feat: experimental support for OIDC RP Metadata Choices

Author: panva

README.md

@@ -51,6 +51,7 @@ The following draft specifications are implemented by oidc-provider:
 
 - [Financial-grade API: Client Initiated Backchannel Authentication Profile (`FAPI-CIBA`) - Implementer's Draft 01][fapi-ciba]
 - [FAPI 2.0 Message Signing (`FAPI 2.0`) - Implementer's Draft 01][fapi2ms-id1]
+- [OIDC Relying Party Metadata Choices 1.0 - draft 01][rp-metadata-choices]
 
 Updates to draft specification versions are released as MINOR library versions,
 if you utilize these specification implementations consider using the tilde `~` operator in your
@@ -165,3 +166,4 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
 [fapi2sp]: https://openid.net/specs/fapi-security-profile-2_0-final.html
 [fapi2ms-id1]: https://openid.net/specs/fapi-2_0-message-signing-ID1.html
 [Security Policy]: https://github.com/panva/node-oidc-provider/security/policy
+[rp-metadata-choices]: https://openid.net/specs/openid-connect-rp-metadata-choices-1_0-02.html

docs/README.md

@@ -457,6 +457,7 @@ location / {
   - Experimental features:
     - [externalSigningSupport (e.g. KMS)](#featuresexternalsigningsupport)
     - [richAuthorizationRequests](#featuresrichauthorizationrequests)
+    - [rpMetadataChoices](#featuresrpmetadatachoices)
     - [webMessageResponseMode](#featureswebmessageresponsemode)
 - [acrValues](#acrvalues)
 - [allowOmittingSingleRegisteredRedirectUri](#allowomittingsingleregisteredredirecturi)
@@ -2081,6 +2082,43 @@ async function postLogoutSuccessSource(ctx) {
 
 </details>
 
+### features.rpMetadataChoices
+
+[`OIDC Relying Party Metadata Choices 1.0 - draft 02`](https://openid.net/specs/openid-connect-rp-metadata-choices-1_0-02.html)  
+
+> [!NOTE]
+> This is an experimental feature.
+
+Enables the use of the following multi-valued input parameters metadata from the Relying Party Metadata Choices draft assuming their underlying feature is also enabled:   
+ - subject_types_supported
+ - id_token_signing_alg_values_supported
+ - id_token_encryption_alg_values_supported
+ - id_token_encryption_enc_values_supported
+ - userinfo_signing_alg_values_supported
+ - userinfo_encryption_alg_values_supported
+ - userinfo_encryption_enc_values_supported
+ - request_object_signing_alg_values_supported
+ - request_object_encryption_alg_values_supported
+ - request_object_encryption_enc_values_supported
+ - token_endpoint_auth_methods_supported
+ - token_endpoint_auth_signing_alg_values_supported
+ - introspection_signing_alg_values_supported
+ - introspection_encryption_alg_values_supported
+ - introspection_encryption_enc_values_supported
+ - authorization_signing_alg_values_supported
+ - authorization_encryption_alg_values_supported
+ - authorization_encryption_enc_values_supported
+ - backchannel_authentication_request_signing_alg_values_supported  
+
+
+_**default value**_:
+```js
+{
+  ack: undefined,
+  enabled: false
+}
+```
+
 ### features.userinfo
 
 [`OIDC Core 1.0`](https://openid.net/specs/openid-connect-core-1_0-errata2.html#UserInfo) - UserInfo Endpoint  

lib/consts/client_attributes.js

@@ -172,6 +172,28 @@ const SYNTAX = {
   client_secret: noVSCHAR,
 };
 
+const CHOICES = {
+  authorization_encrypted_response_alg: 'authorization_encryption_alg_values_supported',
+  authorization_encrypted_response_enc: 'authorization_encryption_enc_values_supported',
+  authorization_signed_response_alg: 'authorization_signing_alg_values_supported',
+  backchannel_authentication_request_signing_alg: 'backchannel_authentication_request_signing_alg_values_supported',
+  id_token_encrypted_response_alg: 'id_token_encryption_alg_values_supported',
+  id_token_encrypted_response_enc: 'id_token_encryption_enc_values_supported',
+  id_token_signed_response_alg: 'id_token_signing_alg_values_supported',
+  introspection_encrypted_response_alg: 'introspection_encryption_alg_values_supported',
+  introspection_encrypted_response_enc: 'introspection_encryption_enc_values_supported',
+  introspection_signed_response_alg: 'introspection_signing_alg_values_supported',
+  request_object_encryption_alg: 'request_object_encryption_alg_values_supported',
+  request_object_encryption_enc: 'request_object_encryption_enc_values_supported',
+  request_object_signing_alg: 'request_object_signing_alg_values_supported',
+  subject_type: 'subject_types_supported',
+  token_endpoint_auth_method: 'token_endpoint_auth_methods_supported',
+  token_endpoint_auth_signing_alg: 'token_endpoint_auth_signing_alg_values_supported',
+  userinfo_encrypted_response_alg: 'userinfo_encryption_alg_values_supported',
+  userinfo_encrypted_response_enc: 'userinfo_encryption_enc_values_supported',
+  userinfo_signed_response_alg: 'userinfo_signing_alg_values_supported',
+};
+
 export {
   ARYS,
   BOOL,
@@ -185,4 +207,5 @@ export {
   SYNTAX,
   WEB_URI,
   WHEN,
+  CHOICES,
 };

