Validate account_management_uri and account_management_actions_supported from OIDC Issuer well-known (#4074)

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
2025-11-23 17:02:25 +03:00 · 2024-02-21 14:56:11 +00:00
parent b474439256
commit c27c357688
2 changed files with 28 additions and 4 deletions
--- a/src/oidc/validate.ts
+++ b/src/oidc/validate.ts
@@ -31,6 +31,8 @@ export type ValidatedIssuerConfig = {
    authorizationEndpoint: string;
    tokenEndpoint: string;
    registrationEndpoint?: string;
+    accountManagementEndpoint?: string;
+    accountManagementActionsSupported?: string[];
 };

 /**
@@ -74,6 +76,16 @@ const optionalStringProperty = (wellKnown: Record<string, unknown>, key: string)
    }
    return true;
 };
+const optionalStringArrayProperty = (wellKnown: Record<string, unknown>, key: string): boolean => {
+    if (
+        !!wellKnown[key] &&
+        (!Array.isArray(wellKnown[key]) || !(<unknown[]>wellKnown[key]).every((v) => typeof v === "string"))
+    ) {
+        logger.error(`Invalid property: ${key}`);
+        return false;
+    }
+    return true;
+};
 const requiredArrayValue = (wellKnown: Record<string, unknown>, key: string, value: any): boolean => {
    const array = wellKnown[key];
    if (!array || !Array.isArray(array) || !array.includes(value)) {
@@ -102,6 +114,8 @@ export const validateOIDCIssuerWellKnown = (wellKnown: unknown): ValidatedIssuer
        requiredStringProperty(wellKnown, "token_endpoint"),
        requiredStringProperty(wellKnown, "revocation_endpoint"),
        optionalStringProperty(wellKnown, "registration_endpoint"),
+        optionalStringProperty(wellKnown, "account_management_uri"),
+        optionalStringArrayProperty(wellKnown, "account_management_actions_supported"),
        requiredArrayValue(wellKnown, "response_types_supported", "code"),
        requiredArrayValue(wellKnown, "grant_types_supported", "authorization_code"),
        requiredArrayValue(wellKnown, "code_challenge_methods_supported", "S256"),
@@ -109,10 +123,12 @@ export const validateOIDCIssuerWellKnown = (wellKnown: unknown): ValidatedIssuer

    if (!isInvalid) {
        return {
-            authorizationEndpoint: wellKnown["authorization_endpoint"],
-            tokenEndpoint: wellKnown["token_endpoint"],
-            registrationEndpoint: wellKnown["registration_endpoint"],
-        } as ValidatedIssuerConfig;
+            authorizationEndpoint: <string>wellKnown["authorization_endpoint"],
+            tokenEndpoint: <string>wellKnown["token_endpoint"],
+            registrationEndpoint: <string>wellKnown["registration_endpoint"],
+            accountManagementEndpoint: <string>wellKnown["account_management_uri"],
+            accountManagementActionsSupported: <string[]>wellKnown["account_management_actions_supported"],
+        };
    }

    logger.error("Issuer configuration not valid");