refactor!: CIBA and PAR do not automatically turn on JAR

BREAKING CHANGE: The combination of FAPI and CIBA features no longer forces CIBA clients to use JAR. To continue conforming to a given FAPI CIBA profile that requires the use of JAR either set `features.requestObjects.requireSignedRequestObject` to `true` as a global policy or set `require_signed_request_object` or `backchannel_authentication_request_signing_alg` client metadata. BREAKING CHANGE: PAR no longer automatically enables the support for JAR. To support PAR with JAR configure both `features.pushedAuthorizationRequests` and `features.requestObjects.request`. BREAKING CHANGE: CIBA no longer automatically enables the support for JAR. To support CIBA with JAR configure both `features.ciba` and `features.requestObjects.request`.
panva · Dec 1, 2022 · 089fa43 · 089fa43
1 parent 4272027
commit 089fa43
Show file tree

Hide file tree

Showing 13 changed files with 1,206 additions and 1,094 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -638,7 +638,7 @@ _**default value**_:
 
 [OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html)  
 
-Enables Core CIBA Flow, when combined with `features.fapi` enables [Financial-grade API: Client Initiated Backchannel Authentication Profile - Implementer's Draft 01](https://openid.net/specs/openid-financial-api-ciba-ID1.html) as well.   
+Enables Core CIBA Flow, when combined with `features.fapi` and `features.requestObjects.request` enables [Financial-grade API: Client Initiated Backchannel Authentication Profile - Implementer's Draft 01](https://openid.net/specs/openid-financial-api-ciba-ID1.html) as well.   
 
 
 

diff --git a/lib/actions/authorization/fetch_request_uri.js b/lib/actions/authorization/fetch_request_uri.js
@@ -1,6 +1,6 @@
 import { URL } from 'node:url';
 
-import { InvalidRequestUri } from '../../helpers/errors.js';
+import { InvalidRequestUri, RequestUriNotSupported } from '../../helpers/errors.js';
 import instance from '../../helpers/weak_cache.js';
 import { PUSHED_REQUEST_URN } from '../../consts/index.js';
 
@@ -15,11 +15,8 @@ const allowedSchemes = new Set(['http:', 'https:', 'urn:']);
  * uses the response body as a value for the request parameter to be validated by a downstream
  * middleware
  *
- *
- * @throws: invalid_request
  * @throws: invalid_request_uri
- * @throws: request_not_supported
- * @throws: request_uri_not_supported
+ * @throws: request_uri_not_allowed
  */
 export default async function fetchRequestUri(ctx, next) {
   const { pushedAuthorizationRequests, requestObjects } = instance(ctx.oidc.provider).configuration('features');
@@ -44,7 +41,7 @@ export default async function fetchRequestUri(ctx, next) {
     ) {
       loadedRequestObject = await loadPushedAuthorizationRequest(ctx);
     } else if (!loadedRequestObject && !requestObjects.requestUri) {
-      throw new InvalidRequestUri('only request_uri values from the pushed_authorization_request_endpoint are allowed');
+      throw new RequestUriNotSupported();
     } else if (!loadedRequestObject && ctx.oidc.client.requestUris) {
       if (!ctx.oidc.client.requestUriAllowed(params.request_uri)) {
         throw new InvalidRequestUri('provided request_uri is not allowed');

diff --git a/lib/actions/authorization/process_request_object.js b/lib/actions/authorization/process_request_object.js
@@ -28,7 +28,6 @@ export default async function processRequestObject(PARAM_LIST, rejectDupesMiddle
     && (
       client.requireSignedRequestObject
       || (client.backchannelAuthenticationRequestSigningAlg && isBackchannelAuthentication)
-      || (ctx.oidc.fapiProfile !== undefined && isBackchannelAuthentication)
     )
   ) {
     throw new InvalidRequest('Request Object must be used by this client');

diff --git a/lib/actions/authorization/reject_unsupported.js b/lib/actions/authorization/reject_unsupported.js
@@ -11,17 +11,13 @@ export default function rejectUnsupported(ctx, next) {
   const { requestObjects, pushedAuthorizationRequests } = instance(ctx.oidc.provider).configuration('features');
   const { params } = ctx.oidc;
 
-  if (
-    !requestObjects.request
-    && params.request !== undefined
-    && (ctx.oidc.route !== 'pushed_authorization_request' && ctx.oidc.route !== 'backchannel_authentication')
-  ) {
+  if (params.request !== undefined && !requestObjects.request) {
     throw new RequestNotSupported();
   }
 
   if (
-    (!requestObjects.requestUri && !pushedAuthorizationRequests.enabled)
-    && params.request_uri !== undefined
+    params.request_uri !== undefined
+    && !(requestObjects.requestUri || pushedAuthorizationRequests.enabled)
   ) {
     throw new RequestUriNotSupported();
   }

diff --git a/lib/actions/discovery.js b/lib/actions/discovery.js
@@ -37,10 +37,10 @@ export default function discovery(ctx, next) {
     ctx.body.require_pushed_authorization_requests = pushedAuthorizationRequests.requirePushedAuthorizationRequests ? true : undefined;
   }
 
