OIDC: pass id_token via id_token_hint on Manage Account interaction (#12499)

* Store id_token rather than just id_token_claims Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Pass id_token via `id_token_hint` on `Manage Account` interaction Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Fix tests Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
2024-05-07 12:27:37 +01:00 · 2024-05-07 12:27:37 +01:00 · 580bb5537d
commit 580bb5537d
parent e2310e637c
8 changed files with 89 additions and 33 deletions
--- a/test/utils/oidc/authorize-test.ts
+++ b/test/utils/oidc/authorize-test.ts
@ -115,6 +115,7 @@ describe("OIDC authorization", () => {
        const tokenResponse: BearerTokenResponse = {
            access_token: "abc123",
            refresh_token: "def456",
+            id_token: "ghi789",
            scope: "test",
            token_type: "Bearer",
            expires_at: 12345,
@ -163,6 +164,7 @@ describe("OIDC authorization", () => {
                identityServerUrl,
                issuer,
                clientId,
+                idToken: "ghi789",
                idTokenClaims: result.idTokenClaims,
            });
        });
--- a/test/utils/oidc/persistOidcSettings-test.ts
+++ b/test/utils/oidc/persistOidcSettings-test.ts
@ -15,14 +15,19 @@ limitations under the License.
 */

 import { IdTokenClaims } from "oidc-client-ts";
+import { decodeIdToken } from "matrix-js-sdk/src/matrix";
+import { mocked } from "jest-mock";

 import {
    getStoredOidcClientId,
+    getStoredOidcIdToken,
    getStoredOidcIdTokenClaims,
    getStoredOidcTokenIssuer,
    persistOidcAuthenticatedSettings,
 } from "../../../src/utils/oidc/persistOidcSettings";

+jest.mock("matrix-js-sdk/src/matrix");
+
 describe("persist OIDC settings", () => {
    jest.spyOn(Storage.prototype, "getItem");
    jest.spyOn(Storage.prototype, "setItem");
@ -33,6 +38,7 @@ describe("persist OIDC settings", () => {

    const clientId = "test-client-id";
    const issuer = "https://auth.org/";
+    const idToken = "test-id-token";
    const idTokenClaims: IdTokenClaims = {
        // audience is this client
        aud: "123",
@ -44,45 +50,65 @@ describe("persist OIDC settings", () => {
    };

    describe("persistOidcAuthenticatedSettings", () => {
-        it("should set clientId and issuer in session storage", () => {
-            persistOidcAuthenticatedSettings(clientId, issuer, idTokenClaims);
+        it("should set clientId and issuer in localStorage", () => {
+            persistOidcAuthenticatedSettings(clientId, issuer, idToken);
            expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_client_id", clientId);
            expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_token_issuer", issuer);
-            expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_id_token_claims", JSON.stringify(idTokenClaims));
+            expect(localStorage.setItem).toHaveBeenCalledWith("mx_oidc_id_token", idToken);
        });
    });

    describe("getStoredOidcTokenIssuer()", () => {
-        it("should return issuer from session storage", () => {
+        it("should return issuer from localStorage", () => {
            localStorage.setItem("mx_oidc_token_issuer", issuer);
            expect(getStoredOidcTokenIssuer()).toEqual(issuer);
            expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_token_issuer");
        });

-        it("should return undefined when no issuer in session storage", () => {
+        it("should return undefined when no issuer in localStorage", () => {
            expect(getStoredOidcTokenIssuer()).toBeUndefined();
        });
    });

    describe("getStoredOidcClientId()", () => {
-        it("should return clientId from session storage", () => {
+        it("should return clientId from localStorage", () => {
            localStorage.setItem("mx_oidc_client_id", clientId);
            expect(getStoredOidcClientId()).toEqual(clientId);
            expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_client_id");
        });
-        it("should throw when no clientId in session storage", () => {
+        it("should throw when no clientId in localStorage", () => {
            expect(() => getStoredOidcClientId()).toThrow("Oidc client id not found in storage");
        });
    });

+    describe("getStoredOidcIdToken()", () => {
+        it("should return token from localStorage", () => {
+            localStorage.setItem("mx_oidc_id_token", idToken);
+            expect(getStoredOidcIdToken()).toEqual(idToken);
+            expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token");
+        });
+
+        it("should return undefined when no token in localStorage", () => {
+            expect(getStoredOidcIdToken()).toBeUndefined();
+        });
+    });
+
    describe("getStoredOidcIdTokenClaims()", () => {
-        it("should return issuer from session storage", () => {
+        it("should return claims from localStorage", () => {
            localStorage.setItem("mx_oidc_id_token_claims", JSON.stringify(idTokenClaims));
            expect(getStoredOidcIdTokenClaims()).toEqual(idTokenClaims);
            expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token_claims");
        });

-        it("should return undefined when no issuer in session storage", () => {
+        it("should return claims extracted from id_token in localStorage", () => {
+            localStorage.setItem("mx_oidc_id_token", idToken);
+            mocked(decodeIdToken).mockReturnValue(idTokenClaims);
+            expect(getStoredOidcIdTokenClaims()).toEqual(idTokenClaims);
+            expect(decodeIdToken).toHaveBeenCalledWith(idToken);
+            expect(localStorage.getItem).toHaveBeenCalledWith("mx_oidc_id_token_claims");
+        });
+
+        it("should return undefined when no claims in localStorage", () => {
            expect(getStoredOidcIdTokenClaims()).toBeUndefined();
        });
    });