authts / oidc-client-ts

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
https://authts.github.io/oidc-client-ts/
Apache License 2.0

Invalid scopes #1449

Open BrunoM24 opened 8 months ago

BrunoM24 commented 8 months ago

I'm getting an error saying that the scopes are invalid, but I think the problem is the encoding.

UserManager:

```ts
const userManager = new UserManager({
    client_id: import.meta.env.VITE_CLIENT_ID,
    authority: import.meta.env.VITE__AUTH,
    redirect_uri: import.meta.env.VITE_REDIRECT_URL,
    scope: 'openid profile email',
    response_type: 'code',
    userStore: new WebStorageStateStore({ store: localStorage })
})
```

Params sent on the request:

```
client_id: xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
redirect_uri: https://xxxxxx.xxx/login-completed
response_type: code
scope: openid profile email
state: ac2551245239411dbb6c6de77d7f14df
code_challenge: tcXobU0N1tYsUeCTojFfWSr1oXVEKlP52yAxV4lmxVw
code_challenge_method: S256
```

The request sent by the lib:

https://xxxxxxxxxxx.xx/affwebservices/CASSO/oidc/xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/authorize?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx&redirect_uri=https%3A%2F%2Fxxxxxxx.xx%2Flogin-completed&response_type=code&scope=openid+profile+email&state=ac2551245239411dbb6c6de77d7f14df&code_challenge=tcXobU0N1tYsUeCTojFfWSr1oXVEKlP52yAxV4lmxVw&code_challenge_method=S256

The scopes are being sent like "scope=openid+profile+email".

I think the spaces should have been replaced by "%20" instead of "+".

pamapa commented 7 months ago

The affected code is here: https://github.com/authts/oidc-client-ts/blob/81959b17a5938a135c589c59e2d70efc75eb9349/src/SigninRequest.ts#L113-L119

Using the official URL class. So I do not think this is wrong. And this is working with a lot of IdPs already. What kind of IdP are you using?

A space can be encoded with a plus (+) sign or with %20.
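An added example (not code from oidc-client-ts or from either commenter) showing the two encodings side by side: a `URL`/`URLSearchParams`-based request builder, which is assumed here to mirror the linked code, serialises the space as `+`; `URLSearchParams` decodes both `+` and `%20` back to a space; and a hand-rolled query parser that only calls `decodeURIComponent` does not, which is the kind of server-side mismatch that makes `openid+profile+email` look like one unknown scope. The authority, client_id and redirect_uri values are constructed placeholders.

```javascript
// Added example, not oidc-client-ts code. The authority, client_id and
// redirect_uri below are constructed placeholders.

// Build the authorization request with URL + URLSearchParams (assumed to
// mirror the linked SigninRequest code). URLSearchParams serialises with
// application/x-www-form-urlencoded rules, so a space becomes "+".
function buildAuthorizeUrl(authority, params) {
  const base = authority.endsWith("/") ? authority : authority + "/";
  const url = new URL("authorize", base);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.href;
}

// Correct decoding: URLSearchParams applies the same form-urlencoded rules
// in reverse, so both "+" and "%20" come back as a space.
function scopesFromUrl(href) {
  const scope = new URL(href).searchParams.get("scope") ?? "";
  return scope.split(" ").filter(Boolean);
}

// The failure mode behind this issue: splitting the raw query by hand and
// running only decodeURIComponent never turns "+" back into a space, so
// "openid+profile+email" survives as a single token.
function naiveScopesFromUrl(href) {
  const rawQuery = href.split("?")[1] ?? "";
  const pair = rawQuery.split("&").find((p) => p.startsWith("scope="));
  const raw = pair ? pair.slice("scope=".length) : "";
  return decodeURIComponent(raw).split(" ").filter(Boolean);
}

const AUTHORITY = "https://idp.example/oidc"; // constructed placeholder
const href = buildAuthorizeUrl(AUTHORITY, {
  client_id: "client-id-placeholder",
  redirect_uri: "https://rp.example/login-completed",
  response_type: "code",
  scope: "openid profile email",
});

console.log(href);                      // ...&scope=openid+profile+email
console.log(scopesFromUrl(href));       // [ 'openid', 'profile', 'email' ]
console.log(naiveScopesFromUrl(href));  // [ 'openid+profile+email' ]
```

The same `scopesFromUrl` call on a `%20`-encoded URL yields the same three scopes, so an IdP that decodes query values with form-urlencoded rules accepts both forms.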