refactor(CIMD): filter unrecognized array members before validating

closes #1398

Author: panva

lib/helpers/add_client.js

@@ -1,13 +1,14 @@
+/* eslint-disable no-param-reassign */
 import sectorValidate from './sector_validate.js';
 
-export default async function add(provider, metadata, { ctx, store = false } = {}) {
-  const client = new provider.Client(metadata, ctx); // eslint-disable-line no-use-before-define
+export default async function add(provider, metadata, { ctx, store, cimd } = {}) {
+  const client = new provider.Client(metadata, ctx, { cimd });
 
   if (client.sectorIdentifierUri !== undefined) {
     await sectorValidate(provider, client);
   }
 
-  if (store) {
+  if (!cimd && store) {
     await provider.Client.adapter.upsert(client.clientId, client.metadata());
   }
   return client;

lib/helpers/client_id_metadata_document.js

@@ -102,7 +102,7 @@ export async function resolveClientByMetadataDocument(provider, id) {
   // Check cache
   const cached = entries.get(id);
   if (cached && cached.freshUntil > Date.now()) {
-    const client = await addClient(provider, cached.properties, { store: false });
+    const client = await addClient(provider, cached.properties, { cimd: true });
     Object.defineProperty(client, 'clientIdMetadataDocument', { value: true });
 
     if (!(await feature.allowClient(ctx, client))) {
@@ -180,7 +180,7 @@ export async function resolveClientByMetadataDocument(provider, id) {
   // Compute cache TTL
   const ttl = parseCacheDuration(response, feature.cacheDuration);
 
-  const client = await addClient(provider, properties, { store: false });
+  const client = await addClient(provider, properties, { cimd: true });
 
   Object.defineProperty(client, 'clientIdMetadataDocument', { value: true });
 

lib/helpers/client_schema.js

@@ -211,11 +211,16 @@ export default function getSchema(provider) {
   };
 
   class Schema {
+    #cimd = false;
+
     constructor(
       metadata,
       ctx,
       processCustomMetadata = !!configuration.extraClientMetadata.properties.length,
+      cimd = false,
     ) {
+      this.#cimd = cimd;
+
       if (processCustomMetadata) {
         this.#assign(metadata);
         this.processCustomMetadata(ctx);
@@ -557,7 +562,12 @@ export default function getSchema(provider) {
       }
 
       if (isAry && !this[prop].every((val) => only[method](val))) {
-        if (length) {
+        if (this.#cimd && length) {
+          this[prop] = this[prop].filter((val) => only[method](val));
+          if (!this[prop].length) {
+            this.invalidate(`${prop} has no values supported by this authorization server`);
+          }
+        } else if (length) {
           this.invalidate(`${prop} can only contain ${formatters.formatList([...only], { type: 'disjunction' })}`);
         } else {
           this.invalidate(`${prop} must be empty (no values are allowed)`);

lib/models/client.js

@@ -322,8 +322,8 @@ export default function getClient(provider) {
 
     static #adapter;
 
-    constructor(metadata, ctx) {
-      const schema = new Client.Schema(metadata, ctx);
+    constructor(metadata, ctx, { cimd } = {}) {
+      const schema = new Client.Schema(metadata, ctx, undefined, cimd);
 
       Object.assign(this, mapKeys(schema, (value, key) => {
         if (!instance(provider).RECOGNIZED_METADATA.includes(key)) {
@@ -551,7 +551,7 @@ export default function getClient(provider) {
         let client = dynamicClients.get(propHash);
 
         if (!client) {
-          client = await addClient(provider, properties, { store: false });
+          client = await addClient(provider, properties);
           dynamicClients.set(propHash, client);
         }
 

test/client_id_metadata_document/client_id_metadata_document.test.js

@@ -502,6 +502,142 @@ describe('Client ID Metadata Document', () => {
     });
   });
 
