From 4ccce4de46bb01265170da7ce438afb8ca5e5591 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 13 Sep 2024 16:11:54 +0200
Subject: [PATCH] Remove the `contacts` requirement from the client registration policy
---
 docs/reference/configuration.md | 2 -
 policies/client_registration.rego | 17 +----
 policies/client_registration_test.rego | 89 +-------------------------
 3 files changed, 5 insertions(+), 103 deletions(-)
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
index 56183a7c1..7552382dd 100644
--- a/docs/reference/configuration.md
+++ b/docs/reference/configuration.md
@@ -372,8 +372,6 @@ policy:
 allow_insecure_uris: false
 # don't require clients to provide a client_uri. default: false
 allow_missing_client_uri: false
- # don't require clients to provide a contacts field. default: false
- allow_missing_contacts: false
 # Restrict emails on registration to a specific domain
 # Items in this array are evaluated as a glob
diff --git a/policies/client_registration.rego b/policies/client_registration.rego
index 0104979c2..cd95b0dd1 100644
--- a/policies/client_registration.rego
+++ b/policies/client_registration.rego
@@ -96,19 +96,6 @@ violation[{"msg": "logo_uri not on the same host as the client_uri"}] {
 not host_matches_client_uri(input.client_metadata.logo_uri)
 }
-violation[{"msg": "missing contacts"}] {
- not data.client_registration.allow_missing_contacts
- not input.client_metadata.contacts
-}
-
-violation[{"msg": "invalid contacts"}] {
- not is_array(input.client_metadata.contacts)
-}
-
-violation[{"msg": "empty contacts"}] {
- count(input.client_metadata.contacts) == 0
-}
-
 # If the grant_types is missing, we assume it is authorization_code
 uses_grant_type("authorization_code") {
 not input.client_metadata.grant_types
@@ -143,11 +130,11 @@ violation[{"msg": "missing redirect_uris"}] {
 not input.client_metadata.redirect_uris
 }
-violation[{"msg": "invalid redirect_uris"}] {
+violation[{"msg": "invalid redirect_uris: it must be an array"}] {
 not is_array(input.client_metadata.redirect_uris)
 }
-violation[{"msg": "empty redirect_uris"}] {
+violation[{"msg": "invalid redirect_uris: it must have at least one redirect_uri"}] {
 requires_redirect_uris
 count(input.client_metadata.redirect_uris) == 0
 }
diff --git a/policies/client_registration_test.rego b/policies/client_registration_test.rego
index e7510f988..fe4f077e2 100644
--- a/policies/client_registration_test.rego
+++ b/policies/client_registration_test.rego
@@ -5,20 +5,13 @@ test_valid {
 "grant_types": ["authorization_code"],
 "client_uri": "https://example.com/",
 "redirect_uris": ["https://example.com/callback"],
- "contacts": ["contact@example.com"],
 }
 }
 test_missing_client_uri {
- not allow with input.client_metadata as {
- "grant_types": [],
- "contacts": ["contact@example.com"],
- }
+ not allow with input.client_metadata as {"grant_types": []}
- allow with input.client_metadata as {
- "grant_types": [],
- "contacts": ["contact@example.com"],
- }
+ allow with input.client_metadata as {"grant_types": []}
 with data.client_registration.allow_missing_client_uri as true
 }
@@ -26,7 +19,6 @@ test_insecure_client_uri {
 not allow with input.client_metadata as {
 "grant_types": [],
 "client_uri": "http://example.com/",
- "contacts": ["contact@example.com"],
 }
 }
@@ -35,7 +27,6 @@ test_tos_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "tos_uri": "https://example.com/tos",
- "contacts": ["contact@example.com"],
 }
 # Insecure
@@ -43,7 +34,6 @@ test_tos_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "tos_uri": "http://example.com/tos",
- "contacts": ["contact@example.com"],
 }
 # Insecure, but allowed by the config
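Review bot: Neither reworded message on the `redirect_uris` rules is asserted by a test: `test_redirect_uris` in `policies/client_registration_test.rego` only checks `not allow`, which holds whichever violation fires. Asserting the specific entry, along the lines of `violation[{"msg": "invalid redirect_uris: it must be an array"}] with input.client_metadata as {...}`, would pin the wording and make each negative case fail for the intended reason. The same gap shows in the unchanged `test_web_redirect_uri` context, where the `http://locahost:1234/callback` fixture under `# localhost not allowed` is misspelled and so is presumably rejected by a different rule than the one its comment names. Separately, the array check carries no `requires_redirect_uris` guard while the emptiness check does; a one-line comment such as `# type is checked whenever redirect_uris is supplied, for any grant type` would record that this is deliberate.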
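Review bot: After the `@@ -5,20 +5,13 @@` hunk and the ones that follow, no fixture in the test file carries a `contacts` field, so nothing checks that a client which still sends one is accepted; keeping `"contacts": ["contact@example.com"],` in `test_valid` would cover that. The same commit also removes the `is_array` and `count` checks on `contacts` from `client_registration.rego`, so a string or empty `contacts` value is no longer rejected by the policy. If the field is still stored or shown to users, its type should be validated by the registration handler, which this diff does not show. `test_valid` begins above the hunk.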
@@ -51,7 +41,6 @@ test_tos_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "tos_uri": "http://example.com/tos",
- "contacts": ["contact@example.com"],
 }
 with data.client_registration.allow_insecure_uris as true
@@ -60,7 +49,6 @@ test_tos_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "tos_uri": "https://example.org/tos",
- "contacts": ["contact@example.com"],
 }
 # TOS on a subdomain of the client_uri host is allowed
@@ -68,7 +56,6 @@ test_tos_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "tos_uri": "https://tos.example.com/",
- "contacts": ["contact@example.com"],
 }
 # Host mistmatch, but allowed by the config
@@ -76,7 +63,6 @@ test_tos_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "tos_uri": "https://example.org/tos",
- "contacts": ["contact@example.com"],
 }
 with data.client_registration.allow_host_mismatch as true
 }
@@ -86,7 +72,6 @@ test_logo_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "logo_uri": "https://example.com/logo.png",
- "contacts": ["contact@example.com"],
 }
 # Insecure
@@ -94,7 +79,6 @@ test_logo_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "logo_uri": "http://example.com/logo.png",
- "contacts": ["contact@example.com"],
 }
 # Insecure, but allowed by the config
@@ -102,7 +86,6 @@ test_logo_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "logo_uri": "http://example.com/logo.png",
- "contacts": ["contact@example.com"],
 }
 with data.client_registration.allow_insecure_uris as true
@@ -111,7 +94,6 @@ test_logo_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "logo_uri": "https://example.org/logo.png",
- "contacts": ["contact@example.com"],
 }
 # Logo on a subdomain of the client_uri host is allowed
@@ -119,7 +101,6 @@ test_logo_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "logo_uri": "https://static.example.com/logo.png",
- "contacts": ["contact@example.com"],
 }
 # Host mistmatch, but allowed by the config
@@ -127,7 +108,6 @@ test_logo_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "logo_uri": "https://example.org/logo.png",
- "contacts": ["contact@example.com"],
 }
 with data.client_registration.allow_host_mismatch as true
 }
@@ -137,7 +117,6 @@ test_policy_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "policy_uri": "https://example.com/policy",
- "contacts": ["contact@example.com"],
 }
 # Insecure
@@ -145,7 +124,6 @@ test_policy_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "policy_uri": "http://example.com/policy",
- "contacts": ["contact@example.com"],
 }
 # Insecure, but allowed by the config
@@ -153,7 +131,6 @@ test_policy_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "policy_uri": "http://example.com/policy",
- "contacts": ["contact@example.com"],
 }
 with data.client_registration.allow_insecure_uris as true
@@ -162,7 +139,6 @@ test_policy_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "policy_uri": "https://example.org/policy",
- "contacts": ["contact@example.com"],
 }
 # Policy on a subdomain of the client_uri host is allowed
@@ -170,7 +146,6 @@ test_policy_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "policy_uri": "https://policy.example.com/",
- "contacts": ["contact@example.com"],
 }
 # Host mistmatch, but allowed by the config
@@ -178,51 +153,42 @@ test_policy_uri {
 "grant_types": [],
 "client_uri": "https://example.com/",
 "policy_uri": "https://example.org/policy",
- "contacts": ["contact@example.com"],
 }
 with data.client_registration.allow_host_mismatch as true
 }
 test_redirect_uris {
 # Missing redirect_uris
- not allow with input.client_metadata as {
- "client_uri": "https://example.com/",
- "contacts": ["contact@example.com"],
- }
+ not allow with input.client_metadata as {"client_uri": "https://example.com/"}
 # redirect_uris is not an array
 not allow with input.client_metadata as {
 "client_uri": "https://example.com/",
 "redirect_uris": "https://example.com/callback",
- "contacts": ["contact@example.com"],
 }
 # Empty redirect_uris
 not allow with input.client_metadata as {
 "client_uri": "https://example.com/",
 "redirect_uris": [],
- "contacts": ["contact@example.com"],
 }
 # Not required for the client_credentials grant
 allow with input.client_metadata as {
 "grant_types": ["client_credentials"],
 "client_uri": "https://example.com/",
- "contacts": ["contact@example.com"],
 }
 # Required for the authorization_code grant
 not allow with input.client_metadata as {
 "grant_types": ["client_credentials", "refresh_token", "authorization_code"],
 "client_uri": "https://example.com/",
- "contacts": ["contact@example.com"],
 }
 # Required for the implicit grant
 not allow with input.client_metadata as {
 "grant_types": ["client_credentials", "implicit"],
 "client_uri": "https://example.com/",
- "contacts": ["contact@example.com"],
 }
 }
@@ -231,7 +197,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["https://example.com/second/callback", "https://example.com/callback"],
- "contacts": ["contact@example.com"],
 }
 # Insecure URL
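Review bot: The first three negative cases in `test_redirect_uris` omit `grant_types` and depend on the policy treating a missing value as `authorization_code`, which is easy to miss now that the fixtures are down to one or two keys. A comment above the first case, `# grant_types omitted: the policy defaults to authorization_code, which requires redirect_uris`, would make that dependency explicit. The `@@ -178,51 +153,42 @@` hunk starts inside `test_policy_uri`; `test_redirect_uris` itself is fully within it.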
@@ -239,7 +204,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://example.com/callback", "https://example.com/callback"],
- "contacts": ["contact@example.com"],
 }
 # Insecure URL, but allowed by the config
@@ -247,7 +211,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://example.com/callback", "https://example.com/callback"],
- "contacts": ["contact@example.com"],
 }
 with data.client_registration.allow_insecure_uris as true
@@ -256,7 +219,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["https://example.com/second/callback", "https://example.org/callback"],
- "contacts": ["contact@example.com"],
 }
 # Host mismatch, but allowed by the config
@@ -264,7 +226,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["https://example.com/second/callback", "https://example.org/callback"],
- "contacts": ["contact@example.com"],
 }
 with data.client_registration.allow_host_mismatch as true
@@ -273,7 +234,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["https://app.example.com/callback"],
- "contacts": ["contact@example.com"],
 }
 # No custom scheme allowed
@@ -281,7 +241,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["com.example.app:/callback"],
- "contacts": ["contact@example.com"],
 }
 # localhost not allowed
@@ -289,7 +248,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://locahost:1234/callback"],
- "contacts": ["contact@example.com"],
 }
 # localhost not allowed
@@ -297,7 +255,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://127.0.0.1:1234/callback"],
- "contacts": ["contact@example.com"],
 }
 # localhost not allowed
@@ -305,7 +262,6 @@ test_web_redirect_uri {
 "application_type": "web",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://[::1]:1234/callback"],
- "contacts": ["contact@example.com"],
 }
 }
@@ -323,7 +279,6 @@ test_native_redirect_uri {
 "http://[::1]/callback",
 "http://[::1]:1234/callback",
 ],
- "contacts": ["contact@example.com"],
 }
 # We still allow matching URLs for native apps
@@ -331,7 +286,6 @@ test_native_redirect_uri {
 "application_type": "native",
 "client_uri": "https://example.com/",
 "redirect_uris": ["https://example.com/"],
- "contacts": ["contact@example.com"],
 }
 # But not insecure
@@ -339,7 +293,6 @@ test_native_redirect_uri {
 "application_type": "native",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://example.com/"],
- "contacts": ["contact@example.com"],
 }
 # And not a mismatch
@@ -347,7 +300,6 @@ test_native_redirect_uri {
 "application_type": "native",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://bad.com/"],
- "contacts": ["contact@example.com"],
 }
 # We don't allow HTTPS on localhost
@@ -355,7 +307,6 @@ test_native_redirect_uri {
 "application_type": "native",
 "client_uri": "https://example.com/",
 "redirect_uris": ["https://localhost:1234/"],
- "contacts": ["contact@example.com"],
 }
 # Ensure we're not allowing localhost as a prefix
@@ -363,7 +314,6 @@ test_native_redirect_uri {
 "application_type": "native",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://localhost.com/"],
- "contacts": ["contact@example.com"],
 }
 # For custom schemes, it should match the client_uri hostname
@@ -371,7 +321,6 @@ test_native_redirect_uri {
 "application_type": "native",
 "client_uri": "https://example.com/",
 "redirect_uris": ["org.example.app:/callback"],
- "contacts": ["contact@example.com"],
 }
 }
@@ -381,48 +330,17 @@ test_reverse_dns_match {
 reverse_dns_match(client_uri.host, redirect_uri.scheme)
 }
-test_contacts {
- # Missing contacts
- not allow with input.client_metadata as {
- "grant_types": [],
- "client_uri": "https://example.com/",
- }
-
- # Missing contacts, but allowed by config
- allow with input.client_metadata as {
- "grant_types": [],
- "client_uri": "https://example.com/",
- }
- with data.client_registration.allow_missing_contacts as true
-
- # contacts is not an array
- not allow with input.client_metadata as {
- "grant_types": [],
- "client_uri": "https://example.com/",
- "contacts": "contact@example.com",
- }
-
- # Empty contacts
- not allow with input.client_metadata as {
- "grant_types": [],
- "client_uri": "https://example.com/",
- "contacts": [],
- }
-}
-
 test_client_credentials_grant {
 # Allowed for confidential clients
 allow with input.client_metadata as {
 "grant_types": ["client_credentials"],
 "token_endpoint_auth_method": "client_secret_basic",
 "client_uri": "https://example.com/",
- "contacts": ["contact@example.com"],
 }
 allow with input.client_metadata as {
 "grant_types": ["client_credentials"], # If omitted, defaults to "client_secret_basic"
 "client_uri": "https://example.com/",
- "contacts": ["contact@example.com"],
 }
 # Disallowed for public clients
@@ -430,7 +348,6 @@ test_client_credentials_grant {
 "grant_types": ["client_credentials"],
 "token_endpoint_auth_method": "none",
 "client_uri": "https://example.com/",
- "contacts": ["contact@example.com"],
 }
 }