lib/helpers/client_schema.js

@@ -151,6 +151,14 @@ export default function getSchema(provider) {
     RECOGNIZED_METADATA.push('authorization_details_types');
   }
 
+  let CHOICES = {};
+
+  if (features.rpMetadataChoices.enabled) {
+    CHOICES = Object.fromEntries(Object.entries(CLIENT_ATTRIBUTES.CHOICES)
+      .filter(([key]) => RECOGNIZED_METADATA.includes(key)));
+    RECOGNIZED_METADATA.push(...Object.values(CHOICES));
+  }
+
   instance(provider).RECOGNIZED_METADATA = RECOGNIZED_METADATA;
 
   const ENUM = {
@@ -208,18 +216,32 @@ export default function getSchema(provider) {
       ctx,
       processCustomMetadata = !!configuration.extraClientMetadata.properties.length,
     ) {
+      this.#initialize(metadata);
+
+      if (processCustomMetadata) {
+        this.processCustomMetadata(ctx);
+        this.#initialize(this);
+      }
+
+      this.ensureStripUnrecognized();
+      this.ensureStripChoices();
+    }
+
+    #initialize(metadata) {
       Object.assign(
         this,
         omitBy(
           pick(DEFAULTS, ...RECOGNIZED_METADATA),
-          isUndefined,
+          (value, key) => isUndefined(value)
+            || (key in CHOICES && metadata[CHOICES[key]] !== undefined),
         ),
         omitBy(
           pick(metadata, ...RECOGNIZED_METADATA, ...configuration.extraClientMetadata.properties),
           isUndefined,
         ),
       );
 
+      this.choices();
       this.required();
       this.booleans();
       this.whens();
@@ -311,11 +333,11 @@ export default function getSchema(provider) {
             this.invalidate('only one tls_client_auth certificate subject value must be provided');
           }
         } else {
-          delete this.tls_client_auth_san_dns;
-          delete this.tls_client_auth_san_email;
-          delete this.tls_client_auth_san_ip;
-          delete this.tls_client_auth_san_uri;
-          delete this.tls_client_auth_subject_dn;
+          this.#unset('tls_client_auth_san_dns');
+          this.#unset('tls_client_auth_san_email');
+          this.#unset('tls_client_auth_san_ip');
+          this.#unset('tls_client_auth_san_uri');
+          this.#unset('tls_client_auth_subject_dn');
         }
       }
 
@@ -325,16 +347,50 @@ export default function getSchema(provider) {
       if (this.jwks !== undefined && this.jwks_uri !== undefined) {
         this.invalidate('jwks and jwks_uri must not be used at the same time');
       }
+    }
 
-      if (processCustomMetadata) {
-        this.processCustomMetadata(ctx);
-      }
+    choices() {
+      for (const [target, choice] of Object.entries(CHOICES)) {
+        if (this[choice] !== undefined) {
+          if (!Array.isArray(this[choice])) {
+            this.invalidate(`${choice} must be an array`);
+          }
+          const choices = new Set(this[choice]);
 
-      this.ensureStripUnrecognized();
+          if (this[target] !== undefined && !choices.has(this[target])) {
+            this.invalidate(`${choice} must include the value of provided ${target}`);
+          }
 
-      if (processCustomMetadata) {
-        // eslint-disable-next-line no-constructor-return
-        return new Schema(this, ctx, false);
+          const only = ENUM[target](this);
+
+          // test the options in the following order:
+          // - explicit value (if provided)
+          // - ...rest
+          const options = new Set();
+          if (this[target]) {
+            options.add(this[target]);
+          }
+          for (const value of choices) {
+            if (typeof value !== 'string' || !value.length) {
+              this.invalidate(`${choice} must only contain strings`);
+            }
+            options.add(value);
+          }
+
+          for (const option of options) {
+            try {
+              this[target] = option;
+              this.#enum(target, only);
+              break;
+            } catch {
+              this.#unset(target);
+            }
+          }
+
+          if (!this[target]) {
+            this.invalidate(`${choice} includes no supported values`);
+          }
+        }
       }
     }
 
