DependencyTrack / frontend

Frontend UI for Dependency-Track
https://dependencytrack.org/
Apache License 2.0

Find a replacement for `oidc-client-js` #215

Open nscuro opened 2 years ago

nscuro commented 2 years ago

Current Behavior:

The OIDC client library oidc-client-js we currently use has been unmaintained and archived for a while now (https://github.com/IdentityModel/oidc-client-js/issues/1391). We need to find a replacement for it that is still maintained.

Proposed Behavior:

Migrate to the TypeScript-focused fork oidc-client-ts. It is largely compatible with oidc-client-js and will not require major refactoring.

The only drawback that will have user impact: it doesn't support the implicit flow anymore. AFAICT, this will bite users who use Google Identity, as Google doesn't support "public" OIDC clients for the authorization code flow.

DoPaNik commented 9 months ago

I wanted to ask about the current status of the OIDC client library replacement issue. Are there any plans to migrate?

As oidc-client-js is no longer maintained, vulnerabilities have also occurred in version 1.11.5 or have never been closed. It appears that the project is still using YUI 2.9.0, which has three known vulnerabilities.

CVE-2012-5881 CVE-2012-5882 CVE-2012-5883

These vulnerabilities are related to the jsrsasign dependency.

I noticed that a fix was implemented in 1.11.6.beta, but it doesn't seem to have made it into a stable release.

elliotsegler commented 9 months ago

I agree, it'd be good to get that resolved, but for anyone else hunting to see what the impact is, I've done some digging.

jsrsasign uses a very small part of YUI, just the object inheritance class definition. https://github.com/kjur/jsrsasign/issues/434

Given that the affected .swf files aren't packaged anywhere in the dependency tree, I don't think those specific CVEs would be an issue.

nscuro commented 3 months ago

The blocking factor for a migration to oidc-client-ts is still its abandonment of the implicit grant, which, as stated in the original issue description, is required for at least Google Identity. Potentially others as well.