fix: allow client registration update fields to be omitted by the client

see https://mailarchive.ietf.org/arch/msg/oauth/bwPxi1HUSdxLrVzty8pAfDDpt8I/ closes #664
davesag · Mar 4, 2020 · 9df9bd7 · 9df9bd7
1 parent e2a975f
commit 9df9bd7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 17 deletions.
diff --git a/lib/actions/registration.js b/lib/actions/registration.js
@@ -1,6 +1,4 @@
 const omitBy = require('lodash/omitBy');
-const findKey = require('lodash/findKey');
-const has = require('lodash/has');
 
 const constantEquals = require('../helpers/constant_equals');
 const noCache = require('../shared/no_cache');
@@ -17,10 +15,6 @@ const FORBIDDEN = [
   'client_id_issued_at',
 ];
 
-function findMissingKey(value, key) {
-  return !FORBIDDEN.includes(key) && !has(this.oidc.body, key) && value !== undefined;
-}
-
 async function setWWWAuthenticateHeader(ctx, next) {
   try {
     await next();
@@ -184,12 +178,6 @@ module.exports = {
       await next();
     },
 
-    async function metaChecks(ctx, next) {
-      const hit = findKey(ctx.oidc.client.metadata(), findMissingKey.bind(ctx));
-      ctx.assert(!hit, new InvalidRequest(`${hit} must be provided`));
-      await next();
-    },
-
     async function equalChecks(ctx, next) {
       ctx.assert(ctx.oidc.body.client_id === ctx.oidc.client.clientId, new InvalidRequest('provided client_id does not match the authenticated client\'s one'));
 

diff --git a/test/registration_management/registration_management.test.js b/test/registration_management/registration_management.test.js
@@ -104,14 +104,16 @@ describe('OAuth 2.0 Dynamic Client Registration Management Protocol', () => {
         .expect(this.failWith(400, 'invalid_request', "provided client_secret does not match the authenticated client's one"));
     });
 
-    it('must contain all previous properties', async function () {
+    it('allows for properties to be deleted by omission', async function () {
       const client = await setup.call(this, { userinfo_signed_response_alg: 'RS256' });
+      delete client.userinfo_signed_response_alg;
       return this.agent.put(`/reg/${client.client_id}`)
         .auth(client.registration_access_token, { type: 'bearer' })
-        .send(updateProperties(client, {
-          userinfo_signed_response_alg: undefined,
-        }))
-        .expect(this.failWith(400, 'invalid_request', 'userinfo_signed_response_alg must be provided'));
+        .send(updateProperties(client))
+        .expect(200)
+        .expect((res) => {
+          expect(res.body).not.to.have.property('userinfo_signed_response_alg');
+        });
     });
 
     it('provides a secret if suddently needed', async function () {