Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

signinSilent using refresh token clears profile info #754

Closed
MathiasFrost opened this issue Nov 6, 2022 · 7 comments · Fixed by #763
Closed

signinSilent using refresh token clears profile info #754

MathiasFrost opened this issue Nov 6, 2022 · 7 comments · Fixed by #763
Labels
bug Something isn't working Microsoft Entra ID Former Azure AD
Milestone
2.2.0

Comments

@MathiasFrost
Copy link

I have a question.

  1. I call signinPopup and log in.
  2. User is stored in localStorage with id_token, access_token, refresh_token as well as decoded user info from id_token stored as a profile object.
  3. Call signinSilent.
  4. oidc-client-ts exchanges the refresh_token for a new access_token and a new refresh_token.
  5. localStorage is updated with a new refresh_token and access_token, but the profile object is now empty (id_token was unchanged).

Is that supposed to happen and am I doing something wrong?

Thank you.
@pamapa
Copy link
Member

pamapa commented Nov 7, 2022

Id_token + more are taken from initial request if not coming from refresh token request. This was fixed some time ago, make sure you are using a recent version of this library.

The relevant code is here:

oidc-client-ts/src/ResponseValidator.ts

Lines 74 to 101 in ec554af

public async validateRefreshResponse(response: SigninResponse, state: RefreshState): Promise<void> {
const logger = this._logger.create("validateRefreshResponse");
response.userState = state.data;
// if there's no session_state on the response, copy over session_state from original request
response.session_state ??= state.session_state;
// if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request
response.scope ??= state.scope;
// OpenID Connect Core 1.0 says that id_token is optional in refresh response:
// https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
if (response.isOpenId) {
if (response.id_token) {
this._validateIdTokenAttributes(response, state.id_token);
logger.debug("ID Token validated");
}
else {
// if there's no id_token on the response, copy over id_token from original request
response.id_token = state.id_token;
// and decoded part too
response.profile = state.profile;
}
}
const hasIdToken = response.isOpenId && !!response.id_token;
await this._processClaims(response, false, hasIdToken);
logger.debug("claims processed");
}

@pamapa pamapa added the question Further information is requested label Nov 7, 2022
@MathiasFrost
Copy link
Author

Thanks for the answer.
Yes, I read through the previous issues related to this, which is why I am scratching my head at this.
I am using version 2.1.0 which is a recent release.

My guess from the method you referenced is that in my case we do not get past this if:

oidc-client-ts/src/ResponseValidator.ts

Line 85 in ec554af

if (response.isOpenId) {

I'm not familiar with that part of the response. Will do some debugging :)

@MathiasFrost
Copy link
Author

Okay, so I'm relatively certain of what is happening:

  1. The response from identity provider when exchanging refresh_token does not contain id_token at this point.
  2. response is created with field profile initialized at ctor as empty object.
  3. Scope does not contain openid, which means we do not enter this if.
  4. This results in the profile field containing values is overridden by the empty object mentioned in step 2.

So the question if is this is by design or not.
In my case I am using Azure AD and can't ask for openid at the same time as a resource (secured API).

@pamapa
Copy link
Member

pamapa commented Nov 8, 2022

The if if (response.isOpenId) { is there for historically reasons and i never saw a real world use-case to change that. Now i know such a case. I guess we can remove that if together with ...response.isOpenId &&...

Can you test this first and if all good providing a merge request?

@pamapa pamapa added bug Something isn't working and removed question Further information is requested labels Nov 8, 2022
@MathiasFrost
Copy link
Author

Sure, but I'm not sure I know what you mean by

...together with ...response..isOpenId &&...

Care to elaborate?

pamapa added a commit that referenced this issue Nov 14, 2022
@pamapa
fix: #754 preserve id_token and profile even if no openid is in scope…
dee453d 
… of refresh request
@pamapa pamapa mentioned this issue Nov 14, 2022
Merged
2 tasks
@pamapa
Copy link
Member

pamapa commented Nov 14, 2022

@MathiasFrost I have added a merge request, can you please test if that helps you?

pamapa added a commit that referenced this issue Nov 15, 2022
@pamapa
fix: #754 preserve id_token and profile even if no openid is in scope…
52fdec9 
… of refresh request
pamapa added a commit that referenced this issue Nov 15, 2022
@pamapa
fix: #754 preserve id_token and profile even if no openid is in scope…
47b4fa1 
… of refresh request
pamapa added a commit that referenced this issue Nov 18, 2022
@pamapa
fix: #754 preserve id_token and profile even if no openid is in scope…
edfef08 
… of refresh request
@MathiasFrost
Copy link
Author

@MathiasFrost I have added a merge request, can you please test if that helps you?

