
Authenticated User object has empty profile attribute #1787

Open
mellis481 opened this issue Dec 18, 2024 · 1 comment


mellis481 commented Dec 18, 2024

My application is currently using two different IdPs, both using authorization code flow: Auth0 and a home-grown auth provider. oidc-client-ts operations (e.g. sign in, sign out, etc.) are all working fine with both IdPs. The only issue is that, in our home-grown auth provider, the authenticated User object (the result of signinCallback() and what is stored in the oidc.user session storage item) is not spec-compliant. Namely, instead of having a profile property with at least sub, iss, aud, exp, and iat properties, the profile property is simply an empty object ({}).

Interestingly, the access_token prop value for the User/session storage item includes those properties. Here is an example of a decoded JWT:

{
  "sub": "admin",
  "aud": "",
  "nbf": 1734542699,
  "scope": [
    "profile"
  ],
  "iss": "http://localhost:8095/auth",
  "exp": 1734549899,
  "iat": 1734542699,
  "userId": 11,
  "jti": "<some guid>"
}

It seems like the User is simply the response from the token endpoint call that is made during the signinCallback() execution. The data included in the token endpoint call for our home-grown auth provider is:

grant_type: authorization_code
redirect_uri: http://localhost:8095/ui/authorize
code: <some code>
code_verifier: <some verifier>
client_id: my-service

And the response is:

{
  access_token: "some access token",
  expires_in: 7200,
  scope: "profile",
  token_type: "Bearer"
}

Any idea why the profile property is an empty object for our one IdP?

mellis481 changed the title from "Session storage item has empty profile attribute" to "Authenticated User object has empty profile attribute" on Dec 18, 2024

mellis481 commented Dec 19, 2024

After doing some debugging through the oidc-client-ts code while running my app, it looks like the profile prop is being set when Auth0 is the IdP in _validateIdTokenAttributes(). When the validateSigninResponse() function is being executed, the following check occurs:

if (response.isOpenId) {
  this._validateIdTokenAttributes(response);
}

When Auth0 is the IdP, response.isOpenId is true because there is an id_token. response.profile then gets set (using the id_token) in _validateIdTokenAttributes().

When the home-grown IdP is used, response.isOpenId is false and profile never gets updated and remains the original value (an empty object).

So what is the home-grown IdP failing to do? Given the logic described above, it seems like it should be including an id_token. Is an id_token required? It seems like it would have to be since, when there isn't one, profile will be an empty object unless there is another way it can be set besides using the id_token...
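The behaviour traced in the issue and the follow-up comment, shown as an added, self-contained example (this is not oidc-client-ts code and not the issue author's code): a User's profile is filled only from an id_token after the claim checks a client is expected to perform, and a plain OAuth 2.0 token response that carries only an access_token leaves profile as {}, even though the access token itself contains sub, iss, exp and iat. The helper names (buildUser, validateIdTokenClaims, decodeJwtPayload, missingProfileClaims, encodeUnsignedJwt), the SETTINGS object, the fixed NOW timestamp and the two sample token responses are all constructed for this illustration; the unsigned JWTs exist only so the example runs offline and are never treated as verified.

```javascript
// Added illustration, not code from oidc-client-ts or the issue author.
// Mirrors the branch described in the comment above: profile is populated
// only when the token response carries an id_token (the isOpenId case);
// otherwise it stays {}. Helper names and sample data are constructed.

const REQUIRED_PROFILE_CLAIMS = ["sub", "iss", "aud", "exp", "iat"];

// Client settings as an oidc-client-ts style app would hold them (constructed).
const SETTINGS = { authority: "http://localhost:8095/auth", client_id: "my-service" };

// Fixed "current time" inside the sample token's validity window (constructed).
const NOW = 1734543000;

// Base64url-encode claims into an unsigned compact JWT (alg "none") so the
// example runs offline. A real IdP signs its tokens; the empty signature
// segment here is a placeholder and is never treated as verified.
function encodeUnsignedJwt(claims) {
  const seg = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${seg({ alg: "none", typ: "JWT" })}.${seg(claims)}.`;
}

// Decode the payload segment of a compact JWT. Decoding is not verification:
// the claims are only adopted after validateIdTokenClaims checks them
// against the client's own settings.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// The claim checks a client performs before adopting id_token claims as the
// profile: required claims present, issuer equals the configured authority,
// audience contains this client_id, token not expired.
function validateIdTokenClaims(claims, settings, now) {
  const missing = REQUIRED_PROFILE_CLAIMS.filter((c) => !(c in claims));
  if (missing.length > 0) throw new Error(`id_token missing claims: ${missing.join(", ")}`);
  if (claims.iss !== settings.authority) throw new Error(`iss mismatch: ${claims.iss}`);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(settings.client_id)) throw new Error("aud does not include client_id");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("id_token expired");
  return claims;
}

// Build the User the way the issue describes: keep the token response fields,
// then fill profile from id_token only when one is present. Claims inside
// access_token are deliberately ignored: that token is addressed to the
// resource server, not to the client, so it cannot stand in for an id_token.
function buildUser(tokenResponse, settings, now) {
  const isOpenId = typeof tokenResponse.id_token === "string" && tokenResponse.id_token.length > 0;
  const profile = isOpenId
    ? validateIdTokenClaims(decodeJwtPayload(tokenResponse.id_token), settings, now)
    : {};
  return { ...tokenResponse, profile };
}

// Which spec-required profile claims a User is missing; [] for a complete profile.
function missingProfileClaims(user) {
  return REQUIRED_PROFILE_CLAIMS.filter((c) => !(c in user.profile));
}

// Constructed sample: the home-grown IdP's response from the issue (no id_token).
// The access token carries sub/iss/exp/iat, as in the decoded JWT above.
const HOMEGROWN_RESPONSE = {
  access_token: encodeUnsignedJwt({ sub: "admin", aud: "", iss: SETTINGS.authority, exp: 1734549899, iat: 1734542699, userId: 11 }),
  expires_in: 7200,
  scope: "profile",
  token_type: "Bearer",
};

// Constructed sample: the same response once the IdP also returns an id_token.
const ID_TOKEN_CLAIMS = { sub: "admin", aud: "my-service", iss: SETTINGS.authority, exp: 1734549899, iat: 1734542699 };
const OPENID_RESPONSE = { ...HOMEGROWN_RESPONSE, id_token: encodeUnsignedJwt(ID_TOKEN_CLAIMS) };

console.log("home-grown profile:", buildUser(HOMEGROWN_RESPONSE, SETTINGS, NOW).profile); // {}
console.log("openid profile sub:", buildUser(OPENID_RESPONSE, SETTINGS, NOW).profile.sub); // admin
```

Running this with the home-grown response reproduces the symptom (missingProfileClaims reports all five claims), and adding an id_token to the same response fills profile. The validation step is the part worth keeping in mind: an id_token whose iss or aud does not match the client's settings, or whose exp has passed, is rejected rather than copied into profile.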
