feat: add server-wide policy configuration on accepting tokens in query

docs/README.md

@@ -1807,6 +1807,17 @@ function scriptNonce(ctx) {
 
 </details>
 
+### acceptQueryParamAccessTokens
+
+Several OAuth 2.0 / OIDC profiles prohibit the use of query strings to carry access tokens. This setting either allows (true) or prohibits (false) that mechanism to be used.   
+
+
+
+_**default value**_:
+```js
+true
+```
+
 ### acrValues
 
 Array of strings, the Authentication Context Class References that OP supports.  

lib/actions/userinfo.js

@@ -69,7 +69,6 @@ module.exports = [
   async function validateAccessToken(ctx, next) {
     const accessToken = await ctx.oidc.provider.AccessToken.find(ctx.oidc.getAccessToken({
       acceptDPoP: true,
-      acceptQueryParam: !instance(ctx.oidc.provider).configuration('features.fapiRW.enabled'),
     }));
 
     ctx.assert(accessToken, new InvalidToken('access token not found'));

lib/helpers/defaults.js

@@ -199,6 +199,17 @@ const DEFAULTS = {
   conformIdTokenClaims: true,
 
 
+  /*
+   * acceptQueryParamAccessTokens
+   *
+   * description: Several OAuth 2.0 / OIDC profiles prohibit the use of query strings to carry
+   * access tokens. This setting either allows (true) or prohibits (false) that mechanism to be
+   * used.
+   *
+   */
+  acceptQueryParamAccessTokens: true,
+
+
   /*
    * cookies
    *

lib/helpers/oidc_context.js

@@ -21,7 +21,11 @@ const COOKIES = Symbol('context#cookies');
 const UID = Symbol('context#uid');
 
 module.exports = function getContext(provider) {
-  const { clockTolerance, features: { dPoP: dPoPConfig } } = instance(provider).configuration();
+  const {
+    acceptQueryParamAccessTokens,
+    clockTolerance,
+    features: { dPoP: dPoPConfig, fapiRW: { enabled: fapiEnabled } },
+  } = instance(provider).configuration();
   const { app } = provider;
 
   class OIDCContext extends events.EventEmitter {
@@ -293,15 +297,18 @@ module.exports = function getContext(provider) {
       return this.entities.Client;
     }
 
-    getAccessToken({ acceptDPoP = false, acceptQueryParam = true } = {}) {
+    getAccessToken({
+      acceptDPoP = false, acceptQueryParam = !fapiEnabled && acceptQueryParamAccessTokens,
+    } = {}) {
       if ('accessToken' in instance(this)) {
         return instance(this).accessToken;
       }
+
       const { ctx } = this;
       const mechanisms = omitBy({
         body: get(ctx.oidc, 'body.access_token'),
         header: ctx.headers.authorization,
-        query: acceptQueryParam ? ctx.query.access_token : undefined,
+        query: ctx.query.access_token,
       }, (value) => typeof value !== 'string' || !value);
 
       debug('uid=%s received access token via %o', this.uid, mechanisms);
@@ -322,6 +329,10 @@ module.exports = function getContext(provider) {
         throw new InvalidRequest('access token must only be provided using one mechanism');
       }
 
+      if (!acceptQueryParam && mechanism === 'query') {
+        throw new InvalidRequest('access tokens must not be provided via query parameter');
+      }
+
       let dPoP;
       if (acceptDPoP && dPoPConfig.enabled) {
         ({ dPoP } = this);

test/fapirw/fapirw.test.js

@@ -12,11 +12,11 @@ describe('Financial-grade API - Part 2: Read and Write API Security Profile beha
         .expect('x-fapi-interaction-id', 'b2bef873-2fd8-4fcd-943b-caafcd0b1c3b');
     });
 
-    it('does not recognize query string bearer token', async function () {
+    it('does not allow query string bearer token', async function () {
       const at = await new this.provider.AccessToken({ clientId: 'client', accountId: 'account', scope: 'openid' }).save();
       await this.agent.get('/me')
         .query({ access_token: at })
-        .expect(this.failWith(400, 'invalid_request', 'no access token provided'));
+        .expect(this.failWith(400, 'invalid_request', 'access tokens must not be provided via query parameter'));
 
       await this.agent.get('/me')
         .auth(at, { type: 'bearer' })