badgateway / oauth2-client

OAuth2 client for Node and browsers
https://www.npmjs.com/package/@badgateway/oauth2-client
MIT License
269 stars 31 forks

Wrong authentication endpoint with discoveryEndpoint used #137

Closed Daenara closed 1 month ago

Daenara commented 6 months ago

Hello, I am trying to get OIDC to work using just the discovery endpoint. I did point it to the `.well-known/openid-configuration` URL and checked that the correct endpoints are configured there. When I use `this.client.getEndpoint('authorizationEndpoint')` it gets me the default configured `/authorize` instead of what is configured in the `.well-known`. My best guess is that this happens because `authorizationEndpoint` has a default value, so that one is returned before the code actually checking the `discoveryEndpoint`. This should not happen because if I give it a `discoveryEndpoint`, I expect it to be used over default values.

https://github.com/badgateway/oauth2-client/blob/7ce4f29a1c3bfc1547df3326f67a07aeed48ec05/src/client.ts#L283-L295

evert commented 1 month ago

Hi! Sorry I missed this.

settings[endpoint] will not be set unless you set it. Likewise, the discovery endpoint will only be checked if you didn't already specify an authorization endpoint yourself.

So to make sure discovery works, don't pass an endpoint during setup. If my interpretation of your issue is wrong, please share how you've constructed the client so we can dig a bit deeper!
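Added example, not part of the thread and not the library's own code: a simplified model of the lookup order discussed above (a value passed at setup, then the discovery document, then the default path), returning which source supplied the URL so a misrouted authorization request is easy to spot. The function name `resolveEndpoint`, the `/token` default, and the `idp.example` discovery document are assumptions constructed for illustration.

```javascript
// Added illustration: a simplified model of the lookup order described in
// this thread. It is not the code from src/client.ts.

// Client setting name -> key in the OpenID Connect discovery document.
const METADATA_KEYS = {
  authorizationEndpoint: 'authorization_endpoint',
  tokenEndpoint: 'token_endpoint',
};

// Fallback paths. '/authorize' is the default named in the issue;
// '/token' is an assumption made for this example.
const DEFAULT_PATHS = {
  authorizationEndpoint: '/authorize',
  tokenEndpoint: '/token',
};

function resolveEndpoint(settings, discoveryDoc, name) {
  if (!(name in DEFAULT_PATHS)) throw new Error(`Unknown endpoint: ${name}`);
  const absolute = (value) => new URL(value, settings.server).toString();

  // 1. A value passed at setup wins; discovery is not consulted for it.
  if (settings[name] !== undefined) {
    return { url: absolute(settings[name]), source: 'settings' };
  }
  // 2. Otherwise use the discovery document, if it advertises the endpoint.
  const advertised = discoveryDoc ? discoveryDoc[METADATA_KEYS[name]] : undefined;
  if (typeof advertised === 'string' && advertised !== '') {
    return { url: absolute(advertised), source: 'discovery' };
  }
  // 3. Last resort: the default path, relative to the server.
  return { url: absolute(DEFAULT_PATHS[name]), source: 'default' };
}

// Constructed sample data (hypothetical identity provider).
const server = 'https://idp.example/';
const discoveryDoc = {
  authorization_endpoint: 'https://idp.example/realms/demo/protocol/openid-connect/auth',
  token_endpoint: 'https://idp.example/realms/demo/protocol/openid-connect/token',
};

const viaDiscovery = resolveEndpoint({ server }, discoveryDoc, 'authorizationEndpoint');
const overridden = resolveEndpoint(
  { server, authorizationEndpoint: '/authorize' }, discoveryDoc, 'authorizationEndpoint');
const noDiscovery = resolveEndpoint({ server }, null, 'authorizationEndpoint');
console.log(viaDiscovery, overridden, noDiscovery);
```

Logging the `source` alongside the URL at client setup makes it visible when a leftover explicit setting is shadowing the provider's advertised endpoint.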