Address comments

MatMaul · MatMaul · commit c5ca1492e23f · 2024-12-16T13:47:22.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/config/src/sections/upstream_oauth2.rs b/crates/config/src/sections/upstream_oauth2.rs
@@ -399,13 +399,23 @@ fn is_default_true(value: &bool) -> bool {
 }
 
 #[allow(clippy::ref_option)]
-fn is_signed_response_alg_default(signed_response_alg: &Option<JsonWebSignatureAlg>) -> bool {
+fn is_signed_response_alg_default(signed_response_alg: &JsonWebSignatureAlg) -> bool {
     *signed_response_alg == signed_response_alg_default()
 }
 
+#[allow(clippy::ref_option)]
+fn is_optional_signed_response_alg_default(optional_signed_response_alg: &Option<JsonWebSignatureAlg>) -> bool {
+    *optional_signed_response_alg == optional_signed_response_alg_default()
+}
+
 #[allow(clippy::unnecessary_wraps)]
-fn signed_response_alg_default() -> Option<JsonWebSignatureAlg> {
-    Some(JsonWebSignatureAlg::Rs256)
+fn signed_response_alg_default() -> JsonWebSignatureAlg {
+    JsonWebSignatureAlg::Rs256
+}
+
+#[allow(clippy::unnecessary_wraps)]
+fn optional_signed_response_alg_default() -> Option<JsonWebSignatureAlg> {
+    Some(signed_response_alg_default())
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
@@ -485,13 +495,12 @@ pub struct Provider {
     /// Expected signature for the JWT payload returned by the token
     /// authentication endpoint.
     ///
-    /// If null, the response is expected to be an unsigned JSON payload.
     /// Defaults to `RS256`.
     #[serde(
         default = "signed_response_alg_default",
         skip_serializing_if = "is_signed_response_alg_default"
     )]
-    pub id_token_signed_response_alg: Option<JsonWebSignatureAlg>,
+    pub id_token_signed_response_alg: JsonWebSignatureAlg,
 
     /// The scopes to request from the provider
     pub scope: String,
@@ -524,8 +533,8 @@ pub struct Provider {
     /// If null, the response is expected to be an unsigned JSON payload.
     /// Defaults to `RS256`.
     #[serde(
-        default = "signed_response_alg_default",
-        skip_serializing_if = "is_signed_response_alg_default"
+        default = "optional_signed_response_alg_default",
+        skip_serializing_if = "is_optional_signed_response_alg_default"
     )]
     pub userinfo_signed_response_alg: Option<JsonWebSignatureAlg>,
 
diff --git a/crates/data-model/src/upstream_oauth2/provider.rs b/crates/data-model/src/upstream_oauth2/provider.rs
@@ -235,7 +235,7 @@ pub struct UpstreamOAuthProvider {
     pub encrypted_client_secret: Option<String>,
     pub token_endpoint_signing_alg: Option<JsonWebSignatureAlg>,
     pub token_endpoint_auth_method: TokenAuthMethod,
-    pub id_token_signed_response_alg: Option<JsonWebSignatureAlg>,
+    pub id_token_signed_response_alg: JsonWebSignatureAlg,
     pub response_mode: ResponseMode,
     pub created_at: DateTime<Utc>,
     pub disabled_at: Option<DateTime<Utc>>,
diff --git a/crates/handlers/src/upstream_oauth2/cache.rs b/crates/handlers/src/upstream_oauth2/cache.rs
@@ -289,6 +289,7 @@ mod tests {
     use mas_data_model::{
         UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderTokenAuthMethod,
     };
+    use mas_iana::jose::JsonWebSignatureAlg;
     use mas_storage::{clock::MockClock, Clock};
     use oauth2_types::scope::{Scope, OPENID};
     use ulid::Ulid;
@@ -411,7 +412,7 @@ mod tests {
             token_endpoint_signing_alg: None,
             token_endpoint_auth_method: UpstreamOAuthProviderTokenAuthMethod::None,
             response_mode: mas_data_model::UpstreamOAuthProviderResponseMode::Query,
-            id_token_signed_response_alg: None,
+            id_token_signed_response_alg: JsonWebSignatureAlg::Rs256,
             created_at: clock.now(),
             disabled_at: None,
             claims_imports: UpstreamOAuthProviderClaimsImports::default(),
diff --git a/crates/handlers/src/upstream_oauth2/callback.rs b/crates/handlers/src/upstream_oauth2/callback.rs
@@ -278,7 +278,6 @@ pub(crate) async fn handler(
 