Aye, works perfectly ^^

@pamapa pamapa added this to the 2.2.0 milestone Nov 25, 2022
github-actions bot pushed a commit to ncats/oidc-client-ts that referenced this issue Feb 28, 2023
@semantic-release-bot
chore(release): 1.0.0 [skip ci]
e1555e7 
# 1.0.0 (2023-02-28)

### Bug Fixes

* [authts#201](https://github.com/ncats/oidc-client-ts/issues/201) add sourcemaps ([6c1c965](6c1c965))
* [authts#225](https://github.com/ncats/oidc-client-ts/issues/225) move revoke from TokenRevocationClient into TokenClient ([e4570ee](e4570ee))
* [authts#257](https://github.com/ncats/oidc-client-ts/issues/257) signoutRedirect does not work ([79ebe27](79ebe27))
* [authts#314](https://github.com/ncats/oidc-client-ts/issues/314) document signingKeys is unused ([d9d79fd](d9d79fd))
* [authts#415](https://github.com/ncats/oidc-client-ts/issues/415) allow to get and process claims when scope does not contain openid ([558319b](558319b))
* [authts#435](https://github.com/ncats/oidc-client-ts/issues/435) allow passing post_logout_redirect_uri to signoutRedirect ([ad209f3](ad209f3))
* [authts#441](https://github.com/ncats/oidc-client-ts/issues/441) only validate sub during refresh token path when the optional id_token is present ([00b9072](00b9072))
* [authts#450](https://github.com/ncats/oidc-client-ts/issues/450) do not use workspaces ([4e993f4](4e993f4))
* [authts#466](https://github.com/ncats/oidc-client-ts/issues/466) clear stale states when creating new one ([1b39579](1b39579))
* [authts#569](https://github.com/ncats/oidc-client-ts/issues/569) if there's no session_state on the response, then take it from initial sign-in ([06de889](06de889))
* [authts#580](https://github.com/ncats/oidc-client-ts/issues/580) add id_token_hint if present ([0a495bb](0a495bb))
* [authts#688](https://github.com/ncats/oidc-client-ts/issues/688) id_token is lost on silent refresh token renewal ([0a49522](0a49522))
* [authts#754](https://github.com/ncats/oidc-client-ts/issues/754) preserve id_token and profile even if no openid is in scope of refresh request ([edfef08](edfef08))
* [authts#769](https://github.com/ncats/oidc-client-ts/issues/769) allow multiple resource parameters ([e0188fe](e0188fe))
* add change set ([ccf65d0](ccf65d0))
* add dist folder ([1e261f4](1e261f4))
* add release workflow ([b556057](b556057))
* add scope to refresh tokens ([62bc823](62bc823)), closes [authts#364](https://github.com/ncats/oidc-client-ts/issues/364)
* allow to override acr_values in signinRedirect ([5772d5d](5772d5d))
* avoid redundant error event when a window is closed by user ([9491eea](9491eea))
* build ([d99fe4d](d99fe4d))
* code style ([562c1d4](562c1d4))
* custom state ([542e7c3](542e7c3))
* deprecated unused clockSkewInSeconds and userInfoJwtIssuer settings ([52e8799](52e8799))
* ensure we only throw something of type Error ([b9c2a38](b9c2a38))
* fully specify crypto-js imports ([8a6f772](8a6f772))
* handle case of refresh token response not containing id_token ([50fbb50](50fbb50))
* improve test asserts ([d43f46b](d43f46b))
* improve unit-tests for JsonService ([2decbab](2decbab))
* improve unit-tests for MetadataService ([b57541e](b57541e))
* improve unit-tests for ResponseValidator ([be401a6](be401a6))
* improve unit-tests for SigninResponse ([8723167](8723167))
* indent of signingKeys ([985e28f](985e28f))
* no need for open+path ([6daa33b](6daa33b))
* remove dist folder ([b1520c7](b1520c7))
* remove npm release ([d39f4a5](d39f4a5))
* signout callback ([813fda0](813fda0))
* simplify _validateIdTokenAttributes ([84935b2](84935b2))
* store keypair ([22d36af](22d36af))
* test ([bda9a69](bda9a69))
* test setup update ([3154679](3154679))
* type of AccessTokenCallback ([af51769](af51769))
* update ([15c568c](15c568c))
* update config ([5e741ab](5e741ab))
* update package ([bf00d1e](bf00d1e))
* update package file ([73720a9](73720a9))
* update package-lock file ([22115a8](22115a8))
* update release file ([00bf5dc](00bf5dc))
* update release yml file ([9c05fc8](9c05fc8))
* update token ([10ff74f](10ff74f))
* **authts#278:** expose the internal logger ([361403f](361403f)), closes [authts#278](https://github.com/ncats/oidc-client-ts/issues/278)
* **authts#780:** filterProtocolClaims deletes properties required by the IdTokenClaims type ([b7fadd8](b7fadd8)), closes [authts#780](https://github.com/ncats/oidc-client-ts/issues/780)
* **CheckSessionIFrame:** normalize iframe origin before comparing to the MessageEvent origin ([e8e38a7](e8e38a7))
* **docs:** update oidc-client-ts-api.md ([e785030](e785030))
* **IFrameWindow:** wait for iframe content to unload before removing from DOM ([dea5ca0](dea5ca0))
* **JsonService:** throw an ErrorResponse instance for invalid responses ([dff9cdf](dff9cdf))
* **parcel-sample:** use COOP/COEP policies compatible with window.opener ([d491e94](d491e94))
* **PopupWindow:** clear the interval checking popup closed on dispose ([346f7c1](346f7c1))
