erlef · maennchen · Dec 18, 2023 · Dec 17, 2023 · Dec 17, 2023 · Dec 18, 2023
diff --git a/src/oidcc_auth_util.erl b/src/oidcc_auth_util.erl
@@ -48,7 +48,9 @@ add_client_authentication(
     case select_preferred_auth(PreferredAuthMethods, SupportedAuthMethods) of
         {ok, AuthMethod} ->
             case
-                add_authentication(QueryList0, Header0, AuthMethod, AllowAlgorithms, ClientContext)
+                add_authentication(
+                    QueryList0, Header0, AuthMethod, AllowAlgorithms, Opts, ClientContext
+                )
             of
                 {ok, {QueryList, Header}} ->
                     {ok, {QueryList, Header}};
@@ -71,6 +73,7 @@ add_client_authentication(
     Header,
     AuthMethod,
     AllowAlgorithms,
+    Opts,
     ClientContext
 ) ->
     {ok, {oidcc_http_util:query_params(), [oidcc_http_util:http_header()]}}
@@ -80,12 +83,14 @@ when
     Header :: [oidcc_http_util:http_header()],
     AuthMethod :: auth_method(),
     AllowAlgorithms :: [binary()] | undefined,
+    Opts :: map(),
     ClientContext :: oidcc_client_context:t().
 add_authentication(
     QsBodyList,
     Header,
     none,
     _AllowArgs,
+    _Opts,
     #oidcc_client_context{client_id = ClientId}
 ) ->
     NewBodyList = [{<<"client_id">>, ClientId} | QsBodyList],
@@ -95,6 +100,7 @@ add_authentication(
     _Header,
     _Method,
     _AllowAlgs,
+    _Opts,
     #oidcc_client_context{client_secret = unauthenticated}
 ) ->
     {error, auth_method_not_possible};
@@ -103,6 +109,7 @@ add_authentication(
     Header,
     client_secret_basic,
     _AllowAlgs,
+    _Opts,
     #oidcc_client_context{client_id = ClientId, client_secret = ClientSecret}
 ) ->
     NewHeader = [oidcc_http_util:basic_auth_header(ClientId, ClientSecret) | Header],
@@ -112,6 +119,7 @@ add_authentication(
     Header,
     client_secret_post,
     _AllowAlgs,
+    _Opts,
     #oidcc_client_context{client_id = ClientId, client_secret = ClientSecret}
 ) ->
     NewBodyList =
@@ -122,6 +130,7 @@ add_authentication(
     Header,
     client_secret_jwt,
     AllowAlgorithms,
+    Opts,
     ClientContext
 ) ->
     #oidcc_client_context{
@@ -139,6 +148,7 @@ add_authentication(
         {ok, ClientAssertion} ?=
             signed_client_assertion(
                 AllowAlgorithms,
+                Opts,
                 ClientContext,
                 OctJwk
             ),
@@ -152,6 +162,7 @@ add_authentication(
     Header,
     private_key_jwt,
     AllowAlgorithms,
+    Opts,
     ClientContext
 ) ->
     #oidcc_client_context{
@@ -162,7 +173,7 @@ add_authentication(
         [_ | _] ?= AllowAlgorithms,
         #jose_jwk{} ?= ClientJwks,
         {ok, ClientAssertion} ?=
-            signed_client_assertion(AllowAlgorithms, ClientContext, ClientJwks),
+            signed_client_assertion(AllowAlgorithms, Opts, ClientContext, ClientJwks),
         {ok, add_jwt_bearer_assertion(ClientAssertion, QsBodyList, Header, ClientContext)}
     else
         _ ->
@@ -186,23 +197,26 @@ select_preferred_auth(PreferredAuthMethods, AuthMethodsSupported) ->
             {error, no_supported_auth_method}
     end.
 
--spec signed_client_assertion(AllowAlgorithms, ClientContext, Jwk) ->
+-spec signed_client_assertion(AllowAlgorithms, Opts, ClientContext, Jwk) ->
     {ok, binary()} | {error, term()}
 when
     AllowAlgorithms :: [binary()],
     Jwk :: jose_jwk:key(),
+    Opts :: map(),
     ClientContext :: oidcc_client_context:t().
-signed_client_assertion(AllowAlgorithms, ClientContext, Jwk) ->
-    Jwt = jose_jwt:from(token_request_claims(ClientContext)),
+signed_client_assertion(AllowAlgorithms, Opts, ClientContext, Jwk) ->
+    Jwt = jose_jwt:from(token_request_claims(Opts, ClientContext)),
 
     oidcc_jwt_util:sign(Jwt, Jwk, AllowAlgorithms).
 
