Am I using customFetch wrong?

[Orange-Rabbit]

Hi!

I think this is the right place for my question :)

Our Identity Provider is the Oracle Access Manager and it requires a custom header "x-oauth-identity-domain-name" set in any requests to that server.

To do this of course I want to use the customFetch option that openid-client offers.

So what I do is:

1. Get a Configuration through autodiscovery

const autodiscoveredConfig = await openIdClient.discovery(
    new URL(issuerUrl),
    clientConfig.clientId,
    {
      client_secret: clientConfig.clientSecret,
    },
    openIdClient.ClientSecretPost(clientConfig.clientSecret),
    {
      // Custom fetch is required for OAM. OAM Requires a non-standard defined header in its request to differentiate the domains.
      [openIdClient.customFetch]: buildCustomFetch(logger, clientConfig)
    }
  )

function buildCustomFetch(logger, clientConfig) {
  return (url, options) => {
    options.headers['x-oauth-identity-domain-name'] = clientConfig.domain
    console.log('###################################################################################')
    logger.debug(`Running custom fetch for OpenID Configuration (${clientConfig.issuer}) -> Url: ${url} | Options: ${JSON.stringify(options)} | Body: ${(options.body ?? 'No Body').toString()}`)
    console.log('###################################################################################')
    return undici.fetch(url, options)
  }
}

When the autodiscovery runs, it prints the expected log Running custom fetch for .... 👍

Next, I do the call and redirect and now want to make the Call to the token endpoint to get the tokens:
(**Note: ** the openIdClientConfig below is the autodiscoveredConfig from above)

const tokens = await openIdClient.authorizationCodeGrant(
  openidClientConfig,
  currentURL,
  {
    pkceCodeVerifier: codeVerifier,
    expectedState: state,
  },
)

But now, there are no logs from the customFetch that I set before, which makes the request fail 👎

Am I setting the customFetch wrong? Am I misunderstanding how it is applied?

I am grateful for any help!

[Orange-Rabbit]

Oh yah, I am using node 22.14.0, and openid-client is installed at 6.6.2

[Orange-Rabbit]

FYI:

When doing a client credentials request, the custom Fetch runs as usual:

  const tokens = await openIdClient.clientCredentialsGrant(config.openidClientConfig, {
    scope: config.scopes.join(' '),
  })

logs:

14:31:31 🐛 There is no token currently. Starting Refresh!
###################################################################################
14:31:31 🐛 Running custom fetch for OpenID Configuration (https://oam-e01.exa.bamf.in.bund.de/oauth2) -> Url: https://<redacted>/oauth2/rest/token | Options: {"body":{},"headers":{"accept":"application/json","content-type":"application/x-www-form-urlencoded;charset=UTF-8","user-agent":"openid-client/v6.6.2","x-oauth-identity-domain-name":"<redacted>"},"method":"POST","redirect":"manual"} | Body: scope=openid&grant_type=client_credentials&client_id=machine-client&client_secret=<redacted>
###################################################################################
14:31:31 🐛 Received new Token that expires in 1800 seconds.

[panva]

I can't see a flaw

import * as client from "openid-client";

const issuer = new URL("https://op.panva.cz");

{
  let i = 0;
  const customFetch = (url, options) => {
    i++;
    console.debug(`Running custom fetch -> Url: ${url}`);
    return fetch(url, options);
  };

  const config = await client.discovery(issuer, "foo", undefined, undefined, {
    [client.customFetch]: customFetch,
  });

  await client
    .authorizationCodeGrant(
      config,
      new URL("https://rp.example.com/cb?code=foo&iss=https://op.panva.cz")
    )
    .catch(() => {
      /* no op */
    });

  console.log(i);
}

{
  let i = 0;
  const customFetch = (url, options) => {
    i++;
    console.debug(`Running custom fetch -> Url: ${url}`);
    return fetch(url, options);
  };

  const config = await client.discovery(issuer, "foo", undefined, undefined, {
    [client.customFetch]: customFetch,
  });

  await client.clientCredentialsGrant(config).catch(() => {
    /* no op */
  });

  console.log(i);
}

Running custom fetch -> Url: https://op.panva.cz/.well-known/openid-configuration
Running custom fetch -> Url: https://op.panva.cz/token
2
Running custom fetch -> Url: https://op.panva.cz/.well-known/openid-configuration
Running custom fetch -> Url: https://op.panva.cz/token
2

[Orange-Rabbit]

I agree your code snippet works with our issuer.

But at least that means that conceptually I understood it correctly.
I'll need to dive in and see if maybe the client-configuration gets swapped/changed? At least thats my only idea.

Thanks for this snippet!