
filterProtocolClaims deletes properties required by the IdTokenClaims type


If filterProtocolClaims is set to true (the default), the properties iss, aud, exp and iat that are required by the IdTokenClaims type are deleted and undefined, thus breaking the defined types.

import { UserManager } from "oidc-client-ts";

const userManager = new UserManager({
  // ... other options omitted
  filterProtocolClaims: true, // defaults to true
  // ...
});
const user = await userManager.getUser();
if (!user) throw new Error("no user is signed in"); // getUser() returns User | null
const exp = user.profile.exp; // TypeScript says this is a number
console.log(typeof exp); // Should be "number" but is "undefined"

Relevant parts of the code

These properties are deleted from the response:
https://github.com/authts/oidc-client-ts/blob/bcfe363c685e8f243b43bc588ecba7495f88ffa9/src/ResponseValidator.ts#L26-L41
https://github.com/authts/oidc-client-ts/blob/bcfe363c685e8f243b43bc588ecba7495f88ffa9/src/ResponseValidator.ts#L225-L235

Some of which are mandatory here:
https://github.com/authts/oidc-client-ts/blob/bcfe363c685e8f243b43bc588ecba7495f88ffa9/src/Claims.ts#L109


2 reactions
Badisi commented, Dec 7, 2022

The userManager.getUser().profile property is of type UserProfile and is equal to IdTokenClaims: https://github.com/authts/oidc-client-ts/blob/bcfe363c685e8f243b43bc588ecba7495f88ffa9/src/User.ts#L11

IdTokenClaims requires iss, sub, aud, exp, iat to be mandatory as per the OIDC specs, and any other properties are optional: https://github.com/authts/oidc-client-ts/blob/bcfe363c685e8f243b43bc588ecba7495f88ffa9/src/Claims.ts#L103-L109

So I think those 5 should never be deleted no matter what (even to reduce storage space).


We could simply modify ProtocolClaims like this:

const ProtocolClaims = [
    // "iss", should never be excluded, it is required as per the OIDC specs
    // "sub", should never be excluded, we need access to it internally
    // "aud", should never be excluded, it is required as per the OIDC specs
    // "exp", should never be excluded, it is required as per the OIDC specs
    // "iat", should never be excluded, it is required as per the OIDC specs
    "nbf",
    "jti",
    "auth_time",
    "nonce",
    "acr",
    "amr",
    "azp",
    "at_hash", // https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
] as const;

But beyond that, I don’t like the idea that a user could be biased because of the filtering process (i.e. a user may receive an undefined property that is defined but was deleted). So if we want to keep it that way, we will also have to reduce the scope of UserProfile (something like UserProfile = Omit<IdTokenClaims, keyof ProtocolClaims>)

or… drop the filtering completely as suggested by @pamapa.
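An added example (not oidc-client-ts's own code) that carries the proposal above through in TypeScript: the reduced ProtocolClaims list, a filter that removes only those claims, a UserProfile type derived from the list's element type so the static type matches what survives at runtime, and a runtime check that the five required claims are present. The IdTokenClaims interface, the function names and the sample claims are assumptions constructed for this example.

```typescript
// Added example, not oidc-client-ts code: a simplified IdTokenClaims
// with the five claims OIDC Core requires and a few optional ones.
interface IdTokenClaims {
  iss: string;
  sub: string;
  aud: string | string[];
  exp: number;
  iat: number;
  nbf?: number;
  jti?: string;
  auth_time?: number;
  nonce?: string;
  acr?: string;
  amr?: string[];
  azp?: string;
  at_hash?: string;
  email?: string; // an ordinary (non-protocol) claim that must survive filtering
}

// Reduced list from the proposal: the five required claims are not in it.
const ProtocolClaims = [
  "nbf", "jti", "auth_time", "nonce", "acr", "amr", "azp", "at_hash",
] as const;
type ProtocolClaim = (typeof ProtocolClaims)[number];

// Derived from the list, so the static type tracks exactly what the filter keeps.
type UserProfile = Omit<IdTokenClaims, ProtocolClaim>;

function filterProtocolClaims(claims: IdTokenClaims): UserProfile {
  const profile: Record<string, unknown> = { ...claims };
  for (const name of ProtocolClaims) {
    delete profile[name]; // only the optional protocol claims are removed
  }
  return profile as UserProfile;
}

// Runtime check that the claims the type marks as required are actually present.
function hasRequiredClaims(profile: UserProfile): boolean {
  return typeof profile.iss === "string" && typeof profile.sub === "string" &&
    profile.aud !== undefined && typeof profile.exp === "number" &&
    typeof profile.iat === "number";
}

// exp stays a number, so arithmetic on it needs no defensive cast.
function secondsUntilExpiry(profile: UserProfile, nowSeconds: number): number {
  return profile.exp - nowSeconds;
}

// Constructed sample claims (not a real token).
const sampleClaims: IdTokenClaims = {
  iss: "https://issuer.example", sub: "user-123", aud: "client-abc",
  exp: 1700003600, iat: 1700000000, nonce: "n-0S6_WzA2Mj", at_hash: "x", email: "a@example.com",
};
```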

1 reaction
niklasholm commented, Dec 7, 2022

@brockallen @pamapa My use case is that I use them for informational/debugging purposes, for example printing the time of issue, which I can do just fine by disabling the filter, so it’s beside the point I’m trying to make. This issue is about the type being incorrect. If the properties are not guaranteed to be defined, they must be typed as optional, simple as that.