* **RedirectNavigator:** wait for 'unload' instead of 'beforeunload' ([608668b](608668b))
* **RedirectNavigator:** wait until the window is unloading to resolve the returned promise ([86f124c](86f124c))
* **TokenClient:** incorrect secret value sent for client_secret_post ([8fc20c2](8fc20c2))
* **UserManager:** fix anonymous session monitoring ([577200e](577200e))
* [#11](#11) eslint errors wherever possible ([91a4e55](91a4e55))
* [#13](#13) convert checkSessionInterval (milliseconds) to checkSessionIntervalInSeconds in settings ([7d41514](7d41514))
* [#13](#13) convert silentRequestTimeout (milliseconds) to silentRequestTimeoutInSeconds in settings ([0f7005c](0f7005c))
* [#13](#13) rename accessTokenExpiringNotificationTime to accessTokenExpiringNotificationTimeInSeconds in settings ([be7733b](be7733b))
* [#13](#13) rename clockSkew to clockSkewInSeconds in settings ([ca09d98](ca09d98))
* [#13](#13) rename duration to durationInSeconds in Timer ([3715389](3715389))
* [#13](#13) rename staleStateAge to staleStateAgeInSeconds in settings ([56bcaa6](56bcaa6))
* [authts#158](https://github.com/ncats/oidc-client-ts/issues/158) default response mode is explicit query ([b442b84](b442b84))
* [#16](#16) marshal OidcClient instead of inherit ([8009969](8009969))
* [authts#166](https://github.com/ncats/oidc-client-ts/issues/166) move samples/Angular into separate repository ([9d03379](9d03379))
* [authts#167](https://github.com/ncats/oidc-client-ts/issues/167) round tripping "state" is missing ([2d5da0f](2d5da0f))
* [authts#170](https://github.com/ncats/oidc-client-ts/issues/170) revert removing too much from commit "remove implicit flow" (320168b) and adapt ([310b0f2](310b0f2))
* [authts#173](https://github.com/ncats/oidc-client-ts/issues/173) refresh_token is undefined ([95d8443](95d8443))
* [authts#175](https://github.com/ncats/oidc-client-ts/issues/175) treat eslint warnings as errors ([13251d4](13251d4))
* [authts#184](https://github.com/ncats/oidc-client-ts/issues/184) improve esbuild ([26bdc17](26bdc17))
* [#23](#23) avoid multiple instances of MetaDataService ([00b7319](00b7319))
* [#4](#4) add explicit-function-return-type ([02606f1](02606f1))
* [authts#64](https://github.com/ncats/oidc-client-ts/issues/64) drop Cordova ([14c0be8](14c0be8))
* [#7](#7) drop Global.ts ([142d883](142d883))
* [#9](#9) change default settings to minimal + best practice ([536dc68](536dc68))
* add missing devDependencies ([0c48b70](0c48b70))
* add missing metadataSeed ([fa8f78c](fa8f78c))
* add npm package link icon ([e5d6cad](e5d6cad))
* adding url check to iframe _message ([e8bd1b2](e8bd1b2))
* adjust return type, _signinCallback never returns a user ([04831f6](04831f6))
* Angular 8 build error: ([4688b62](4688b62))
* avoid test warning by awaiting promise ([3b1bed5](3b1bed5))
* bump version ([d51c50e](d51c50e))
* change classes to use named exports instead of default exports ([712986f](712986f))
* enforce importsNotUsedAsValues ([975363b](975363b))
* explicit use window.setInterval, avoid NodeJS.Time vs number warning ([207c962](207c962))
* export modules from index directly instead of requiring and then re-exporting ([bcc98ff](bcc98ff))
* export more types (esbuild is more conservative than tsdx) ([9b7123f](9b7123f))
* for typescript v4.4.2 ([11cfd18](11cfd18))
* improve code ([5c2d93f](5c2d93f))
* improve description for UserSignedIn and UserSignedOut ([50f3b1a](50f3b1a))
* improve event logger name ([13448a8](13448a8))
* improve ParsedJwt type ([4842559](4842559))
* move eslint to devDependencies ([e6be1c8](e6be1c8))
* parcel npm scripts ([27da3f3](27da3f3))
* pipeline icon ([e8556dc](e8556dc))
* prepare for test release ([211e304](211e304))
* prevent scrollbars in browsers that refuse to render iframes with zero height ([cac300f](cac300f))
* remove argument/type mapping hack ([d66cf72](d66cf72))
* remove getEpochTime from OidcClientSettings ([6b5020c](6b5020c)), closes [/github.com/IdentityModel/oidc-client-js/pull/1271#issuecomment-769877657](https://github.com//github.com/IdentityModel/oidc-client-js/pull/1271/issues/issuecomment-769877657)
* remove useless jsx config ([28662f2](28662f2))
* remove User.state, its not used at all ([703b941](703b941))
* restore Angular sample project functionality ([2a4b2b5](2a4b2b5))
* signinSilent fails when no user is available ([0c9ea9c](0c9ea9c))
* simplify the arguments types ([be75227](be75227))
* spaces ([2f623ac](2f623ac))
* support typescript 4.4.2 ([860b116](860b116))
* target ES5 to have accessors (getter) without warnings ([4d26e6e](4d26e6e))
* type ([f77455d](f77455d))
* type of jwt aud field ([a1337d4](a1337d4))
* types ([ac61a78](ac61a78))
* update repository location ([aac326e](aac326e))
* updating with changes ([319ac38](319ac38))
* url can be undefined ([047f4b1](047f4b1))
* use type exports in entrypoint ([ba3186c](ba3186c))
* window is not defined ([7a1efc0](7a1efc0))
* workflow file ([81ad9de](81ad9de))

