From 0ed3cc6748b2739850b222b74a72633908710b22 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Sun, 8 Dec 2024 20:23:54 +1100
Subject: [PATCH] fix: enforcement
---
 handler/oauth2/strategy_jwt_profile.go | 8 ++++----
 token/jwt/jwt_strategy.go | 2 +-
 token/jwt/jwt_strategy_opts.go | 23 ++++++++--------------
 token/jwt/util.go | 2 +-
 4 files changed, 14 insertions(+), 21 deletions(-)
diff --git a/handler/oauth2/strategy_jwt_profile.go b/handler/oauth2/strategy_jwt_profile.go
index c553d5a5..1d0d105f 100644
--- a/handler/oauth2/strategy_jwt_profile.go
+++ b/handler/oauth2/strategy_jwt_profile.go
@@ -44,12 +44,12 @@ func (s *JWTProfileCoreStrategy) GenerateAccessToken(ctx context.Context, reques
 ok bool
 )
- if s.Config.GetEnforceJWTProfileAccessTokens(ctx) {
- return s.GenerateJWT(ctx, oauth2.AccessToken, requester, nil)
- }
+ enforce := s.Config.GetEnforceJWTProfileAccessTokens(ctx)
- if client, ok = requester.GetClient().(oauth2.JWTProfileClient); ok && client.GetEnableJWTProfileOAuthAccessTokens() {
+ if client, ok = requester.GetClient().(oauth2.JWTProfileClient); ok && (enforce || client.GetEnableJWTProfileOAuthAccessTokens()) {
 return s.GenerateJWT(ctx, oauth2.AccessToken, requester, client)
+ } else if enforce {
+ return s.GenerateJWT(ctx, oauth2.AccessToken, requester, nil)
 }
 return s.HMACCoreStrategy.GenerateAccessToken(ctx, requester)
diff --git a/token/jwt/jwt_strategy.go b/token/jwt/jwt_strategy.go
index 21c54ad9..a4615926 100644
--- a/token/jwt/jwt_strategy.go
+++ b/token/jwt/jwt_strategy.go
@@ -75,7 +75,7 @@ func (j *DefaultStrategy) Encode(ctx context.Context, claims Claims, opts ...Str
 kid, alg, enc := o.client.GetEncryptionKeyID(), o.client.GetEncryptionAlg(), o.client.GetEncryptionEnc()
- if len(kid) == 0 && len(alg) == 0 {
+ if len(kid)+len(alg) == 0 {
 return EncodeCompactSigned(ctx, claims, o.headers, keySig)
 }
diff --git a/token/jwt/jwt_strategy_opts.go b/token/jwt/jwt_strategy_opts.go
index e9a442c8..d9fae20b 100644
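Review bot: The new `} else if enforce {` branch still hands a nil client to GenerateJWT, so an enforcing server issuing a token for a client that does not implement oauth2.JWTProfileClient gets none of that client's per-client settings, and since Encode in the jwt_strategy.go hunk reads the encryption key id, alg and enc from `o.client`, such a token would presumably come out signed-only; that deserves to be stated on the branch, e.g. `// enforce is set but the client carries no JWT profile settings: issue a signed token with strategy defaults.` Stylistically an `else if` after a terminating `return` reads better flattened as a separate `if enforce { return s.GenerateJWT(ctx, oauth2.AccessToken, requester, nil) }` guard. GenerateAccessToken starts before this hunk (the `var (` block is cut at the top).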
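Review bot: `if len(kid)+len(alg) == 0 {` hides the intent that both values must be empty behind an arithmetic trick; `if kid == "" && alg == "" {` says the same thing directly and is what a reader auditing the signed-versus-encrypted decision expects to find. Because this condition is the point where a client without encryption settings receives a compact signed token instead of an encrypted one, a one-line why-comment would help: `// no per-client encryption configured: issue a compact signed token only.` A client that sets only one of kid or alg does not take this early return and presumably continues into the encryption path below, as before this commit; that asymmetry is worth mentioning in the same comment. Encode continues on both sides of this hunk.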
--- a/token/jwt/jwt_strategy_opts.go
+++ b/token/jwt/jwt_strategy_opts.go
@@ -62,8 +62,7 @@ func WithClient(client Client) StrategyOpt {
 func WithIDTokenClient(client any) StrategyOpt {
 return func(opts *StrategyOpts) (err error) {
- switch c := client.(type) {
- case IDTokenClient:
+ if c, ok := client.(IDTokenClient); ok {
 opts.client = &decoratedIDTokenClient{IDTokenClient: c}
 }
@@ -73,8 +72,7 @@ func WithIDTokenClient(client any) StrategyOpt {
 func WithUserInfoClient(client any) StrategyOpt {
 return func(opts *StrategyOpts) (err error) {
- switch c := client.(type) {
- case UserInfoClient:
+ if c, ok := client.(UserInfoClient); ok {
 opts.client = &decoratedUserInfoClient{UserInfoClient: c}
 }
@@ -84,8 +82,7 @@ func WithUserInfoClient(client any) StrategyOpt {
 func WithIntrospectionClient(client any) StrategyOpt {
 return func(opts *StrategyOpts) (err error) {
- switch c := client.(type) {
- case IntrospectionClient:
+ if c, ok := client.(IntrospectionClient); ok {
 opts.client = &decoratedIntrospectionClient{IntrospectionClient: c}
 }
@@ -95,8 +92,7 @@ func WithIntrospectionClient(client any) StrategyOpt {
 func WithJARMClient(client any) StrategyOpt {
 return func(opts *StrategyOpts) (err error) {
- switch c := client.(type) {
- case JARMClient:
+ if c, ok := client.(JARMClient); ok {
 opts.client = &decoratedJARMClient{JARMClient: c}
 }
@@ -106,8 +102,7 @@ func WithJARMClient(client any) StrategyOpt {
 func WithJARClient(client any) StrategyOpt {
 return func(opts *StrategyOpts) (err error) {
- switch c := client.(type) {
- case JARClient:
+ if c, ok := client.(JARClient); ok {
 opts.client = &decoratedJARClient{JARClient: c}
 }
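Review bot: Each option closure still does nothing, silently, when `client` does not satisfy the asserted interface: the `if c, ok := client.(IDTokenClient); ok {` form leaves `opts.client` at whatever it held before and the named `err` result stays nil, so a caller that passes the wrong client type never learns the option was ignored; the same applies to WithUserInfoClient, WithIntrospectionClient, WithJARMClient and WithJARClient in this file section and to WithJWTProfileAccessTokenClient and WithStatelessJWTProfileIntrospectionClient in the following hunks. Given that the jwt_strategy.go hunk reads the encryption settings from `o.client`, a no-op here presumably means a token issued with strategy defaults rather than the client's configured parameters. Consider returning an error from an `else` branch, or at minimum documenting the contract on each option, e.g. `// A client that does not implement IDTokenClient is ignored and opts.client is left untouched.` The closures' trailing return lines fall outside these hunks.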
@@ -117,8 +112,7 @@ func WithJARClient(client any) StrategyOpt {
 func WithJWTProfileAccessTokenClient(client any) StrategyOpt {
 return func(opts *StrategyOpts) (err error) {
- switch c := client.(type) {
- case JWTProfileAccessTokenClient:
+ if c, ok := client.(JWTProfileAccessTokenClient); ok {
 opts.client = &decoratedJWTProfileAccessTokenClient{JWTProfileAccessTokenClient: c}
 }
@@ -128,10 +122,9 @@ func WithJWTProfileAccessTokenClient(client any) StrategyOpt {
 func WithStatelessJWTProfileIntrospectionClient(client any) StrategyOpt {
 return func(opts *StrategyOpts) (err error) {
- switch c := client.(type) {
- case IntrospectionClient:
+ if c, ok := client.(IntrospectionClient); ok {
 opts.client = &decoratedIntrospectionClient{IntrospectionClient: c}
- case JWTProfileAccessTokenClient:
+ } else if c, ok := client.(JWTProfileAccessTokenClient); ok {
 opts.client = &decoratedJWTProfileAccessTokenClient{JWTProfileAccessTokenClient: c}
 }
diff --git a/token/jwt/util.go b/token/jwt/util.go
index 20e3ccdd..0a65469a 100644
--- a/token/jwt/util.go
+++ b/token/jwt/util.go
@@ -328,7 +328,7 @@ func NewClientSecretJWK(ctx context.Context, secret []byte, kid, alg, enc, use s
 bits = aes.BlockSize * 1.5
 case jose.A256KW, jose.A256GCMKW, jose.PBES2_HS512_A256KW:
 bits = aes.BlockSize * 2
- case jose.DIRECT:
+ default:
 switch jose.ContentEncryption(enc) {
 case jose.A128CBC_HS256, "":
 bits = aes.BlockSize * 2
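Review bot: Replacing `case jose.DIRECT:` with `default:` means every key algorithm not named in the preceding cases, including a mistyped or never-validated `alg` value from client configuration, now gets a client-secret key sized from `enc` instead of whatever the earlier no-match behaviour was; if the intent is to cover jose.DIRECT together with a few other direct-style algorithms, an explicit case list keeps unknown values on the fail-closed path. If a catch-all is intended, say so on the line, e.g. `default: // direct and any unlisted alg: size the key by the content encryption`. NewClientSecretJWK starts and ends outside this hunk, so what `bits` holds for an unmatched alg after this switch is not visible here.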