ForgeRock · ryanbas21 · Sep 2, 2025 · Aug 25, 2025 · Aug 25, 2025 · Aug 26, 2025
diff --git a/.changeset/config.json b/.changeset/config.json
@@ -13,6 +13,7 @@
   "baseBranch": "main",
   "updateInternalDependencies": "patch",
   "ignore": [
+    "ping-javascript-sdk",
     "scratchpad",
     "@forgerock/pingone-scripts",
     "@forgerock/device-client",

diff --git a/.github/workflows/changesets-renovate.yml b/.github/workflows/changesets-renovate.yml
diff --git a/e2e/mock-api-v2/GEMINI.md b/e2e/mock-api-v2/GEMINI.md
diff --git a/e2e/mock-api-v2/src/addStepCookie.openapi.ts b/e2e/mock-api-v2/src/addStepCookie.openapi.ts
@@ -9,7 +9,7 @@ export const addStepCookie = (spec: any) => {
   const FLOW_TAGS = new Set(['Authorization', 'Capabilities']);
   const FLOW_PATH_MATCHERS = [
     /\/davinci\/authorize\b/,
-    /\/davinci\/connections\/[^/]+\/capabilities\//,
+    /\/davinci\/connections\/[^/]+\/capabilities/,
   ];
 
   const shouldAnnotate = (path: string, op: any) =>
@@ -32,6 +32,18 @@ export const addStepCookie = (spec: any) => {
         example: 2,
       });
     }
+    const alreadyAcrValues = op.parameters.some(
+      (p: any) => p && p.in === 'cookie' && p.name === 'acr_values',
+    );
+    if (!alreadyAcrValues && !op.tags?.includes('Authorization')) {
+      op.parameters.push({
+        name: 'acr_values',
+        in: 'cookie',
+        required: false,
+        description: 'The acr_values that were used to initiate the authorization flow.',
+        schema: { type: 'string' },
+      });
+    }
   };
 
   const ensureSetCookie = (op: any, status: string) => {

diff --git a/e2e/mock-api-v2/src/handlers/authorize.handler.ts b/e2e/mock-api-v2/src/handlers/authorize.handler.ts
@@ -4,28 +4,26 @@
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
  */
-import { Effect } from 'effect';
-
+import { Effect, pipe } from 'effect';
 import { MockApi } from '../spec.js';
-import { HttpApiBuilder, HttpApiError } from '@effect/platform';
+import { HttpApiBuilder, HttpApiError, HttpServerResponse } from '@effect/platform';
 import { getFirstElementAndRespond } from '../services/mock-env-helpers/index.js';
 
 const AuthorizeHandlerMock = HttpApiBuilder.group(MockApi, 'Authorization', (handlers) =>
   handlers.handle('authorize', ({ urlParams }) =>
     Effect.gen(function* () {
-      /**
-       * We expect an acr_value query parameter to be present in the request.
-       * If it is not present, we return a 404 Not Found error.
-       */
       const acr_value = urlParams?.acr_values ?? '';
 
-      if (!acr_value) {
-        return yield* Effect.fail(new HttpApiError.NotFound());
-      }
+      const body = yield* getFirstElementAndRespond(urlParams);
 
-      const response = yield* getFirstElementAndRespond(urlParams);
+      const res = yield* pipe(
+        HttpServerResponse.json(body),
+        Effect.flatMap(HttpServerResponse.setCookie('acr_values', acr_value, { path: '/' })),
+        Effect.catchTag('CookieError', () => Effect.fail(new HttpApiError.InternalServerError())),
+        Effect.catchTag('HttpBodyError', () => Effect.fail(new HttpApiError.InternalServerError())),
+      );
 
-      return response;
+      return res;
     }).pipe(Effect.withSpan('DavinciAuthorize')),
   ),
 );

diff --git a/e2e/mock-api-v2/src/handlers/capabilities.handler.ts b/e2e/mock-api-v2/src/handlers/capabilities.handler.ts
@@ -4,12 +4,11 @@
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
  */
-import { Console, Effect, pipe } from 'effect';
+import { Effect, pipe } from 'effect';
 import { MockApi } from '../spec.js';
 import {
   HttpApiBuilder,
   HttpApiError,
-  HttpBody,
   HttpServerRequest,
   HttpServerResponse,
 } from '@effect/platform';
@@ -18,15 +17,13 @@ import { validator } from '../helpers/match.js';
 import { returnSuccessResponseRedirect } from '../responses/return-success-redirect.js';
 
 const CapabilitiesHandlerMock = HttpApiBuilder.group(MockApi, 'Capabilities', (handlers) =>
-  handlers.handle('capabilities', ({ urlParams, payload }) =>
+  handlers.handle('capabilities', ({ payload }) =>
     Effect.gen(function* () {
-      /**
-       * We expect an acr_value query parameter to be present in the request.
-       * If it is not present, we return a 404 Not Found error.
-       */
-      const acr_value = urlParams?.acr_values ?? '';
-      console.log('acr_value', acr_value);
+      const req = yield* HttpServerRequest.HttpServerRequest;
+      console.log('request cookies', req.cookies);
+      const acr_value = req.cookies.acr_values ?? '';
 
