Sort client registration metadata fields before hashing

Author: sandhose

crates/handlers/src/oauth2/registration.rs

@@ -206,6 +206,9 @@ pub(crate) async fn post(
     // Propagate any JSON extraction error
     let Json(body) = body?;
 
+    // Sort the properties to ensure a stable serialisation order for hashing
+    let body = body.sorted();
+
     // We need to serialize the body to compute the hash, and to log it
     let body_json = serde_json::to_string(&body)?;
 
@@ -529,9 +532,13 @@ mod tests {
         let request =
             Request::post(mas_router::OAuth2RegistrationEndpoint::PATH).json(serde_json::json!({
                 "client_uri": "https://example.com/",
-                "redirect_uris": ["https://example.com/"],
+                "client_name": "Example",
+                "client_name#en": "Example",
+                "client_name#fr": "Exemple",
+                "client_name#de": "Beispiel",
+                "redirect_uris": ["https://example.com/", "https://example.com/callback"],
                 "response_types": ["code"],
-                "grant_types": ["authorization_code"],
+                "grant_types": ["authorization_code", "urn:ietf:params:oauth:grant-type:device_code"],
                 "token_endpoint_auth_method": "none",
             }));
 
@@ -545,6 +552,25 @@ mod tests {
         let response: ClientRegistrationResponse = response.json();
         assert_eq!(response.client_id, client_id);
 
+        // Check that the order of some properties doesn't matter
+        let request =
+            Request::post(mas_router::OAuth2RegistrationEndpoint::PATH).json(serde_json::json!({
+                "client_uri": "https://example.com/",
+                "client_name": "Example",
+                "client_name#de": "Beispiel",
+                "client_name#fr": "Exemple",
+                "client_name#en": "Example",
+                "redirect_uris": ["https://example.com/callback", "https://example.com/"],
+                "response_types": ["code"],
+                "grant_types": ["urn:ietf:params:oauth:grant-type:device_code", "authorization_code"],
+                "token_endpoint_auth_method": "none",
+            }));
+
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::CREATED);
+        let response: ClientRegistrationResponse = response.json();
+        assert_eq!(response.client_id, client_id);
+
         // Doing that with a client that has a client_secret should not deduplicate
         let request =
             Request::post(mas_router::OAuth2RegistrationEndpoint::PATH).json(serde_json::json!({

crates/oauth2-types/src/registration/client_metadata_serde.rs

@@ -80,6 +80,13 @@ impl<T> Localized<T> {
             localized,
         }))
     }
+
+    /// Sort the localized keys. This is inteded to ensure a stable
+    /// serialization order when needed.
+    pub(super) fn sort(&mut self) {
+        self.localized
+            .sort_unstable_by(|k1, _v1, k2, _v2| k1.as_str().cmp(k2.as_str()));
+    }
 }
 
 #[serde_as]

crates/oauth2-types/src/registration/mod.rs

@@ -564,6 +564,51 @@ impl ClientMetadata {
         Ok(VerifiedClientMetadata { inner: self })
     }
 
+    /// Sort the properties. This is inteded to ensure a stable serialization
+    /// order when needed.
+    #[must_use]
+    pub fn sorted(mut self) -> Self {
+        // This sorts all the Vec<T> and Localized<T> fields
+        if let Some(redirect_uris) = &mut self.redirect_uris {
+            redirect_uris.sort();
+        }
+        if let Some(response_types) = &mut self.response_types {
+            response_types.sort();
+        }
+        if let Some(grant_types) = &mut self.grant_types {
+            grant_types.sort();
+        }
+        if let Some(contacts) = &mut self.contacts {
+            contacts.sort();
+        }
+        if let Some(client_name) = &mut self.client_name {
+            client_name.sort();
+        }
+        if let Some(logo_uri) = &mut self.logo_uri {
+            logo_uri.sort();
+        }
+        if let Some(client_uri) = &mut self.client_uri {
+            client_uri.sort();
+        }
+        if let Some(policy_uri) = &mut self.policy_uri {
+            policy_uri.sort();
+        }
+        if let Some(tos_uri) = &mut self.tos_uri {
+            tos_uri.sort();
+        }
+        if let Some(default_acr_values) = &mut self.default_acr_values {
+            default_acr_values.sort();
+        }
+        if let Some(request_uris) = &mut self.request_uris {
+            request_uris.sort();
+        }
+        if let Some(post_logout_redirect_uris) = &mut self.post_logout_redirect_uris {
+            post_logout_redirect_uris.sort();
+        }
+
+        self
+    }
+
     /// Array of the [OAuth 2.0 `response_type` values] that the client can use
     /// at the [authorization endpoint].
     ///

crates/oauth2-types/src/response_type.rs

@@ -78,7 +78,7 @@ impl core::str::FromStr for ResponseTypeToken {
 ///
 /// [OAuth 2.0 `response_type` value]: https://www.rfc-editor.org/rfc/rfc7591#page-9
 /// [authorization endpoint]: https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1
-#[derive(Debug, Clone, PartialEq, Eq, SerializeDisplay, DeserializeFromStr)]
+#[derive(Debug, Clone, PartialEq, Eq, SerializeDisplay, DeserializeFromStr, PartialOrd, Ord)]
 pub struct ResponseType(BTreeSet<ResponseTypeToken>);
 
 impl std::ops::Deref for ResponseType {