--spec token_request_claims(ClientContext) -> oidcc_jwt_util:claims() when
+-spec token_request_claims(Opts, ClientContext) -> oidcc_jwt_util:claims() when
+    Opts :: map(),
     ClientContext :: oidcc_client_context:t().
-token_request_claims(#oidcc_client_context{
+token_request_claims(Opts, #oidcc_client_context{
     client_id = ClientId,
     provider_configuration = #oidcc_provider_configuration{token_endpoint = TokenEndpoint}
 }) ->
+    Audience = maps:get(audience, Opts, TokenEndpoint),
     MaxClockSkew =
         case application:get_env(oidcc, max_clock_skew) of
             undefined -> 0;
@@ -212,7 +226,7 @@ token_request_claims(#oidcc_client_context{
     #{
         <<"iss">> => ClientId,
         <<"sub">> => ClientId,
-        <<"aud">> => TokenEndpoint,
+        <<"aud">> => Audience,
         <<"jti">> => random_string(32),
         <<"iat">> => os:system_time(seconds),
         <<"exp">> => os:system_time(seconds) + 30,

diff --git a/src/oidcc_authorization.erl b/src/oidcc_authorization.erl
@@ -42,7 +42,8 @@
 %%   <li>`url_extension' - add custom query parameters to the authorization url</li>
 %% </ul>
 
--type error() :: {grant_type_not_supported, authorization_code}.
+-type error() ::
+    {grant_type_not_supported, authorization_code} | par_required | oidcc_http_util:error().
 
 %% @doc
 %% Create Auth Redirect URL
@@ -78,18 +79,20 @@ create_redirect_url(#oidcc_client_context{} = ClientContext, Opts) ->
     } =
         ProviderConfiguration,
 
-    case lists:member(<<"authorization_code">>, GrantTypesSupported) of
-        true ->
-            QueryParams0 = redirect_params(ClientContext, Opts),
-            QueryParams = QueryParams0 ++ maps:get(url_extension, Opts, []),
-            QueryString = uri_string:compose_query(QueryParams),
-
-            {ok, [AuthEndpoint, <<"?">>, QueryString]};
+    maybe
+        true ?= lists:member(<<"authorization_code">>, GrantTypesSupported),
+        {ok, QueryParams0} ?= redirect_params(ClientContext, Opts),
+        QueryParams = QueryParams0 ++ maps:get(url_extension, Opts, []),
+        QueryString = uri_string:compose_query(QueryParams),
+        {ok, [AuthEndpoint, <<"?">>, QueryString]}
+    else
+        {error, Reason} ->
+            {error, Reason};
         false ->
             {error, {grant_type_not_supported, authorization_code}}
     end.
 
--spec redirect_params(ClientContext, Opts) -> oidcc_http_util:query_params() when
+-spec redirect_params(ClientContext, Opts) -> {ok, oidcc_http_util:query_params()} when
     ClientContext :: oidcc_client_context:t(),
     Opts :: opts().
 redirect_params(#oidcc_client_context{client_id = ClientId} = ClientContext, Opts) ->
@@ -107,7 +110,8 @@ redirect_params(#oidcc_client_context{client_id = ClientId} = ClientContext, Opt
     QueryParams4 = oidcc_scope:query_append_scope(
         maps:get(scopes, Opts, [openid]), QueryParams3
     ),
-    attempt_request_object(QueryParams4, ClientContext).
+    QueryParams5 = attempt_request_object(QueryParams4, ClientContext),
+    attempt_par(QueryParams5, ClientContext, Opts).
 
 -spec append_code_challenge(PkceVerifier, QueryParams, ClientContext) ->
     oidcc_http_util:query_params()
@@ -136,14 +140,14 @@ append_code_challenge(CodeVerifier, QueryParams, ClientContext) ->
                         mode => urlsafe, padding => false
                     }),
                     [
-                        {"code_challenge", CodeChallenge},
-                        {"code_challenge_method", <<"S256">>}
+                        {<<"code_challenge">>, CodeChallenge},
+                        {<<"code_challenge_method">>, <<"S256">>}
                         | QueryParams
                     ];
                 {false, true} ->
                     [
-                        {"code_challenge", CodeVerifier},
-                        {"code_challenge_method", <<"plain">>}
+                        {<<"code_challenge">>, CodeVerifier},
+                        {<<"code_challenge_method">>, <<"plain">>}
                         | QueryParams
                     ];
                 {false, false} ->
@@ -257,6 +261,81 @@ attempt_request_object(QueryParams, #oidcc_client_context{
             end
     end.
 
