Fix OIDC B2C problems #220
Conversation
(1) Rewrote the metadata loading and the configuration code. Restructured OIDCStrategy. (2) #188 B2C mocha tests (partially done, waiting for the AAD fix of missing nonce to add test for hybrid/code flow) (3) #165 rename 'callbackURL' and 'returnURL' to 'redirectUrl'. (4) #189 Extensibility to allow issuer validation when going against commend end point (5) #194 error message for 'sub' mismatch is incorrect after redeeming 'code' (6) #218 missing email claim for B2C
lovemaths
force-pushed
the
sijliu/v3.0.0b2c
branch
from
53f4fdc to
d60bdb6
Compare
| @@ -69,18 +68,22 @@ const NONCE_MAX_AMOUNT = 10; | |||
| const NONCE_LIFE_TIME = 3600; // second | |||
|
|
|||
| function makeProfileObject(src, raw) { | |||
| var emails = []; | |||
| if (src.upn) | |||
| emails = [src.upn]; | |||
There was a problem hiding this comment.
@tushargupta51 Should we be using upn as emails?
There was a problem hiding this comment.
upn is always the email
There was a problem hiding this comment.
upn is not necessarily the email of the user. It might have @ in it. I think this property should be called username instead of emails.
There was a problem hiding this comment.
For AAD, upn is always in the email format like '[email protected]'
There was a problem hiding this comment.
You are right. It is always in email format. But I am not sure if we can use that as email of the user. I saw you updated the code to set emails: src.emails. What is src here? json for id token? Is emails a new property?
| if (src.upn) | ||
| emails = [src.upn]; | ||
| else if (src.emails) | ||
| emails = src.emails; |
There was a problem hiding this comment.
Is it possible to get both upn and emails back? What happens if we do? Do we ignore emails?
There was a problem hiding this comment.
no. For B2C we get emails but not upn; for non B2C we get upn but no emails
There was a problem hiding this comment.
I think for non B2c, we get email claim in the id token.
There was a problem hiding this comment.
Confirmed with Danny, AAD won't return email claim in id_token. To get email claim, one needs to call graph api.
| return self.fail('invalid nonce'); | ||
| // For B2C, check the policy | ||
| if (self._options.isB2C) { | ||
| if (!jwtClaims.acr || jwtClaims.acr.length <= 6 || jwtClaims.acr.substring(0,6).toUpperCase() !== 'B2C_1_') |
There was a problem hiding this comment.
Please define the B2C_1_ string as a constant and then use value.length.
| * @params {Object} req | ||
| * @params {Function} next | ||
| * @params {Function} nextt |
There was a problem hiding this comment.
typo? Are we actually using this variable?
There was a problem hiding this comment.
we used to, but not anymore, will remove the 'next'
| } | ||
|
|
||
| log.info('received id_token: ', id_token); | ||
| log.info('received id_token: ', items.id_token); |
There was a problem hiding this comment.
Are we logging the contents of the id_token? I don't think we want to do that.
There was a problem hiding this comment.
why not? logging is only seen by the developers, with the id_token it is much easier for them to debug issues
There was a problem hiding this comment.
I spoke to Brent, and we assume for Wilson that the log can contain PII. This seems fine.
| return self.failWithLog('In _flowInitializationHandler: missing policy in the request for B2C'); | ||
| // policy is not case sensitive. AAD turns policy to lower case. | ||
| policy = req.query.p.toLowerCase(); | ||
| if (!policy.startsWith('b2c_1_')) |
There was a problem hiding this comment.
Use the same constant as above.
| * (3) Description: | ||
| * the metadata endpoint provided by the Microsoft Identity Portal that provides | ||
| * the keys and other important info at runtime. Examples: | ||
| * <1> v1 non-common endpoint |
There was a problem hiding this comment.
should we say: tenant endpoint
There was a problem hiding this comment.
I think it is already very clear here with the examples.
There was a problem hiding this comment.
Agree with Brent. We should call this "v1 tenant-specific (not common) endpoint".
There was a problem hiding this comment.
@lovemaths Is this still an open issue?
There was a problem hiding this comment.
changed it in the latest commit
| * (3) Description: | ||
| * How you get the authorization code and tokens back | ||
| * | ||
| * - `redirectUrl` (1) Required |
|
|
|
|
(1) Rewrote the metadata loading and the configuration code. Restructured OIDCStrategy.
(2) #188 B2C mocha tests (partially done, waiting for the AAD fix of missing nonce to add test for hybrid/code flow)
(3) #165 rename 'callbackURL' and 'returnURL' to 'redirectUrl'.
(4) #189 Extensibility to allow issuer validation when going against commend end point
(5) #194 error message for 'sub' mismatch is incorrect after redeeming 'code'
(6) #218 missing email claim for B2C