuesMissingRs256(endpoint)) => endpoint
);
assert_eq!(endpoint, "id_token");
// Ok - With RS256
metadata.id_token_signing_alg_values_supported = metadata.id_token_signing_alg_values_supported =
Some(vec![JsonWebSignatureAlg::Rs256, JsonWebSignatureAlg::EdDsa]); Some(vec![JsonWebSignatureAlg::Rs256, JsonWebSignatureAlg::EdDsa]);
metadata.validate(&issuer).unwrap(); metadata.validate(&issuer).unwrap();