-  if (requestObjects.request || requestObjects.requestUri || pushedAuthorizationRequests.enabled) {
+  ctx.body.request_parameter_supported = requestObjects.request;
+  ctx.body.request_uri_parameter_supported = requestObjects.requestUri;
+  if (requestObjects.request || requestObjects.requestUri) {
     ctx.body.request_object_signing_alg_values_supported = config.requestObjectSigningAlgValues;
-    ctx.body.request_parameter_supported = requestObjects.request;
-    ctx.body.request_uri_parameter_supported = requestObjects.requestUri;
     ctx.body.require_request_uri_registration = requestObjects.requestUri && requestObjects.requireUriRegistration ? true : undefined;
     ctx.body.require_signed_request_object = requestObjects.requireSignedRequestObject ? true : undefined;
   }
@@ -105,7 +105,7 @@ export default function discovery(ctx, next) {
       ctx.body.authorization_encryption_enc_values_supported = config.authorizationEncryptionEncValues;
     }
 
-    if (requestObjects.request || requestObjects.requestUri || pushedAuthorizationRequests.enabled) {
+    if (requestObjects.request || requestObjects.requestUri) {
       ctx.body.request_object_encryption_alg_values_supported = config.requestObjectEncryptionAlgValues;
       ctx.body.request_object_encryption_enc_values_supported = config.requestObjectEncryptionEncValues;
     }
@@ -124,7 +124,7 @@ export default function discovery(ctx, next) {
     ctx.body.backchannel_authentication_endpoint = ctx.oidc.urlFor('backchannel_authentication');
     ctx.body.backchannel_token_delivery_modes_supported = [...features.ciba.deliveryModes];
     ctx.body.backchannel_user_code_parameter_supported = true;
-    ctx.body.backchannel_authentication_request_signing_alg_values_supported = config.requestObjectSigningAlgValues.filter((alg) => !alg.startsWith('HS'));
+    ctx.body.backchannel_authentication_request_signing_alg_values_supported = requestObjects.request ? config.requestObjectSigningAlgValues.filter((alg) => !alg.startsWith('HS')) : undefined;
   }
 
   defaults(ctx.body, config.discovery);

diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -88,7 +88,6 @@ export default function getSchema(provider) {
   if (
     features.requestObjects.request
     || features.requestObjects.requestUri
-    || features.pushedAuthorizationRequests.enabled
   ) {
     RECOGNIZED_METADATA.push('request_object_signing_alg');
     RECOGNIZED_METADATA.push('require_signed_request_object');
@@ -141,7 +140,9 @@ export default function getSchema(provider) {
     RECOGNIZED_METADATA.push('backchannel_token_delivery_mode');
     RECOGNIZED_METADATA.push('backchannel_user_code_parameter');
     RECOGNIZED_METADATA.push('backchannel_client_notification_endpoint');
-    RECOGNIZED_METADATA.push('backchannel_authentication_request_signing_alg');
+    if (features.requestObjects.request) {
+      RECOGNIZED_METADATA.push('backchannel_authentication_request_signing_alg');
+    }
   }
 
   if (features.dPoP.enabled) {
@@ -597,11 +598,10 @@ export default function getSchema(provider) {
     }
 
     jarPolicy() {
-      const { features: { requestObjects, pushedAuthorizationRequests } } = configuration;
+      const { features: { requestObjects } } = configuration;
 
       const enabled = requestObjects.request
-        || requestObjects.requestUri
-        || pushedAuthorizationRequests.enabled;
+        || requestObjects.requestUri;
 
       if (enabled) {
         if (requestObjects.requireSignedRequestObject) {

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -921,7 +921,7 @@ function makeDefaults() {
        *
        * title: [OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html)
        *
-       * description: Enables Core CIBA Flow, when combined with `features.fapi` enables [Financial-grade API: Client Initiated Backchannel Authentication Profile - Implementer's Draft 01](https://openid.net/specs/openid-financial-api-ciba-ID1.html) as well.
+       * description: Enables Core CIBA Flow, when combined with `features.fapi` and `features.requestObjects.request` enables [Financial-grade API: Client Initiated Backchannel Authentication Profile - Implementer's Draft 01](https://openid.net/specs/openid-financial-api-ciba-ID1.html) as well.
        *
        */
       ciba: {