added missing headers check for 'inline' jwt_signing_profile

coupergateway · Nov 4, 2022 · 6aea25b · 6aea25b
1 parent c8d444d
commit 6aea25b
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/oauth2/client.go b/oauth2/client.go
@@ -128,6 +128,9 @@ func NewClient(grantType string, asConfig config.OAuth2AS, clientConfig config.O
 					return nil, err
 				}
 				headers = seetie.ValueToMap(v)
+				if _, exists := headers["alg"]; exists {
+					return nil, fmt.Errorf(`"alg" cannot be set via "headers"`)
+				}
 			}
 
 			tokenEndpoint, err := asConfig.GetTokenEndpoint()

diff --git a/server/http_oauth2_test.go b/server/http_oauth2_test.go
@@ -791,6 +791,30 @@ definitions {
 `,
 			"configuration error: be: client authentication key: read error: open ",
 		},
+		{
+			"alg header with client_secret_jwt",
+			`server {}
+definitions {
+  backend "be" {
+    oauth2 {
+      token_endpoint = "https://authorization.server/token"
+      client_id      = "my_client"
+      client_secret  = "my_client_secret"
+      grant_type     = "client_credentials"
+      token_endpoint_auth_method = "client_secret_jwt"
+      jwt_signing_profile {
+        signature_algorithm = "HS256"
+        ttl = "10s"
+        headers = {
+          alg = "some value"
+        }
+      }
+    }
+  }
+}
+`,
+			"configuration error: be: \"alg\" cannot be set via \"headers\"",
+		},
 	} {
 		var errMsg string
 		conf, err := configload.LoadBytes([]byte(tc.hcl), "couper.hcl")