OIDC: pass id_token via id_token_hint on Manage Account interaction (#12499)

* Store id_token rather than just id_token_claims Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Pass id_token via `id_token_hint` on `Manage Account` interaction Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Fix tests Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
2024-05-07 12:27:37 +01:00 · 2024-05-07 12:27:37 +01:00 · 580bb5537d
commit 580bb5537d
parent e2310e637c
8 changed files with 89 additions and 33 deletions
--- a/src/utils/oidc/authorize.ts
+++ b/src/utils/oidc/authorize.ts
@ -86,6 +86,8 @@ type CompleteOidcLoginResponse = {
    accessToken: string;
    // refreshToken gained from OIDC token issuer, when falsy token cannot be refreshed
    refreshToken?: string;
+    // idToken gained from OIDC token issuer
+    idToken: string;
    // this client's id as registered with the OIDC issuer
    clientId: string;
    // issuer used during authentication
@ -109,6 +111,7 @@ export const completeOidcLogin = async (queryParams: QueryDict): Promise<Complet
        identityServerUrl,
        accessToken: tokenResponse.access_token,
        refreshToken: tokenResponse.refresh_token,
+        idToken: tokenResponse.id_token,
        clientId: oidcClientSettings.clientId,
        issuer: oidcClientSettings.issuer,
        idTokenClaims,
--- a/src/utils/oidc/persistOidcSettings.ts
+++ b/src/utils/oidc/persistOidcSettings.ts
@ -15,9 +15,14 @@ limitations under the License.
 */

 import { IdTokenClaims } from "oidc-client-ts";
+import { decodeIdToken } from "matrix-js-sdk/src/matrix";

 const clientIdStorageKey = "mx_oidc_client_id";
 const tokenIssuerStorageKey = "mx_oidc_token_issuer";
+const idTokenStorageKey = "mx_oidc_id_token";
+/**
+ * @deprecated in favour of using idTokenStorageKey
+ */
 const idTokenClaimsStorageKey = "mx_oidc_id_token_claims";

 /**
@ -25,15 +30,13 @@ const idTokenClaimsStorageKey = "mx_oidc_id_token_claims";
 * Only set after successful authentication
 * @param clientId
 * @param issuer
+ * @param idToken
+ * @param idTokenClaims
 */
-export const persistOidcAuthenticatedSettings = (
-    clientId: string,
-    issuer: string,
-    idTokenClaims: IdTokenClaims,
-): void => {
+export const persistOidcAuthenticatedSettings = (clientId: string, issuer: string, idToken: string): void => {
    localStorage.setItem(clientIdStorageKey, clientId);
    localStorage.setItem(tokenIssuerStorageKey, issuer);
-    localStorage.setItem(idTokenClaimsStorageKey, JSON.stringify(idTokenClaims));
+    localStorage.setItem(idTokenStorageKey, idToken);
 };

 /**
@ -59,13 +62,26 @@ export const getStoredOidcClientId = (): string => {
 };

 /**
- * Retrieve stored id token claims from local storage
- * @returns idtokenclaims or undefined
+ * Retrieve stored id token claims from stored id token or local storage
+ * @returns idTokenClaims or undefined
 */
 export const getStoredOidcIdTokenClaims = (): IdTokenClaims | undefined => {
+    const idToken = getStoredOidcIdToken();
+    if (idToken) {
+        return decodeIdToken(idToken);
+    }
+
    const idTokenClaims = localStorage.getItem(idTokenClaimsStorageKey);
    if (!idTokenClaims) {
        return;
    }
    return JSON.parse(idTokenClaims) as IdTokenClaims;
 };
+
+/**
+ * Retrieve stored id token from local storage
+ * @returns idToken or undefined
+ */
+export const getStoredOidcIdToken = (): string | undefined => {
+    return localStorage.getItem(idTokenStorageKey) ?? undefined;
+};