### Features

* [#15](#15) ensure typedoc works before we merge ([f8a7669](f8a7669))
* [#15](#15) move text from index.md into source code ([c7f2a85](c7f2a85))
* [authts#152](https://github.com/ncats/oidc-client-ts/issues/152) remove implicit flow ([320168b](320168b))
* [authts#152](https://github.com/ncats/oidc-client-ts/issues/152) update docs, implicit flow is gone ([5eba1a5](5eba1a5))
* [authts#152](https://github.com/ncats/oidc-client-ts/issues/152) update samples/Parcel, implicit flow is gone ([1e8522d](1e8522d))
* [authts#251](https://github.com/ncats/oidc-client-ts/issues/251) retry silent renew for fetch timeout ([0078fd5](0078fd5))
* [authts#251](https://github.com/ncats/oidc-client-ts/issues/251) retry silent renew for iframe timeout ([b8e6c84](b8e6c84))
* [#4](#4) introduce SigningKey type ([63fccb1](63fccb1))
* [#4](#4) reduce any types ([2575030](2575030))
* [authts#73](https://github.com/ncats/oidc-client-ts/issues/73) improve logging ([eccb5dc](eccb5dc))
* add ability to specify iframe script origin and iframe notify parent for silent auth ([authts#514](https://github.com/ncats/oidc-client-ts/issues/514)) ([e28dcef](e28dcef))
* add DPoP feature ([c228b30](c228b30))
* add github pages via typedoc ([7064f82](7064f82))
* add minimal SSR support ([2a6f632](2a6f632))
* add some more typedoc comments ([9d11051](9d11051))
* add some more unit-tests for UserManager ([b520ed6](b520ed6))
* add unit-test for TokenClient ([f15ba9e](f15ba9e))
* automatically center popups in front of the opener window ([8c6f799](8c6f799))
* default of loadUserInfo changed from true to false ([a0c056c](a0c056c))
* execute "npm dedupe" ([a35caf7](a35caf7))
* extend Parcel with revoke access token ([dcde654](dcde654))
* fine tune export ([e092726](e092726))
* improve sample Parcel logging ([2e1db1a](2e1db1a))
* increase open-pull-requests-limit from 5 to 10 ([a346acb](a346acb))
* introduce ErrorTimeout ([23f8e33](23f8e33))
* introduce Logger.createStatic ([a4ce6b6](a4ce6b6))
* make use of improved logger ([f811496](f811496))
* move ErrorResponse into error sub-dir ([b8fa443](b8fa443))
* move random into CryptoUtils ([9fb4aa0](9fb4aa0))
* return destructor functions from event listener methods ([6fa9632](6fa9632))
* set sandbox attribute for iframe ([dc28584](dc28584))
* update parcel to v2.0.1 ([c037f2b](c037f2b))
* **Claims:** rebase with main ([4bfae02](4bfae02))
* **ErrorResponse:** attach the request body to POST errors ([2f793f6](2f793f6))
* **PopupWindow:** compute a default width based on the size of the window opener ([4b5f377](4b5f377))
* **User:** add types for standard claims to UserProfile ([authts#241](https://github.com/ncats/oidc-client-ts/issues/241)) ([bb33e10](bb33e10))
* [#1](#1) adapt unit-tests ([0e533b1](0e533b1))
* [#1](#1) port build system to tsdx ([cb74a41](cb74a41))
* [#1](#1) port to typescript ([bb02e6f](bb02e6f))
* [#12](#12) add eslint for unit-tests ([9e01e6f](9e01e6f))
* [#20](#20) make client_id, authority, extraQueryParams and extraTokenParams settings readonly ([8de0cf6](8de0cf6))
