Can't authenticate when the server advertises authorization_response_iss_parameter_supported

[protoism]

Describe the bug

Exception when trying to authenticate with a simple Keycloak server

To Reproduce

A bit complicate.. We're using boxyhq's saml-jackson library...

Steps to reproduce the behaviour:

• Keycloak server (podman run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycl oak/keycloak:23.0.3 start-dev)
• Configure the server
• Add a OIDC connection with autodiscovery URL (something like http://localhost:8080/realms/master/.well-known/openid-configuration)
• Login with OIDC

Expected behaviour No exception

Environment: Node 20

Additional context

• [x] the bug is happening on latest openid-client too.
• [x] i have searched the issues tracker on github for similar issues and couldn't find anything related.

While there might be some problem in saml-jackson, I wonder if this code in lib/client.js is correct:

    } else if (
      this.issuer.authorization_response_iss_parameter_supported &&
      !('id_token' in params) &&
      !('response' in parameters)
    ) {
      throw new RPError({
        message: 'iss missing from the response',
        params,
      });

Is checking for 'id_token' the right thing to do?

[panva]

Yes it is the right thing to do. When authorization_response_iss_parameter_supported is advertised and there's no ID Token or JARM response the server is supposed to return an iss parameter.

[protoism]

I read the code better, and you're absolutely right. Thanks... the issue is simply on saml-jackson, then, which is filtering out 'iss'