From 6db02a64dea2df502ca35dd44c916023ea26f89a Mon Sep 17 00:00:00 2001
From: eirikafterdark <167545806+eirikafterdark@users.noreply.github.com>
Date: Fri, 14 Jun 2024 17:32:16 +0200
Subject: [PATCH 1/2] Only request OIDC scopes that are supported

In particular, an OIDC provider should not have to support the "email" scope.
---
 packages/oidc-auth/src/index.ts | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/packages/oidc-auth/src/index.ts b/packages/oidc-auth/src/index.ts
index 2a330345e..729925b3a 100644
--- a/packages/oidc-auth/src/index.ts
+++ b/packages/oidc-auth/src/index.ts
@@ -26,7 +26,7 @@ const defaultExpirationInterval = 60 * 60 * 24 // 1 day
 export type OidcAuth = {
   sub: string
-  email: string
+  email?: string
   rtk: string // refresh token
   rtkexp: number // token expiration time ; refresh token if it's expired
   ssnexp: number // session expiration time; if it's expired, revoke session and redirect to IdP
@@ -180,7 +180,7 @@ const updateAuth = async (
   const authExpires = Number(env.OIDC_AUTH_EXPIRES!) || defaultExpirationInterval
   const updated: OidcAuth = {
     sub: claims?.sub || orig?.sub || '',
-    email: (claims?.email as string) || orig?.email || '',
+    email: (claims?.email as string | undefined) || orig?.email || '',
     rtk: response.refresh_token || orig?.rtk || '',
     rtkexp: Math.floor(Date.now() / 1000) + authRefreshInterval,
     ssnexp: orig?.ssnexp || Math.floor(Date.now() / 1000) + authExpires,
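Review bot: `email?: string` is optional in the type only, because the `updateAuth` hunk below still writes `|| orig?.email || ''`, so at runtime the field is never `undefined` and callers cannot distinguish "no email claim" from an empty string. Either drop the `|| ''` there so a missing claim surfaces as `undefined`, or document the sentinel on the field in the style of its neighbours: `email?: string // '' when the IdP did not grant the "email" scope`. The OidcAuth declaration continues past the end of the hunk.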
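Review bot: `claims?.email as string | undefined` is an unchecked assertion on a value taken from the IdP's ID token, so a non-string claim is stored into `updated.email` as-is and the `string` type of the field no longer reflects what is there. Narrow at runtime instead of asserting: `email: (typeof claims?.email === 'string' ? claims.email : undefined) || orig?.email || '',`. The fallback to `orig?.email` also carries an address from an earlier session forward when the fresh claims omit it; if that is intended it deserves a one-line comment. The `updated` literal and the rest of updateAuth continue outside the hunk.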
@@ -240,17 +240,16 @@ const generateAuthorizationRequestUrl = async (
   authorizationRequestUrl.searchParams.set('client_id', client.client_id)
   authorizationRequestUrl.searchParams.set('redirect_uri', env.OIDC_REDIRECT_URI)
   authorizationRequestUrl.searchParams.set('response_type', 'code')
-  if (as.scopes_supported === undefined || as.scopes_supported.length === 0) {
-    throw new HTTPException(500, {
-      message: 'The supported scopes information is not provided by the IdP',
-    })
-  } else if (as.scopes_supported.indexOf('email') === -1) {
-    throw new HTTPException(500, { message: 'The "email" scope is not supported by the IdP' })
-  } else if (as.scopes_supported.indexOf('offline_access') === -1) {
-    authorizationRequestUrl.searchParams.set('scope', 'openid email')
-  } else {
-    authorizationRequestUrl.searchParams.set('scope', 'openid email offline_access')
+
+  const scopes = ['openid'];
+  if (as.scopes_supported?.includes('email')) {
+    scopes.push('email');
+  }
+  if (as.scopes_supported?.includes('offline_access')) {
+    scopes.push('offline_access');
   }
+  authorizationRequestUrl.searchParams.set('scope', scopes.join(' '))
+
   authorizationRequestUrl.searchParams.set('state', state)
   authorizationRequestUrl.searchParams.set('nonce', nonce)
   authorizationRequestUrl.searchParams.set('code_challenge', code_challenge)

From 40fd6d8fa46658607f928f08a5786770f4f163c0 Mon Sep 17 00:00:00 2001
From: eirikafterdark <167545806+eirikafterdark@users.noreply.github.com>
Date: Fri, 14 Jun 2024 17:34:16 +0200
Subject: [PATCH 2/2] Code style (remove semicolon)

---
 packages/oidc-auth/src/index.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/oidc-auth/src/index.ts b/packages/oidc-auth/src/index.ts
index 729925b3a..b87319236 100644
--- a/packages/oidc-auth/src/index.ts
+++ b/packages/oidc-auth/src/index.ts
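Review bot: When the discovery document carries no `scopes_supported` at all, `as.scopes_supported?.includes(...)` is `undefined` for both checks and the request silently asks for `openid` only, so `offline_access` is never requested and, presumably, no `refresh_token` comes back, leaving `rtk` as `''` in `updateAuth`; the removed code at least failed loudly with a 500 in that case. OpenID Connect Discovery lists `scopes_supported` as RECOMMENDED rather than required and lets a server omit scopes it does support, so an absent or incomplete list does not establish that a scope is unsupported, while a server that does not recognise a requested scope value is expected to ignore it. Treat an undefined list as "unknown" and still ask, e.g. `const supports = (s: string) => as.scopes_supported === undefined || as.scopes_supported.includes(s)` with `if (supports('email')) scopes.push('email')` and `if (supports('offline_access')) scopes.push('offline_access')`, and add a comment stating that the scope list is advisory. Whether the refresh path tolerates an empty `rtk` is not visible here; generateAuthorizationRequestUrl starts and ends outside the hunk.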
@@ -243,10 +243,10 @@ const generateAuthorizationRequestUrl = async (
   const scopes = ['openid'];
   if (as.scopes_supported?.includes('email')) {
-    scopes.push('email');
+    scopes.push('email')
   }
   if (as.scopes_supported?.includes('offline_access')) {
-    scopes.push('offline_access');
+    scopes.push('offline_access')
   }
   authorizationRequestUrl.searchParams.set('scope', scopes.join(' '))
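Review bot: The semicolons are removed from the two `scopes.push(...)` lines, but the context line `const scopes = ['openid'];` at the top of the hunk keeps its semicolon, so the block still mixes the two styles after a commit whose purpose is to unify them. Change it to `const scopes = ['openid']` in the same commit. The enclosing generateAuthorizationRequestUrl starts and ends outside the hunk.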