     let mut context = AttributeMappingContext::new();
     if let Some(id_token) = token_response.id_token.as_ref() {
-        if let Some(signed_response_alg) = &provider.id_token_signed_response_alg {
             jwks = Some(
                 mas_oidc_client::requests::jose::fetch_jwks(
                     &client,
@@ -290,7 +289,7 @@ pub(crate) async fn handler(
             let id_token_verification_data = JwtVerificationData {
                 issuer: &provider.issuer,
                 jwks: &jwks.clone().unwrap(),
-                signing_algorithm: signed_response_alg,
+                signing_algorithm: &provider.id_token_signed_response_alg,
                 client_id: &provider.client_id,
             };
 
@@ -329,11 +328,6 @@ pub(crate) async fn handler(
                 .map_err(mas_oidc_client::error::IdTokenError::from)?;
 
             context = context.with_id_token_claims(claims);
-        } else {
-            let claims = serde_json::from_str(id_token)
-                .map_err(mas_oidc_client::error::IdTokenError::from)?;
-            context = context.with_id_token_claims(claims);
-        }
     }
 
     if let Some(extra_callback_parameters) = extra_callback_parameters.clone() {
diff --git a/crates/handlers/src/upstream_oauth2/link.rs b/crates/handlers/src/upstream_oauth2/link.rs
@@ -922,7 +922,7 @@ mod tests {
                     scope: Scope::from_iter([OPENID]),
                     token_endpoint_auth_method: UpstreamOAuthProviderTokenAuthMethod::None,
                     token_endpoint_signing_alg: None,
-                    id_token_signed_response_alg: None,
+                    id_token_signed_response_alg: JsonWebSignatureAlg::Rs256,
                     client_id: "client".to_owned(),
                     encrypted_client_secret: None,
                     claims_imports,
diff --git a/crates/handlers/src/views/login.rs b/crates/handlers/src/views/login.rs
@@ -346,6 +346,7 @@ mod test {
     use mas_data_model::{
         UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderTokenAuthMethod,
     };
+    use mas_iana::jose::JsonWebSignatureAlg;
     use mas_router::Route;
     use mas_storage::{
         upstream_oauth2::{UpstreamOAuthProviderParams, UpstreamOAuthProviderRepository},
@@ -403,7 +404,7 @@ mod test {
                     scope: [OPENID].into_iter().collect(),
                     token_endpoint_auth_method: UpstreamOAuthProviderTokenAuthMethod::None,
                     token_endpoint_signing_alg: None,
-                    id_token_signed_response_alg: None,
+                    id_token_signed_response_alg: JsonWebSignatureAlg::Rs256,
                     fetch_userinfo: false,
                     userinfo_signed_response_alg: None,
                     client_id: "client".to_owned(),
@@ -443,7 +444,7 @@ mod test {
                     scope: [OPENID].into_iter().collect(),
                     token_endpoint_auth_method: UpstreamOAuthProviderTokenAuthMethod::None,
                     token_endpoint_signing_alg: None,
-                    id_token_signed_response_alg: None,
+                    id_token_signed_response_alg: JsonWebSignatureAlg::Rs256,
                     fetch_userinfo: false,
                     userinfo_signed_response_alg: None,
                     client_id: "client".to_owned(),
diff --git a/crates/oidc-client/src/error.rs b/crates/oidc-client/src/error.rs
@@ -200,10 +200,6 @@ pub enum IdTokenError {
     /// one we got before.
     #[error("wrong authentication time")]
     WrongAuthTime,
-
-    #[error(transparent)]
-    /// TODO
-    Deserialize(#[from] serde_json::Error),
 }
 
