@ancheetah (Collaborator) commented Nov 3, 2025

JIRA Ticket

https://pingidentity.atlassian.net/browse/SDKS-4445

Description

Bug fix. Appends query params to authorization url when provided in options to oidcClient.tokens.get or oidcClient.authorize. Adds unit test.

Includes patch changeset

Summary by CodeRabbit

  • New Features

    • Authorization URLs now accept and append custom query parameters from request options, while ensuring standard auth parameters take precedence.
  • Tests

    • Added tests verifying query parameters are included and that standard params override conflicting query values.
  • Chores

    • Added a changelog entry and applied patch-level package updates.

changeset-bot bot commented Nov 3, 2025

🦋 Changeset detected

Latest commit: ef4ab6f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 13 packages
Name Type
@forgerock/sdk-oidc Patch
@forgerock/oidc-client Patch
@forgerock/davinci-client Patch
@forgerock/journey-app Patch
@forgerock/journey-client Patch
@forgerock/protect Patch
@forgerock/sdk-types Patch
@forgerock/sdk-utilities Patch
@forgerock/iframe-manager Patch
@forgerock/sdk-logger Patch
@forgerock/sdk-request-middleware Patch
@forgerock/storage Patch
@forgerock/journey-suites Patch


coderabbitai bot commented Nov 3, 2025

Walkthrough

Refactors authorize URL construction by removing the explicit OidcConfig from the createAuthorizeUrlµ signature and returned tuple, updates related tests, and adds behavior to spread optional options.query into the authorization URL search parameters in the effects package.

Changes

Cohort / File(s): Change Summary

Changelog
.changeset/vast-dogs-make.md
Adds a patch changelog entry describing that query params are appended to the authorization URL when provided.

Authorize Request Core
packages/oidc-client/src/lib/authorize.request.ts, packages/oidc-client/src/lib/authorize.request.utils.ts
Removes OidcConfig from the createAuthorizeUrlµ signature and from the returned tuple; changes BuildAuthorizationData from [string, OidcConfig, GetAuthorizationUrlOptions] to [string, GetAuthorizationUrlOptions]; updates types/docs and related return/error typing.

Authorize Request Tests
packages/oidc-client/src/lib/authorize.request.utils.test.ts
Adjusts expected tuples in tests to remove the separate config object and assert the new inline options shape.

Authorization Effects
packages/sdk-effects/oidc/src/lib/authorize.effects.ts
Spreads options.query into URLSearchParams prior to adding mandatory OAuth parameters so arbitrary query params are included in the final authorize URL (conflicting standard params are later overwritten by mandatory params).

Authorization Effects Tests
packages/sdk-effects/oidc/src/lib/authorize.test.ts
Adds tests verifying query parameters are included and that standard parameters override conflicting query values.

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant authorize.request
    participant authorize.utils
    participant authorize.effects

    Caller->>authorize.request: authorize(url, options)
    activate authorize.request

    note over authorize.request: flatMap now calls\ncreateAuthorizeUrlµ(url, options)
    authorize.request->>authorize.utils: createAuthorizeUrlµ(url, options)
    activate authorize.utils

    authorize.utils->>authorize.utils: buildAuthorizeOptionsµ()
    note over authorize.utils: returns [string, GetAuthorizationUrlOptions]
    authorize.utils-->>authorize.request: [url, options]
    deactivate authorize.utils

    authorize.request->>authorize.effects: buildAuthorizeURL(url, options)
    activate authorize.effects

    note over authorize.effects: Spreads options.query into\nURLSearchParams (NEW)
    note over authorize.effects: Then adds mandatory params\n(code_challenge, client_id, etc.)
    authorize.effects-->>authorize.request: authorizeURL (with query params)
    deactivate authorize.effects

    authorize.request-->>Caller: authorizeURL
    deactivate authorize.request

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Files needing extra attention:
    • packages/oidc-client/src/lib/authorize.request.utils.ts — verify no callers relied on the removed config in the tuple.
    • packages/sdk-effects/oidc/src/lib/authorize.effects.ts — confirm parameter precedence and encoding when options.query contains keys that overlap standard params.
    • Updated tests — ensure assertions match new tuple shape and error types.

Suggested reviewers

  • cerebrl
  • ryanbas21

Poem

🐰 I hopped through tuples, nipped config from the tree,

I sprinkled query params for all to see,
Paths and options now waltz, tidy and bright,
The auth URL shimmers in morning light,
— a tiny rabbit's code delight ✨

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Title check: ✅ Passed
The pull request title 'fix(oidc-client): append query params when provided' directly and accurately reflects the main change in the changeset. It uses a conventional commit format with the 'fix' type and clearly describes the primary behavior change: appending query parameters to the authorization URL when provided. The title is concise, specific, and immediately conveys the intent to a developer reviewing the change history.

Description check: ✅ Passed
The pull request description follows the required template structure with both main sections present: a JIRA Ticket link and a Description section. It includes the relevant ticket reference (SDKS-4445), clearly explains the bug fix (appending query params to authorization URL), mentions the scope (oidcClient.tokens.get and oidcClient.authorize), notes that unit tests were added, and confirms a changeset was included. While the description is concise, it provides sufficient information about the changes and their context.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52c2b48 and ef4ab6f.

📒 Files selected for processing (6)
  • .changeset/vast-dogs-make.md (1 hunks)
  • packages/oidc-client/src/lib/authorize.request.ts (1 hunks)
  • packages/oidc-client/src/lib/authorize.request.utils.test.ts (0 hunks)
  • packages/oidc-client/src/lib/authorize.request.utils.ts (2 hunks)
  • packages/sdk-effects/oidc/src/lib/authorize.effects.ts (1 hunks)
  • packages/sdk-effects/oidc/src/lib/authorize.test.ts (1 hunks)
💤 Files with no reviewable changes (1)
  • packages/oidc-client/src/lib/authorize.request.utils.test.ts
✅ Files skipped from review due to trivial changes (1)
  • .changeset/vast-dogs-make.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/sdk-effects/oidc/src/lib/authorize.effects.ts
  • packages/oidc-client/src/lib/authorize.request.ts
🧰 Additional context used
🧬 Code graph analysis (2)
packages/sdk-effects/oidc/src/lib/authorize.test.ts (2)
packages/sdk-types/src/lib/authorize.types.ts (1)
  • GenerateAndStoreAuthUrlValues (44-48)
packages/sdk-effects/oidc/src/lib/authorize.effects.ts (1)
  • createAuthorizeUrl (23-60)
packages/oidc-client/src/lib/authorize.request.utils.ts (1)
packages/sdk-types/src/lib/authorize.types.ts (1)
  • GetAuthorizationUrlOptions (19-36)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Mend Code Security Check
  • GitHub Check: pr
🔇 Additional comments (5)
packages/oidc-client/src/lib/authorize.request.utils.ts (3)

15-15: Good refactor simplifying the type definition.

Removing the explicit OidcConfig from the tuple simplifies the API since the necessary configuration values are already embedded within GetAuthorizationUrlOptions.


93-93: Documentation accurately reflects the refactored return type.

The JSDoc correctly documents the simplified return type.


95-98: Function signature correctly simplified.

Removing the config parameter streamlines the API, as the configuration values are now part of the options parameter. The implementation correctly returns a 2-tuple matching the updated type.

packages/sdk-effects/oidc/src/lib/authorize.test.ts (2)

86-102: Excellent test coverage for query parameter inclusion.

This test properly verifies that custom query parameters are successfully included in the authorization URL, which is the core functionality described in the PR objectives.


104-120: Critical security test ensuring parameter integrity.

This test is essential for preventing query parameter injection attacks. It correctly verifies that standard OAuth parameters (like client_id) cannot be overridden by values in the query object, while still allowing custom parameters to be included. The underlying implementation spreads options.query first, then sets standard parameters, ensuring the correct override behavior.


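The precedence the review comments above describe, as an added example written for this page and not code from the ping-javascript-sdk repository or this PR: caller-supplied query params are spread into URLSearchParams first, and the mandatory OAuth parameters are set afterwards, so a conflicting client_id or redirect_uri in the query object is overwritten rather than honoured. The option and PKCE shapes are simplified assumptions, not the SDK's real types, and collidingQueryKeys is an added helper that reports which caller keys were overridden so an application can log them.

```typescript
// Added example, not code from the ping-javascript-sdk repository.
// Simplified shapes (assumptions): the real SDK's GenerateAndStoreAuthUrlValues
// carries more fields and generates the PKCE values itself.
interface AuthorizeOptions {
  clientId: string;
  redirectUri: string;
  scope: string;
  query?: Record<string, string>; // caller-supplied extra params
}

interface PkceValues {
  challenge: string;
  state: string;
}

// Parameters the client must control; a value for any of these in
// options.query is overwritten, never honoured.
export const PROTECTED_PARAMS: readonly string[] = [
  'client_id',
  'redirect_uri',
  'response_type',
  'scope',
  'code_challenge',
  'code_challenge_method',
  'state',
];

// Returns the caller-supplied keys that collide with protected parameters,
// so the application can log or reject them instead of silently dropping them.
export function collidingQueryKeys(query?: Record<string, string>): string[] {
  return Object.keys(query ?? {}).filter((k) => PROTECTED_PARAMS.includes(k));
}

export function buildAuthorizeUrl(
  baseUrl: string,
  opts: AuthorizeOptions,
  pkce: PkceValues,
): string {
  // Object-literal order is what gives precedence: the spread comes first,
  // and the explicit keys after it win for any duplicate name.
  const params = new URLSearchParams({
    ...(opts.query ?? {}),
    client_id: opts.clientId,
    redirect_uri: opts.redirectUri,
    response_type: 'code',
    scope: opts.scope,
    code_challenge: pkce.challenge,
    code_challenge_method: 'S256',
    state: pkce.state,
  });
  const url = new URL(baseUrl);
  url.search = params.toString(); // URLSearchParams percent-encodes values
  return url.toString();
}
```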

nx-cloud bot (Contributor) commented Nov 3, 2025

View your CI Pipeline Execution ↗ for commit ef4ab6f

Command: Status (Duration)
nx run-many -t build: ✅ Succeeded (<1s)
nx affected -t build typecheck lint test e2e-ci: ✅ Succeeded (1m 30s)
nx-cloud record -- nx format:check: ✅ Succeeded (1s)

☁️ Nx Cloud last updated this comment at 2025-11-03 16:04:06 UTC

coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
packages/sdk-effects/oidc/src/lib/authorize.effects.ts (1)

42-53: LGTM! Query parameter spreading implemented correctly.

The implementation correctly spreads options.query into URLSearchParams before adding standard OAuth parameters. This ordering ensures that required OAuth parameters (e.g., client_id, redirect_uri) cannot be overridden by custom query parameters, which is the correct security posture.

Consider adding a brief comment explaining the parameter precedence:

  const requestParams = new URLSearchParams({
+   // Spread custom query params first; standard OAuth params below will override any conflicts
    ...options.query,
    code_challenge: challenge,
packages/sdk-effects/oidc/src/lib/authorize.test.ts (1)

86-102: LGTM! Good test coverage for the new feature.

The test correctly verifies that custom query parameters are appended to the authorization URL when provided via options.query.

Consider adding a test case that verifies standard OAuth parameters take precedence over query parameters in case of naming conflicts:

it('should ensure standard OAuth params override conflicting query params', async () => {
  const optionsWithConflict: GenerateAndStoreAuthUrlValues = {
    ...mockOptions,
    query: {
      client_id: 'malicious-client',
      custom_param: 'value',
    },
  };

  const url = await createAuthorizeUrl(baseUrl, optionsWithConflict);
  const params = new URL(url).searchParams;

  // Standard param should override query param
  expect(params.get('client_id')).toBe(mockOptions.clientId);
  // Custom param should be preserved
  expect(params.get('custom_param')).toBe('value');
});
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa3d434 and 52c2b48.

📒 Files selected for processing (6)
  • .changeset/vast-dogs-make.md (1 hunks)
  • packages/oidc-client/src/lib/authorize.request.ts (1 hunks)
  • packages/oidc-client/src/lib/authorize.request.utils.test.ts (0 hunks)
  • packages/oidc-client/src/lib/authorize.request.utils.ts (2 hunks)
  • packages/sdk-effects/oidc/src/lib/authorize.effects.ts (1 hunks)
  • packages/sdk-effects/oidc/src/lib/authorize.test.ts (1 hunks)
💤 Files with no reviewable changes (1)
  • packages/oidc-client/src/lib/authorize.request.utils.test.ts
🧰 Additional context used
🧬 Code graph analysis (3)
packages/oidc-client/src/lib/authorize.request.ts (1)
packages/oidc-client/src/lib/authorize.request.utils.ts (1)
  • createAuthorizeUrlµ (95-119)
packages/sdk-effects/oidc/src/lib/authorize.test.ts (2)
packages/sdk-types/src/lib/authorize.types.ts (1)
  • GenerateAndStoreAuthUrlValues (44-48)
packages/sdk-effects/oidc/src/lib/authorize.effects.ts (1)
  • createAuthorizeUrl (23-60)
packages/oidc-client/src/lib/authorize.request.utils.ts (1)
packages/sdk-types/src/lib/authorize.types.ts (1)
  • GetAuthorizationUrlOptions (19-36)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: pr
  • GitHub Check: Mend Code Security Check
🔇 Additional comments (5)
.changeset/vast-dogs-make.md (1)

1-6: LGTM!

The changeset correctly documents this patch-level feature addition for both affected packages.

packages/oidc-client/src/lib/authorize.request.utils.ts (3)

15-15: LGTM! Type simplification improves data flow.

Removing OidcConfig from the BuildAuthorizationData tuple is a good refactoring that reduces redundancy. All necessary config fields are now embedded directly in the GetAuthorizationUrlOptions object.


25-44: LGTM! Config fields correctly embedded in options.

The function now constructs authorization options by extracting necessary fields from config and embedding them directly in the options object, which aligns with the simplified tuple structure.


95-98: LGTM! Function signature correctly updated.

The removal of the config parameter is appropriate since all necessary data is now available in the options object. The signature change is consistent with the updated BuildAuthorizationData type.

packages/oidc-client/src/lib/authorize.request.ts (1)

40-40: LGTM! Call site correctly updated.

The function call correctly reflects the updated createAuthorizeUrlµ signature, passing only url and options parameters.

codecov-commenter commented Nov 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 18.52%. Comparing base (fa3d434) to head (ef4ab6f).

❌ Your project status has failed because the head coverage (18.52%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #471      +/-   ##
==========================================
- Coverage   18.52%   18.52%   -0.01%     
==========================================
  Files         138      138              
  Lines       27402    27401       -1     
  Branches      963      963              
==========================================
- Hits         5076     5075       -1     
  Misses      22326    22326              
Files with missing lines Coverage Δ
packages/oidc-client/src/lib/authorize.request.ts 33.33% <100.00%> (ø)
...ges/oidc-client/src/lib/authorize.request.utils.ts 42.85% <ø> (-1.23%) ⬇️
...ages/sdk-effects/oidc/src/lib/authorize.effects.ts 100.00% <100.00%> (ø)

pkg-pr-new bot commented Nov 3, 2025

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@471

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@471

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@471

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@471

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@471

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@471

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@471

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@471

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@471

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@471

commit: ef4ab6f

github-actions bot (Contributor) commented Nov 3, 2025

Deployed 7e23c86 to https://ForgeRock.github.io/ping-javascript-sdk/pr-471/7e23c86eab3d412b13139bcc364dfe7c1348d820 branch gh-pages in ForgeRock/ping-javascript-sdk

github-actions bot (Contributor) commented Nov 3, 2025

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/journey-client - 0.0 KB (-82.0 KB, -100.0%)

📊 Minor Changes

📉 @forgerock/oidc-client - 22.9 KB (-0.0 KB)
📈 @forgerock/journey-client - 82.0 KB (+0.0 KB)
📈 @forgerock/sdk-oidc - 2.6 KB (+0.0 KB)

➖ No Changes

@forgerock/device-client - 9.2 KB
@forgerock/protect - 150.1 KB
@forgerock/sdk-utilities - 7.5 KB
@forgerock/sdk-types - 8.0 KB
@forgerock/storage - 1.4 KB
@forgerock/sdk-logger - 1.6 KB
@forgerock/iframe-manager - 2.4 KB
@forgerock/sdk-request-middleware - 4.5 KB
@forgerock/davinci-client - 35.4 KB


13 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated
  • Current Size: Total gzipped size of all files in the package's dist directory
  • Baseline: Comparison against the latest build from the main branch
  • Files included: All build outputs except source maps and TypeScript build cache
  • Exclusions: .map, .tsbuildinfo, and .d.ts.map files

🔄 Updated automatically on each push to this PR

@ancheetah ancheetah force-pushed the SDKS-4445-oidc-query-params branch from 52c2b48 to ef4ab6f Compare November 3, 2025 16:01
@ryanbas21 (Collaborator) left a comment

Breaking change?

This was not; I'm forgetting code from 6 months ago at this point.

@ancheetah ancheetah merged commit ba94c26 into main Nov 4, 2025
7 checks passed
@ancheetah ancheetah deleted the SDKS-4445-oidc-query-params branch November 4, 2025 15:29
@ryanbas21 ryanbas21 mentioned this pull request Oct 28, 2025