
Include redirect_uri #1175

Closed
dondracek opened this issue Sep 15, 2023 · 5 comments · Fixed by #1291
Labels
Microsoft Entra ID Former Azure AD
Milestone

Comments

@dondracek

Hi! 👋

Firstly, thanks for your work on this project! 🙂

Today I used patch-package to patch [email protected] for the project I'm working on.

The problem was that we're using Azure B2C as auth provider and it does need a redirect_uri even on refresh-token POST requests. I know it's not in the OAuth specification and it doesn't really make sense. However, we do have to use it and we deal with it.

Here is the diff that solved my problem:

diff --git a/node_modules/oidc-client-ts/dist/esm/oidc-client-ts.js b/node_modules/oidc-client-ts/dist/esm/oidc-client-ts.js
index 2bc62f7..50bd84e 100644
--- a/node_modules/oidc-client-ts/dist/esm/oidc-client-ts.js
+++ b/node_modules/oidc-client-ts/dist/esm/oidc-client-ts.js
@@ -805,7 +805,8 @@ var OidcClientSettingsStore = class {
     // extra
     extraQueryParams = {},
     extraTokenParams = {},
-    extraHeaders = {}
+    extraHeaders = {},
+    includeRedirectUriInRefreshTokenRequest = false
   }) {
     this.authority = authority;
     if (metadataUrl) {
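Review bot: the new `includeRedirectUriInRefreshTokenRequest = false` default is right, but `redirect_uri` is itself optional in OidcClientSettings and the only consumer of this flag later sends `this._settings.redirect_uri` unconditionally. Since the settings store is where settings are normalised, consider validating here that `redirect_uri` is set whenever the flag is true, so a misconfiguration fails at construction rather than surfacing as a bad token request on the first refresh.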
@@ -858,6 +859,7 @@ var OidcClientSettingsStore = class {
     this.extraQueryParams = extraQueryParams;
     this.extraTokenParams = extraTokenParams;
     this.extraHeaders = extraHeaders;
+    this.includeRedirectUriInRefreshTokenRequest = includeRedirectUriInRefreshTokenRequest;
   }
 };
 
@@ -1049,6 +1051,10 @@ var TokenClient = class {
         }
         break;
     }
+    // fix for Azure B2C "speciality"
+    if (this._settings.includeRedirectUriInRefreshTokenRequest) {
+      params.set('redirect_uri', this._settings.redirect_uri);
+    }
     const url = await this._metadataService.getTokenEndpoint(false);
     logger2.debug("got token endpoint");
     const response = await this._jsonService.postForm(url, { body: params, basicAuth, timeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials });
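Review bot: `params.set('redirect_uri', this._settings.redirect_uri)` sends the literal string "undefined" when no `redirect_uri` is configured, because URLSearchParams.set() stringifies its value; guard on the value as well, e.g. `if (this._settings.includeRedirectUriInRefreshTokenRequest && this._settings.redirect_uri)`. Two further points: the context lines only show the end of the client-authentication switch, which precedes the POST in the other grant exchanges too, so confirm the insertion is in the refresh-token exchange and not in the code exchange (the setting name promises refresh only); and the value echoed is the statically configured `redirect_uri`, which will not match at the IdP if the original authorization request used a different one, so the URI used for the code exchange would be the safer value to reuse. The comment should state what the IdP requires rather than call it a "speciality", and since this edits the built dist/esm bundle in node_modules, the upstream change belongs in the TypeScript source with a unit test, which also removes the need to repeat the hunk for the umd bundle.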
diff --git a/node_modules/oidc-client-ts/dist/types/oidc-client-ts.d.ts b/node_modules/oidc-client-ts/dist/types/oidc-client-ts.d.ts
index 67480e1..ba9e70a 100644
--- a/node_modules/oidc-client-ts/dist/types/oidc-client-ts.d.ts
+++ b/node_modules/oidc-client-ts/dist/types/oidc-client-ts.d.ts
@@ -633,6 +633,13 @@ export declare interface OidcClientSettings {
      * Only scopes in this list will be passed in the token refresh request.
      */
     refreshTokenAllowedScope?: string | undefined;
+    /**
+     * Include redirect_uri parameter in refresh token request.
+     * Yes, this is outside of OIDC specification and makes not really sense, but some big providers (AKA Azure B2C) does require redirect_uri in refresh token request.
+     *
+     * see: https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow#4-refresh-the-token
+     */
+    includeRedirectUriInRefreshTokenRequest?: boolean;
 }
 
 /**
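Review bot: the doc comment for `includeRedirectUriInRefreshTokenRequest` needs rewording ("makes not really sense", "some big providers ... does require") and should state the default; suggested text: "Include the redirect_uri parameter in the refresh token request. Not part of RFC 6749 or OIDC, but some providers (e.g. Azure B2C) require it. Defaults to false." Keep the learn.microsoft.com link, since it is the only justification for a non-standard parameter.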
@@ -675,7 +682,8 @@ export declare class OidcClientSettingsStore {
     readonly fetchRequestCredentials: RequestCredentials;
     readonly refreshTokenAllowedScope: string | undefined;
     readonly disablePKCE: boolean;
-    constructor({ authority, metadataUrl, metadata, signingKeys, metadataSeed, client_id, client_secret, response_type, scope, redirect_uri, post_logout_redirect_uri, client_authentication, prompt, display, max_age, ui_locales, acr_values, resource, response_mode, filterProtocolClaims, loadUserInfo, staleStateAgeInSeconds, clockSkewInSeconds, userInfoJwtIssuer, mergeClaims, disablePKCE, stateStore, refreshTokenCredentials, revokeTokenAdditionalContentTypes, fetchRequestCredentials, refreshTokenAllowedScope, extraQueryParams, extraTokenParams, extraHeaders, }: OidcClientSettings);
+    readonly includeRedirectUriInRefreshTokenRequest: boolean;
+    constructor({ authority, metadataUrl, metadata, signingKeys, metadataSeed, client_id, client_secret, response_type, scope, redirect_uri, post_logout_redirect_uri, client_authentication, prompt, display, max_age, ui_locales, acr_values, resource, response_mode, filterProtocolClaims, loadUserInfo, staleStateAgeInSeconds, clockSkewInSeconds, userInfoJwtIssuer, mergeClaims, disablePKCE, stateStore, refreshTokenCredentials, revokeTokenAdditionalContentTypes, fetchRequestCredentials, refreshTokenAllowedScope, extraQueryParams, extraTokenParams, extraHeaders, includeRedirectUriInRefreshTokenRequest,}: OidcClientSettings);
 }
 
 /**
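Review bot: the rewritten constructor signature ends in `includeRedirectUriInRefreshTokenRequest,}:` without the space before `}` that the existing `extraHeaders, }:` form uses. More importantly, this hand-edits a generated .d.ts; once the change is made in the source the declaration will be regenerated, so the upstream PR should not carry this hunk at all.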
diff --git a/node_modules/oidc-client-ts/dist/umd/oidc-client-ts.js b/node_modules/oidc-client-ts/dist/umd/oidc-client-ts.js
index 0c1838e..67c715a 100644
--- a/node_modules/oidc-client-ts/dist/umd/oidc-client-ts.js
+++ b/node_modules/oidc-client-ts/dist/umd/oidc-client-ts.js
@@ -1104,6 +1104,10 @@ var TokenClient = class {
         }
         break;
     }
+    // fix for Azure B2C "speciality"
+    if (this._settings.includeRedirectUriInRefreshTokenRequest) {
+      params.set('redirect_uri', this._settings.redirect_uri);
+    }
     const url = await this._metadataService.getTokenEndpoint(false);
     logger2.debug("got token endpoint");
     const response = await this._jsonService.postForm(url, { body: params, basicAuth, timeoutInSeconds, initCredentials: this._settings.fetchRequestCredentials });
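Review bot: this is the same block as in the esm bundle and needs the same guard on `this._settings.redirect_uri` being set, otherwise `params.set` sends "undefined". Both bundles are built from one TypeScript source, so fixing it once there covers esm and umd; duplicating logic across built artifacts is only acceptable for a local patch-package workaround.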

This issue body was partially generated by patch-package.
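As an added example (not code from this issue or from oidc-client-ts): a refresh-token request builder with the same opt-in flag, beside a constructed mock of a token endpoint that behaves the way the issue describes Azure B2C behaving. The function names `buildRefreshTokenBody` and `mockB2cTokenEndpoint`, the client id, the callback URL and the token strings are all assumptions made for the example. What it adds to the diff above is that the flag has to be guarded on `redirect_uri` actually being configured, because `URLSearchParams.set()` would otherwise send the literal string "undefined", and that a conforming server still checks the echoed URI against the registered ones.

```javascript
// Added example, not oidc-client-ts code. All names, URLs and tokens are constructed.

// Client side: build the application/x-www-form-urlencoded body for
// grant_type=refresh_token (RFC 6749 section 6). redirect_uri is not part of that
// grant in the spec, so it is only added when the caller opts in, and only when a
// value is really configured (URLSearchParams.set would otherwise send "undefined").
function buildRefreshTokenBody(settings, refreshToken) {
  const params = new URLSearchParams();
  params.set("grant_type", "refresh_token");
  params.set("refresh_token", refreshToken);
  params.set("client_id", settings.client_id);
  if (settings.refreshTokenAllowedScope) {
    params.set("scope", settings.refreshTokenAllowedScope);
  }
  if (settings.includeRedirectUriInRefreshTokenRequest) {
    if (typeof settings.redirect_uri !== "string" || settings.redirect_uri === "") {
      throw new Error(
        "includeRedirectUriInRefreshTokenRequest is set but redirect_uri is not configured");
    }
    params.set("redirect_uri", settings.redirect_uri);
  }
  return params;
}

// Server side (constructed mock, not Azure): the token endpoint behaviour the issue
// reports. It refuses a refresh without redirect_uri and, like any conforming server,
// refuses a redirect_uri that is not registered for the client.
const REGISTERED_REDIRECT_URIS = { "spa-client": ["https://app.example.test/callback"] };
const ISSUED_REFRESH_TOKENS = new Set(["rt-constructed-1"]);

function mockB2cTokenEndpoint(body) {
  const p = new URLSearchParams(body);
  if (p.get("grant_type") !== "refresh_token") {
    return { status: 400, error: "unsupported_grant_type" };
  }
  const allowed = REGISTERED_REDIRECT_URIS[p.get("client_id")];
  if (!allowed) return { status: 401, error: "invalid_client" };
  if (!ISSUED_REFRESH_TOKENS.has(p.get("refresh_token"))) {
    return { status: 400, error: "invalid_grant" };
  }
  const ru = p.get("redirect_uri");
  if (ru === null) {
    return { status: 400, error: "invalid_request", detail: "redirect_uri required" };
  }
  if (!allowed.includes(ru)) {
    return { status: 400, error: "invalid_grant", detail: "redirect_uri mismatch" };
  }
  return { status: 200, access_token: "at-constructed-2", refresh_token: "rt-constructed-2" };
}

// End to end: the spec-conforming request fails against this IdP, the opt-in succeeds.
function demo() {
  const base = { client_id: "spa-client", redirect_uri: "https://app.example.test/callback" };
  const withoutFlag = mockB2cTokenEndpoint(
    buildRefreshTokenBody(base, "rt-constructed-1").toString());
  const withFlag = mockB2cTokenEndpoint(
    buildRefreshTokenBody({ ...base, includeRedirectUriInRefreshTokenRequest: true },
      "rt-constructed-1").toString());
  return { withoutFlag, withFlag };
}
```

Running `demo()` returns a 400 `invalid_request` for the default request and a 200 with fresh tokens once the flag is set; the builder throws instead of sending `redirect_uri=undefined` when the flag is on but no URI is configured.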

@pamapa pamapa added the Microsoft Entra ID Former Azure AD label Sep 15, 2023
@pamapa
Member

pamapa commented Sep 15, 2023

According to their own specification redirect_uri is defined as optional:
"redirect_uri | Optional | The redirect URI of the application where you received the authorization code."
If that is really required, you should ask them to fix their IdP code or documentation. Strange!

@ikeem07

ikeem07 commented Dec 6, 2023

This functionality is pivotal to anyone using Azure B2C for token renewal. @dondracek Thank you for putting the pull request together. We are hoping that @pamapa will merge this pull request into this already awesome library.

@gidich

gidich commented Dec 6, 2023

@pamapa - I believe that this pull request matches what you suggested to be done on this issue 581.

Is there another approach you are suggesting to @n0rwin that wasn't addressed by @dondracek ?

@pamapa
Member

pamapa commented Dec 7, 2023

@pamapa - I believe that this pull request matches what you suggested to be done on this issue 581.

Yes, that is how I would like to have it, but the idea is not yet part of the code base; I will prepare something testable...

@pamapa
Member

pamapa commented Dec 7, 2023

Can you please test and review this merge request?

@pamapa pamapa added this to the 3.0.0-rc.0 milestone Dec 7, 2023
dbfr3qs pushed a commit to dbfr3qs/oidc-client-ts that referenced this issue Apr 3, 2024