diff --git a/certification/configuration.js b/certification/configuration.js
index dd0eedfe2..2f1c45dd7 100644
--- a/certification/configuration.js
+++ b/certification/configuration.js
@@ -105,6 +105,7 @@ module.exports = {
 },
 ],
 },
+ responseTypes: ['code id_token token', 'code id_token', 'code token', 'code', 'id_token token', 'id_token', 'none'],
 subjectTypes: ['public', 'pairwise'],
 pairwiseIdentifier(ctx, accountId, { sectorIdentifier }) {
 return crypto.createHash('sha256')
diff --git a/docs/README.md b/docs/README.md
index c37d08f53..fa33858a9 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -2489,18 +2489,15 @@ async renderError(ctx, out, error) {
 ### responseTypes
-Array of response_type values that OP supports
+Array of response_type values that OP supports. The default omits all response types that result in access tokens being issued by the authorization endpoint directly as per [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1.2) You can still enable them if you need to.
 _**default value**_:
 ```js
 [
- 'code id_token token',
 'code id_token',
- 'code token',
 'code',
- 'id_token token',
 'id_token',
 'none'
 ]
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
index 9c772b8a3..f5447809a 100644
--- a/lib/helpers/defaults.js
+++ b/lib/helpers/defaults.js
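Review bot: The added `responseTypes` line in certification/configuration.js restores the three response types the new library default drops (`'code id_token token'`, `'code token'`, `'id_token token'`), which re-enables access tokens being issued straight from the authorization endpoint for this deployment, yet nothing in the file says why, so a later reader will assume the certification config simply missed the change. I would put `// full list incl. implicit/hybrid response types, which the library default now omits per the OAuth Security BCP; presumably kept because the conformance profiles exercise them` above it, and the same comment on the identical list added to test/default.config.js in the last hunk. Writing the list one value per line, as the other two files do, would also make future diffs against the default easier to read. The enclosing `module.exports` object starts and ends outside the hunk.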
@@ -1274,7 +1274,10 @@ const DEFAULTS = {
 /*
 * responseTypes
 *
- * description: Array of response_type values that OP supports
+ * description: Array of response_type values that OP supports. The default omits all response
+ * types that result in access tokens being issued by the authorization endpoint directly as per
+ * [OAuth 2.0 Security Best Current Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1.2)
+ * You can still enable them if you need to.
 *
 * example: Supported values list
 * These are values defined in [Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#Authentication)
@@ -1289,11 +1292,8 @@ const DEFAULTS = {
 * ```
 */
 responseTypes: [
- 'code id_token token',
 'code id_token',
- 'code token',
 'code',
- 'id_token token',
 'id_token',
 'none',
 ],
diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
index 13280536a..79a3a289f 100644
--- a/test/configuration/client_metadata.test.js
+++ b/test/configuration/client_metadata.test.js
@@ -406,16 +406,23 @@ describe('Client metadata validation', () => {
 mustBeArray(this.title);
 const responseTypes = ['code id_token token', 'code id_token', 'code token', 'code', 'id_token token', 'id_token', 'none'];
 responseTypes.forEach((value) => {
+ const grants = [];
+ if (value.includes('token')) {
+ grants.push('implicit');
+ }
+ if (value.includes('code')) {
+ grants.push('authorization_code');
+ }
 allows(this.title, [value], {
- grant_types: ['implicit', 'authorization_code'],
- });
+ grant_types: grants,
+ }, { responseTypes });
 });
 allows(this.title, responseTypes, {
 grant_types: ['implicit', 'authorization_code'],
- });
+ }, { responseTypes });
 allows(this.title, ['token id_token'], { // mixed up order
 grant_types: ['implicit'],
- }, undefined, (client) => {
+ }, { responseTypes }, (client) => {
 expect(client.metadata().response_types).to.eql(['id_token token']);
 });
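Review bot: The new description in the first defaults.js hunk says what the default omits but never names the three values dropped, so an operator reading the option docs cannot tell which registered clients are affected without scrolling to the array in the second hunk, where they turn out to be `'code id_token token'`, `'code token'` and `'id_token token'`; clients registered with those response_types will presumably be rejected after upgrading unless the option is set. I would add a line to the description such as `* Removed from the default: 'code id_token token', 'code token' and 'id_token token'; list them here again if a client still requires the implicit or hybrid flow.` The added line ending with the link also has no period before `You can still enable them`, so the two sentences run together in the generated README (the same text appears in the docs/README.md hunk). Both hunks sit inside the DEFAULTS object, whose start and end are outside the hunk.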
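Review bot: `value.includes('token')` in the forEach of client_metadata.test.js only gives `'id_token'` and `'code id_token'` the `implicit` grant because the string `'id_token'` happens to contain `token`; the outcome matches what Core 1.0 requires, but the rule is invisible and a substring match on response_type tokens is easy to break. I would make the mapping explicit, e.g. `const parts = value.split(' ');` followed by `if (parts.includes('token') || parts.includes('id_token')) { grants.push('implicit'); }`, or at least add `// both 'token' and 'id_token' require the implicit grant; 'code' requires authorization_code` above the checks. Note also that `'none'` matches neither check, so that iteration registers a client with `grant_types: []`; if the validator substitutes a default for an empty array, this case may not exercise what the test title suggests, which is worth confirming. The enclosing test block starts outside the hunk.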
diff --git a/test/default.config.js b/test/default.config.js
index b7265d5d8..69b99ecc1 100644
--- a/test/default.config.js
+++ b/test/default.config.js
@@ -41,5 +41,14 @@ module.exports = {
 },
 keys: ['foo'],
 },
+ responseTypes: [
+ 'code id_token token',
+ 'code id_token',
+ 'code token',
+ 'code',
+ 'id_token token',
+ 'id_token',
+ 'none',
+ ],
 whitelistedJWA: cloneDeep(JWA),
 };