Merge pull request #775 from auth0/auth0js-v8

Auth0js v8 - configuration validation + default scope

package.json

@@ -79,7 +79,7 @@
     "zuul-ngrok": "gnandretta/zuul-ngrok#upgrade-ngrok"
   },
   "dependencies": {
-    "auth0-js": "8.0.1",
+    "auth0-js": "8.0.4",
     "blueimp-md5": "2.3.1",
     "fbjs": "^0.3.1",
     "immutable": "^3.7.3",
@@ -89,7 +89,8 @@
     "react-addons-css-transition-group": "^15.0.0 || ^16.0.0",
     "react-dom": "^15.0.0 || ^16.0.0",
     "trim": "0.0.1",
-    "url-join": "^1.1.0"
+    "url-join": "^1.1.0",
+    "idtoken-verifier": "^1.0.1"
   },
   "cdn-component": {
     "name": "lock",

scripts/ci.sh

@@ -99,7 +99,7 @@ npm run dist build
 
 # Release
 git checkout -b dist
-#bower_release
+bower_release
 new_line
 npm_release "$VERSION"
 new_line

src/core/index.js

@@ -218,6 +218,10 @@ function extractAuthOptions(options) {
     nonce
   } = options.auth || {};
 
+  let {
+    oidcConformant
+  } = options;
+
   audience = typeof audience === "string" ? audience : undefined;
   connectionScopes = typeof connectionScopes === "object" ? connectionScopes : {};
   params = typeof params === "object" ? params : {};
@@ -234,6 +238,14 @@ function extractAuthOptions(options) {
     warn(options, "Usage of scope 'openid profile' is not recommended. See https://auth0.com/docs/scopes for more details.");
   }
 
+  if (oidcConformant && !redirect && responseType.indexOf('id_token') > -1) {
+    throw new Error("It is not posible to request an 'id_token' while using popup mode.");
+  }
+
+  if (oidcConformant && !params.scope) {
+    params.scope = 'openid';
+  }
+
   return Immutable.fromJS({
     audience,
     connectionScopes,

src/core/remote_data.js

@@ -20,25 +20,23 @@ export function syncRemoteData(m) {
     });
   }
 
-  if (!l.oidcConformant(m)) {
-    m = sync(m, "sso", {
-      conditionFn: l.auth.sso,
-      waitFn: m => isSuccess(m, "client"),
-      syncFn: (m, cb) => fetchSSOData(l.id(m), isADEnabled(m), cb),
-      successFn: (m, result) => m.mergeIn(["sso"], Immutable.fromJS(result)),
-      errorFn: (m, error) => {
-        // location.origin is not supported in all browsers
-        let origin = location.protocol + "//" + location.hostname;
-        if (location.port) {
-          origin += ":" + location.port;
-        }
+  m = sync(m, "sso", {
+    conditionFn: (m) => l.auth.sso(m) && !l.oidcConformant(m),
+    waitFn: m => isSuccess(m, "client"),
+    syncFn: (m, cb) => fetchSSOData(l.id(m), isADEnabled(m), cb),
+    successFn: (m, result) => m.mergeIn(["sso"], Immutable.fromJS(result)),
+    errorFn: (m, error) => {
+      // location.origin is not supported in all browsers
+      let origin = location.protocol + "//" + location.hostname;
+      if (location.port) {
+        origin += ":" + location.port;
+      }
 
-        const appSettingsUrl = `https://manage.auth0.com/#/applications/${l.clientID(m)}/settings`;
+      const appSettingsUrl = `https://manage.auth0.com/#/applications/${l.clientID(m)}/settings`;
 
-        l.warn(m, `There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a "Origin" error has been logged before this warning, please add "${origin}" to the "Allowed Origins (CORS)" list in the Auth0 dashboard: ${appSettingsUrl}`);
-      }
-    });
-  }
+      l.warn(m, `There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a "Origin" error has been logged before this warning, please add "${origin}" to the "Allowed Origins (CORS)" list in the Auth0 dashboard: ${appSettingsUrl}`);
+    }
+  });
 
   return m;
 }

src/core/web_api/legacy_api.js

@@ -1,3 +1,4 @@
+var IdTokenVerifier = require('idtoken-verifier');
 import auth0 from 'auth0-js';
 import {normalizeError, loginCallback} from './helper';
 
