JanssenProject · yuriyz · Mar 15, 2022 · Mar 15, 2022
@@ -1,13 +1,17 @@
+/*
+ * Janssen Project software is available under the Apache License (2004). See http://www.apache.org/licenses/ for full text.
+ *
+ * Copyright (c) 2020, Janssen Project
+ */
+
 package io.jans.as.client.client.assertbuilders;
 
 import io.jans.as.client.AuthorizationResponse;
-import io.jans.as.client.client.AssertBuilder;
 import io.jans.as.model.common.ResponseType;
 
 import java.util.List;
 
-import static org.testng.Assert.assertNotNull;
-import static org.testng.Assert.assertNull;
+import static org.testng.Assert.*;
 
 public class AuthorizationResponseAssertBuilder extends BaseAssertBuilder {
 
@@ -76,8 +80,17 @@ public void check() {
                     assertNotNull(response.getIdToken(), "The id_token is null");
                 }
             }
-        } else {
-
+        } else if (status == 302) {
+            assertEquals(response.getStatus(), status, "Unexpected response code: " + response.getEntity());
+            assertNotNull(response.getLocation(), "The location is null");
+            assertNotNull(response.getEntity(), "The entity is null");
+            assertNotNull(response.getErrorType(), "The error type is null");
+            assertNotNull(response.getErrorDescription(), "The error description is null");
+            if (nullState) {
+                assertNull(response.getState(), "The state is not null");
+            } else {
+                assertNotNull(response.getState(), "The state is null");
+            }
         }
     }
 }
@@ -185,6 +185,12 @@
         </classes>
     </test>
 
+    <test name="Force Signed Request Object Test" enabled="true">
+        <classes>
+            <class name="io.jans.as.client.ws.rs.ForceSignedRequestObjectTest"></class>
+        </classes>
+    </test>
+
     <test name="Grant Types Restriction (HTTP)" enabled="true">
         <classes>
             <class name="io.jans.as.client.ws.rs.GrantTypesRestrictionHttpTest"/>

@@ -23,7 +23,7 @@
  * @author Javier Rojas Blum
  * @author Yuriy Zabrovarnyy
  * @author Yuriy Movchan
- * @version February 10, 2022
+ * @version March 15, 2022
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class AppConfiguration implements Configuration {
@@ -105,6 +105,7 @@ public class AppConfiguration implements Configuration {
     private List<String> idTokenSigningAlgValuesSupported;
     private List<String> idTokenEncryptionAlgValuesSupported;
     private List<String> idTokenEncryptionEncValuesSupported;
+    private Boolean forceSignedRequestObject = false;
     private List<String> requestObjectSigningAlgValuesSupported;
     private List<String> requestObjectEncryptionAlgValuesSupported;
     private List<String> requestObjectEncryptionEncValuesSupported;
@@ -1232,6 +1233,18 @@ public void setIdTokenEncryptionEncValuesSupported(List<String> idTokenEncryptio
         this.idTokenEncryptionEncValuesSupported = idTokenEncryptionEncValuesSupported;
     }
 
+    public Boolean getForceSignedRequestObject() {
+        if (forceSignedRequestObject == null) {
+            return false;
+        }
+
+        return forceSignedRequestObject;
+    }
+
+    public void setForceSignedRequestObject(Boolean forceSignedRequestObject) {
+        this.forceSignedRequestObject = forceSignedRequestObject;
+    }
+
     public List<String> getRequestObjectSigningAlgValuesSupported() {
         return requestObjectSigningAlgValuesSupported;
     }

@@ -167,6 +167,7 @@
         "A128GCM",
         "A256GCM"
     ],
+    "forceSignedRequestObject": false,
     "requestObjectSigningAlgValuesSupported":[
         "none",
         "HS256",

@@ -99,7 +99,7 @@
  * Implementation for request authorization through REST web services.
  *
  * @author Javier Rojas Blum
- * @version March 7, 2022
+ * @version March 15, 2022
  */
 @Path("/")
 public class AuthorizeRestWebServiceImpl implements AuthorizeRestWebService {
@@ -320,6 +320,10 @@ private Response requestAuthorization(
 
             Set<String> scopes = scopeChecker.checkScopesPolicy(client, scope);
 
+            if (Boolean.TRUE.equals(appConfiguration.getForceSignedRequestObject()) && StringUtils.isBlank(request) && StringUtils.isBlank(requestUri)) {
+                throw authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "A signed request object is required");
+            }
+
             JwtAuthorizationRequest jwtRequest = null;
             if (StringUtils.isNotBlank(request) || StringUtils.isNotBlank(requestUri)) {
                 try {
@@ -341,6 +345,11 @@ private Response requestAuthorization(
                         redirectUriResponse.getRedirectUri().setBaseRedirectUri(jwtRequest.getRedirectUri());
                     }
 
+                    SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(jwtRequest.getAlgorithm());
+                    if (Boolean.TRUE.equals(appConfiguration.getForceSignedRequestObject()) && signatureAlgorithm == SignatureAlgorithm.NONE) {
+                        throw authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "A signed request object is required");
+                    }
+
                     // JWT wins
                     if (!jwtRequest.getScopes().isEmpty()) {
                         if (!scopes.contains("openid")) { // spec: Even if a scope parameter is present in the Request Object value, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value

@@ -116,6 +116,7 @@
     ],
     "idTokenEncryptionEncValuesSupported":[
     ],
+    "forceSignedRequestObject": false,
     "requestObjectSigningAlgValuesSupported":[
         "HS256",
         "RS256",

@@ -145,6 +145,7 @@
         "A128GCM",
         "A256GCM"
     ],
+    "forceSignedRequestObject": false,
     "requestObjectSigningAlgValuesSupported":[
         "none",
         "HS256",