diff --git a/lib/client.js b/lib/client.js index a314e721..2ba0c35a 100644 --- a/lib/client.js +++ b/lib/client.js @@ -557,13 +557,14 @@ class BaseClient { throw new OPError(params); } - if ('id_token' in params) { + if (typeof params.id_token === 'string' && params.id_token.length) { throw new RPError({ message: 'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()', params, }); } + delete params.id_token const RESPONSE_TYPE_REQUIRED_PARAMS = { code: ['code'], @@ -608,13 +609,14 @@ class BaseClient { { clientAssertionPayload, DPoP }, ); - if ('id_token' in tokenset) { + if (typeof tokenset.id_token === 'string' && tokenset.id_token.length) { throw new RPError({ message: 'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()', params, }); } + delete tokenset.id_token return tokenset; } diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js index 459c7218..ff7a1a18 100644 --- a/test/client/client_instance.test.js +++ b/test/client/client_instance.test.js @@ -1100,6 +1100,18 @@ describe('Client', () => { }); }); + it('ignores the id_token when falsy', function () { + return this.client + .oauthCallback('https://rp.example.com/cb', { + access_token: 'foo', + token_type: 'bearer', + id_token: '', + }) + .then((tokenset) => { + expect(tokenset).not.to.have.property('id_token'); + }); + }); + it('rejects when id_token was issued by the token endpoint', function () { nock('https://op.example.com') .matchHeader('Accept', 'application/json') 
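Review bot: The narrowed guard `typeof params.id_token === 'string' && params.id_token.length` lets a present but non-string `id_token` through, and the following `delete params.id_token` then discards it silently, whereas the replaced `'id_token' in params` rejected any present value; a repeated query parameter parsed into an array, or a non-string JSON value in the token response, would now be dropped instead of raising the RPError that steers callers to `client.callback()`. Since the intent per the new tests is to ignore only falsy values, `if (params.id_token) {` here (and `if (tokenset.id_token) {` in the -608 hunk) keeps that while still rejecting any other truthy value. The added `delete params.id_token` and `delete tokenset.id_token` lines are also missing the trailing semicolon the rest of the file uses. Whether `params` is a copy or the caller's own object is not visible in this hunk; if it is the caller's, the delete mutates their input. oauthCallback's body starts and ends outside both hunks.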
@@ -1120,6 +1132,23 @@ describe('Client', () => { ); }); }); + + it('ignores the the token endpoint id_token property when falsy', function () { + nock('https://op.example.com') + .matchHeader('Accept', 'application/json') + .matchHeader('Content-Length', isNumber) + .matchHeader('Transfer-Encoding', isUndefined) + .post('/token') + .reply(200, { id_token: '' }); + + return this.client + .oauthCallback('https://rp.example.com/cb', { + code: 'foo', + }) + .then((tokenset) => { + expect(tokenset).not.to.have.property('id_token'); + }); + }); }); describe('response type checks', function () {
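Review bot: The new test's title at the top of the hunk reads `ignores the the token endpoint id_token property when falsy`, duplicating "the"; `it('ignores the token endpoint id_token property when falsy', function () {` reads correctly. The enclosing describe block starts outside the hunk.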