Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't validate id_token when alg is HS256 and there is no clientSecret #330

Merged
merged 6 commits into from
Feb 5, 2019
Merged

Don't validate id_token when alg is HS256 and there is no clientSecret #330

merged 6 commits into from
Feb 5, 2019

Conversation

luisrudge
Copy link
Contributor

@luisrudge luisrudge commented Jan 31, 2019
edited

fix #329

Changes

In 2.13.0 we added ID token validation, but there are old tenants that return HS256 id_tokens. Since this library doesn't require the clientSecret param and the client secret is needed to validate HS256 id_tokens, the validation fails with an exception. This PR bypasses the validation when the id_token is HS256 and there is no client secret (it will emit a console.warn).

References

#295

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

[x] This change adds unit test coverage

[ ] This change adds integration test coverage

Checklist

[x] I have read the Auth0 general contribution guidelines

[x] I have read the Auth0 Code of Conduct

[x] All existing and new tests complete without errors

@luisrudge luisrudge added this to the v2.14.1 milestone Jan 31, 2019
@luisrudge luisrudge mentioned this pull request Jan 31, 2019
Closed
lbalmaceda
lbalmaceda reviewed Jan 31, 2019
View reviewed changes
src/auth/OAUthWithIDTokenValidation.js Show resolved Hide resolved
src/auth/OAUthWithIDTokenValidation.js Show resolved Hide resolved
test/auth/oauth-with-idtoken-validation.tests.js
};
sinon.stub(jwt, 'verify', function(idtoken, getKey, options, callback) {
getKey({ alg: 'HS256' }, function(err, key) {
expect(err.message).to.contain(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think besides skipping the validation is also important to test that the console.warn was called with the right message

@damieng damieng merged commit 7c5388c into master Feb 5, 2019
@luisrudge luisrudge deleted the fix/hs256-no-client-secret branch February 5, 2019 23:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lbalmaceda lbalmaceda lbalmaceda approved these changes

Assignees
No one assigned
Labels
CH: Fixed
Projects
None yet
Milestone
v2.15.0
Development

Successfully merging this pull request may close these issues.

oauth.signIn not working since v2.13.0
3 participants
@luisrudge @lbalmaceda @damieng