@@ -6,6 +7,9 @@ class Auth0LegacyAPIClient {
     this.client = null;
     this.authOpt = null;
 
+    this.clientID = clientID;
+    this.tokenIssuer = (opts.overrides && opts.overrides.__token_issuer) || `https://${domain}/`;
+
     const default_telemetry = {
       name: 'lock.js',
       version: __VERSION__,
@@ -78,11 +82,64 @@ class Auth0LegacyAPIClient {
   }
 
   parseHash(hash = '', cb) {
-    return this.client.parseHash({
-      hash: decodeURIComponent(hash),
-      nonce: this.authOpt.nonce,
-      state: this.authOpt.state
-    }, cb);
+    hash = decodeURIComponent(hash);
+    var nonce = this.authOpt.nonce;
+    var state = this.authOpt.state;
+
+    var parsed_qs = parseQS(hash.replace(/^#?\/?/, ''));
+
+    if (parsed_qs.hasOwnProperty('error')) {
+      var err = {
+        error: parsed_qs.error,
+        error_description: parsed_qs.error_description
+      };
+
+      if (parsed_qs.state) {
+        err.state = parsed_qs.state;
+      }
+
+      return cb(err);
+    }
+
+    if (!parsed_qs.hasOwnProperty('access_token')
+       && !parsed_qs.hasOwnProperty('id_token')
+       && !parsed_qs.hasOwnProperty('refresh_token')) {
+      return cb(null, null);
+    }
+
+    var prof;
+
+    if (parsed_qs.hasOwnProperty('id_token')) {
+      var invalidJwt = function (error) {
+        var err = {
+          error: 'invalid_token',
+          error_description: error
+        };
+        return err;
+      };
+
+      var verifier = new IdTokenVerifier({});
+      prof = verifier.decode(parsed_qs.id_token).payload;
+
+      if (prof.aud !== this.clientID) {
+      return cb(invalidJwt(
+        'The clientID configured (' + this.clientID + ') does not match with the clientID set in the token (' + prof.aud + ').'));
+      }
+
+      // iss should be the Auth0 domain (i.e.: https://contoso.auth0.com/)
+      if (prof.iss !== this.tokenIssuer) {
+        return cb(invalidJwt(
+          'The domain configured (' + this.tokenIssuer + ') does not match with the domain set in the token (' + prof.iss + ').'));
+      }
+    }
+
+    cb(null, {
+      accessToken: parsed_qs.access_token,
+      idToken: parsed_qs.id_token,
+      idTokenPayload: prof,
+      refreshToken: parsed_qs.refresh_token,
+      state: parsed_qs.state
+    })
   }
 
   getUserInfo(token, callback) {
@@ -98,4 +155,13 @@ class Auth0LegacyAPIClient {
   }
 }
 
-export default Auth0LegacyAPIClient;
+export default Auth0LegacyAPIClient;
+
+
+function parseQS(qs) {
+  return qs.split('&').reduce(function (prev, curr) {
+    var param = curr.split('=');
+    prev[param[0]] = param[1];
+    return prev;
+  }, {});
+}

src/core/web_api/p2_api.js

@@ -19,6 +19,7 @@ class Auth0APIClient {
       redirectUri: opts.redirectUrl,
       responseMode: opts.responseMode,
       responseType: opts.responseType,
+      leeway: opts.leeway || 1,
       _sendTelemetry: opts._sendTelemetry === false ? false : true,
       _telemetryInfo: opts._telemetryInfo || default_telemetry,
       __tenant: opts.overrides && opts.overrides.__tenant,

support/index.html

@@ -17,10 +17,9 @@
     const domain = "auth0-tests-lock.auth0.com";
     const options = {
       auth: {
-        responseType: 'token',
-        redirect: false
+        responseType: 'id_token'
       },
-      oidcConformant: false
+      oidcConformant: true
     };
 
     const lock = new Auth0Lock(cid, domain, options);