+  describe('unsupported metadata value filtering', () => {
+    it('filters unsupported grant_types and keeps supported ones', function () {
+      mock('https://filter-grants.example.com')
+        .intercept({ path: '/client' })
+        .reply(200, JSON.stringify({
+          client_id: 'https://filter-grants.example.com/client',
+          redirect_uris: ['https://filter-grants.example.com/cb'],
+          token_endpoint_auth_method: 'none',
+          grant_types: ['authorization_code', 'urn:ietf:params:oauth:grant-type:device_code'],
+        }), {
+          headers: { 'content-type': 'application/json' },
+        });
+
+      return this.agent.get('/auth')
+        .query({
+          client_id: 'https://filter-grants.example.com/client',
+          redirect_uri: 'https://filter-grants.example.com/cb',
+          response_type: 'code',
+          scope: 'openid',
+        })
+        .expect(303)
+        .expect((response) => {
+          const location = new URL(response.headers.location, this.provider.issuer);
+          expect(location.pathname).to.match(/\/interaction\//);
+        });
+    });
+
+    it('rejects when all grant_types are unsupported', function () {
+      mock('https://no-grants.example.com')
+        .intercept({ path: '/client' })
+        .reply(200, JSON.stringify({
+          client_id: 'https://no-grants.example.com/client',
+          redirect_uris: ['https://no-grants.example.com/cb'],
+          token_endpoint_auth_method: 'none',
+          grant_types: ['urn:ietf:params:oauth:grant-type:device_code'],
+        }), {
+          headers: { 'content-type': 'application/json' },
+        });
+
+      return this.agent.get('/auth')
+        .query({
+          client_id: 'https://no-grants.example.com/client',
+          redirect_uri: 'https://no-grants.example.com/cb',
+          response_type: 'code',
+          scope: 'openid',
+        })
+        .expect(400)
+        .expect((response) => {
+          expect(response.text).to.contain('invalid_client_metadata');
+        });
+    });
+
+    it('filters unsupported response_types and keeps supported ones', function () {
+      mock('https://filter-rt.example.com')
+        .intercept({ path: '/client' })
+        .reply(200, JSON.stringify({
+          client_id: 'https://filter-rt.example.com/client',
+          redirect_uris: ['https://filter-rt.example.com/cb'],
+          token_endpoint_auth_method: 'none',
+          grant_types: ['authorization_code'],
+          response_types: ['code', 'code token id_token unsupported'],
+        }), {
+          headers: { 'content-type': 'application/json' },
+        });
+
+      return this.agent.get('/auth')
+        .query({
+          client_id: 'https://filter-rt.example.com/client',
+          redirect_uri: 'https://filter-rt.example.com/cb',
+          response_type: 'code',
+          scope: 'openid',
+        })
+        .expect(303)
+        .expect((response) => {
+          const location = new URL(response.headers.location, this.provider.issuer);
+          expect(location.pathname).to.match(/\/interaction\//);
+        });
+    });
+
+    it('filters unsupported response_modes and keeps supported ones', function () {
+      mock('https://filter-rm.example.com')
+        .intercept({ path: '/client' })
+        .reply(200, JSON.stringify({
+          client_id: 'https://filter-rm.example.com/client',
+          redirect_uris: ['https://filter-rm.example.com/cb'],
+          token_endpoint_auth_method: 'none',
+          response_modes: ['query', 'unsupported_mode'],
+        }), {
+          headers: { 'content-type': 'application/json' },
+        });
+
+      return this.agent.get('/auth')
+        .query({
+          client_id: 'https://filter-rm.example.com/client',
+          redirect_uri: 'https://filter-rm.example.com/cb',
+          response_type: 'code',
+          scope: 'openid',
+        })
+        .expect(303)
+        .expect((response) => {
+          const location = new URL(response.headers.location, this.provider.issuer);
+          expect(location.pathname).to.match(/\/interaction\//);
+        });
+    });
+
+    it('post-enum consistency validation still applies to filtered values', function () {
+      mock('https://consistency.example.com')
+        .intercept({ path: '/client' })
+        .reply(200, JSON.stringify({
+          client_id: 'https://consistency.example.com/client',
+          redirect_uris: ['https://consistency.example.com/cb'],
+          token_endpoint_auth_method: 'none',
+          grant_types: ['urn:ietf:params:oauth:grant-type:device_code', 'implicit'],
+          response_types: ['id_token'],
+        }), {
+          headers: { 'content-type': 'application/json' },
+        });
+
+      // implicit is supported but device_code is not
+      // after filtering grant_types becomes ['implicit'], response_types ['id_token'] is ok
+      return this.agent.get('/auth')
+        .query({
+          client_id: 'https://consistency.example.com/client',
+          redirect_uri: 'https://consistency.example.com/cb',
+          response_type: 'id_token',
+          scope: 'openid',
+          nonce: 'nonce',
+        })
+        .expect(303)
+        .expect((response) => {
+          const location = new URL(response.headers.location, this.provider.issuer);
+          expect(location.pathname).to.match(/\/interaction\//);
+        });
+    });
+  });
+
   describe('allowFetch hook', () => {
     it('rejects when allowFetch returns false', async function () {
       const { features } = i(this.provider); // eslint-disable-line no-undef