Skip to content

Access Token Exposure Control #1979

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Mar 28, 2025
Merged

Access Token Exposure Control #1979

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
41101dc
add AT exposure control flag to Auth0Client constructor
tusharpandey13 Mar 19, 2025
0ea7fdd
Merge branch 'main' into feature/AT-exposure-control
tusharpandey13 Mar 28, 2025
df10f75
Merge branch 'main' into feature/AT-exposure-control
tusharpandey13 Mar 28, 2025
8456851
Merge branch 'main' into feature/AT-exposure-control
tusharpandey13 Mar 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 64 additions & 1 deletion src/server/auth-client.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -324,7 +324,7 @@ ca/T0LLtgmbMmxSv/MmzIg==
expect(authClient.handleProfile).toHaveBeenCalled();
});

it("should call the access token handler if the path is /auth/access-token", async () => {
it("should call the handleAccessToken method if the path is /auth/access-token and enableAccessTokenEndpoint is true", async () => {
const secret = await generateSecret(32);
const transactionStore = new TransactionStore({
secret
Expand All @@ -342,6 +342,69 @@ ca/T0LLtgmbMmxSv/MmzIg==

secret,
appBaseUrl: DEFAULT.appBaseUrl,
enableAccessTokenEndpoint: true,

fetch: getMockAuthorizationServer()
});
const request = new NextRequest("https://example.com/auth/access-token", {
method: "GET"
});
authClient.handleAccessToken = vi.fn();
await authClient.handler(request);
expect(authClient.handleAccessToken).toHaveBeenCalled();
});

it("should not call the handleAccessToken method if the path is /auth/access-token but enableAccessTokenEndpoint is false", async () => {
const secret = await generateSecret(32);
const transactionStore = new TransactionStore({
secret
});
const sessionStore = new StatelessSessionStore({
secret
});
const authClient = new AuthClient({
transactionStore,
sessionStore,

domain: DEFAULT.domain,
clientId: DEFAULT.clientId,
clientSecret: DEFAULT.clientSecret,

secret,
appBaseUrl: DEFAULT.appBaseUrl,
enableAccessTokenEndpoint: false,

fetch: getMockAuthorizationServer()
});
const request = new NextRequest("https://example.com/auth/access-token", {
method: "GET"
});
authClient.handleAccessToken = vi.fn();
const response = await authClient.handler(request);
expect(authClient.handleAccessToken).not.toHaveBeenCalled();
// When a route doesn't match, the handler returns a NextResponse.next() with status 200
expect(response.status).toBe(200);
});

it("should use the default value (true) for enableAccessTokenEndpoint when not explicitly provided", async () => {
const secret = await generateSecret(32);
const transactionStore = new TransactionStore({
secret
});
const sessionStore = new StatelessSessionStore({
secret
});
const authClient = new AuthClient({
transactionStore,
sessionStore,

domain: DEFAULT.domain,
clientId: DEFAULT.clientId,
clientSecret: DEFAULT.clientSecret,

secret,
appBaseUrl: DEFAULT.appBaseUrl,
// enableAccessTokenEndpoint not specified, should default to true

fetch: getMockAuthorizationServer()
});
Expand Down
8 changes: 7 additions & 1 deletion src/server/auth-client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ export interface AuthClientOptions {
allowInsecureRequests?: boolean;
httpTimeout?: number;
enableTelemetry?: boolean;
enableAccessTokenEndpoint?: boolean;
}

function createRouteUrl(url: string, base: string) {
Expand Down Expand Up @@ -133,6 +134,8 @@ export class AuthClient {

private authorizationServerMetadata?: oauth.AuthorizationServer;

private readonly enableAccessTokenEndpoint: boolean;

constructor(options: AuthClientOptions) {
// dependencies
this.fetch = options.fetch || fetch;
Expand Down Expand Up @@ -219,6 +222,8 @@ export class AuthClient {
process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE || "/auth/access-token",
...options.routes
};

this.enableAccessTokenEndpoint = options.enableAccessTokenEndpoint ?? true;
}

async handler(req: NextRequest): Promise<NextResponse> {
Expand All @@ -236,7 +241,8 @@ export class AuthClient {
return this.handleProfile(req);
} else if (
method === "GET" &&
sanitizedPathname === this.routes.accessToken
sanitizedPathname === this.routes.accessToken &&
this.enableAccessTokenEndpoint
) {
return this.handleAccessToken(req);
} else if (
Expand Down
13 changes: 13 additions & 0 deletions src/server/client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,19 @@ export interface Auth0ClientOptions {
* via the `Auth0-Client` header. Defaults to `true`.
*/
enableTelemetry?: boolean;

/**
* Boolean value to enable the `/auth/access-token` endpoint for use in the client app.
*
* Defaults to `true`.
*
* NOTE: Set this to `false` if your client does not need to directly interact with resource servers (Token Mediating Backend). This will be false for most apps.
*
* A security best practice is to disable this to avoid exposing access tokens to the client app.
*
* See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-token-mediating-backend
*/
enableAccessTokenEndpoint?: boolean;
}

export type PagesRouterRequest = IncomingMessage | NextApiRequest;
Expand Down