refactor: disable "token" including response types defaults

BREAKING CHANGE: the default enabled response types now omit all that result in access tokens being issued by the authorization endpoint and delivered via a fragment. If you're upgrading just configure `responseTypes` to include the ones you need for legacy purposes.
panva · Jun 22, 2019 · 78e4ebb · 78e4ebb
1 parent 2a5e15d
commit 78e4ebb
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 12 deletions.
diff --git a/certification/configuration.js b/certification/configuration.js
@@ -105,6 +105,7 @@ module.exports = {
       },
     ],
   },
+  responseTypes: ['code id_token token', 'code id_token', 'code token', 'code', 'id_token token', 'id_token', 'none'],
   subjectTypes: ['public', 'pairwise'],
   pairwiseIdentifier(ctx, accountId, { sectorIdentifier }) {
     return crypto.createHash('sha256')

diff --git a/docs/README.md b/docs/README.md
@@ -2489,18 +2489,15 @@ async renderError(ctx, out, error) {
 
 ### responseTypes
 
-Array of response_type values that OP supports   
+Array of response_type values that OP supports. The default omits all response types that result in access tokens being issued by the authorization endpoint directly as per [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1.2) You can still enable them if you need to.   
 
 
 
 _**default value**_:
 ```js
 [
-  'code id_token token',
   'code id_token',
-  'code token',
   'code',
-  'id_token token',
   'id_token',
   'none'
 ]

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -1274,7 +1274,10 @@ const DEFAULTS = {
   /*
    * responseTypes
    *
-   * description: Array of response_type values that OP supports
+   * description: Array of response_type values that OP supports. The default omits all response
+   * types that result in access tokens being issued by the authorization endpoint directly as per
+   * [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1.2)
+   * You can still enable them if you need to.
    *
    * example: Supported values list
    * These are values defined in [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#Authentication)
@@ -1289,11 +1292,8 @@ const DEFAULTS = {
    * ```
    */
   responseTypes: [
-    'code id_token token',
     'code id_token',
-    'code token',
     'code',
-    'id_token token',
     'id_token',
     'none',
   ],

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -406,16 +406,23 @@ describe('Client metadata validation', () => {
     mustBeArray(this.title);
     const responseTypes = ['code id_token token', 'code id_token', 'code token', 'code', 'id_token token', 'id_token', 'none'];
     responseTypes.forEach((value) => {
+      const grants = [];
+      if (value.includes('token')) {
+        grants.push('implicit');
+      }
+      if (value.includes('code')) {
+        grants.push('authorization_code');
+      }
       allows(this.title, [value], {
-        grant_types: ['implicit', 'authorization_code'],
-      });
+        grant_types: grants,
+      }, { responseTypes });
     });
     allows(this.title, responseTypes, {
       grant_types: ['implicit', 'authorization_code'],
-    });
+    }, { responseTypes });
     allows(this.title, ['token id_token'], { // mixed up order
       grant_types: ['implicit'],
-    }, undefined, (client) => {
+    }, { responseTypes }, (client) => {
       expect(client.metadata().response_types).to.eql(['id_token token']);
     });
 

diff --git a/test/default.config.js b/test/default.config.js
@@ -41,5 +41,14 @@ module.exports = {
     },
     keys: ['foo'],
   },
+  responseTypes: [
+    'code id_token token',
+    'code id_token',
+    'code token',
+    'code',
+    'id_token token',
+    'id_token',
+    'none',
+  ],
   whitelistedJWA: cloneDeep(JWA),
 };