Skip to content

Commit

Permalink
Allow specifying more OIDC client metadata for dynamic registration (m…
Browse files Browse the repository at this point in the history 
…atrix-org#4070)
  • Loading branch information
@t3chguy
t3chguy authored Feb 16, 2024
1 parent 2cf7d81 commit fe46fec
Show file tree
Hide file tree
Showing 4 changed files with 77 additions and 29 deletions.
38 changes: 26 additions & 12 deletions spec/unit/oidc/register.spec.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,22 @@ limitations under the License.
import fetchMockJest from "fetch-mock-jest";

import { OidcError } from "../../../src/oidc/error";
import { registerOidcClient } from "../../../src/oidc/register";
import { OidcRegistrationClientMetadata, registerOidcClient } from "../../../src/oidc/register";

describe("registerOidcClient()", () => {
const issuer = "https://auth.com/";
const registrationEndpoint = "https://auth.com/register";
const clientName = "Element";
const baseUrl = "https://just.testing";
const metadata: OidcRegistrationClientMetadata = {
clientUri: baseUrl,
redirectUris: [baseUrl],
clientName,
applicationType: "web",
tosUri: "http://tos-uri",
policyUri: "http://policy-uri",
contacts: ["[email protected]"],
};
const dynamicClientId = "xyz789";

const delegatedAuthConfig = {
Expand All @@ -42,14 +51,19 @@ describe("registerOidcClient()", () => {
status: 200,
body: JSON.stringify({ client_id: dynamicClientId }),
});
expect(await registerOidcClient(delegatedAuthConfig, clientName, baseUrl)).toEqual(dynamicClientId);
expect(fetchMockJest).toHaveBeenCalledWith(registrationEndpoint, {
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
},
method: "POST",
body: JSON.stringify({
expect(await registerOidcClient(delegatedAuthConfig, metadata)).toEqual(dynamicClientId);
expect(fetchMockJest).toHaveBeenCalledWith(
registrationEndpoint,
expect.objectContaining({
headers: {
"Accept": "application/json",
"Content-Type": "application/json",
},
method: "POST",
}),
);
expect(JSON.parse(fetchMockJest.mock.calls[0][1]!.body as string)).toEqual(
expect.objectContaining({
client_name: clientName,
client_uri: baseUrl,
response_types: ["code"],
Expand All @@ -59,14 +73,14 @@ describe("registerOidcClient()", () => {
token_endpoint_auth_method: "none",
application_type: "web",
}),
});
);
});

it("should throw when registration request fails", async () => {
fetchMockJest.post(registrationEndpoint, {
status: 500,
});
await expect(() => registerOidcClient(delegatedAuthConfig, clientName, baseUrl)).rejects.toThrow(
await expect(() => registerOidcClient(delegatedAuthConfig, metadata)).rejects.toThrow(
OidcError.DynamicRegistrationFailed,
);
});
Expand All @@ -77,7 +91,7 @@ describe("registerOidcClient()", () => {
// no clientId in response
body: "{}",
});
await expect(() => registerOidcClient(delegatedAuthConfig, clientName, baseUrl)).rejects.toThrow(
await expect(() => registerOidcClient(delegatedAuthConfig, metadata)).rejects.toThrow(
OidcError.DynamicRegistrationInvalid,
);
});
Expand Down
17 changes: 17 additions & 0 deletions src/@types/common.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
/*
Copyright 2024 The Matrix.org Foundation C.I.C.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

export type NonEmptyArray<T> = [T, ...T[]];
1 change: 1 addition & 0 deletions src/matrix.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ export * from "./crypto/store/localStorage-crypto-store";
export * from "./crypto/store/indexeddb-crypto-store";
export type { OutgoingRoomKeyRequest } from "./crypto/store/base";
export * from "./content-repo";
export * from "./@types/common";
export * from "./@types/uia";
export * from "./@types/event";
export * from "./@types/PushRules";
Expand Down
50 changes: 33 additions & 17 deletions src/oidc/register.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,16 +19,37 @@ import { OidcError } from "./error";
import { Method } from "../http-api";
import { logger } from "../logger";
import { ValidatedIssuerConfig } from "./validate";
import { NonEmptyArray } from "../@types/common";

/**
* Client metadata passed to registration endpoint
*/
export type OidcRegistrationClientMetadata = {
clientName: string;
clientUri: string;
redirectUris: string[];
clientName: OidcRegistrationRequestBody["client_name"];
clientUri: OidcRegistrationRequestBody["client_uri"];
logoUri?: OidcRegistrationRequestBody["logo_uri"];
applicationType: OidcRegistrationRequestBody["application_type"];
redirectUris: OidcRegistrationRequestBody["redirect_uris"];
contacts: OidcRegistrationRequestBody["contacts"];
tosUri: OidcRegistrationRequestBody["tos_uri"];
policyUri: OidcRegistrationRequestBody["policy_uri"];
};

interface OidcRegistrationRequestBody {
client_name: string;
client_uri: string;
logo_uri?: string;
contacts: NonEmptyArray<string>;
tos_uri: string;
policy_uri: string;
redirect_uris?: NonEmptyArray<string>;
response_types?: NonEmptyArray<string>;
grant_types?: NonEmptyArray<string>;
id_token_signed_response_alg: string;
token_endpoint_auth_method: string;
application_type: "web" | "native";
}

/**
* Make the client registration request
* @param registrationEndpoint - URL as returned from issuer ./well-known/openid-configuration
Expand All @@ -42,15 +63,19 @@ const doRegistration = async (
clientMetadata: OidcRegistrationClientMetadata,
): Promise<string> => {
// https://openid.net/specs/openid-connect-registration-1_0.html
const metadata = {
const metadata: OidcRegistrationRequestBody = {
client_name: clientMetadata.clientName,
client_uri: clientMetadata.clientUri,
response_types: ["code"],
grant_types: ["authorization_code", "refresh_token"],
redirect_uris: clientMetadata.redirectUris,
id_token_signed_response_alg: "RS256",
token_endpoint_auth_method: "none",
application_type: "web",
application_type: clientMetadata.applicationType,
logo_uri: clientMetadata.logoUri,
contacts: clientMetadata.contacts,
policy_uri: clientMetadata.policyUri,
tos_uri: clientMetadata.tosUri,
};
const headers = {
"Accept": "application/json",
Expand Down Expand Up @@ -88,25 +113,16 @@ const doRegistration = async (
/**
* Attempts dynamic registration against the configured registration endpoint
* @param delegatedAuthConfig - Auth config from ValidatedServerConfig
* @param clientName - Client name to register with the OP, eg 'Element'
* @param baseUrl - URL of the home page of the Client, eg 'https://app.element.io/'
* @param clientMetadata - The metadata for the client which to register
* @returns Promise<string> resolved with registered clientId
* @throws when registration is not supported, on failed request or invalid response
*/
export const registerOidcClient = async (
delegatedAuthConfig: IDelegatedAuthConfig & ValidatedIssuerConfig,
clientName: string,
baseUrl: string,
clientMetadata: OidcRegistrationClientMetadata,
): Promise<string> => {
const clientMetadata = {
clientName,
clientUri: baseUrl,
redirectUris: [baseUrl],
};
if (!delegatedAuthConfig.registrationEndpoint) {
throw new Error(OidcError.DynamicRegistrationNotSupported);
}
const clientId = await doRegistration(delegatedAuthConfig.registrationEndpoint, clientMetadata);

return clientId;
return doRegistration(delegatedAuthConfig.registrationEndpoint, clientMetadata);
};

0 comments on commit fe46fec

Please sign in to comment.