feat: Authorization Server Issuer Identifier in Authorization Response

Enables `iss` authorization response parameter for responses without existing countermeasures against mix-up attacks. This is a draft feature implementation. See the configuration documentation in `features.issAuthResp`
panva · Jan 13, 2021 · 3f67ee9 · 3f67ee9
1 parent 5d440ca
commit 3f67ee9
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -41,6 +41,7 @@ The following draft specifications are implemented by oidc-provider.
 - [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - draft 05][jwt-at]
 - [JWT Response for OAuth Token Introspection - draft 09][jwt-introspection]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - draft 02][jarm]
+- [OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response][iss-auth-resp]
 - [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 01][dpop]
 - [OAuth 2.0 JWT Secured Authorization Request (JAR)][jar]
 - [OAuth 2.0 Pushed Authorization Requests - draft 03][par]
@@ -176,3 +177,4 @@ See the list of available emitted [event names](/docs/events.md) and their descr
 [support-sponsor]: https://github.com/sponsors/panva
 [par]: https://tools.ietf.org/html/draft-ietf-oauth-par-03
 [rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-01.html
+[iss-auth-resp]: https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00
diff --git a/docs/README.md b/docs/README.md
@@ -1110,6 +1110,20 @@ async function introspectionAllowedPolicy(ctx, client, token) {
 
 </details>
 
+### features.issAuthResp
+
+[draft-ietf-oauth-iss-auth-resp-00](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00) - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response  
+
+Enables `iss` authorization response parameter for responses without existing countermeasures against mix-up attacks.  
+
+
+_**default value**_:
+```js
+{
+  enabled: false
+}
+```
+
 ### features.jwtIntrospection
 
 [draft-ietf-oauth-jwt-introspection-response-09](https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-09) - JWT Response for OAuth Token Introspection  

diff --git a/lib/actions/authorization/respond.js b/lib/actions/authorization/respond.js
@@ -25,6 +25,10 @@ module.exports = async function respond(ctx, next) {
     out.session_state = processSessionState(ctx, params.redirect_uri);
   }
 
+  if (instance(ctx.oidc.provider).configuration('features.issAuthResp.enabled')) {
+    out.iss = ctx.oidc.provider.issuer;
+  }
+
   ctx.oidc.provider.emit('authorization.success', ctx, out);
   debug('uid=%s %o', ctx.oidc.uid, out);
 

diff --git a/lib/actions/discovery.js b/lib/actions/discovery.js
@@ -22,6 +22,7 @@ module.exports = function discovery(ctx, next) {
     issuer: ctx.oidc.issuer,
     jwks_uri: ctx.oidc.urlFor('jwks'),
     registration_endpoint: features.registration.enabled ? ctx.oidc.urlFor('registration') : undefined,
+    authorization_response_iss_parameter_supported: features.issAuthResp.enabled ? true : undefined,
     response_modes_supported: ['form_post', 'fragment', 'query'],
     response_types_supported: config.responseTypes,
     scopes_supported: [...config.scopes].concat([...config.dynamicScopes].map((s) => s[DYNAMIC_SCOPE_LABEL]).filter(Boolean)),

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -1594,6 +1594,16 @@ function getDefaults() {
          */
         scriptNonce: webMessageResponseModeScriptNonce,
       },
+
+      /*
+       * features.issAuthResp
+       *
+       * title: [draft-ietf-oauth-iss-auth-resp-00](https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00) - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
+       *
+       * description: Enables `iss` authorization response parameter for responses without
+       * existing countermeasures against mix-up attacks.
+       */
+      issAuthResp: { enabled: false },
     },
 
     /*

diff --git a/lib/helpers/features.js b/lib/helpers/features.js
@@ -82,6 +82,12 @@ const DRAFTS = new Map(Object.entries({
     url: 'https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00',
     version: [0, 'id-00', 'individual-draft-00'],
   },
+  issAuthResp: {
+    name: 'OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response - draft 00',
+    type: 'IETF OAuth Working Group draft',
+    url: 'https://tools.ietf.org/html/draft-ietf-oauth-iss-auth-resp-00',
+    version: ['draft-00'],
+  },
 }));
 
 module.exports = {