+      console.log('acr_value', acr_value);
       if (!acr_value) {
         return yield* Effect.fail(new HttpApiError.NotFound());
       }
@@ -36,15 +33,13 @@ const CapabilitiesHandlerMock = HttpApiBuilder.group(MockApi, 'Capabilities', (h
        * If the cookie is not present, we return a 404 Not Found error.
        */
 
-      const req = yield* HttpServerRequest.HttpServerRequest;
-
       const stepIndexCookie = req.cookies['stepIndex'];
-      console.log(req.cookies);
 
       /**
        * If we are here with no step index that means we can't continue through a flow.
        * We should error
        */
+      console.log('step index cookie', stepIndexCookie);
       if (!stepIndexCookie) {
         console.log('no step index');
         return yield* Effect.fail(new HttpApiError.NotFound());
@@ -76,59 +71,49 @@ const CapabilitiesHandlerMock = HttpApiBuilder.group(MockApi, 'Capabilities', (h
        */
       const steps = responseMap[acr_value];
 
-      /**
-       * This may not be the best way to write this.
-       * An alternative option would be for us to include the success response we want to return,
-       * in the response map.
-       *
-       * then we can check if we are at the last step. if we are we write the cookie
-       * and then we return the success response (last item in array)
-       *
-       * for now, this returns a default success response and writes cookies.
-       */
-      if (stepIndex + 1 >= steps.length) {
+      if (stepIndex + 1 === steps.length - 1) {
         /**
          * we need to return a success because we have not failed yet,
          * and we have no more steps to process.
          */
-        const body = yield* HttpBody.json(returnSuccessResponseRedirect).pipe(
-          Effect.tap(Console.log(`here stepIndex: ${stepIndex}`)),
-          /**
-           * Decide on a better way to handle this error possibiltiy
-           */
-          Effect.catchTag('HttpBodyError', () =>
-            Effect.fail(
-              new HttpApiError.HttpApiDecodeError({
-                message: 'Failed to encode body',
-                issues: [],
-              }),
+        const body = responseMap[stepIndex];
+
+        return yield* pipe(
+          HttpServerResponse.json(body),
+          Effect.flatMap((res) => HttpServerResponse.setCookie(res, 'ST', 'MockApiCookie123')),
+          Effect.flatMap((res) =>
+            HttpServerResponse.setCookie(
+              res,
+              'interactionId',
+              returnSuccessResponseRedirect.interactionId,
+              {
+                httpOnly: true,
+                secure: true,
+                sameSite: 'strict',
+              },
             ),
           ),
-        );
-        return pipe(
-          HttpServerResponse.json(body),
-          HttpServerResponse.setCookie('ST', 'MockApiCookie123'),
-          HttpServerResponse.setCookie(
-            'interactionId',
-            returnSuccessResponseRedirect.interactionId,
-            {
-              httpOnly: true,
-              secure: true,
-              sameSite: 'strict',
-            },
+          Effect.flatMap((res) =>
+            HttpServerResponse.setCookie(
+              res,
+              'interactionToken',
+              returnSuccessResponseRedirect.interactionToken,
+              {
+                httpOnly: true,
+                secure: true,
+                sameSite: 'strict',
+              },
+            ),
           ),
-          HttpServerResponse.setCookie(
-            'interactionToken',
-            returnSuccessResponseRedirect.interactionToken,
-            {
-              httpOnly: true,
-              secure: true,
-              sameSite: 'strict',
-            },
+          Effect.flatMap((res) => HttpServerResponse.removeCookie(res, 'stepIndex')),
+          Effect.flatMap((res) => HttpServerResponse.setStatus(res, 200)),
+          Effect.flatMap((res) =>
+            HttpServerResponse.setHeader(res, 'Content-Type', 'application/json'),
+          ),
+          Effect.catchTag('CookieError', () => Effect.fail(new HttpApiError.InternalServerError())),
+          Effect.catchTag('HttpBodyError', () =>
+            Effect.fail(new HttpApiError.InternalServerError()),
           ),
-          HttpServerResponse.removeCookie('stepIndex'),
-          HttpServerResponse.setStatus(200),
-          HttpServerResponse.setHeader('Content-Type', 'application/json'),
         );
       }
 

diff --git a/e2e/mock-api-v2/src/handlers/open-id-configuration.handler.ts b/e2e/mock-api-v2/src/handlers/open-id-configuration.handler.ts
@@ -6,22 +6,96 @@
  */
 import { Effect } from 'effect';
 import { MockApi } from '../spec.js';
-import { openidConfigurationResponse } from '../responses/open-id-configuration.js';
 import { HttpApiBuilder } from '@effect/platform';
+import { HttpServerRequest } from '@effect/platform/HttpServerRequest';
 
