diff --git a/examples/oauth.ts b/examples/oidc.ts index d55e62d..b0331db 100644 --- a/examples/oauth.ts +++ b/examples/oidc.ts @@ -33,7 +33,7 @@ const code_challenge_method = 'S256' */ const code_verifier = oauth.generateRandomCodeVerifier() const code_challenge = await oauth.calculatePKCECodeChallenge(code_verifier) -let state: string | undefined +let nonce: string | undefined { // redirect user to as.authorization_endpoint @@ -41,17 +41,17 @@ let state: string | undefined authorizationUrl.searchParams.set('client_id', client.client_id) authorizationUrl.searchParams.set('redirect_uri', redirect_uri) authorizationUrl.searchParams.set('response_type', 'code') - authorizationUrl.searchParams.set('scope', 'api:read') + authorizationUrl.searchParams.set('scope', 'openid email') authorizationUrl.searchParams.set('code_challenge', code_challenge) authorizationUrl.searchParams.set('code_challenge_method', code_challenge_method) /** - * We cannot be sure the AS supports PKCE so we're going to use state too. Use of PKCE is + * We cannot be sure the AS supports PKCE so we're going to use nonce too. Use of PKCE is * backwards compatible even if the AS doesn't support it which is why we're using it regardless. */ if (as.code_challenge_methods_supported?.includes('S256') !== true) { - state = oauth.generateRandomState() - authorizationUrl.searchParams.set('state', state) + nonce = oauth.generateRandomNonce() + authorizationUrl.searchParams.set('nonce', nonce) } // now redirect the user to authorizationUrl.href @@ -59,10 +59,11 @@ let state: string | undefined // one eternity later, the user lands back on the redirect_uri // Authorization Code Grant Request & Response +let sub: string let access_token: string { const currentUrl: URL = getCurrentUrl() - const params = oauth.validateAuthResponse(as, client, currentUrl, state) + const params = oauth.validateAuthResponse(as, client, currentUrl) const response = await oauth.authorizationCodeGrantRequest( as, @@ -73,19 +74,22 @@ let access_token: string code_verifier, ) - const result = await oauth.processAuthorizationCodeResponse(as, client, response) + const result = await oauth.processAuthorizationCodeResponse(as, client, response, { + expectedNonce: nonce, + requireIdToken: true, + }) console.log('Access Token Response', result) ;({ access_token } = result) + const claims = oauth.getValidatedIdTokenClaims(result)! + console.log('ID Token Claims', claims) + ;({ sub } = claims) } -// Protected Resource Request +// UserInfo Request { - const response = await oauth.protectedResourceRequest( - access_token, - 'GET', - new URL('https://rs.example.com/api'), - ) + const response = await oauth.userInfoRequest(as, client, access_token) - console.log('Protected Resource Response', await response.json()) + const result = await oauth.processUserInfoResponse(as, client, sub, response) + console.log('UserInfo Response', result) }