From 35f293640d75f25f884f8bc3c2562583fe6d556a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gugler=20Michael=20=28O=C3=96=20Gemdat=29?=
Date: Sun, 10 Mar 2024 08:39:41 +0100
Subject: [PATCH] The most significant changes involve the validation of signing algorithms in the `DiscoveryEndpointResponse` class and the addition of "RS512" as a required algorithm in the `OidcConstants` class. A new test method has also been added to the `discovery_endpoint_response_should` class to test the validation of the `DiscoveryEndpointResponse` when one of the required signing algorithms is provided. 1. The `DiscoveryEndpointResponse` class in `DiscoveryEndpointResponse.cs` now uses the `ValidateOneOfRequiredValues` method instead of `ValidateRequiredValues` for `SigningAlgorithmsSupported`. This allows for the validation of multiple signing algorithms rather than just one. 2. The `OidcConstants` class in `OidcConstants.cs` has been updated to include "RS512" as a required algorithm, in addition to "RS256". This expands the list of required signing algorithms. 3. The `discovery_endpoint_response_should` class in `DiscoveryEndpointResponseTests.cs` has been updated with a new test method `be_valid_when_one_required_id_token_signing_alg_value_is_provided`. This method tests the validation of the `DiscoveryEndpointResponse` when one of the required signing algorithms is provided. It uses the `InlineData` attribute to test with both "RS256" and "RS512". The error message in the `validate` action has also been updated to reflect these changes.
---
 .../DiscoveryEndpointResponse.cs | 2 +-
 .../OidcConstants.cs | 2 +-
 .../DiscoveryEndpointResponseTests.cs | 22 ++++++++++++++++++-
 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs b/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs
index b34427e943..8d8510958b 100644
--- a/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs
+++ b/src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs
@@ -37,7 +37,7 @@ public void ValidateResponse()
 // but some identity providers (f.e. Identity Server and Azure AD) return 'id_token token'
 ValidateOneOfRequiredValues(ResponseTypesSupported, OidcConstants.RESPONSE_TYPES_SUPPORTED, OidcConstants.REQUIRED_COMBINED_RESPONSE_TYPES);
 ValidateOneOfRequiredValues(SubjectTypesSupported, OidcConstants.SUBJECT_TYPES_SUPPORTED, OidcConstants.REQUIRED_SUBJECT_TYPES);
- ValidateRequiredValues(SigningAlgorithmsSupported, OidcConstants.ALGORITHMS_SUPPORTED, OidcConstants.REQUIRED_ALGORITHMS);
+ ValidateOneOfRequiredValues(SigningAlgorithmsSupported, OidcConstants.ALGORITHMS_SUPPORTED, OidcConstants.REQUIRED_ALGORITHMS);
 }
 private static void ValidateValue(string value, string metadata)
diff --git a/src/HealthChecks.OpenIdConnectServer/OidcConstants.cs b/src/HealthChecks.OpenIdConnectServer/OidcConstants.cs
index 8df2c8fdab..cc5dd12f9c 100644
--- a/src/HealthChecks.OpenIdConnectServer/OidcConstants.cs
+++ b/src/HealthChecks.OpenIdConnectServer/OidcConstants.cs
@@ -20,5 +20,5 @@ internal class OidcConstants
 internal static string[] REQUIRED_SUBJECT_TYPES => new[] { "pairwise", "public" };
- internal static string[] REQUIRED_ALGORITHMS => new[] { "RS256" };
+ internal static string[] REQUIRED_ALGORITHMS => new[] { "RS256", "RS512" };
 }
diff --git a/test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs b/test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs
index 7752b8b395..59eb01739a 100644
--- a/test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs
+++ b/test/HealthChecks.OpenIdConnectServer.Tests/Functional/DiscoveryEndpointResponseTests.cs
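Review bot: The switch to `ValidateOneOfRequiredValues` on the `SigningAlgorithmsSupported` line means a discovery document that advertises RS512 but omits RS256 now passes the check, although OpenID Connect Discovery 1.0 states that RS256 MUST be included in `id_token_signing_alg_values_supported`; a relying party configured for RS256 could therefore fail against a provider this check reports as healthy. If the relaxation is deliberate, record it next to the call the way the line above documents the `'id_token token'` exception, e.g. `// Spec requires RS256, but some providers advertise only RS512; accept either so the check does not fail for them`. If it is not, keep `ValidateRequiredValues` for the RS256 requirement and treat RS512 as an additional accepted value rather than an alternative. `ValidateOneOfRequiredValues` and the remainder of ValidateResponse are outside the hunk, so whether it also checks the values against a supported list cannot be confirmed here.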
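Review bot: With RS512 added, the name `REQUIRED_ALGORITHMS` no longer describes the value: its consumer in `ValidateResponse` now treats the entries as alternatives (any one suffices), not as a set that must all be present, so the name reads as the opposite of the behaviour and invites someone to tighten it back. A short comment on the property would prevent that, e.g. `// Any one of these must appear in id_token_signing_alg_values_supported (checked via ValidateOneOfRequiredValues)`. If other callers outside this diff still consume REQUIRED_ALGORITHMS as an all-required set, their meaning changes silently with this edit as well.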
@@ -129,7 +129,27 @@ public void be_invalid_when_required_id_token_signing_alg_values_supported_is_mi
 validate
 .ShouldThrow()
- .Message.ShouldBe("Invalid discovery response - 'id_token_signing_alg_values_supported' must contain the following values: RS256!");
+ .Message.ShouldBe($"Invalid discovery response - 'id_token_signing_alg_values_supported' must be one of the following values: {string.Join(",", OidcConstants.REQUIRED_ALGORITHMS)}!");
+ }
+
+ [Theory]
+ [InlineData("RS256")]
+ [InlineData("RS512")]
+ public void be_valid_when_one_required_id_token_signing_alg_value_is_provided(string supportedSigningAlgorithm)
+ {
+ var response = new DiscoveryEndpointResponse
+ {
+ Issuer = RandomString,
+ AuthorizationEndpoint = RandomString,
+ JwksUri = RandomString,
+ ResponseTypesSupported = REQUIRED_RESPONSE_TYPES,
+ SubjectTypesSupported = OidcConstants.REQUIRED_SUBJECT_TYPES,
+ SigningAlgorithmsSupported = new[] { supportedSigningAlgorithm },
+ };
+
+ Action validate = () => response.ValidateResponse();
+
+ validate.ShouldNotThrow();
 }
 [Fact]
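Review bot: The updated assertion in the test named in the hunk header builds its expected text from `OidcConstants.REQUIRED_ALGORITHMS` with what is presumably the same `string.Join` the production code uses, so it no longer pins the message: a change to the constant or to the separator would pass unnoticed. Prefer the literal `.Message.ShouldBe("Invalid discovery response - 'id_token_signing_alg_values_supported' must be one of the following values: RS256,RS512!");` so the test fails when the contract changes. The new theory covers the two accepted values, but nothing in this hunk exercises a non-empty `SigningAlgorithmsSupported` that contains none of them (for example `new[] { "ES256" }`), which is the path that distinguishes one-of validation from a plain presence check; add that negative case unless it already exists elsewhere in the file.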