-/**
- * TODO: This needs to make a request for an openid configuration in a LIVE environment
- * The proper way is to probably create a LIVE (effect convention) route, that handles this
- * then the LIVE app is provided the HttpClient needed
- *
- *
- */
 const OpenidConfigMock = HttpApiBuilder.group(MockApi, 'OpenIDConfig', (handlers) =>
-  handlers.handle(
-    'openid',
-    Effect.fn('OpenId')(function* () {
-      const value = yield* Effect.succeed(openidConfigurationResponse);
-      return value;
+  handlers.handle('openid', ({ path: { envid } }) =>
+    Effect.gen(function* () {
+      const request = yield* HttpServerRequest;
+      const url = new URL(request.url);
+      const issuer = `${url.protocol}//${url.host}/${envid}/as`;
+      return {
+        issuer,
+        authorization_endpoint: `${issuer}/authorize`,
+        pushed_authorization_request_endpoint: `${issuer}/par`,
+        token_endpoint: `${issuer}/token`,
+        userinfo_endpoint: `${issuer}/userinfo`,
+        jwks_uri: `${issuer}/jwks`,
+        end_session_endpoint: `${issuer}/signoff`,
+        check_session_iframe: `${issuer}/checksession`,
+        introspection_endpoint: `${issuer}/introspect`,
+        revocation_endpoint: `${issuer}/revoke`,
+        device_authorization_endpoint: `${issuer}/device_authorization`,
+        claims_parameter_supported: false,
+        request_parameter_supported: true,
+        request_uri_parameter_supported: false,
+        require_pushed_authorization_requests: false,
+        scopes_supported: ['openid', 'profile', 'email', 'address', 'phone'],
+        response_types_supported: [
+          'code',
+          'id_token',
+          'token id_token',
+          'code id_token',
+          'code token',
+          'code token id_token',
+        ],
+        response_modes_supported: ['pi.flow', 'query', 'fragment', 'form_post'],
+        grant_types_supported: [
+          'authorization_code',
+          'implicit',
+          'client_credentials',
+          'refresh_token',
+          'urn:ietf:params:oauth:grant-type:device_code',
+        ],
+        subject_types_supported: ['public'],
+        id_token_signing_alg_values_supported: ['RS256'],
+        userinfo_signing_alg_values_supported: ['none'],
+        request_object_signing_alg_values_supported: [
+          'none',
+          'HS256',
+          'HS384',
+          'HS512',
+          'RS256',
+          'RS384',
+          'RS512',
+        ],
+        token_endpoint_auth_methods_supported: [
+          'client_secret_basic',
+          'client_secret_post',
+          'client_secret_jwt',
+          'private_key_jwt',
+        ],
+        token_endpoint_auth_signing_alg_values_supported: [
+          'HS256',
+          'HS384',
+          'HS512',
+          'RS256',
+          'RS384',
+          'RS512',
+        ],
+        claim_types_supported: ['normal'],
+        claims_supported: [
+          'sub',
+          'iss',
+          'auth_time',
+          'acr',
+          'name',
+          'given_name',
+          'family_name',
+          'middle_name',
+          'preferred_username',
+          'profile',
+          'picture',
+          'zoneinfo',
+          'phone_number',
+          'updated_at',
+          'address',
+          'email',
+          'locale',
+        ],
+        code_challenge_methods_supported: ['plain', 'S256'],
+      };
     }),
   ),
 );

diff --git a/e2e/mock-api-v2/src/handlers/userinfo.handler.ts b/e2e/mock-api-v2/src/handlers/userinfo.handler.ts
@@ -7,13 +7,18 @@
 import { Effect } from 'effect';
 import { MockApi } from '../spec.js';
 import { UserInfo } from '../services/userinfo.service.js';
-import { HttpApiBuilder } from '@effect/platform';
+import { HttpApiBuilder, HttpApiError } from '@effect/platform';
 import { BearerToken } from '../middleware/Authorization.js';
 
 const UserInfoMockHandler = HttpApiBuilder.group(MockApi, 'ProtectedRequests', (handlers) =>
   handlers.handle('UserInfo', () =>
     Effect.gen(function* () {
       const authToken = yield* BearerToken;
+
+      if (!authToken) {
+        return yield* Effect.fail(new HttpApiError.Unauthorized());
+      }
+
       const { getUserInfo } = yield* UserInfo;
 
       const response = yield* getUserInfo(authToken);

diff --git a/e2e/mock-api-v2/src/main.ts b/e2e/mock-api-v2/src/main.ts
@@ -66,7 +66,7 @@ const ServerMock = HttpApiBuilder.serve(HttpMiddleware.logger).pipe(
 
   Layer.provide(NodeSdkLive),
   HttpServer.withLogAddress,
-  Layer.provide(NodeHttpServer.layer(createServer, { port: 9443 })),
+  Layer.provide(NodeHttpServer.layer(createServer, { port: 9443, host: 'localhost' })),
 );
 
 Layer.launch(ServerMock).pipe(NodeRuntime.runMain);