 /// All errors that can occur when adding client credentials to the request.
diff --git a/crates/storage-pg/.sqlx/query-1d758df58ccfead4cb39ee8f88f60b382b7881e9c4ead31ff257ff5ff4414b6e.json b/crates/storage-pg/.sqlx/query-1d758df58ccfead4cb39ee8f88f60b382b7881e9c4ead31ff257ff5ff4414b6e.json
diff --git a/crates/storage-pg/.sqlx/query-27d6f228a9a608b5d03d30cb4074be94dc893df9107e982583aa954b5067dfd1.json b/crates/storage-pg/.sqlx/query-27d6f228a9a608b5d03d30cb4074be94dc893df9107e982583aa954b5067dfd1.json
diff --git a/crates/storage-pg/migrations/20241202123523_upstream_oauth_responses_alg.sql b/crates/storage-pg/migrations/20241202123523_upstream_oauth_responses_alg.sql
@@ -6,5 +6,5 @@
 -- Add columns to upstream_oauth_providers to specify the
 -- expected signing algorithm for the endpoint JWT responses.
 ALTER TABLE "upstream_oauth_providers"
-  ADD COLUMN "id_token_signed_response_alg" TEXT DEFAULT 'RS256',
+  ADD COLUMN "id_token_signed_response_alg" TEXT NOT NULL DEFAULT 'RS256',
   ADD COLUMN "userinfo_signed_response_alg" TEXT DEFAULT 'RS256';
diff --git a/crates/storage-pg/src/app_session.rs b/crates/storage-pg/src/app_session.rs
@@ -452,6 +452,7 @@ impl AppSessionRepository for PgAppSessionRepository<'_> {
 mod tests {
     use chrono::Duration;
     use mas_data_model::Device;
+    use mas_iana::jose::JsonWebSignatureAlg;
     use mas_storage::{
         app_session::{AppSession, AppSessionFilter},
         clock::MockClock,
diff --git a/crates/storage-pg/src/upstream_oauth2/mod.rs b/crates/storage-pg/src/upstream_oauth2/mod.rs
@@ -22,6 +22,7 @@ mod tests {
     use mas_data_model::{
         UpstreamOAuthProviderClaimsImports, UpstreamOAuthProviderTokenAuthMethod,
     };
+    use mas_iana::jose::JsonWebSignatureAlg;
     use mas_storage::{
         clock::MockClock,
         upstream_oauth2::{
@@ -60,7 +61,7 @@ mod tests {
                     brand_name: None,
                     scope: Scope::from_iter([OPENID]),
                     token_endpoint_auth_method: UpstreamOAuthProviderTokenAuthMethod::None,
-                    id_token_signed_response_alg: None,
+                    id_token_signed_response_alg: JsonWebSignatureAlg::Rs256,
                     fetch_userinfo: false,
                     userinfo_signed_response_alg: None,
                     token_endpoint_signing_alg: None,
@@ -309,7 +310,7 @@ mod tests {
                         fetch_userinfo: false,
                         userinfo_signed_response_alg: None,
                         token_endpoint_signing_alg: None,
-                        id_token_signed_response_alg: None,
+                        id_token_signed_response_alg: JsonWebSignatureAlg::Rs256,
                         client_id,
                         encrypted_client_secret: None,
                         claims_imports: UpstreamOAuthProviderClaimsImports::default(),
diff --git a/crates/storage-pg/src/upstream_oauth2/provider.rs b/crates/storage-pg/src/upstream_oauth2/provider.rs
@@ -56,7 +56,7 @@ struct ProviderLookup {
     encrypted_client_secret: Option<String>,
     token_endpoint_signing_alg: Option<String>,
     token_endpoint_auth_method: String,
-    id_token_signed_response_alg: Option<String>,
+    id_token_signed_response_alg: String,
     fetch_userinfo: bool,
     userinfo_signed_response_alg: Option<String>,
     created_at: DateTime<Utc>,
@@ -100,11 +100,8 @@ impl TryFrom<ProviderLookup> for UpstreamOAuthProvider {
                     .row(id)
                     .source(e)
             })?;
-        let id_token_signed_response_alg = value
-            .id_token_signed_response_alg
-            .map(|x| x.parse())
-            .transpose()
-            .map_err(|e| {
+        let id_token_signed_response_alg =
+            value.id_token_signed_response_alg.parse().map_err(|e| {
                 DatabaseInconsistencyError::on("upstream_oauth_providers")
                     .column("id_token_signed_response_alg")
                     .row(id)
@@ -349,10 +346,7 @@ impl UpstreamOAuthProviderRepository for PgUpstreamOAuthProviderRepository<'_> {
                 .token_endpoint_signing_alg
                 .as_ref()
                 .map(ToString::to_string),
-            params
-                .id_token_signed_response_alg
-                .as_ref()
-                .map(ToString::to_string),
+            params.id_token_signed_response_alg.to_string(),
             params.fetch_userinfo,
             params
                 .userinfo_signed_response_alg
@@ -558,10 +552,7 @@ impl UpstreamOAuthProviderRepository for PgUpstreamOAuthProviderRepository<'_> {
                 .token_endpoint_signing_alg
                 .as_ref()
                 .map(ToString::to_string),
-            params
-                .id_token_signed_response_alg
-                .as_ref()
-                .map(ToString::to_string),
+            params.id_token_signed_response_alg.to_string(),
             params.fetch_userinfo,
             params
                 .userinfo_signed_response_alg
diff --git a/crates/storage/src/upstream_oauth2/provider.rs b/crates/storage/src/upstream_oauth2/provider.rs
@@ -45,9 +45,8 @@ pub struct UpstreamOAuthProviderParams {
     /// Expected signature for the JWT payload returned by the token
     /// authentication endpoint.
     ///
-    /// If `None`, the response is expected to be an unsigned JSON payload.
     /// Defaults to `RS256`.
-    pub id_token_signed_response_alg: Option<JsonWebSignatureAlg>,
+    pub id_token_signed_response_alg: JsonWebSignatureAlg,
 
