
Commit 10b58d7

committed
prevent hybrid flow
1 parent 4a2b048 commit 10b58d7


3 files changed

+38
-10
lines changed


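--- a/src/OidcClient.js
+++ b/src/OidcClient.js
@@ -65,6 +65,10 @@ export class OidcClient {
 
 let authority = this._settings.authority;
 
+if (SigninRequest.isCode(response_type) && response_type !== "code") {
+return Promise.reject(new Error("OpenID Connect hybrid flow is not supported"));
+}
+
 return this._metadataService.getAuthorizationEndpoint().then(url => {
 Log.debug("OidcClient.createSigninRequest: Received authorization endpoint", url);
 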
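Review bot: The hybrid-flow guard added at new line 68 carries no comment saying why `code id_token` / `code token` style response types are refused, so a later maintainer may read it as an arbitrary restriction and relax it. The ResponseValidator change in this same commit routes any response carrying a code to `_processCode` before the id_token/access_token branches run, so the front-channel tokens of a hybrid response would never be validated; recording that dependency keeps the two halves of the commit tied together. Suggested comment above the check: `// Hybrid flows (code combined with id_token/token) are rejected: ResponseValidator processes the code only and would leave the front-channel tokens unvalidated.` The check also relies on `SigninRequest.isCode`, which is defined outside this hunk, and createSigninRequest's body continues past the hunk on both sides.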
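--- a/src/ResponseValidator.js
+++ b/src/ResponseValidator.js
@@ -215,6 +215,11 @@ export class ResponseValidator {
 }
 
 _validateTokens(state, response) {
+if (response.code) {
+Log.debug("ResponseValidator._validateTokens: Validating code");
+return this._processCode(state, response);
+}
+
 if (response.id_token) {
 if (response.access_token) {
 Log.debug("ResponseValidator._validateTokens: Validating id_token and access_token");
@@ -225,16 +230,11 @@ export class ResponseValidator {
 return this._validateIdToken(state, response);
 }
 
-if (response.code) {
-Log.debug("ResponseValidator._validateTokens: Validating code");
-return this._validateCode(state, response);
-}
-
-Log.debug("ResponseValidator._validateTokens: No id_token to validate");
+Log.debug("ResponseValidator._validateTokens: No code to process or id_token to validate");
 return Promise.resolve(response);
 }
 
-_validateCode(state, response) {
+_processCode(state, response) {
 var request = {
 client_id: state.client_id,
 code : response.code,
@@ -249,12 +249,13 @@ export class ResponseValidator {
 }
 
 if (response.id_token) {
-Log.debug("ResponseValidator._validateCode: token response successful, parsing id_token");
+Log.debug("ResponseValidator._processCode: token response successful, parsing id_token");
 var jwt = this._joseUtil.parseJwt(response.id_token);
 response.profile = jwt.payload;
+//return this._validateIdToken(state, response);
 }
 else {
-Log.debug("ResponseValidator._validateCode: token response successful, returning response");
+Log.debug("ResponseValidator._processCode: token response successful, returning response");
 }
 
 return response;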
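Review bot: In `_processCode` the id_token returned by the token endpoint is only parsed with `parseJwt` and its payload assigned to `response.profile`, and the new line 255 `//return this._validateIdToken(state, response);` leaves the validation step as commented-out code rather than either doing it or explaining its absence. Even when the id_token is obtained directly from the token endpoint, its issuer, audience, expiry and nonce (when one was sent in the request) still have to be checked against `state` before `jwt.payload` is trusted as the user's profile; if `_validateIdToken` (not visible in this diff) is unsuitable here, that reason belongs in a comment. Suggested replacement for line 255: `// TODO: check iss/aud/exp/nonce of the token-endpoint id_token against state before trusting jwt.payload as response.profile`, or re-enable the call. Note also that the first hunk makes `_validateTokens` return on `response.code` before the id_token/access_token branches, so any tokens that arrive alongside a code are silently ignored; a one-line comment there stating that hybrid responses are rejected upstream in `createSigninRequest` would make that intentional. `_processCode`'s request construction and token-endpoint call lie outside these hunks.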
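--- a/test/unit/OidcClient.spec.js
+++ b/test/unit/OidcClient.spec.js
@@ -20,7 +20,6 @@ import { StubStateStore } from './StubStateStore';
 import { StubResponseValidator } from './StubResponseValidator';
 
 import chai from 'chai';
-import { Z_NO_COMPRESSION } from 'zlib';
 chai.should();
 let assert = chai.assert;
 
@@ -197,6 +196,30 @@ describe("OidcClient", function () {
 });
 });
 
+it("should fail if hybrid code id_token requested", function (done) {
+var p = subject.createSigninRequest({response_type:"code id_token"});
+p.then(null, err => {
+err.message.should.contain("hybrid");
+done();
+});
+});
+
+it("should fail if hybrid code token requested", function (done) {
+var p = subject.createSigninRequest({response_type:"code token"});
+p.then(null, err => {
+err.message.should.contain("hybrid");
+done();
+});
+});
+
+it("should fail if hybrid code id_token token requested", function (done) {
+var p = subject.createSigninRequest({response_type:"code id_token token"});
+p.then(null, err => {
+err.message.should.contain("hybrid");
+done();
+});
+});
+
 it("should fail if metadata fails", function (done) {
 
 stubMetadataService.getAuthorizationEndpointResult = Promise.reject(new Error("test"));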
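Review bot: The three new tests call `done()` only from the rejection handler, so if `createSigninRequest` ever resolves for a hybrid `response_type` the test hangs until the framework timeout instead of failing with a clear message, and an assertion throwing inside the handler becomes an unhandled rejection with the same effect. Supplying a fulfilment handler that fails the test, `p.then(() => done(new Error("expected rejection")), err => {`, and ending the chain with `.catch(done)` makes both outcomes report properly. This applies equally to the `it` blocks at new lines 199, 207 and 215; since they differ only in the `response_type` string, iterating over `["code id_token", "code token", "code id_token token"]` would also remove the copy-paste.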