OIDC: persist id token claims (#11691)

* persist idTokenClaims

* tests

* remove unused cde

src/Lifecycle.ts

@@ -272,7 +272,7 @@ export async function attemptDelegatedAuthLogin(
  */
 async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean> {
     try {
-        const { accessToken, refreshToken, homeserverUrl, identityServerUrl, clientId, issuer } =
+        const { accessToken, refreshToken, homeserverUrl, identityServerUrl, idTokenClaims, clientId, issuer } =
             await completeOidcLogin(queryParams);
 
         const {
@@ -294,7 +294,7 @@ async function attemptOidcNativeLogin(queryParams: QueryDict): Promise<boolean>
         logger.debug("Logged in via OIDC native flow");
         await onSuccessfulDelegatedAuthLogin(credentials);
         // this needs to happen after success handler which clears storages
-        persistOidcAuthenticatedSettings(clientId, issuer);
+        persistOidcAuthenticatedSettings(clientId, issuer, idTokenClaims);
         return true;
     } catch (error) {
         logger.error("Failed to login via OIDC", error);

src/utils/oidc/authorize.ts

@@ -18,6 +18,7 @@ import { completeAuthorizationCodeGrant, generateOidcAuthorizationUrl } from "ma
 import { QueryDict } from "matrix-js-sdk/src/utils";
 import { OidcClientConfig } from "matrix-js-sdk/src/matrix";
 import { randomString } from "matrix-js-sdk/src/randomstring";
+import { IdTokenClaims } from "oidc-client-ts";
 
 /**
  * Start OIDC authorization code flow
@@ -81,6 +82,8 @@ type CompleteOidcLoginResponse = {
     clientId: string;
     // issuer used during authentication
     issuer: string;
+    // claims of the given access token; used during token refresh to validate new tokens
+    idTokenClaims: IdTokenClaims;
 };
 /**
  * Attempt to complete authorization code flow to get an access token
@@ -90,7 +93,7 @@ type CompleteOidcLoginResponse = {
  */
 export const completeOidcLogin = async (queryParams: QueryDict): Promise<CompleteOidcLoginResponse> => {
     const { code, state } = getCodeAndStateFromQueryParams(queryParams);
-    const { homeserverUrl, tokenResponse, identityServerUrl, oidcClientSettings } =
+    const { homeserverUrl, tokenResponse, idTokenClaims, identityServerUrl, oidcClientSettings } =
         await completeAuthorizationCodeGrant(code, state);
 
     return {
@@ -100,5 +103,6 @@ export const completeOidcLogin = async (queryParams: QueryDict): Promise<Complet
         refreshToken: tokenResponse.refresh_token,
         clientId: oidcClientSettings.clientId,
         issuer: oidcClientSettings.issuer,
+        idTokenClaims,
     };
 };

src/utils/oidc/persistOidcSettings.ts

@@ -14,8 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+import { IdTokenClaims } from "oidc-client-ts";
+
 const clientIdStorageKey = "mx_oidc_client_id";
 const tokenIssuerStorageKey = "mx_oidc_token_issuer";
+const idTokenClaimsStorageKey = "mx_oidc_id_token_claims";
 
 /**
  * Persists oidc clientId and issuer in session storage
@@ -23,9 +26,14 @@ const tokenIssuerStorageKey = "mx_oidc_token_issuer";
  * @param clientId
  * @param issuer
  */
-export const persistOidcAuthenticatedSettings = (clientId: string, issuer: string): void => {
+export const persistOidcAuthenticatedSettings = (
+    clientId: string,
+    issuer: string,
+    idTokenClaims: IdTokenClaims,
+): void => {
     sessionStorage.setItem(clientIdStorageKey, clientId);
     sessionStorage.setItem(tokenIssuerStorageKey, issuer);
+    sessionStorage.setItem(idTokenClaimsStorageKey, JSON.stringify(idTokenClaims));
 };
 
 /**