From 3bb4c5ac116d76c9a8c33d7658e17239f4319e46 Mon Sep 17 00:00:00 2001
From: Leon Wilzer
Date: Fri, 5 Sep 2025 13:28:47 +0200
Subject: [PATCH] make token_endpoint_auth_signing_alg_values_supported optional

token_endpoint_auth_signing_alg_values_supported is an optional value according to OIDC spec
---
 crates/oauth2-types/src/oidc.rs | 75 ++++++--------------------------
 1 file changed, 14 insertions(+), 61 deletions(-)

diff --git a/crates/oauth2-types/src/oidc.rs b/crates/oauth2-types/src/oidc.rs
index 39e1074b1..9ac67278b 100644
--- a/crates/oauth2-types/src/oidc.rs
+++ b/crates/oauth2-types/src/oidc.rs
@@ -692,10 +692,6 @@ impl ProviderMetadata {
 .token_endpoint_auth_signing_alg_values_supported
 .iter()
 .flatten(),
- metadata
- .token_endpoint_auth_methods_supported
- .iter()
- .flatten(),
 )?;
 
 if let Some(url) = &metadata.revocation_endpoint {
@@ -708,33 +704,18 @@ impl ProviderMetadata {
 .revocation_endpoint_auth_signing_alg_values_supported
 .iter()
 .flatten(),
- metadata
- .revocation_endpoint_auth_methods_supported
- .iter()
- .flatten(),
 )?;
 
 if let Some(url) = &metadata.introspection_endpoint {
 validate_url("introspection_endpoint", url, ExtraUrlRestrictions::None)?;
 }
 
- // The list can also contain token types so remove them as we don't need to
- // check them.
- let introspection_methods = metadata
- .introspection_endpoint_auth_methods_supported
- .as_ref()
- .map(|v| {
- v.iter()
- .filter_map(AuthenticationMethodOrAccessTokenType::authentication_method)
- .collect::>()
- });
 validate_signing_alg_values_supported(
 "introspection_endpoint",
 metadata
 .introspection_endpoint_auth_signing_alg_values_supported
 .iter()
 .flatten(),
- introspection_methods.into_iter().flatten(),
 )?;
 
 if let Some(url) = &metadata.userinfo_endpoint {
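Review bot: With the `methods` argument dropped from the three `validate_signing_alg_values_supported` calls in this hunk and the next, a provider that advertises only `client_secret_jwt` or `private_key_jwt` and omits the matching `*_auth_signing_alg_values_supported` list now passes validation, so whatever code later picks the client-assertion signing algorithm from that list can no longer rely on validation having guaranteed a non-empty list; that code is not visible here, so please confirm it has a fallback. OIDC Discovery 1.0 §3 makes the list OPTIONAL and says servers SHOULD support RS256, which is the natural default for that fallback. A one-line comment at the first call site would record why the cross-check went away, e.g. `// OIDC Discovery 1.0 §3 makes this list OPTIONAL; only reject the none alg here.` The enclosing `validate` method starts and ends outside the hunk.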
@@ -1099,12 +1080,6 @@ pub enum ProviderMetadataVerificationError {
 #[error("missing `implicit` grant type")]
 GrantTypesMissingImplicit,
 
- /// The given endpoint is missing auth signing algorithm values, but they
- /// are required because it supports at least one of the `client_secret_jwt`
- /// or `private_key_jwt` authentication methods.
- #[error("{0} missing auth signing algorithm values")]
- MissingAuthSigningAlgValues(&'static str),
-
 /// `none` is in the given endpoint's signing algorithm values, but is not
 /// allowed.
 #[error("{0} signing algorithm values contain `none`")]
@@ -1176,32 +1151,14 @@ fn validate_url(
 fn validate_signing_alg_values_supported<'a>(
 endpoint: &'static str,
 values: impl Iterator,
- mut methods: impl Iterator,
 ) -> Result<(), ProviderMetadataVerificationError> {
- let mut no_values = true;
-
 for value in values {
 if *value == JsonWebSignatureAlg::None {
 return Err(ProviderMetadataVerificationError::SigningAlgValuesWithNone(
 endpoint,
 ));
 }
-
- no_values = false;
 }
-
- if no_values
- && methods.any(|method| {
- matches!(
- method,
- OAuthClientAuthenticationMethod::ClientSecretJwt
- | OAuthClientAuthenticationMethod::PrivateKeyJwt
- )
- })
- {
- return Err(ProviderMetadataVerificationError::MissingAuthSigningAlgValues(endpoint));
- }
-
 Ok(())
 }
 
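Review bot: Removing the public variant `MissingAuthSigningAlgValues` from `ProviderMetadataVerificationError` is a breaking change for any dependent crate that matches on this enum exhaustively, and neither the commit message nor the hunk calls that out. Unless the enum carries `#[non_exhaustive]` (its attributes sit outside the hunk, so I cannot tell), this deserves a changelog entry or a semver-major note alongside the spec justification already in the message. The enum definition starts and ends outside the hunk.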
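Review bot: Now that the `methods` cross-check is gone, the body of `validate_signing_alg_values_supported` only searches the list for `JsonWebSignatureAlg::None`, and the remaining `for` loop with an early `return Err` reads more directly as `if values.any(|alg| *alg == JsonWebSignatureAlg::None) { return Err(ProviderMetadataVerificationError::SigningAlgValuesWithNone(endpoint)); }` with the parameter declared `mut values`. The function's doc comment, if it has one, is above the hunk and presumably still describes the dropped `client_secret_jwt`/`private_key_jwt` requirement; it should now state only that the list may be absent and that `none` is rejected because a client assertion must carry a real signature. The item type of `values` is not legible on this page, so I have not checked whether the `<'a>` parameter is still needed.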
@@ -1543,36 +1500,32 @@ mod tests {
 Some(vec![JsonWebSignatureAlg::Rs256, JsonWebSignatureAlg::EdDsa]);
 metadata.clone().validate(&issuer).unwrap();
 
- // Err - `client_secret_jwt` without signing alg values.
+ // Ok - `client_secret_jwt` with signing alg values.
 metadata.token_endpoint_auth_methods_supported =
 Some(vec![OAuthClientAuthenticationMethod::ClientSecretJwt]);
- metadata.token_endpoint_auth_signing_alg_values_supported = None;
- let endpoint = assert_matches!(
- metadata.clone().validate(&issuer),
- Err(ProviderMetadataVerificationError::MissingAuthSigningAlgValues(endpoint)) => endpoint
- );
- assert_eq!(endpoint, "token_endpoint");
-
- // Ok - `client_secret_jwt` with signing alg values.
 metadata.token_endpoint_auth_signing_alg_values_supported =
 Some(vec![JsonWebSignatureAlg::Rs256]);
 metadata.clone().validate(&issuer).unwrap();
 
- // Err - `private_key_jwt` without signing alg values.
+ // Ok - `private_key_jwt` with signing alg values.
 metadata.token_endpoint_auth_methods_supported =
 Some(vec![OAuthClientAuthenticationMethod::PrivateKeyJwt]);
- metadata.token_endpoint_auth_signing_alg_values_supported = None;
- let endpoint = assert_matches!(
- metadata.clone().validate(&issuer),
- Err(ProviderMetadataVerificationError::MissingAuthSigningAlgValues(endpoint)) => endpoint
- );
- assert_eq!(endpoint, "token_endpoint");
-
- // Ok - `private_key_jwt` with signing alg values.
 metadata.token_endpoint_auth_signing_alg_values_supported =
 Some(vec![JsonWebSignatureAlg::Rs256]);
 metadata.clone().validate(&issuer).unwrap();
 
+ // Ok - `client_secret_jwt` without signing alg values.
+ metadata.token_endpoint_auth_methods_supported =
+ Some(vec![OAuthClientAuthenticationMethod::ClientSecretJwt]);
+ metadata.token_endpoint_auth_signing_alg_values_supported = None;
+ metadata.clone().validate(&issuer).unwrap();
+
+ // Ok - `private_key_jwt` without signing alg values.
+ metadata.token_endpoint_auth_methods_supported =
+ Some(vec![OAuthClientAuthenticationMethod::PrivateKeyJwt]);
+ metadata.token_endpoint_auth_signing_alg_values_supported = None;
+ metadata.clone().validate(&issuer).unwrap();
+
 // Ok - Other auth methods without signing alg values.
 metadata.token_endpoint_auth_methods_supported = Some(vec![
 OAuthClientAuthenticationMethod::ClientSecretBasic,
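Review bot: The two new "without signing alg values" cases state the expected outcome but not why it is now `Ok`, so a reader who knows the JWT client-auth methods need a signing algorithm may read them as a regression; extend the comments with the reason, e.g. `// Ok - client_secret_jwt without signing alg values (the list is OPTIONAL per OIDC Discovery 1.0 §3).` and likewise for `private_key_jwt`. The "with signing alg values" case for `private_key_jwt` that precedes them re-assigns `Some(vec![JsonWebSignatureAlg::Rs256])` to a field the previous case already set to that value, which is harmless but reads like a leftover from the deleted `Err` cases and could be dropped. The enclosing test function starts and ends outside the hunk.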