fix: ignore non-conform "unrecognized" id_token in oauthCallback()

fixes #503
panva · Jul 4, 2022 · 3425110 · 3425110
1 parent 687ba84
commit 3425110
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -557,13 +557,14 @@ class BaseClient {
       throw new OPError(params);
     }
 
-    if ('id_token' in params) {
+    if (typeof params.id_token === 'string' && params.id_token.length) {
       throw new RPError({
         message:
           'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
         params,
       });
     }
+    delete params.id_token
 
     const RESPONSE_TYPE_REQUIRED_PARAMS = {
       code: ['code'],
@@ -608,13 +609,14 @@ class BaseClient {
         { clientAssertionPayload, DPoP },
       );
 
-      if ('id_token' in tokenset) {
+      if (typeof tokenset.id_token === 'string' && tokenset.id_token.length) {
         throw new RPError({
           message:
             'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
           params,
         });
       }
+      delete tokenset.id_token
 
       return tokenset;
     }

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -1100,6 +1100,18 @@ describe('Client', () => {
           });
       });
 
+      it('ignores the id_token when falsy', function () {
+        return this.client
+          .oauthCallback('https://rp.example.com/cb', {
+            access_token: 'foo',
+            token_type: 'bearer',
+            id_token: '',
+          })
+          .then((tokenset) => {
+            expect(tokenset).not.to.have.property('id_token');
+          });
+      });
+
       it('rejects when id_token was issued by the token endpoint', function () {
         nock('https://op.example.com')
           .matchHeader('Accept', 'application/json')
@@ -1120,6 +1132,23 @@ describe('Client', () => {
             );
           });
       });
+
+      it('ignores the the token endpoint id_token property when falsy', function () {
+        nock('https://op.example.com')
+          .matchHeader('Accept', 'application/json')
+          .matchHeader('Content-Length', isNumber)
+          .matchHeader('Transfer-Encoding', isUndefined)
+          .post('/token')
+          .reply(200, { id_token: '' });
+
+        return this.client
+          .oauthCallback('https://rp.example.com/cb', {
+            code: 'foo',
+          })
+          .then((tokenset) => {
+            expect(tokenset).not.to.have.property('id_token');
+          });
+      });
     });
 
     describe('response type checks', function () {