+-spec attempt_par(QueryParams, ClientContext, Opts) ->
+    {ok, QueryParams} | {error, error()}
+when
+    QueryParams :: oidcc_http_util:query_params(),
+    ClientContext :: oidcc_client_context:t(),
+    Opts :: opts().
+attempt_par(
+    _QueryParams,
+    #oidcc_client_context{
+        provider_configuration = #oidcc_provider_configuration{
+            require_pushed_authorization_requests = true,
+            pushed_authorization_request_endpoint = undefined
+        }
+    },
+    _Opts
+) ->
+    {error, par_required};
+attempt_par(
+    QueryParams,
+    #oidcc_client_context{
+        provider_configuration = #oidcc_provider_configuration{
+            pushed_authorization_request_endpoint = undefined
+        }
+    },
+    _Opts
+) ->
+    {ok, QueryParams};
+attempt_par(
+    QueryParams,
+    #oidcc_client_context{
+        client_id = ClientId,
+        provider_configuration =
+            #oidcc_provider_configuration{
+                issuer = Issuer,
+                token_endpoint_auth_methods_supported = SupportedAuthMethods,
+                token_endpoint_auth_signing_alg_values_supported = SigningAlgs,
+                pushed_authorization_request_endpoint = PushedAuthorizationRequestEndpoint
+            }
+    } = ClientContext,
+    Opts
+) ->
+    Header0 = [{"accept", "application/json"}],
+
+    TelemetryOpts = #{
+        topic => [oidcc, par_request], extra_meta => #{issuer => Issuer, client_id => ClientId}
+    },
+
+    RequestOpts = maps:get(request_opts, Opts, #{}),
+    %% https://datatracker.ietf.org/doc/html/rfc9126#section-2
+    %% > To address that ambiguity, the issuer identifier URL of the authorization
+    %% > server according to [RFC8414] SHOULD be used as the value of the audience.
+    AuthenticationOpts = #{audience => Issuer},
+
+    maybe
+        {ok, {Body, Header}} ?=
+            oidcc_auth_util:add_client_authentication(
+                QueryParams,
+                Header0,
+                SupportedAuthMethods,
+                SigningAlgs,
+                AuthenticationOpts,
+                ClientContext
+            ),
+        Request =
+            {PushedAuthorizationRequestEndpoint, Header, "application/x-www-form-urlencoded",
+                uri_string:compose_query(Body)},
+        {ok, {{json, ParResponse}, _Headers}} ?=
+            oidcc_http_util:request(post, Request, TelemetryOpts, RequestOpts),
+        #{<<"request_uri">> := ParRequestUri} ?= ParResponse,
+        {ok, [{<<"request_uri">>, ParRequestUri}, {<<"client_id">>, ClientId}]}
+    else
+        {error, Reason} -> {error, Reason};
+        #{} = JsonResponse -> {error, {http_error, 201, JsonResponse}}
+    end.
+
 -spec essential_params(QueryParams :: oidcc_http_util:query_params()) ->
     oidcc_http_util:query_params().
 essential_params(QueryParams) ->

diff --git a/test/oidcc_authorization_SUITE.erl b/test/oidcc_authorization_SUITE.erl
@@ -1,5 +1,8 @@
 -module(oidcc_authorization_SUITE).
 
+-include("oidcc_client_context.hrl").
+-include("oidcc_provider_configuration.hrl").
+
 -export([all/0]).
 -export([create_redirect_url_inl_gov/1]).
 
@@ -14,10 +17,15 @@ create_redirect_url_inl_gov(_Config) ->
             issuer => <<"https://identity-preview.inl.gov">>
         }),
 
-    {ok, ClientContext} = oidcc_client_context:from_configuration_worker(
+    {ok, #oidcc_client_context{provider_configuration = ProviderConfiguration} = ClientContext0} = oidcc_client_context:from_configuration_worker(
         InlGovPid, <<"client_id">>, <<"client_secret">>
     ),
-
+    %% we only want to test the URL generation, not the PAR request
+    ClientContext = ClientContext0#oidcc_client_context{
+        provider_configuration = ProviderConfiguration#oidcc_provider_configuration{
+            pushed_authorization_request_endpoint = undefined
+        }
+    },
     {ok, Url} = oidcc_authorization:create_redirect_url(ClientContext, #{
         redirect_uri => <<"https://my.server/return">>
     }),