OIDC improvements in prep of OIDC-QR reciprocation (#4149)

* Add `device_authorization_endpoint` field to OIDC issuer well-known metadata Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Allow `validateIdToken` to skip handling nonce when none is present Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Tweak registerOidcClient to check OIDC grant_types_supported before registration Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
2025-11-23 17:02:25 +03:00 · 2024-04-08 15:07:00 +01:00
parent 0ff0093380
commit 5cdd524da7
5 changed files with 79 additions and 29 deletions
--- a/src/oidc/register.ts
+++ b/src/oidc/register.ts
@@ -50,23 +50,31 @@ interface OidcRegistrationRequestBody {
 }

 /**
- * Make the client registration request
- * @param registrationEndpoint - URL as returned from issuer ./well-known/openid-configuration
- * @param clientMetadata - registration metadata
- * @returns resolves to the registered client id when registration is successful
- * @throws An `Error` with `message` set to an entry in {@link OidcError},
- *      when the registration request fails, or the response is invalid.
+ * Attempts dynamic registration against the configured registration endpoint
+ * @param delegatedAuthConfig - Auth config from {@link discoverAndValidateOIDCIssuerWellKnown}
+ * @param clientMetadata - The metadata for the client which to register
+ * @returns Promise<string> resolved with registered clientId
+ * @throws when registration is not supported, on failed request or invalid response
 */
-const doRegistration = async (
-    registrationEndpoint: string,
+export const registerOidcClient = async (
+    delegatedAuthConfig: OidcClientConfig,
    clientMetadata: OidcRegistrationClientMetadata,
 ): Promise<string> => {
+    if (!delegatedAuthConfig.registrationEndpoint) {
+        throw new Error(OidcError.DynamicRegistrationNotSupported);
+    }
+
+    const grantTypes: NonEmptyArray<string> = ["authorization_code", "refresh_token"];
+    if (grantTypes.some((scope) => !delegatedAuthConfig.metadata.grant_types_supported.includes(scope))) {
+        throw new Error(OidcError.DynamicRegistrationNotSupported);
+    }
+
    // https://openid.net/specs/openid-connect-registration-1_0.html
    const metadata: OidcRegistrationRequestBody = {
        client_name: clientMetadata.clientName,
        client_uri: clientMetadata.clientUri,
        response_types: ["code"],
-        grant_types: ["authorization_code", "refresh_token"],
+        grant_types: grantTypes,
        redirect_uris: clientMetadata.redirectUris,
        id_token_signed_response_alg: "RS256",
        token_endpoint_auth_method: "none",
@@ -82,7 +90,7 @@ const doRegistration = async (
    };

    try {
-        const response = await fetch(registrationEndpoint, {
+        const response = await fetch(delegatedAuthConfig.registrationEndpoint, {
            method: Method.Post,
            headers,
            body: JSON.stringify(metadata),
@@ -108,20 +116,3 @@ const doRegistration = async (
        }
    }
 };
-
-/**
- * Attempts dynamic registration against the configured registration endpoint
- * @param delegatedAuthConfig - Auth config from {@link discoverAndValidateOIDCIssuerWellKnown}
- * @param clientMetadata - The metadata for the client which to register
- * @returns Promise<string> resolved with registered clientId
- * @throws when registration is not supported, on failed request or invalid response
- */
-export const registerOidcClient = async (
-    delegatedAuthConfig: OidcClientConfig,
-    clientMetadata: OidcRegistrationClientMetadata,
-): Promise<string> => {
-    if (!delegatedAuthConfig.registrationEndpoint) {
-        throw new Error(OidcError.DynamicRegistrationNotSupported);
-    }
-    return doRegistration(delegatedAuthConfig.registrationEndpoint, clientMetadata);
-};
--- a/src/oidc/validate.ts
+++ b/src/oidc/validate.ts
@@ -83,6 +83,7 @@ export const validateOIDCIssuerWellKnown = (wellKnown: unknown): ValidatedIssuer
        requiredStringProperty(wellKnown, "revocation_endpoint"),
        optionalStringProperty(wellKnown, "registration_endpoint"),
        optionalStringProperty(wellKnown, "account_management_uri"),
+        optionalStringProperty(wellKnown, "device_authorization_endpoint"),
        optionalStringArrayProperty(wellKnown, "account_management_actions_supported"),
        requiredArrayValue(wellKnown, "response_types_supported", "code"),
        requiredArrayValue(wellKnown, "grant_types_supported", "authorization_code"),
@@ -118,6 +119,7 @@ export type ValidatedIssuerMetadata = Partial<OidcMetadata> &
        | "response_types_supported"
        | "grant_types_supported"
        | "code_challenge_methods_supported"
+        | "device_authorization_endpoint"
    > & {
        // MSC2965 extensions to the OIDC spec
        account_management_uri?: string;
@@ -176,7 +178,12 @@ const decodeIdToken = (token: string): IdTokenClaims => {
 * @param nonce - nonce used in the authentication request
 * @throws when id token is invalid
 */
-export const validateIdToken = (idToken: string | undefined, issuer: string, clientId: string, nonce: string): void => {
+export const validateIdToken = (
+    idToken: string | undefined,
+    issuer: string,
+    clientId: string,
+    nonce: string | undefined,
+): void => {
    try {
        if (!idToken) {
            throw new Error("No ID token");
@@ -201,7 +208,7 @@ export const validateIdToken = (idToken: string | undefined, issuer: string, cli
         * If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked
         * to verify that it is the same value as the one that was sent in the Authentication Request.
         */
-        if (claims.nonce !== nonce) {
+        if (nonce !== undefined && claims.nonce !== nonce) {
            throw new Error("Invalid nonce");
        }