erlef · maennchen · Dec 16, 2023 · Dec 16, 2023
diff --git a/include/oidcc_provider_configuration.hrl b/include/oidcc_provider_configuration.hrl
@@ -93,6 +93,20 @@
         code_challenge_methods_supported = undefined :: [binary()] | undefined,
         %% OpenID Connect RP-Initiated Logout 1.0
         end_session_endpoint = undefined :: uri_string:uri_string() | undefined,
+        %% OAuth 2.0 Pushed Authorization Requests
+        require_pushed_authorization_requests = false :: boolean(),
+        %% OAuth 2.0 Pushed Authorization Requests
+        pushed_authorization_request_endpoint = undefined :: uri_string:uri_string() | undefined,
+        %% JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
+        authorization_signing_alg_values_supported = undefined :: [binary()] | undefined,
+        %% JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
+        authorization_encryption_alg_values_supported = undefined :: [binary()] | undefined,
+        %% JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
+        authorization_encryption_enc_values_supported = undefined :: [binary()] | undefined,
+        %% OAuth 2.0 Authorization Server Issuer Identification (RFC9207)
+        authorization_response_iss_parameter_supported = false :: boolean(),
+        %% OAuth 2.0 Demonstrating Proof of Possession (DPoP)
+        dpop_signing_alg_values_supported = undefined :: [binary()] | undefined,
         %% Unknown Fields
         extra_fields = #{} :: #{binary() => term()}
     }

diff --git a/lib/oidcc/provider_configuration.ex b/lib/oidcc/provider_configuration.ex
@@ -110,6 +110,13 @@ defmodule Oidcc.ProviderConfiguration do
           introspection_endpoint_auth_signing_alg_values_supported: [String.t()] | :undefined,
           code_challenge_methods_supported: [String.t()] | :undefined,
           end_session_endpoint: :uri_string.uri_string() | :undefined,
+          require_pushed_authorization_requests: boolean(),
+          pushed_authorization_request_endpoint: :uri_string.uri_string() | :undefined,
+          authorization_response_iss_parameter_supported: boolean(),
+          authorization_signing_alg_values_supported: [String.t()] | :undefined,
+          authorization_encryption_alg_values_supported: [String.t()] | :undefined,
+          authorization_encryption_enc_values_supported: [String.t()] | :undefined,
+          dpop_signing_alg_values_supported: [String.t()] | :undefined,
           extra_fields: %{String.t() => term()}
         }
 

diff --git a/src/oidcc_provider_configuration.erl b/src/oidcc_provider_configuration.erl
@@ -116,6 +116,13 @@
             [binary()] | undefined,
         code_challenge_methods_supported :: [binary()] | undefined,
         end_session_endpoint :: uri_string:uri_string() | undefined,
+        require_pushed_authorization_requests :: boolean(),
+        pushed_authorization_request_endpoint :: uri_string:uri_string() | undefined,
+        authorization_signing_alg_values_supported :: [binary()] | undefined,
+        authorization_encryption_alg_values_supported :: [binary()] | undefined,
+        authorization_encryption_enc_values_supported :: [binary()] | undefined,
+        authorization_response_iss_parameter_supported :: boolean(),
+        dpop_signing_alg_values_supported :: [binary()] | undefined,
         extra_fields :: #{binary() => term()}
     }.
 %% Record containing OpenID and OAuth 2.0 Configuration
@@ -339,7 +346,18 @@ decode_configuration(Configuration0, Opts) ->
                 introspection_endpoint_auth_signing_alg_values_supported :=
                     IntrospectionEndpointAuthSigningAlgValuesSupported,
                 code_challenge_methods_supported := CodeChallengeMethodsSupported,
-                end_session_endpoint := EndSessionEndpoint
+                end_session_endpoint := EndSessionEndpoint,
+                require_pushed_authorization_requests := RequirePushedAuthorizationRequests,
+                pushed_authorization_request_endpoint := PushedAuthorizationRequestEndpoint,
+                authorization_signing_alg_values_supported :=
+                    AuthorizationSigningAlgValuesSupported,
+                authorization_encryption_alg_values_supported :=
+                    AuthorizationEncryptionAlgValuesSupported,
+                authorization_encryption_enc_values_supported :=
+                    AuthorizationEncryptionEncValuesSupported,
+                authorization_response_iss_parameter_supported :=
+                    AuthorizationResponseIssParameterSupported,
+                dpop_signing_alg_values_supported := DpopSigningAlgValuesSupported
             },
             ExtraFields
         }} ?=
@@ -431,7 +449,24 @@ decode_configuration(Configuration0, Opts) ->
                         case AllowUnsafeHttp of
                             true -> fun oidcc_decode_util:parse_setting_uri/2;
                             false -> fun oidcc_decode_util:parse_setting_uri_https/2
-                        end}
+                        end},
+                    {optional, require_pushed_authorization_requests, false,
+                        fun oidcc_decode_util:parse_setting_boolean/2},
+                    {optional, pushed_authorization_request_endpoint, undefined,
+                        case AllowUnsafeHttp of
+                            true -> fun oidcc_decode_util:parse_setting_uri/2;
+                            false -> fun oidcc_decode_util:parse_setting_uri_https/2
+                        end},
+                    {optional, authorization_signing_alg_values_supported, undefined,
+                        fun parse_token_signing_alg_values_no_none/2},
+                    {optional, authorization_encryption_alg_values_supported, undefined,
+                        fun oidcc_decode_util:parse_setting_binary_list/2},
+                    {optional, authorization_encryption_enc_values_supported, undefined,
+                        fun oidcc_decode_util:parse_setting_binary_list/2},
+                    {optional, authorization_response_iss_parameter_supported, false,
+                        fun oidcc_decode_util:parse_setting_boolean/2},
+                    {optional, dpop_signing_alg_values_supported, undefined,
+                        fun parse_token_signing_alg_values_no_none/2}
                 ],
                 #{}
             ),
@@ -497,6 +532,16 @@ decode_configuration(Configuration0, Opts) ->
             code_challenge_methods_supported =
                 CodeChallengeMethodsSupported,
             end_session_endpoint = EndSessionEndpoint,
+            require_pushed_authorization_requests = RequirePushedAuthorizationRequests,
+            pushed_authorization_request_endpoint = PushedAuthorizationRequestEndpoint,
+            authorization_signing_alg_values_supported = AuthorizationSigningAlgValuesSupported,
+            authorization_encryption_alg_values_supported =
+                AuthorizationEncryptionAlgValuesSupported,
+            authorization_encryption_enc_values_supported =
+                AuthorizationEncryptionEncValuesSupported,
+            authorization_response_iss_parameter_supported =
+                AuthorizationResponseIssParameterSupported,
+            dpop_signing_alg_values_supported = DpopSigningAlgValuesSupported,
             extra_fields = ExtraFields
         }}
     end.