feat(validation): ✨ Improved aud field handling in validation process

Author: itpropro

playground/nuxt.config.ts

@@ -35,6 +35,7 @@ export default defineNuxtConfig({
         allowedClientAuthParameters: [
           'test',
         ],
+        validateAccessToken: true,
       },
       auth0: {
         audience: 'test-api-oidc',

src/runtime/server/lib/oidc.ts

@@ -177,7 +177,7 @@ export function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
         return sendRedirect(
           event,
           consentUrl,
-          200,
+          302,
         )
       }
       return oidcErrorHandler(event, 'Token request failed')
@@ -192,15 +192,20 @@ export function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
     if ([config.audience as string, config.clientId].some(audience => accessToken.aud?.includes(audience) || idToken?.aud?.includes(audience)) && (config.validateAccessToken || config.validateIdToken)) {
       // Get OIDC configuration
       const openIdConfiguration = (config.openIdConfiguration && typeof config.openIdConfiguration === 'object') ? config.openIdConfiguration : typeof config.openIdConfiguration === 'string' ? await ofetch(config.openIdConfiguration) : await (config.openIdConfiguration!)(config)
-      const validationOptions = { jwksUri: openIdConfiguration.jwks_uri as string, issuer: openIdConfiguration.issuer as string, ...config.audience && { audience: config.audience } }
-
-      tokens = {
-        accessToken: config.validateAccessToken ? await validateToken(tokenResponse.access_token, validationOptions) : accessToken,
-        ...tokenResponse.refresh_token && { refreshToken: tokenResponse.refresh_token },
-        ...tokenResponse.id_token && { idToken: config.validateIdToken ? await validateToken(tokenResponse.id_token, validationOptions) : parseJwtToken(tokenResponse.id_token) },
+      const validationOptions = { jwksUri: openIdConfiguration.jwks_uri as string, issuer: openIdConfiguration.issuer as string, ...config.audience && { audience: [config.audience, config.clientId] } }
+      try {
+        tokens = {
+          accessToken: config.validateAccessToken ? await validateToken(tokenResponse.access_token, validationOptions) : accessToken,
+          ...tokenResponse.refresh_token && { refreshToken: tokenResponse.refresh_token },
+          ...tokenResponse.id_token && { idToken: config.validateIdToken ? await validateToken(tokenResponse.id_token, validationOptions) : parseJwtToken(tokenResponse.id_token) },
+        }
+      }
+      catch (error) {
+        return oidcErrorHandler(event, `[${provider}] Token validation failed: ${error}`)
       }
     }
     else {
+      logger.info('Skipped token validation')
       tokens = {
         accessToken,
         ...tokenResponse.refresh_token && { refreshToken: tokenResponse.refresh_token },
@@ -278,7 +283,7 @@ export function logoutEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
       const logoutRedirectUri = logoutParams.logoutRedirectUri || config.logoutRedirectUri
 
       // Set logout_hint and id_token_hint dynamic parameters if specified. According to https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
-      const additionalLogoutParameters: Record<string, string> = config.additionalLogoutParameters || {}
+      const additionalLogoutParameters: Record<string, string> = config.additionalLogoutParameters ? { ...config.additionalLogoutParameters } : {}
       if (config.additionalLogoutParameters) {
         const userSession = await getUserSession(event)
         Object.keys(config.additionalLogoutParameters).forEach((key) => {

src/runtime/server/utils/oidc.ts

@@ -3,12 +3,13 @@ import type { RefreshTokenRequest, TokenRequest, TokenRespose, UserSession } fro
 import type { OidcProviderConfig } from './provider'
 import { createConsola } from 'consola'
 import { createDefu } from 'defu'
-import { createError } from 'h3'
+import { sendRedirect } from 'h3'
 import { ofetch } from 'ofetch'
 import { snakeCase } from 'scule'
 import { normalizeURL } from 'ufo'
 import { textToBase64 } from 'undio'
 import { parseJwtToken } from './security'
+import { clearUserSession } from './session'
 
 export function useOidcLogger() {
   return createConsola().withDefaults({ tag: 'nuxt-oidc-auth', message: '[nuxt-oidc-auth]:' })
@@ -23,6 +24,7 @@ export const configMerger = createDefu((obj, key, value) => {
 })
 
 export async function refreshAccessToken(refreshToken: string, config: OidcProviderConfig) {
+  const logger = useOidcLogger()
   // Construct request header object
   const headers: HeadersInit = {}
 
@@ -77,6 +79,8 @@ export async function refreshAccessToken(refreshToken: string, config: OidcProvi
     config.optionalClaims.forEach(claim => parsedIdToken[claim] && ((user.claims as Record<string, unknown>)[claim] = (parsedIdToken[claim])))
   }
 
+  logger.info('Successfully refreshed token')
+
   return {
     user,
     tokens,
@@ -123,8 +127,12 @@ export function convertObjectToSnakeCase(object: Record<string, any>) {
 }
 
 export function oidcErrorHandler(event: H3Event, errorText: string, errorCode: number = 500) {
-  throw createError({
-    statusCode: errorCode,
-    message: errorText,
-  })
+  const logger = useOidcLogger()
+  clearUserSession(event, true)
+  logger.error(errorText, 'code:', errorCode)
+  return sendRedirect(
+    event,
+    '/',
+    302,
+  )
 }

src/runtime/server/utils/session.ts

@@ -44,11 +44,12 @@ export async function setUserSession(event: H3Event, data: UserSession) {
   return session.data
 }
 
-export async function clearUserSession(event: H3Event) {
+export async function clearUserSession(event: H3Event, skipHook: boolean = false) {
   const session = await _useSession(event)
   await useStorage('oidc').removeItem(session.id as string)
 
-  await sessionHooks.callHookParallel('clear', event)
+  if (!skipHook)
+    await sessionHooks.callHookParallel('clear', event)
 
   await session.clear()
   deleteCookie(event, sessionName)
@@ -149,7 +150,6 @@ export async function getUserSession(event: H3Event) {
       // Automatic token refresh
       if (providerSessionConfigs[provider].automaticRefresh) {
         await refreshUserSession(event)
-        logger.info('Successfully refreshed token')
         return userSession
       }
       await clearUserSession(event)