refactor(token): ♻️ Improved token validation

Author: itpropro

.vscode/settings.json

@@ -16,5 +16,28 @@
   "typescript.format.enable": true,
   "typescript.preferences.quoteStyle": "single",
   "html.format.wrapAttributes": "force-expand-multiline",
-  "unocss.root": ["playground"]
+  "unocss.root": ["playground"],
+  "eslint.validate": [
+    "javascript",
+    "javascriptreact",
+    "typescript",
+    "typescriptreact",
+    "vue",
+    "html",
+    "markdown",
+    "json",
+    "jsonc",
+    "yaml",
+    "toml",
+    "xml",
+    "gql",
+    "graphql",
+    "astro",
+    "svelte",
+    "css",
+    "less",
+    "scss",
+    "pcss",
+    "postcss"
+  ]
 }

eslint.config.js

@@ -14,7 +14,7 @@ export default createConfigForNuxt({
 }).prepend(
   antfu(
     {
-      ignores: ['playground/', 'client/'],
+      ignores: ['client/'],
       unocss: false,
       markdown: false,
       rules: {

playground/nuxt.config.ts

@@ -73,7 +73,7 @@ export default defineNuxtConfig({
         logoutRedirectUri: 'https://google.com',
         baseUrl: '',
         exposeIdToken: true,
-      }
+      },
     },
     session: {
       expirationCheck: true,
@@ -103,7 +103,7 @@ export default defineNuxtConfig({
 
   unocss: {
     preflight: true,
-    configFile: 'uno.config.ts'
+    configFile: 'uno.config.ts',
   },
 
   devtools: { enabled: true },

playground/pages/auth/login.vue

@@ -2,7 +2,7 @@
 definePageMeta({
   layout: 'authentication',
 })
-const { currentProvider, login, user } = useOidcAuth()
+const { currentProvider, login } = useOidcAuth()
 const { providers } = useProviders(currentProvider.value as string)
 // use `@click="login(provider.name as any, { test: 'thiswillappearinentra', test2: 'thiswillbeignored' })"` for testing the logout params
 </script>

playground/server/plugins/session.ts

@@ -14,6 +14,7 @@ export default defineNitroPlugin(() => {
   })
 
   sessionHooks.hook('refresh', async (session) => {
+    // eslint-disable-next-line no-console
     console.log('Injecting "status" claim as test on refresh')
     if (!(Object.keys(session).length === 0)) {
       const claimToAdd = { status: 'Refresh' }

src/runtime/server/lib/oidc.ts

@@ -188,15 +188,16 @@ export function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
 
     // Validate tokens only if audience is matched
     const accessToken = parseJwtToken(tokenResponse.access_token, !!config.skipAccessTokenParsing)
-    if ([config.audience, config.clientId].some(audience => accessToken.aud?.includes(audience as string)) && (config.validateAccessToken || config.validateIdToken)) {
+    const idToken = tokenResponse.id_token ? parseJwtToken(tokenResponse.id_token) : undefined
+    if ([config.audience as string, config.clientId].some(audience => accessToken.aud?.includes(audience) || idToken?.aud?.includes(audience)) && (config.validateAccessToken || config.validateIdToken)) {
       // Get OIDC configuration
       const openIdConfiguration = (config.openIdConfiguration && typeof config.openIdConfiguration === 'object') ? config.openIdConfiguration : typeof config.openIdConfiguration === 'string' ? await ofetch(config.openIdConfiguration) : await (config.openIdConfiguration!)(config)
-      const validationOptions = { jwksUri: openIdConfiguration.jwks_uri as string, issuer: openIdConfiguration.issuer as string }
+      const validationOptions = { jwksUri: openIdConfiguration.jwks_uri as string, issuer: openIdConfiguration.issuer as string, ...config.audience && { audience: config.audience } }
 
       tokens = {
         accessToken: config.validateAccessToken ? await validateToken(tokenResponse.access_token, validationOptions) : accessToken,
         ...tokenResponse.refresh_token && { refreshToken: tokenResponse.refresh_token },
-        ...tokenResponse.id_token && { idToken: config.validateIdToken ? await validateToken(tokenResponse.id_token, { jwksUri: openIdConfiguration.jwks_uri as string, issuer: openIdConfiguration.issuer as string }) : parseJwtToken(tokenResponse.id_token) },
+        ...tokenResponse.id_token && { idToken: config.validateIdToken ? await validateToken(tokenResponse.id_token, validationOptions) : parseJwtToken(tokenResponse.id_token) },
       }
     }
     else {
@@ -213,7 +214,7 @@ export function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
       canRefresh: !!tokens.refreshToken,
       loggedInAt: timestamp,
       updatedAt: timestamp,
-      expireAt: accessToken.exp || timestamp + useRuntimeConfig().oidc.session.maxAge!,
+      expireAt: tokens.accessToken.exp || timestamp + useRuntimeConfig().oidc.session.maxAge!,
       provider,
     }
 

src/runtime/server/utils/oidc.ts

@@ -67,7 +67,7 @@ export async function refreshAccessToken(refreshToken: string, config: OidcProvi
   const user: Omit<UserSession, 'provider'> = {
     canRefresh: !!tokens.refreshToken,
     updatedAt: Math.trunc(Date.now() / 1000), // Use seconds instead of milliseconds to align wih JWT
-    expireAt: parseJwtToken(tokenResponse.access_token).exp || Math.trunc(Date.now() / 1000) + 3600, // Fallback 60 min
+    expireAt: parseJwtToken(tokenResponse.access_token, !!config.skipAccessTokenParsing)?.exp || Math.trunc(Date.now() / 1000) + 3600, // Fallback 60 min
   }
 
   // Update optional claims

src/runtime/server/utils/session.ts

@@ -85,7 +85,7 @@ export async function refreshUserSession(event: H3Event) {
   const { user, tokens, expiresIn } = tokenRefreshResponse!
 
   // Replace the session storage
-  const accessToken = parseJwtToken(tokens.accessToken, providerPresets[provider].skipAccessTokenParsing)
+  const accessToken = parseJwtToken(tokens.accessToken, !!config.skipAccessTokenParsing)
 
   const updatedPersistentSession: PersistentSession = {
     exp: accessToken.exp || Math.trunc(Date.now() / 1000) + Number.parseInt(expiresIn),