GluuFederation / oxAuth

OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)
https://gluu.org/docs/ce
MIT License

Dynamic Registration : Fix software_statement validation behavior #1444

Closed yuriyz closed 4 years ago

yuriyz commented 4 years ago

Describe the issue

Currently, if software_statement is provided to the AS without a jwks or jwks_uri claim, it is rejected. There are many problems with this:

1) First of all, a JWT can use HMAC-based algorithms with a key, which does not require a JWKS. Open Banking has an example on their page with the HS512 alg.
2) We are not flexible on how to provide the JWS outside of the statement (e.g. a custom script).

We will provide both: a) configurable claims which can be forced if needed; b) jwks fetching via the dynamic registration custom script.

yuriyz commented 4 years ago

There are the following options for software statement validation:
1) softwareStatementValidationType=script - the default one; jwks and the hmac secret are returned by the dynamic client registration script.
2) softwareStatementValidationType=jwks_uri, allows specifying the jwks_uri claim name from software_statement. The claim name is specified by the softwareStatementValidationClaimName configuration property.
3) softwareStatementValidationType=jwks, allows specifying the jwks claim name from software_statement. The claim name is specified by the softwareStatementValidationClaimName configuration property.
4) softwareStatementValidationType=none, no validation.

Done in 4.2.1 and master.
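Worked illustration of the four validation types listed in the comment above. This is an added, standalone Python example, not oxAuth code and not the Gluu custom-script API: the `script_secret` and `fetch_jwks_uri` callbacks are hypothetical stand-ins for the dynamic client registration script and for the HTTP fetch of the jwks_uri, the claim names `software_jwks` and `software_jwks_endpoint` are constructed for the sample, and only HS256 is implemented (the Open Banking HS512 case differs only in the hash function). It shows the point of the issue: an HMAC-signed statement verifies fine with a shared secret and no JWKS at all, while `none` accepts even a tampered statement.

```python
import base64
import hashlib
import hmac
import json

# Added example, not oxAuth code: a standalone model of the four
# softwareStatementValidationType options from the issue. Standard library
# only; HS256 only.


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(payload, secret, kid="k1"):
    """Build a compact HS256 JWS; used here only to construct sample statements."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(jwt):
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts


def hs256_verify(jwt, secret):
    header, _claims, parts = decode_unverified(jwt)
    # Pin the algorithm: the AS decides it is HMAC, the token header does not.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(parts[2]))


def secret_from_jwks(jwks, kid):
    """Pick the symmetric ("oct") key matching the header kid out of a JWKS document."""
    for key in jwks.get("keys", []):
        if key.get("kty") == "oct" and key.get("kid") == kid:
            return b64url_decode(key["k"])
    raise KeyError("no oct key with kid %r in JWKS" % kid)


def validate_software_statement(jwt, config, script_secret=None, fetch_jwks_uri=None):
    """Dispatch on softwareStatementValidationType the way the issue describes.

    script_secret and fetch_jwks_uri are hypothetical callbacks standing in for
    the dynamic client registration script and the HTTP fetch of the jwks_uri.
    """
    vtype = config.get("softwareStatementValidationType", "script")
    if vtype == "none":
        return True  # as configured: statement accepted without any check
    header, claims, _ = decode_unverified(jwt)
    kid = header.get("kid")
    if vtype == "script":
        secret = script_secret(claims)
    elif vtype == "jwks":
        secret = secret_from_jwks(claims[config["softwareStatementValidationClaimName"]], kid)
    elif vtype == "jwks_uri":
        uri = claims[config["softwareStatementValidationClaimName"]]
        secret = secret_from_jwks(fetch_jwks_uri(uri), kid)
    else:
        raise ValueError("unknown softwareStatementValidationType: %r" % vtype)
    return hs256_verify(jwt, secret)


def demo():
    """Constructed sample statements exercised against each validation type."""
    secret = b"constructed-shared-secret-not-a-real-key"
    jwks = {"keys": [{"kty": "oct", "kid": "k1", "k": b64url_encode(secret)}]}
    base = {"software_id": "example-client", "redirect_uris": ["https://client.example/cb"]}
    plain = hs256_sign(base, secret)
    # Claim names below are constructed for the example, not mandated by oxAuth.
    with_jwks = hs256_sign(dict(base, software_jwks=jwks), secret)
    with_uri = hs256_sign(dict(base, software_jwks_endpoint="https://example.test/jwks.json"), secret)
    hosted = {"https://example.test/jwks.json": jwks}  # stands in for the network
    parts = plain.split(".")
    tampered = parts[0] + "." + b64url_encode(b'{"software_id":"evil"}') + "." + parts[2]
    return {
        "script": validate_software_statement(plain, {"softwareStatementValidationType": "script"}, script_secret=lambda claims: secret),
        "jwks": validate_software_statement(with_jwks, {"softwareStatementValidationType": "jwks", "softwareStatementValidationClaimName": "software_jwks"}),
        "jwks_uri": validate_software_statement(with_uri, {"softwareStatementValidationType": "jwks_uri", "softwareStatementValidationClaimName": "software_jwks_endpoint"}, fetch_jwks_uri=hosted.__getitem__),
        "none": validate_software_statement(tampered, {"softwareStatementValidationType": "none"}),
        "wrong_secret": validate_software_statement(plain, {"softwareStatementValidationType": "script"}, script_secret=lambda claims: b"some-other-secret"),
        "tampered": validate_software_statement(tampered, {"softwareStatementValidationType": "script"}, script_secret=lambda claims: secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-12s %s" % (name, "accepted" if ok else "rejected"))
```

Two things to check in a real deployment follow directly from the dispatch: `none` is the setting to audit, since it returns the statement as trusted without reading it, and in `script` mode the secret (or key) must be chosen by the server-side script, never by an `alg` or key hint taken from the incoming token header.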