Return a default token_endpoint_auth_method when the client gives none in its OpenID Connect registration request

Since we announce it in the supported metadata, some clients expect to be told what to use and don't fall back to the spec standard of
client_secret_basic on their own.
This commit is contained in:
Jonne Haß 2020-01-24 11:02:02 +01:00
parent 500763294d
commit 0935451cd8
2 changed files with 25 additions and 4 deletions


@ -46,7 +46,8 @@ module Api
def as_json(opts={}) def as_json(opts={})
data = super data = super
data[:client_secret_expires_at] = 0 data["client_secret_expires_at"] = 0
data["token_endpoint_auth_method"] ||= "client_secret_post"
data data
end end
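Review bot: The default written at `data["token_endpoint_auth_method"] ||= "client_secret_post"` is not the spec default the commit message itself names (client_secret_basic), and nothing on the line records why; add `# Clients that omit this get client_secret_post rather than the spec default client_secret_basic, matching the method we advertise in the discovery metadata` above it. The `||=` only fills the serialized response: if the persisted client record keeps the field empty — not visible in this hunk — the token endpoint has to apply the same default, otherwise registration advertises a method that client authentication does not actually enforce. The symbol-to-string key change on the previous line suggests `super` returns string keys; if any caller sets the symbol key instead, `||=` on the string key would add a second, conflicting entry to the response, which the jwks spec case expecting private_key_jwt to be retained should catch. The class enclosing as_json starts outside the hunk.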


@ -3,7 +3,7 @@
describe Api::OpenidConnect::ClientsController, type: :controller, suppress_csrf_verification: :none do describe Api::OpenidConnect::ClientsController, type: :controller, suppress_csrf_verification: :none do
describe "#create" do describe "#create" do
context "when valid parameters are passed" do context "when valid parameters are passed" do
it "should return a client id" do before do
stub_request(:get, "http://example.com/uris") stub_request(:get, "http://example.com/uris")
.with(headers: { .with(headers: {
"Accept" => "*/*", "Accept" => "*/*",
@ -15,15 +15,27 @@ describe Api::OpenidConnect::ClientsController, type: :controller, suppress_csrf
response_types: [], grant_types: [], application_type: "web", contacts: [], response_types: [], grant_types: [], application_type: "web", contacts: [],
logo_uri: "http://example.com/logo.png", client_uri: "http://example.com/client", logo_uri: "http://example.com/logo.png", client_uri: "http://example.com/client",
policy_uri: "http://example.com/policy", tos_uri: "http://example.com/tos", policy_uri: "http://example.com/policy", tos_uri: "http://example.com/tos",
sector_identifier_uri: "http://example.com/uris", subject_type: "pairwise"} sector_identifier_uri: "http://example.com/uris", subject_type: "pairwise"} end
it "should return a client id" do
client_json = JSON.parse(response.body) client_json = JSON.parse(response.body)
expect(client_json["client_id"].length).to eq(32) expect(client_json["client_id"].length).to eq(32)
expect(client_json["ppid"]).to eq(true) expect(client_json["ppid"]).to eq(true)
end end
it "should return a client secret expiration time" do
client_json = JSON.parse(response.body)
expect(client_json["client_secret_expires_at"]).to eq(0)
end
it "should return a default token endpoint authentication method" do
client_json = JSON.parse(response.body)
expect(client_json["token_endpoint_auth_method"]).to eq("client_secret_post")
end
end end
context "when valid parameters with jwks is passed" do context "when valid parameters with jwks is passed" do
it "should return a client id" do before do
stub_request(:get, "http://example.com/uris") stub_request(:get, "http://example.com/uris")
.with(headers: { .with(headers: {
"Accept" => "*/*", "Accept" => "*/*",
@ -77,10 +89,18 @@ describe Api::OpenidConnect::ClientsController, type: :controller, suppress_csrf
} }
] ]
}} }}
end
it "should return a client id" do
client_json = JSON.parse(response.body) client_json = JSON.parse(response.body)
expect(client_json["client_id"].length).to eq(32) expect(client_json["client_id"].length).to eq(32)
expect(client_json["ppid"]).to eq(true) expect(client_json["ppid"]).to eq(true)
end end
it "should retain the token endpoint authentication method" do
client_json = JSON.parse(response.body)
expect(client_json["token_endpoint_auth_method"]).to eq("private_key_jwt")
end
end end
context "when valid parameters with jwks_uri is passed" do context "when valid parameters with jwks_uri is passed" do