Skip to content

fix: ensure authorization_details can be passed in as array instead of only string #1111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

frederikprijck
Copy link
Member

@frederikprijck frederikprijck commented May 16, 2025

Changes

This PR ensures we can pass authorization_details as an array instead of only a string.

Additionally, the authorization_details are not returned as a string, but as an actual array.

This PR fixes those types, and implements it using Generics so that users can provide their own type of AuthorizationDetails (which will most often be the case).

This has been fixed for both CIBA+RAR and PAR+RAR.

References

https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow/user-authorization-with-ciba

Testing

To test this, simply do a CIBA+RAR exchange and inspect the returned authorization_details (even before this change, it's marked as a string but it's actually an object at run time.

  • This change adds unit test coverage
  • This change adds integration test coverage

Checklist

@frederikprijck frederikprijck requested a review from a team as a code owner May 16, 2025 09:35
@@ -238,7 +238,7 @@ describe('Backchannel', () => {
});

it('should return token response, including authorization_details when available', async () => {
const authorization_details = JSON.stringify([{ type: 'test-type' }]);
const authorization_details = [{ type: 'test-type' }];
Copy link
Member Author

@frederikprijck frederikprijck May 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test was incorrectly configuring auth0 to return a string, so the test passed.

@@ -189,6 +201,10 @@ export class Backchannel extends BaseAuthAPI implements IBackchannel {
...options,
login_hint: getLoginHint(userId, this.domain),
client_id: this.clientId,
authorization_details:
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to avoid sending it when not defined

@frederikprijck frederikprijck changed the title fix: ensure authorization_details is correctly returned as an array fix: ensure authorization_details can be passed in as array instead of only string May 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant