validateIdToken fails on new version

[shaun-pendrigh]

Since upgrading from 4.0.0 to 4.1.2, validateIdToken fails with the following message:

SyntaxError: Unexpected token u in JSON at position 0
    at JSON.parse (<anonymous>)
    at C:\Users\SPendrigh\Documents\Development\Officejs\sample\node_modules\intuit-oauth\src\OAuthClient.js:479:33
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async C:\Users\SPendrigh\Documents\Development\Officejs\sample\app.js:78:7
    at async C:\Users\SPendrigh\Documents\Development\Officejs\sample\app.js:73:3 {
  error: 'Unexpected token u in JSON at position 0',
  authResponse: '',
  intuit_tid: '',
  originalMessage: 'Unexpected token u in JSON at position 0',
  error_description: ''

I modified the sample program to add the OAuthClient.scopes.OpenId, OAuthClient.scopes.Profile, OAuthClient.scopes.Email scopes and added a call to validateIdToken after the createToken call and recreated the error.

I then forced the intuit-oauth version back to 4.0.0 and ran it again and it worked as expected, confirming it is an issue in the new version.

[rajeshgupta723]

Hi @shaun-pendrigh Thanks, will look into the issue. In the meantime, please feel free to raise a PR for the fix.

[rajeshgupta723]

Hi @shaun-pendrigh Created a new branch release-4.1.3 and this PR: #174 to fix the issue. Please test your use case in this new branch. If all looks good, will merge this PR into master and will release this change. Thanks.

[shaun-pendrigh]

Thanks @rajeshgupta723, will do asap

[shaun-pendrigh]

Hi @rajeshgupta723. The problem does not seem to be resolved. The getKeyFromJWKsURI is still having an error. I have tried to unpack the logic and understand what is going on in order to assist, but I am certainly not an expert in this. I eventually managed to log the response as it is coming back in version 4.0.0 as well as the new 4.1.3 branch.

In version 4.0.0 the response was in the "body" property and it was a valid json string. In the new version 4.1.3 there is no json property, it is undefined. The keys that the response needs are in the "data" property but it does not seem to be in the same json string format as before. So I am unsure of how to process that "data" property in order to pass correctly as an array of keys.

I don't know enough about Axios to understand the response formats. But hopefully what I have found will help you to know the answer.

Version4.0.0 response.log
Version4.1.3 response.log

[rajeshgupta723]

Hi @shaun-pendrigh, thanks for providing the log from diff versions, this was helpful. I've pushed the fix to release-4.1.3 branch. Would you please test and confirm the fix, it that works for you now? Thanks

[shaun-pendrigh]

Hi @rajeshgupta723

I am not sure if I have done anything wrong in the testing as I am guessing you expect this update to fix the issue. However I still see this error:

SyntaxError: Unexpected token o in JSON at position 1 at JSON.parse (<anonymous>) at C:\Users\SPendrigh\Documents\Development\Officejs\oauth-jsclient-release-4.1.3\src\OAuthClient.js:495:33 at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async C:\Users\SPendrigh\Documents\Development\Officejs\oauth-jsclient-release-4.1.3\sample\app.js:94:3 { error: 'Unexpected token o in JSON at position 1', authResponse: '', intuit_tid: '', originalMessage: 'Unexpected token o in JSON at position 1', error_description: ''

I see your change to getKeyFromJWKsURI has:
const responseBody = JSON.parse(response.data);

But it seems response.data is not valid JSON. Again I am not sure how Axios returns this data. But looking at the log file this data does not have the expected formatting around the property names for example to be valid JSON.

Let me know if there is more I can do to help this process.

[rajeshgupta723]

Hi @shaun-pendrigh could you please get the latest from branch release-4.1.3, and check whether the issue is resolved? Thanks

[shaun-pendrigh]

Hi @rajeshgupta723

My findings are as follows:

• getKeyFromJWKsURI now seems to find a validate public key. If I log cert (line 486) it contains "-----BEGIN RSA PUBLIC KEY----- ..."
• However, I am not sure what the changes on line 459 are meant to do. But response lands up being null.
• Log call on line 460 then throws an exception "TypeError: Cannot read properties of null (reading 'json')" as response is null.
• If I modify that log call to not throw exception then validateIdToken returns false
• If I log res from line 458 it seems to contain valid data. But not a json property.
• Line 459 expecting res.json seems to be a new change. It did not check for json in the previous release. So is the getKeyFromJWKsURI jwt.verify expected to return a json property?

Hope that helps.

[rajeshgupta723]

Hi @shaun-pendrigh Thanks for your findings. I've reviewed and made updates to fix this. Could you please get latest from the branch release-4.1.3, and check? Thanks

[shaun-pendrigh]

@rajeshgupta723 can you confirm what change you made? There does not seem to be any change between the current branch release-4.1.3 and the one I downloaded last time to test.

[rajeshgupta723]

@shaun-pendrigh The change is in oauthclient.js to not look for response json property. sorry I thought it was pushed, just now pushed it. please get latest. Thanks.

[shaun-pendrigh]

@rajeshgupta723 ok thanks got the updates now. My test of validateIdToken is now passing. Thank you

[yasht01]

This should have been a breaking change. Led to a waste of 5 hours for our dev team.