OpenID Connect scope defaults being merged? #1878

Open
kenlfg opened this issue Aug 9, 2024 · 0 comments
kenlfg commented Aug 9, 2024

Version

module: 5.0.0-1667386184.dfbbb54
nuxt: 2.18.1

Nuxt configuration

mode:

  • [ X ] spa

Nuxt configuration

    sample: {
      scheme: 'openIDConnect',
      clientId: [CLIENT_ID],
      codeChallengeMethod: '',
      responseType: 'code',
      grantType: 'authorization_code',
      scope: ['openid', 'profile', 'email'],
      endpoints: {
        configuration: '[URL]'
      },
      redirectUri: `${host}/auth/[CUSTOM]`,
      user: {
        property: 'user',
        autoFetch: true
      }
    },

Reproduction

  • Set up an OIDC config (you could test this out with Google, for instance, which does not support the scope offline_access as it's an option you pass instead).
  • Call loginWith for the schema
  • Get an auth error because an invalid scope was passed.

What is expected?

When you specify the scope in your schema, that should override the defaults.

What is actually happening?

Whatever you're doing to initialize the configuration is merging the defaults (in your code) with the schema defaults I'm setting in the nuxt.config.js file. So if I specify a scope of ['openid', 'profile', 'email'], you will initialize with a scope of ['openid', 'profile', 'email', 'offline_access']. This seems to be true even if I explicitly pass in an array of scope values via the loginWith function's call options.

You have a workaround depicted in another issue where people can use a string instead of an array. This does override the array and replace it with the string specified in the nuxt.config.js, but it leads to a warning that the openid-configuration file is not valid and causes issues with the provider.

Steps to reproduce

  • Have an OIDC provider that does not support offline_access like Google.
  • Set your scope in nuxt.config.js in a strategy that's using the "openIDConnect" scheme.
  • Load up your Nuxt site and check the console. You'll get a warning about the openid-configuration being invalid.
  • Try calling loginWith with your strategy and get an error that the attempt was invalid because the scope doesn't match.

Additional information

The easiest fix is to remove any in-code defaults though that could be problematic depending on the use case. The better fix would be to not do an Array.reduce on the field (from what I read about defu, it does do a reduce for array options when merging).

I tested the first case by just editing the file in node_modules and removing "offline_access". Fixes my problem though it's a bad solution of course because not everyone will have the same scope as I do and doing a clean prune and install for a production build will reset it.

Checklist

  • [ x ] I have tested with the latest Nuxt version and the issue still occurs
  • [ x ] I have tested with the latest module version and the issue still occurs
  • [ x ] I have searched the issue tracker and this issue hasn't been reported yet
@kenlfg kenlfg added the bug label Aug 9, 2024
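
The merge behaviour reported above, as an added example that is not part of the original issue and is neither defu nor the auth module's code: one stand-in deep merge run with two array policies (union, as reported, and replace, as expected), plus a pre-redirect check of the effective scope against the provider's `scopes_supported`. `ASSUMED_DEFAULTS`, `mergeOptions`, `unsupportedScopes` and the sample discovery data are assumptions constructed for illustration. The check matters beyond the login error because in OpenID Connect `offline_access` asks for a refresh token, so a default leaking into the scope widens what the client requests.

```javascript
// Added example: stand-in helpers, not defu or the auth module's code.
// ASSUMED_DEFAULTS is an assumption chosen to match the behaviour reported above.
const ASSUMED_DEFAULTS = {
  responseType: 'code',
  scope: ['openid', 'profile', 'offline_access'],
  user: { autoFetch: true }
};

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deep merge in which user values win; arrayPolicy decides what happens
// when both sides hold an array under the same key.
function mergeOptions(user, defaults, arrayPolicy) {
  const out = { ...defaults };
  for (const [key, value] of Object.entries(user)) {
    if (value === undefined || value === null) continue; // keep the default
    if (key === '__proto__' || key === 'constructor') continue; // no prototype keys
    const def = defaults[key];
    if (Array.isArray(value) && Array.isArray(def)) {
      out[key] = arrayPolicy(value, def);
    } else if (isPlainObject(value) && isPlainObject(def)) {
      out[key] = mergeOptions(value, def, arrayPolicy);
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Reported behaviour: default entries leak into the configured array.
const unionArrays = (userArr, defArr) => [...new Set([...userArr, ...defArr])];
// Expected behaviour: a configured array replaces the default array.
const replaceArrays = (userArr) => [...userArr];

// Every requested scope must appear in the discovery document's scopes_supported.
function unsupportedScopes(requested, scopesSupported) {
  const allowed = new Set(scopesSupported);
  return requested.filter((s) => !allowed.has(s));
}

// Constructed sample input (not taken from a real provider response).
const userStrategy = { scope: ['openid', 'profile', 'email'], user: { property: 'user' } };
const discovery = { scopes_supported: ['openid', 'email', 'profile'] };

const merged = mergeOptions(userStrategy, ASSUMED_DEFAULTS, unionArrays);
const fixed = mergeOptions(userStrategy, ASSUMED_DEFAULTS, replaceArrays);
console.log(merged.scope, unsupportedScopes(merged.scope, discovery.scopes_supported));
console.log(fixed.scope, unsupportedScopes(fixed.scope, discovery.scopes_supported));
```

Only array-valued keys change between the two policies; scalar and nested-object defaults such as `responseType` and `user.autoFetch` are still inherited in both.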