@@ -478,34 +534,38 @@ export default function getSchema(provider) {
         const only = fn(this);
 
         if (this[prop] !== undefined) {
-          const isAry = ARYS.includes(prop);
-          let length;
-          let method;
-          if (only instanceof Set) {
-            ({ size: length } = only);
-            method = 'has';
-          } else {
-            ({ length } = only);
-            method = 'includes';
-          }
-
-          if (isAry && !this[prop].every((val) => only[method](val))) {
-            if (length) {
-              this.invalidate(`${prop} can only contain ${formatters.formatList([...only], { type: 'disjunction' })}`);
-            } else {
-              this.invalidate(`${prop} must be empty (no values are allowed)`);
-            }
-          } else if (!isAry && !only[method](this[prop])) {
-            if (length) {
-              this.invalidate(`${prop} must be ${formatters.formatList([...only], { type: 'disjunction' })}`);
-            } else {
-              this.invalidate(`${prop} must not be provided (no values are allowed)`);
-            }
-          }
+          this.#enum(prop, only);
         }
       });
     }
 
+    #enum(prop, only) {
+      const isAry = ARYS.includes(prop);
+      let length;
+      let method;
+      if (only instanceof Set) {
+        ({ size: length } = only);
+        method = 'has';
+      } else {
+        ({ length } = only);
+        method = 'includes';
+      }
+
+      if (isAry && !this[prop].every((val) => only[method](val))) {
+        if (length) {
+          this.invalidate(`${prop} can only contain ${formatters.formatList([...only], { type: 'disjunction' })}`);
+        } else {
+          this.invalidate(`${prop} must be empty (no values are allowed)`);
+        }
+      } else if (!isAry && !only[method](this[prop])) {
+        if (length) {
+          this.invalidate(`${prop} must be ${formatters.formatList([...only], { type: 'disjunction' })}`);
+        } else {
+          this.invalidate(`${prop} must not be provided (no values are allowed)`);
+        }
+      }
+    }
+
     normalizeResponseTypes() {
       this.response_types = this.response_types.map((type) => [...new Set(type.split(' '))].sort().join(' '));
     }
@@ -602,11 +662,19 @@ export default function getSchema(provider) {
       const allowed = [...RECOGNIZED_METADATA, ...configuration.extraClientMetadata.properties];
       Object.keys(this).forEach((prop) => {
         if (!allowed.includes(prop)) {
-          delete this[prop];
+          this.#unset(prop);
         }
       });
     }
 
+    ensureStripChoices() {
+      Object.values(CHOICES).forEach(this.#unset, this);
+    }
+
+    #unset(prop) {
+      delete this[prop];
+    }
+
     scopes() {
       if (this.scope) {
         const parsed = new Set(this.scope.split(' '));

lib/helpers/defaults.js

@@ -1887,6 +1887,35 @@ function makeDefaults() {
         assertJwtClaimsAndHeader,
       },
 
+      /*
+       * features.rpMetadataChoices
+       *
+       * title: [`OIDC Relying Party Metadata Choices 1.0 - draft 02`](https://openid.net/specs/openid-connect-rp-metadata-choices-1_0-02.html)
+       *
+       * description: Enables the use of the following multi-valued input parameters metadata from the Relying Party Metadata Choices draft assuming their underlying feature is also enabled:
+       *
+       * - subject_types_supported
+       * - id_token_signing_alg_values_supported
+       * - id_token_encryption_alg_values_supported
+       * - id_token_encryption_enc_values_supported
+       * - userinfo_signing_alg_values_supported
+       * - userinfo_encryption_alg_values_supported
+       * - userinfo_encryption_enc_values_supported
+       * - request_object_signing_alg_values_supported
+       * - request_object_encryption_alg_values_supported
+       * - request_object_encryption_enc_values_supported
+       * - token_endpoint_auth_methods_supported
+       * - token_endpoint_auth_signing_alg_values_supported
+       * - introspection_signing_alg_values_supported
+       * - introspection_encryption_alg_values_supported
+       * - introspection_encryption_enc_values_supported
+       * - authorization_signing_alg_values_supported
+       * - authorization_encryption_alg_values_supported
+       * - authorization_encryption_enc_values_supported
+       * - backchannel_authentication_request_signing_alg_values_supported
+       */
+      rpMetadataChoices: { enabled: false, ack: undefined },
+
       /*
        * features.revocation
        *

lib/helpers/features.js

@@ -36,4 +36,8 @@ export const EXPERIMENTS = new Map(Object.entries({
     name: 'External Signing Key Support',
     version: ['experimental-01'],
   },
+  rpMetadataChoices: {
+    name: 'OpenID Connect Relying Party Metadata Choices',
+    version: 'draft-02',
+  },
 }));