Skip to content
This repository has been archived by the owner on Feb 25, 2019. It is now read-only.

Enforce client grant_types and response_types #217

Merged
merged 11 commits into from
Sep 3, 2015
Merged

Enforce client grant_types and response_types #217

merged 11 commits into from
Sep 3, 2015

Conversation

adalinesimonian
Copy link
Member

Fixes #95 #96

Breaking changes

Existing client registrations that did not follow the OIDC specification will now behave according to specification. Clients must now be explicitly registered with the sets of response_type and grant_type values that they will use.

For example, a client that intends to use the implicit flow must have token id_token or id_token token defined on its response_types claim and implicit on its grant_types claim in order to work.

Existing clients without a defined response_types claim will act as though their only supported response_type values are code. Clients using other response types must have their registration data updated using nv update client [id] [json] or otherwise.

Summary

  • New: Validates and enforces response_types and grant_types
  • New: Allows supported response types to be configured
  • New: Added tests
  • Fix: Response type sets are validated in any order, e.g. code id_token is equivalent to id_token code
  • Fix: Whitespace around response types and response modes no longer breaks validation
  • Fix: Running the server in development without NODE_ENV set no longer validates client metadata with production logic

@adalinesimonian
feat(Client): Require and provide default for grant_type
acfe1ee 
The OpenID Connect specification makes it clear that this property is optional, and does not need to be specified in order to register a client. However, it provides a desired default value and behaviour.

Marking this property as required in the schema and providing a default value effectively makes it optional, as the default value is used whenever a desired value is not explicitly specified. This falls in line with the defined behaviour in the specification.
@adalinesimonian
feat(Client): Require and provide default for response_types
8136ad6 
The OpenID Connect specification makes it clear that this property is optional, and does not need to be specified in order to register a client. However, it provides a desired default value and behaviour.

Marking this property as required in the schema and providing a default value effectively makes it optional, as the default value is used whenever a desired value is not explicitly specified. This falls in line with the defined behaviour in the specification.
@adalinesimonian
feat(Client): Validate response_types against grant_types
9846da6 
Validates that clients have the appropriate grant_types defined for their desired response_types per the Client Metadata section in the OpenID Connect Registration 1.0 specification

http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
@adalinesimonian
fix: Validate response_types regardless of order
75b6e8d
@adalinesimonian
test(Client): Test response_type validation
9d4f834
@adalinesimonian
fix: Trim leading and trailing whitespace in response_type and respon…
d951c28 
…se_mode
@adalinesimonian
feat: Check that requested response types are allowed in settings
a0a7350
@adalinesimonian
feat(verifyClient): Enforce response_types (#95)
f4ebf52
@adalinesimonian
fix(Client): Equate undefined NODE_ENV to development environment
76d0937 
Makes behaviour consistent with the rest of Anvil Connect, where the lack of a NODE_ENV environment variable value denotes that the server is in a development environment.
@adalinesimonian
Merge branch 'vsimonian-fix-unverified-redirects' into vsimonian-enfo…
0271fe3 
…rce-grant_types-response_types
@adalinesimonian
refactor: consolidate response_type verification logic
8dc37bc
@christiansmith
Copy link
Member

Reviewed.

christiansmith added a commit that referenced this pull request Sep 3, 2015
@christiansmith
Merge pull request #217 from anvilresearch/vsimonian-enforce-grant_ty…
36ea8b2 
…pes-response_types

Enforce client grant_types and response_types
@christiansmith christiansmith merged commit 36ea8b2 into master Sep 3, 2015
@adalinesimonian adalinesimonian deleted the vsimonian-enforce-grant_types-response_types branch September 3, 2015 19:59
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adalinesimonian @christiansmith