
Enhancement: id_token with authorization code flow

Open · mati-o opened this issue 8 years ago · 1 comment

To my understanding, when using the Authorization Code flow with OIDC, besides generating an access_token and an optional refresh_token, it is mandatory to generate a JWT id_token.

The current exchange does not support that:

server.exchange(oauth2orize.exchange.code(function(client, code, redirectURI, done) {
  db.authorizationCodes.find(code, function(err, authCode) {
    if (err) { return done(err); }
    // reject codes issued to another client or bound to a different redirect URI
    if (client.id !== authCode.clientID) { return done(null, false); }
    if (redirectURI !== authCode.redirectURI) { return done(null, false); }

    // only an opaque access token is minted here; no id_token is produced
    var token = utils.uid(256);
    db.accessTokens.save(token, authCode.userID, authCode.clientID, function(err) {
      if (err) { return done(err); }
      done(null, token);
    });
  });
}));

https://github.com/gerges-beshay/oauth2orize-openid-examples/blob/master/oauth2.js#L173

I think it is required to modify two functions - the code grant, to save the scope with authorizationCodes, and the token callback to something like

var params;
// `scope` would have to be stored with the authorization code by the code grant
if (hasScope(scope, 'openid')) {
  params = {
    id_token: // JWT
  };
}

// oauth2orize passes the 4th argument through to the token response as extra fields
done(null, token, refreshToken, params);

If you are okay with my proposed solution I might be able to send a pull request

mati-o avatar Dec 27 '16 13:12 mati-o

Hi,

So @mati-o what did you do with this? Is there a full example of using oauth2orize-openid?

Also, with the authorization code flow one is not able to access the nonce param.

YannisMarios avatar Nov 11 '17 07:11 YannisMarios