From 628bc2ed4091b3edb0c9b70467c5a4fa7dcd18c2 Mon Sep 17 00:00:00 2001
From: Steve Hobbs
Date: Wed, 20 Oct 2021 12:27:28 +0100
Subject: [PATCH 1/2] handleRedirectCallback now stores scope from token endpoint
---
 .../handleRedirectCallback.test.ts | 37 +++++++++++++++++++
 src/Auth0Client.ts | 1 +
 2 files changed, 38 insertions(+)
diff --git a/__tests__/Auth0Client/handleRedirectCallback.test.ts b/__tests__/Auth0Client/handleRedirectCallback.test.ts
index dd7f0f928..eb0420c43 100644
--- a/__tests__/Auth0Client/handleRedirectCallback.test.ts
+++ b/__tests__/Auth0Client/handleRedirectCallback.test.ts
@@ -205,13 +205,50 @@ describe('Auth0Client', () => { it('returns the transactions appState', async () => { const auth0 = setup(); + const appState = { key: 'property' }; + const result = await loginWithRedirect(auth0, { appState }); + expect(result).toBeDefined(); expect(result.appState).toBe(appState); }); + + it('does not store the scope from token endpoint if none was returned', async () => { + const auth0 = setup(); + const cacheSetSpy = jest.spyOn(auth0['cacheManager'], 'set'); + + const appState = { + key: 'property' + }; + + await loginWithRedirect(auth0, { appState }); + + expect( + Object.keys(cacheSetSpy.mock.calls[0][0]).includes('oauthTokenScope') + ).toBeFalsy(); + }); + + it('stores the scope returned from the token endpoint in the cache', async () => { + const auth0 = setup(); + const cacheSetSpy = jest.spyOn(auth0['cacheManager'], 'set'); + + const appState = { + key: 'property' + }; + + await loginWithRedirect( + auth0, + { appState }, + { token: { response: { scope: 'openid profile email' } } } + ); + + expect(cacheSetSpy).toHaveBeenCalledWith( + expect.objectContaining({ oauthTokenScope: 'openid profile email' }) + ); + }); }); it('calls oauth/token without redirect uri if not set in transaction', async () => {
diff --git a/src/Auth0Client.ts b/src/Auth0Client.ts
index d7384ebc8..8ae682c7f 100644
--- a/src/Auth0Client.ts
+++ b/src/Auth0Client.ts
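Review bot: The negative test in this hunk reaches into `cacheSetSpy.mock.calls[0][0]` and checks `.includes('oauthTokenScope')` with `toBeFalsy()`, so if `set` were never called the test would die with a TypeError from `Object.keys(undefined)` instead of a readable assertion, and a boolean is matched loosely. Asserting the call first and then the missing property says what is meant: `expect(cacheSetSpy).toHaveBeenCalledTimes(1);` followed by `expect(cacheSetSpy.mock.calls[0][0]).not.toHaveProperty('oauthTokenScope');`. That also keeps the style closer to the positive test beside it, which already uses matchers on the spy. The enclosing `describe('Auth0Client', …)` block starts before the hunk and ends after it.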
@@ -678,6 +678,7 @@ export default class Auth0Client { decodedToken, audience: transaction.audience, scope: transaction.scope, + ...(authResult.scope ? { oauthTokenScope: authResult.scope } : null), client_id: this.options.client_id });
From d43707d0bf2798d216e317084e1cf87f2008bdc1 Mon Sep 17 00:00:00 2001
From: Steve Hobbs
Date: Wed, 20 Oct 2021 13:41:50 +0100
Subject: [PATCH 2/2] Ensure detailedResponse not sent in authorize or token requests
---
 src/Auth0Client.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/Auth0Client.ts b/src/Auth0Client.ts
index 8ae682c7f..e93761b83 100644
--- a/src/Auth0Client.ts
+++ b/src/Auth0Client.ts
@@ -318,6 +318,7 @@ export default class Auth0Client { auth0Client, cacheLocation, advancedOptions, + detailedResponse, ...withoutClientOptions } = this.options;
@@ -1016,8 +1017,10 @@ export default class Auth0Client { const code_challengeBuffer = await sha256(code_verifier); const code_challenge = bufferToBase64UrlEncoded(code_challengeBuffer); + const { detailedResponse, ...withoutClientOptions } = options; + const params = this._getParams( - options, + withoutClientOptions, stateIn, nonceIn, code_challenge,
@@ -1064,6 +1067,7 @@ export default class Auth0Client { redirect_uri, ignoreCache, timeoutInSeconds, + detailedResponse, ...customOptions } = options;
@@ -1145,6 +1149,7 @@ export default class Auth0Client { audience, ignoreCache, timeoutInSeconds, + detailedResponse, ...customOptions } = options;
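Review bot: The new `oauthTokenScope` field in the `@@ -678` hunk deserves a comment saying what it is, because the object passed to the cache now carries two scope fields and nothing tells a reader which one to trust: `scope: transaction.scope` on the line above is the scope that was requested, while `authResult.scope` is what the token endpoint actually granted, which RFC 6749 §5.1 allows to be narrower than the request. A one-line comment above the spread, `// scope actually granted by the token endpoint; may be narrower than the requested transaction.scope`, would make that explicit, and it matters for any later decision on whether a cached token satisfies a request — I cannot see the lookup side here, so that consequence is inferred. Spreading `null` when no scope was returned works, but `{}` reads more directly as "add nothing". The enclosing method starts and ends outside the hunk.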
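Review bot: The `@@ -318` hunk, together with the ones at `-1016`, `-1064` and `-1145`, keeps `detailedResponse` out of the authorize and token requests by naming it in four separate destructurings, which leaves four `detailedResponse` bindings that are not read anywhere in the visible lines and, more importantly, keeps forwarding on a denylist: any option the SDK gains later reaches the authorization URL or the token request by default unless someone remembers to add it to all four lists, and the authorize URL is exposed to the browser history and the IdP. I cannot see `_getParams` or the token call sites, so this is inferred from how `withoutClientOptions` and `customOptions` are spread; an allowlist of the parameters those requests are meant to carry, or one helper that does the stripping, would state the rule in a single place. In the `-1016` hunk the name `withoutClientOptions` is also reused for a value that only drops `detailedResponse`, unlike the same-named binding at `-318` that drops the client options; `const { detailedResponse: _ignored, ...authorizeOptions } = options;` with `authorizeOptions` passed to `_getParams` removes both the confusion and the unused-binding lint. The enclosing methods start and end outside these hunks.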