From 0935451cd80cf6020540a62030b09dac9e49ba14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonne=20Ha=C3=9F?= Date: Fri, 24 Jan 2020 11:02:02 +0100 Subject: [PATCH] Return a default token_endpoint_auth_method when the client gives none in its OpenID Connect registration request Since we announce it in the supported metadata, some clients expect to be told what to use and don't fallback to the spec standard of client_secret_basic on their own. --- .../api/openid_connect/o_auth_application.rb | 3 ++- .../openid_connect/clients_controller_spec.rb | 26 ++++++++++++++++--- 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/app/models/api/openid_connect/o_auth_application.rb b/app/models/api/openid_connect/o_auth_application.rb index d29856601..8d4005c39 100644 --- a/app/models/api/openid_connect/o_auth_application.rb +++ b/app/models/api/openid_connect/o_auth_application.rb @@ -46,7 +46,8 @@ module Api def as_json(opts={}) data = super - data[:client_secret_expires_at] = 0 + data["client_secret_expires_at"] = 0 + data["token_endpoint_auth_method"] ||= "client_secret_post" data end diff --git a/spec/controllers/api/openid_connect/clients_controller_spec.rb b/spec/controllers/api/openid_connect/clients_controller_spec.rb index 63beab027..ce51fee21 100644 --- a/spec/controllers/api/openid_connect/clients_controller_spec.rb +++ b/spec/controllers/api/openid_connect/clients_controller_spec.rb @@ -3,7 +3,7 @@ describe Api::OpenidConnect::ClientsController, type: :controller, suppress_csrf_verification: :none do describe "#create" do context "when valid parameters are passed" do - it "should return a client id" do + before do stub_request(:get, "http://example.com/uris") .with(headers: { "Accept" => "*/*", 
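Review bot: The default written on the new `||=` line is `client_secret_post`, yet the commit message itself says the fallback a spec-following client applies when the field is omitted is `client_secret_basic` (OpenID Connect Dynamic Client Registration 1.0 §2 makes `client_secret_basic` the default), so a client that registered without the field is now told a different method than it would have assumed on its own. Unless the token endpoint accepts both credential placements for every client — which is not visible in this hunk — one of the two will fail to authenticate; if it does accept both, the announced value is advisory only and that should be stated. Either change the literal to `data["token_endpoint_auth_method"] ||= "client_secret_basic"` or keep `client_secret_post` with a comment above the line recording why it deviates from the spec default, e.g. `# Deviates from the OIDC registration default (client_secret_basic) because the token endpoint ... — TODO confirm`. Note also that the default is applied only to the JSON representation returned by `as_json`, not to the stored record, so any code that later dispatches on the persisted `token_endpoint_auth_method` still sees nil; defaulting at persistence (a column default or `before_validation`) would keep what is enforced and what is announced in agreement. The enclosing class continues outside the hunk.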
@@ -15,15 +15,27 @@ describe Api::OpenidConnect::ClientsController, type: :controller, suppress_csrf response_types: [], grant_types: [], application_type: "web", contacts: [], logo_uri: "http://example.com/logo.png", client_uri: "http://example.com/client", policy_uri: "http://example.com/policy", tos_uri: "http://example.com/tos", - sector_identifier_uri: "http://example.com/uris", subject_type: "pairwise"} + sector_identifier_uri: "http://example.com/uris", subject_type: "pairwise"} end + + it "should return a client id" do client_json = JSON.parse(response.body) expect(client_json["client_id"].length).to eq(32) expect(client_json["ppid"]).to eq(true) end + + it "should return a client secret expiration time" do + client_json = JSON.parse(response.body) + expect(client_json["client_secret_expires_at"]).to eq(0) + end + + it "should return a default token endpoint authentication method" do + client_json = JSON.parse(response.body) + expect(client_json["token_endpoint_auth_method"]).to eq("client_secret_post") + end end context "when valid parameters with jwks is passed" do - it "should return a client id" do + before do stub_request(:get, "http://example.com/uris") .with(headers: { "Accept" => "*/*", @@ -77,10 +89,18 @@ describe Api::OpenidConnect::ClientsController, type: :controller, suppress_csrf } ] }} + end + + it "should return a client id" do client_json = JSON.parse(response.body) expect(client_json["client_id"].length).to eq(32) expect(client_json["ppid"]).to eq(true) end + + it "should retain the token endpoint authentication method" do + client_json = JSON.parse(response.body) + expect(client_json["token_endpoint_auth_method"]).to eq("private_key_jwt") + end end context "when valid parameters with jwks_uri is passed" do
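Review bot: The added examples never register with an explicitly requested method other than `private_key_jwt`, so nothing shows that a client asking for `client_secret_basic` (the spec default) keeps it rather than being overwritten, nor what happens when a client asks for a method the server does not support, and the suite therefore does not demonstrate that the announced value and what the token endpoint accepts agree. The value the retention example expects is set by the `before` block whose request parameters start above this hunk, which also makes the example hard to read in isolation. Consider one example per explicitly requested method, asserting e.g. `expect(client_json["token_endpoint_auth_method"]).to eq("client_secret_basic")`, plus a negative example asserting the response status for an unsupported value such as `"none"`, if the controller is expected to reject it. The surrounding `describe "#create"` block starts above and continues past this hunk.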