fix: reject oauthCallback when id_token is detected

panva · Dec 3, 2021 · 92ffee5 · 92ffee5
1 parent fb6a141
commit 92ffee5
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -565,6 +565,14 @@ class BaseClient {
       throw new OPError(params);
     }
 
+    if ('id_token' in params) {
+      throw new RPError({
+        message:
+          'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
+        params,
+      });
+    }
+
     const RESPONSE_TYPE_REQUIRED_PARAMS = {
       code: ['code'],
       token: ['access_token', 'token_type'],
@@ -608,6 +616,14 @@ class BaseClient {
         { clientAssertionPayload, DPoP },
       );
 
+      if ('id_token' in tokenset) {
+        throw new RPError({
+          message:
+            'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
+          params,
+        });
+      }
+
       if (tokenset.scope && checks.scope && this.fapi()) {
         const expected = new Set(checks.scope.split(' '));
         const actual = tokenset.scope.split(' ');

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -1084,6 +1084,44 @@ describe('Client', () => {
       });
     });
 
+    describe('cannot be used for id_token responses', function () {
+      it('rejects when id_token was issued by the authorization endpoint', function () {
+        return this.client
+          .oauthCallback('https://rp.example.com/cb', {
+            code: 'foo',
+            id_token: 'foo',
+          })
+          .then(fail, (error) => {
+            expect(error).to.be.instanceof(Error);
+            expect(error).to.have.property(
+              'message',
+              'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
+            );
+          });
+      });
+
+      it('rejects when id_token was issued by the token endpoint', function () {
+        nock('https://op.example.com')
+          .matchHeader('Accept', 'application/json')
+          .matchHeader('Content-Length', isNumber)
+          .matchHeader('Transfer-Encoding', isUndefined)
+          .post('/token')
+          .reply(200, { id_token: 'foo' });
+
+        return this.client
+          .oauthCallback('https://rp.example.com/cb', {
+            code: 'foo',
+          })
+          .then(fail, (error) => {
+            expect(error).to.be.instanceof(Error);
+            expect(error).to.have.property(
+              'message',
+              'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
+            );
+          });
+      });
+    });
+
     describe('response type checks', function () {
       it('rejects with an Error when code is missing', function () {
         return this.client