logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0
7.79k stars 383 forks

feat(core): handle oidc scopes for token exchange #6147

Closed wangsijie closed 4 days ago

wangsijie commented 6 days ago

Summary

In the token exchange grant: filter out non-OIDC scopes when `resource` is not present (the audience is the OP).

In other grant type flows, this is done by the Grant class. But there is no Grant instance in token exchange, so we have to do it manually. The oidcScopes list comes from oidc.provider, so the SSOT is ensured. https://github.com/panva/node-oidc-provider/blob/0c569cf5c36dd5faa105fb931a43b2e587530def/lib/helpers/oidc_context.js#L159

Testing

Integration tests.

Checklist
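The scope rule described in the summary, as an added example that is not Logto's or node-oidc-provider's code: a hypothetical `resolveTokenExchangeScopes` that keeps only OIDC scopes when no `resource` indicator is present (the token's audience is the OP) and passes the requested scopes through unchanged when one is. The `oidcScopes` list is a constructed sample standing in for the list the provider exposes.

```typescript
// Constructed sample of the provider's OIDC scope list (assumption, not the
// real value read from oidc.provider).
const oidcScopes: readonly string[] = ['openid', 'offline_access', 'profile', 'email', 'phone', 'address'];

interface TokenExchangeRequest {
  scope?: string; // space-separated, as in an RFC 8693 token exchange request
  resource?: string; // RFC 8707 resource indicator; absent means the audience is the OP
}

interface ScopeDecision {
  audienceIsOp: boolean; // true when no resource was requested
  granted: string[]; // scopes that survive the check
  dropped: string[]; // non-OIDC scopes discarded because the audience is the OP
}

// Hypothetical helper: without a resource, an API scope has no audience it
// could apply to, so it is removed rather than minted into an OP-audience
// token. With a resource, scopes are returned as requested; resource-specific
// validation is a separate step not shown here.
function resolveTokenExchangeScopes(
  request: TokenExchangeRequest,
  known: readonly string[] = oidcScopes,
): ScopeDecision {
  const requested = (request.scope ?? '').split(' ').filter((s) => s.length > 0);
  const unique = Array.from(new Set(requested)); // drop duplicates, keep order
  if (request.resource) {
    return { audienceIsOp: false, granted: unique, dropped: [] };
  }
  const knownSet = new Set(known);
  return {
    audienceIsOp: true,
    granted: unique.filter((s) => knownSet.has(s)),
    dropped: unique.filter((s) => !knownSet.has(s)),
  };
}

// Usage with constructed inputs: the first request has no resource, so the
// API scope `read:users` is dropped; the second names a resource, so it stays.
const opAudience = resolveTokenExchangeScopes({ scope: 'openid profile read:users openid' });
const apiAudience = resolveTokenExchangeScopes({
  scope: 'openid read:users',
  resource: 'https://api.example.com',
});
```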

github-actions[bot] commented 6 days ago

COMPARE TO master

Total Size Diff :chart_with_upwards_trend: +1.18 KB

Diff by File

|Name|Diff|
|---|---|
|packages/core/src/oidc/grants/token-exchange.ts|:chart_with_upwards_trend: +386 Bytes|
|packages/integration-tests/src/tests/api/oidc/token-exchange.test.ts|:chart_with_upwards_trend: +824 Bytes|