fix: required PAR should not affect CIBA and DAG

Author: panva

lib/actions/authorization/process_request_object.js

@@ -11,7 +11,7 @@ export default async function processRequestObject(PARAM_LIST, rejectDupesMiddle
   const { params, client, route } = ctx.oidc;
 
   const pushedRequestObject = 'PushedAuthorizationRequest' in ctx.oidc.entities;
-  if (client.requirePushedAuthorizationRequests && route !== 'pushed_authorization_request' && !pushedRequestObject) {
+  if (client.requirePushedAuthorizationRequests && route === 'authorization' && !pushedRequestObject) {
     throw new InvalidRequest('Pushed Authorization Request must be used');
   }
 

test/ciba/ciba.config.js

@@ -79,6 +79,15 @@ export default {
       backchannel_client_notification_endpoint: 'https://rp.example.com/ping',
       backchannel_token_delivery_mode: 'ping',
     },
+    {
+      client_id: 'client-par-required',
+      grant_types: ['urn:openid:params:grant-type:ciba', 'refresh_token'],
+      response_types: [],
+      redirect_uris: [],
+      token_endpoint_auth_method: 'none',
+      backchannel_token_delivery_mode: 'poll',
+      require_pushed_authorization_requests: true,
+    },
     {
       client_id: 'client-signed',
       grant_types: ['urn:openid:params:grant-type:ciba', 'refresh_token'],

test/ciba/ciba.test.js

@@ -168,6 +168,21 @@ describe('features.ciba', () => {
         });
       });
 
+      it('does not require PAR for clients with require_pushed_authorization_requests', async function () {
+        return this.agent.post(route)
+          .send({
+            scope: 'openid',
+            login_hint: 'accountId',
+            client_id: 'client-par-required',
+          })
+          .type('form')
+          .expect(200)
+          .expect('content-type', /application\/json/)
+          .expect((response) => {
+            expect(response.body).to.have.keys('expires_in', 'auth_req_id');
+          });
+      });
+
       it('requested_expiry', async function () {
         await this.agent.post(route)
           .send({

test/device_code/device_authorization_endpoint.test.js

@@ -149,6 +149,26 @@ describe('device_authorization_endpoint', () => {
     expect(dc.params).not.to.have.property('response_mode');
   });
 
+  it('does not require PAR for clients with require_pushed_authorization_requests', function () {
+    return this.agent.post(route)
+      .send({
+        client_id: 'client-par-required',
+        scope: 'openid',
+      })
+      .type('form')
+      .expect(200)
+      .expect('content-type', /application\/json/)
+      .expect(({ body }) => {
+        expect(body).to.have.keys([
+          'device_code',
+          'user_code',
+          'verification_uri',
+          'verification_uri_complete',
+          'expires_in',
+        ]);
+      });
+  });
+
   it('handles regular client auth', function () {
     return this.agent.post(route)
       .auth('client-basic-auth', 'secret')

test/device_code/device_code.config.js

@@ -29,6 +29,14 @@ export default {
       redirect_uris: [],
       token_endpoint_auth_method: 'none',
       application_type: 'native',
+    }, {
+      client_id: 'client-par-required',
+      grant_types: ['urn:ietf:params:oauth:grant-type:device_code', 'refresh_token'],
+      response_types: [],
+      redirect_uris: [],
+      token_endpoint_auth_method: 'none',
+      application_type: 'native',
+      require_pushed_authorization_requests: true,
     }, {
       client_id: 'client-other',
       grant_types: ['urn:ietf:params:oauth:grant-type:device_code', 'refresh_token'],