     /// Whether to fetch the user profile from the userinfo endpoint,
     /// or to rely on the data returned in the `id_token` from the
diff --git a/crates/templates/Cargo.toml b/crates/templates/Cargo.toml
@@ -37,5 +37,6 @@ rand.workspace = true
 oauth2-types.workspace = true
 mas-data-model.workspace = true
 mas-i18n.workspace = true
+mas-iana.workspace = true
 mas-router.workspace = true
 mas-spa.workspace = true
diff --git a/crates/templates/src/context.rs b/crates/templates/src/context.rs
@@ -18,6 +18,7 @@ use std::{
 
 use chrono::{DateTime, Duration, Utc};
 use http::{Method, Uri, Version};
+use mas_iana::jose::JsonWebSignatureAlg;
 use mas_data_model::{
     AuthorizationGrant, BrowserSession, Client, CompatSsoLogin, CompatSsoLoginState,
     DeviceCodeGrant, UpstreamOAuthLink, UpstreamOAuthProvider, UpstreamOAuthProviderClaimsImports,
@@ -1395,7 +1396,7 @@ impl TemplateContext for UpstreamRegister {
                 scope: Scope::from_iter([OPENID]),
                 token_endpoint_auth_method: UpstreamOAuthProviderTokenAuthMethod::ClientSecretBasic,
                 token_endpoint_signing_alg: None,
-                id_token_signed_response_alg: None,
+                id_token_signed_response_alg: JsonWebSignatureAlg::Rs256,
                 client_id: "client-id".to_owned(),
                 encrypted_client_secret: None,
                 claims_imports: UpstreamOAuthProviderClaimsImports::default(),
diff --git a/docs/config.schema.json b/docs/config.schema.json
@@ -1876,7 +1876,7 @@
           ]
         },
         "id_token_signed_response_alg": {
-          "description": "Expected signature for the JWT payload returned by the token authentication endpoint.\n\nIf null, the response is expected to be an unsigned JSON payload. Defaults to `RS256`.",
+          "description": "Expected signature for the JWT payload returned by the token authentication endpoint.\n\nDefaults to `RS256`.",
           "allOf": [
             {
               "$ref": "#/definitions/JsonWebSignatureAlg"
