OIDC improvements in prep of OIDC-QR reciprocation (#4149)

* Add `device_authorization_endpoint` field to OIDC issuer well-known metadata Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Allow `validateIdToken` to skip handling nonce when none is present Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Tweak registerOidcClient to check OIDC grant_types_supported before registration Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
2025-07-30 04:23:07 +03:00 · 2024-04-08 15:07:00 +01:00
parent 0ff0093380
commit 5cdd524da7
5 changed files with 79 additions and 29 deletions
--- a/spec/test-utils/oidc.ts
+++ b/spec/test-utils/oidc.ts
@ -44,6 +44,7 @@ export const mockOpenIdConfiguration = (issuer = "https://auth.org/"): Validated
    token_endpoint: issuer + "token",
    authorization_endpoint: issuer + "auth",
    registration_endpoint: issuer + "registration",
+    device_authorization_endpoint: issuer + "device",
    jwks_uri: issuer + "jwks",
    response_types_supported: ["code"],
    grant_types_supported: ["authorization_code", "refresh_token"],
--- a/spec/unit/oidc/register.spec.ts
+++ b/spec/unit/oidc/register.spec.ts
@ -90,4 +90,31 @@ describe("registerOidcClient()", () => {
            OidcError.DynamicRegistrationInvalid,
        );
    });
+
+    it("should throw when required endpoints are unavailable", async () => {
+        await expect(() =>
+            registerOidcClient(
+                {
+                    ...delegatedAuthConfig,
+                    registrationEndpoint: undefined,
+                },
+                metadata,
+            ),
+        ).rejects.toThrow(OidcError.DynamicRegistrationNotSupported);
+    });
+
+    it("should throw when required scopes are unavailable", async () => {
+        await expect(() =>
+            registerOidcClient(
+                {
+                    ...delegatedAuthConfig,
+                    metadata: {
+                        ...delegatedAuthConfig.metadata,
+                        grant_types_supported: [delegatedAuthConfig.metadata.grant_types_supported[0]],
+                    },
+                },
+                metadata,
+            ),
+        ).rejects.toThrow(OidcError.DynamicRegistrationNotSupported);
+    });
 });