Revert "Add IdTokenVerifier::require_typ_check method (#175)"

ramosbugs · ramosbugs · commit 02525323bfdc · 2024-06-10T16:40:54.000-07:00
This reverts commit e28f85a.
diff --git a/src/verification/mod.rs b/src/verification/mod.rs
@@ -125,7 +125,6 @@ where
     iss_required: bool,
     issuer: IssuerUrl,
     is_signature_check_enabled: bool,
-    is_typ_check_enabled: bool,
     other_aud_verifier_fn: Arc<dyn Fn(&Audience) -> bool + 'a + Send + Sync>,
     signature_keys: JsonWebKeySet<K>,
 }
@@ -147,7 +146,6 @@ where
             iss_required: true,
             issuer,
             is_signature_check_enabled: true,
-            is_typ_check_enabled: true,
             // Secure default: reject all other audiences as untrusted, since any other audience
             // can potentially impersonate the user when by sending its copy of these claims
             // to this relying party.
@@ -171,11 +169,6 @@ where
         self
     }
 
-    pub fn require_typ_check(mut self, typ_check_required: bool) -> Self {
-        self.is_typ_check_enabled = typ_check_required;
-        self
-    }
-
     pub fn set_allowed_algs<I>(mut self, algs: I) -> Self
     where
         I: IntoIterator<Item = K::SigningAlgorithm>,
@@ -202,23 +195,20 @@ where
     }
 
     fn validate_jose_header<JE>(
-        &self,
         jose_header: &JsonWebTokenHeader<JE, K::SigningAlgorithm>,
     ) -> Result<(), ClaimsVerificationError>
     where
         JE: JweContentEncryptionAlgorithm<
             KeyType = <K::SigningAlgorithm as JwsSigningAlgorithm>::KeyType,
         >,
     {
-        if self.is_typ_check_enabled {
-            // The 'typ' header field must either be omitted or have the canonicalized value JWT.
-            if let Some(ref jwt_type) = jose_header.typ {
-                if jwt_type.to_uppercase() != "JWT" {
-                    return Err(ClaimsVerificationError::Unsupported(format!(
-                        "unexpected or unsupported JWT type `{}`",
-                        **jwt_type
-                    )));
-                }
+        // The 'typ' header field must either be omitted or have the canonicalized value JWT.
+        if let Some(ref jwt_type) = jose_header.typ {
+            if jwt_type.to_uppercase() != "JWT" {
+                return Err(ClaimsVerificationError::Unsupported(format!(
+                    "unexpected or unsupported JWT type `{}`",
+                    **jwt_type
+                )));
             }
         }
         // The 'cty' header field must be omitted, since it's only used for JWTs that contain
@@ -260,7 +250,7 @@ where
     {
         {
             let jose_header = jwt.unverified_header();
-            self.validate_jose_header(jose_header)?;
+            Self::validate_jose_header(jose_header)?;
 
             // The code below roughly follows the validation steps described in
             // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
@@ -624,14 +614,6 @@ where
         self
     }
 
-    /// Specifies whether the `typ` field in the [JOSE header](
-    /// https://tools.ietf.org/html/rfc7519#section-5) should be validated against supported
-    /// values.
-    pub fn require_typ_check(mut self, typ_check_required: bool) -> Self {
-        self.jwt_verifier = self.jwt_verifier.require_typ_check(typ_check_required);
-        self
-    }
-
     /// Specifies whether the issuer claim must match the expected issuer URL for the provider.
     pub fn require_issuer_match(mut self, iss_required: bool) -> Self {
         self.jwt_verifier = self.jwt_verifier.require_issuer_match(iss_required);
diff --git a/src/verification/tests.rs b/src/verification/tests.rs
@@ -36,25 +36,9 @@ fn assert_unsupported<T>(result: Result<T, ClaimsVerificationError>, expected_su
 
 #[test]
 fn test_jose_header() {
-    let client_id = ClientId::new("my_client".to_string());
-    let issuer = IssuerUrl::new("https://example.com".to_string()).unwrap();
-    let verifier = CoreJwtClaimsVerifier::new(
-        client_id.clone(),
-        issuer.clone(),
-        CoreJsonWebKeySet::new(vec![]),
-    );
-
-    // No typ
-    verifier
-        .validate_jose_header(
-            &serde_json::from_str::<CoreJsonWebTokenHeader>("{\"alg\":\"RS256\"}")
-                .expect("failed to deserialize"),
-        )
-        .expect("JWT typ field was required");
-
     // Unexpected JWT type.
     assert_unsupported(
-        verifier.validate_jose_header(
+        CoreJwtClaimsVerifier::validate_jose_header(
             &serde_json::from_str::<CoreJsonWebTokenHeader>(
                 "{\"alg\":\"RS256\",\"typ\":\"NOT_A_JWT\"}",
             )
@@ -65,14 +49,14 @@ fn test_jose_header() {
 
     // Nested JWTs.
     assert_unsupported(
-        verifier.validate_jose_header(
+        CoreJwtClaimsVerifier::validate_jose_header(
             &serde_json::from_str::<CoreJsonWebTokenHeader>("{\"alg\":\"RS256\",\"cty\":\"JWT\"}")
                 .expect("failed to deserialize"),
         ),
         "nested JWT",
     );
     assert_unsupported(
-        verifier.validate_jose_header(
+        CoreJwtClaimsVerifier::validate_jose_header(
             &serde_json::from_str::<CoreJsonWebTokenHeader>(
                 "{\"alg\":\"RS256\",\"cty\":\"NOT_A_JWT\"}",
             )
@@ -83,7 +67,7 @@ fn test_jose_header() {
 
     // Critical fields. Adapted from https://tools.ietf.org/html/rfc7515#appendix-E
     assert_unsupported(
-        verifier.validate_jose_header(
+        CoreJwtClaimsVerifier::validate_jose_header(
             &serde_json::from_str::<CoreJsonWebTokenHeader>(
                 "{\
                      \"alg\":\"RS256\",\
@@ -97,38 +81,6 @@ fn test_jose_header() {
     );
 }
 
-#[test]
-fn test_jose_header_typ_check_disabled() {
-    let client_id = ClientId::new("my_client".to_string());
-    let issuer = IssuerUrl::new("https://example.com".to_string()).unwrap();
-
-    // Build a verifier that does *not* check the value of `typ`.
-    let verifier = CoreJwtClaimsVerifier::new(
-        client_id.clone(),
-        issuer.clone(),
-        CoreJsonWebKeySet::new(vec![]),
-    )
-    .require_typ_check(false);
-
-    // No typ
-    verifier
-        .validate_jose_header(
-            &serde_json::from_str::<CoreJsonWebTokenHeader>("{\"alg\":\"RS256\"}")
-                .expect("failed to deserialize"),
-        )
-        .expect("JWT typ field was required");
-
-    // Unsupported typ value
-    verifier
-        .validate_jose_header(
-            &serde_json::from_str::<CoreJsonWebTokenHeader>(
-                "{\"alg\":\"RS256\",\"typ\":\"NOT_A_JWT\"}",
-            )
-            .expect("failed to deserialize"),
-        )
-        .expect("any typ value is allowed");
-}
-
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize)]
 struct TestClaims {
     aud: Option<Vec<Audience>>,
