fix: ignore non-conform "unrecognized" id_token in oauthCallback()
fixes #503
panva committed Jul 4, 2022
1 parent 687ba84 commit 3425110
Showing 2 changed files with 33 additions and 2 deletions.
6 changes: 4 additions & 2 deletions lib/client.js
Expand Up @@ -557,13 +557,14 @@ class BaseClient {
throw new OPError(params);
}

if ('id_token' in params) {
if (typeof params.id_token === 'string' && params.id_token.length) {
throw new RPError({
message:
'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
params,
});
}
delete params.id_token

const RESPONSE_TYPE_REQUIRED_PARAMS = {
code: ['code'],
Expand Down Expand Up @@ -608,13 +609,14 @@ class BaseClient {
{ clientAssertionPayload, DPoP },
);

if ('id_token' in tokenset) {
if (typeof tokenset.id_token === 'string' && tokenset.id_token.length) {
throw new RPError({
message:
'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
params,
});
}
delete tokenset.id_token

return tokenset;
}
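Review bot: Both hunks now silently discard an `id_token` that is present but not a non-empty string — the `delete params.id_token` at the end of the first hunk (and `delete tokenset.id_token` in the second) runs for `null`, numbers, objects and `''` alike — so a malformed id_token from the callback params or the token endpoint no longer surfaces as an error; if that widening is intended, say so at the site, e.g. `// a present-but-empty or non-string id_token is treated as absent (#503), not as misuse of oauthCallback()`. The two added `delete` statements also lack the trailing semicolon the rest of this file uses: `delete params.id_token;` and `delete tokenset.id_token;`. Note that `delete params.id_token` mutates the `params` object handed to oauthCallback(); if that is the caller's own object rather than a copy made earlier in the method, the caller will observe the key vanishing — oauthCallback() starts and continues outside both hunks, so this cannot be confirmed from here.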
29 changes: 29 additions & 0 deletions test/client/client_instance.test.js
Expand Up @@ -1100,6 +1100,18 @@ describe('Client', () => {
});
});

it('ignores the id_token when falsy', function () {
return this.client
.oauthCallback('https://rp.example.com/cb', {
access_token: 'foo',
token_type: 'bearer',
id_token: '',
})
.then((tokenset) => {
expect(tokenset).not.to.have.property('id_token');
});
});

it('rejects when id_token was issued by the token endpoint', function () {
nock('https://op.example.com')
.matchHeader('Accept', 'application/json')
Expand All @@ -1120,6 +1132,23 @@ describe('Client', () => {
);
});
});

it('ignores the the token endpoint id_token property when falsy', function () {
nock('https://op.example.com')
.matchHeader('Accept', 'application/json')
.matchHeader('Content-Length', isNumber)
.matchHeader('Transfer-Encoding', isUndefined)
.post('/token')
.reply(200, { id_token: '' });

return this.client
.oauthCallback('https://rp.example.com/cb', {
code: 'foo',
})
.then((tokenset) => {
expect(tokenset).not.to.have.property('id_token');
});
});
});

describe('response type checks', function () {
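Review bot: The new token-endpoint test only exercises `id_token: ''`, while the production check (`typeof … === 'string' && ….length`) also ignores non-string values such as `null` or a number, so that branch of the new behaviour has no coverage; a second `nock` reply such as `.reply(200, { id_token: null })` with the same `expect(tokenset).not.to.have.property('id_token')` expectation would pin it, and the same applies to the callback-params test in the first hunk. The test title in the second hunk has a doubled word: `it('ignores the token endpoint id_token property when falsy', function () {`. The describe block enclosing both hunks starts outside the section.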
