
Commit 4b423b0

committed
fix: Exception when id_token not set.
django-oauth-toolkit does not support openid for the resource owner credentials flow. The response will still have openid in the scopes property, but there is no id_token. This leads to an exception. This change makes the client a little more tolerant of auth servers by not trying to parse the id_token in this scenario. authts#1206
1 parent 759079b commit 4b423b0

2 files changed

Lines changed: 22 additions & 1 deletion


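--- a/src/ResponseValidator.test.ts
+++ b/src/ResponseValidator.test.ts
@@ -578,6 +578,27 @@ describe("ResponseValidator", () => {
 expect(stubResponse).not.toHaveProperty("profile");
 });
 
+it("should process an openid signin response without an id_token as a non-openid signin response", async () => {
+// this is aimed at Authorization servers that don't support the OIDC spec and don't return an id_token if the
+// openid scope is set in the request scope.
+// arrange
+Object.assign(stubResponse, {
+isOpenId: true,
+});
+jest.spyOn(JwtUtils, "decode").mockReturnValue({ sub: "subsub" });
+
+// act
+await subject.validateCredentialsResponse(stubResponse, true);
+
+// assert
+expect(JwtUtils.decode).not.toHaveBeenCalledWith("id_token");
+expect(
+subject["_userInfoService"].getClaims,
+).not.toHaveBeenCalledWith();
+expect(stubResponse).toHaveProperty("profile", {});
+
+});
+
 it("should process a valid non-openid signin response skipping userInfo", async () => {
 // arrange
 Object.assign(stubResponse, {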
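Review bot: The two negative assertions on new lines 594–597 do not check what the test name promises: `not.toHaveBeenCalledWith("id_token")` only verifies that `JwtUtils.decode` was never passed the literal string "id_token" (it presumably receives the token value, never that string), and `not.toHaveBeenCalledWith()` only verifies that `getClaims` was never called with zero arguments, so a call with arguments would still pass. Use `expect(JwtUtils.decode).not.toHaveBeenCalled();` and `expect(subject["_userInfoService"].getClaims).not.toHaveBeenCalled();` instead. The test also relies on `stubResponse` carrying no `id_token` by default rather than stating it; an explicit `expect(stubResponse.id_token).toBeUndefined();` in the arrange step, or deleting the property there, keeps the test meaningful if the fixture later gains one. The enclosing `describe` block starts and ends outside this hunk.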

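--- a/src/ResponseValidator.ts
+++ b/src/ResponseValidator.ts
@@ -51,7 +51,7 @@ export class ResponseValidator {
 public async validateCredentialsResponse(response: SigninResponse, skipUserInfo: boolean): Promise<void> {
 const logger = this._logger.create("validateCredentialsResponse");
 
-if (response.isOpenId) {
+if (response.isOpenId && !!response.id_token) {
 this._validateIdTokenAttributes(response);
 }
 logger.debug("tokens validated");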
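Review bot: The new guard on line 54 turns a missing id_token into a silent skip of `_validateIdTokenAttributes`, with nothing in the log to tell an operator that an `openid`-scoped response came back without the token that scope promises. Because the guard leaves `response.isOpenId` set, the rest of the method (which continues past this hunk) now has to cope with an OpenID-flagged response that has no id_token; the test added in this commit suggests it does, but that code is not visible here. I would make the downgrade explicit and observable by adding, before the existing check, `if (response.isOpenId && !response.id_token) {` / `    logger.warn("openid scope granted but no id_token in response; skipping id_token validation");` / `}` (assuming the logger exposes a warn level), and the `!!` inside the `&&` is redundant. The tolerance is defensible for the resource-owner-credentials path, which carries no nonce, but it should not be copied into the authorization-code path, where the id_token is what binds the response to the original request.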