* [#23](#23) avoid multiple metadataUrl implementations ([a575bce](a575bce))
* [#23](#23) cache matadata and signingKeys in MetadataService ([5479346](5479346))
* [#3](#3) replace .then with async/await pattern ([35318a2](35318a2))
* [#4](#4) fix lint warnings ([f14b8c9](f14b8c9))
* [#4](#4) reduce any type ([e86bedc](e86bedc))
* [#4](#4) reduce any type in navigators ([9c82d50](9c82d50))
* [#4](#4) reduce any type in SilentRenewService ([267c5f9](267c5f9))
* [#4](#4) reduce any type in TokenClient ([2ec9624](2ec9624))
* [#4](#4) reduce any type of signin and signout chain ([cefd12a](cefd12a))
* [#4](#4) reduce any types ([312b341](312b341))
* [#4](#4) reduce eslint errors of misused-promises ([e6e0bbd](e6e0bbd))
* [#4](#4) reduce eslint errors of restrict-plus-operands ([c8973f6](c8973f6))
* [#4](#4) reduce typescript warning/error ignores ([c8f70f0](c8f70f0))
* [#4](#4) reduce usage of any type ([f067d1b](f067d1b))
* [#4](#4) reduce usage of any type ([4e56fb3](4e56fb3))
* [#4](#4) reduce usage of any type ([862b2a4](862b2a4))
* [#4](#4) reduce usage of any type: session_state is typeof string ([5e81347](5e81347))
* [#4](#4) response_mode can only be "query" or "fragment" ([7c73645](7c73645))
* [authts#48](https://github.com/ncats/oidc-client-ts/issues/48) add redirectMethod to settings ([14a481f](14a481f))
* [#5](#5) use external jsrsasign and drop rsa.js ([19b0f62](19b0f62))
* [#6](#6) make use of public/protected keyword ([172bc96](172bc96))
* [#8](#8) replace XMLHttpRequest with fetch ([4fec4d7](4fec4d7))
* [#9](#9) redirect_uri was and is a required setting ([368b25e](368b25e))
* add docusaurus website [#15](#15) ([14ce282](14ce282))
* add typedoc ([0302c21](0302c21))
* introduce sub-directories utils and navigators ([3e6d591](3e6d591))
* merge openid-configuration and metdata ([36d5add](36d5add)), closes [authts#1067](https://github.com/ncats/oidc-client-ts/issues/1067)
* prevent mangling of function names ([34b5bdb](34b5bdb))
* split responses state into state_id (query id state) and "state" (callers custom state) ([0423efa](0423efa))
* support passing extra params to signin and signout requests ([7b27ccf](7b27ccf))
* support passing window params to signin/signout methods ([0e66f8a](0e66f8a))
* use Webpack 4 ([b49b3ce](b49b3ce))

### Reverts

* Revert "filter more stuff from npm?" ([44f3fbe](44f3fbe))
@pamapa pamapa added the Microsoft Entra ID Former Azure AD label May 24, 2023
dbfr3qs pushed a commit to dbfr3qs/oidc-client-ts that referenced this issue Apr 3, 2024
@pamapa
fix: authts#754 preserve id_token and profile even if no openid is in…
0c26baf 
… scope of refresh request
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Microsoft Entra ID Former Azure AD
Projects
None yet
Milestone
2.2.0
Development

Successfully merging a pull request may close this issue.

preserve id_token and profile even if no openid is in scope of refresh request authts/oidc-client-ts
2 participants
@pamapa @MathiasFrost