Merge pull request auth0#375 from auth0/fix/add-option-to-bypass-validation

Add flag to bypass id_token validation

Author: luisrudge

src/auth/OAUthWithIDTokenValidation.js

@@ -13,12 +13,13 @@ var HS256_IGNORE_VALIDATION_MESSAGE =
  * @constructor
  * @memberOf module:auth
  *
- * @param  {Object}              oauth                           An instance of @type {OAuthAuthenticator}
- * @param  {Object}              options                         Authenticator options.
- * @param  {String}              options.domain                  AuthenticationClient server domain
- * @param  {String}              [options.clientId]              Default client ID.
- * @param  {String}              [options.clientSecret]          Default client Secret.
- * @param  {String}              [options.supportedAlgorithms]   Algorithms that your application expects to receive
+ * @param  {Object}              oauth                               An instance of @type {OAuthAuthenticator}
+ * @param  {Object}              options                             Authenticator options.
+ * @param  {String}              options.domain                      AuthenticationClient server domain
+ * @param  {String}              [options.clientId]                  Default client ID.
+ * @param  {String}              [options.clientSecret]              Default client Secret.
+ * @param  {String}              [options.supportedAlgorithms]       Algorithms that your application expects to receive
+ * @param  {Boolean}             [options.__bypassIdTokenValidation] Whether the id_token should be validated or not
  */
 var OAUthWithIDTokenValidation = function(oauth, options) {
   if (!oauth) {
@@ -34,6 +35,7 @@ var OAUthWithIDTokenValidation = function(oauth, options) {
   }
 
   this.oauth = oauth;
+  this.__bypassIdTokenValidation = options.__bypassIdTokenValidation;
   this.clientId = options.clientId;
   this.clientSecret = options.clientSecret;
   this.domain = options.domain;
@@ -56,8 +58,11 @@ var OAUthWithIDTokenValidation = function(oauth, options) {
  * @return  {Promise|undefined}
  */
 OAUthWithIDTokenValidation.prototype.create = function(params, data, cb) {
+  const _this = this;
   const createAndValidate = this.oauth.create(params, data).then(r => {
-    var _this = this;
+    if (_this.__bypassIdTokenValidation) {
+      return r;
+    }
     if (r.id_token) {
       function getKey(header, callback) {
         if (header.alg === 'HS256') {

src/auth/OAuthAuthenticator.js

@@ -12,11 +12,12 @@ var OAUthWithIDTokenValidation = require('./OAUthWithIDTokenValidation');
  * @constructor
  * @memberOf module:auth
  *
- * @param  {Object}              options                Authenticator options.
- * @param  {String}              options.baseUrl        The Auth0 account URL.
- * @param  {String}              options.domain         AuthenticationClient server domain
- * @param  {String}              [options.clientId]     Default client ID.
- * @param  {String}              [options.clientSecret] Default client Secret.
+ * @param  {Object}              options                             Authenticator options.
+ * @param  {String}              options.baseUrl                     The Auth0 account URL.
+ * @param  {String}              options.domain                      AuthenticationClient server domain
+ * @param  {String}              [options.clientId]                  Default client ID.
+ * @param  {String}              [options.clientSecret]              Default client Secret.
+ * @param  {Boolean}             [options.__bypassIdTokenValidation] Whether the id_token should be validated or not
  */
 var OAuthAuthenticator = function(options) {
   if (!options) {

src/auth/index.js

@@ -37,11 +37,12 @@ var BASE_URL_FORMAT = 'https://%s';
  *   clientId: '{OPTIONAL_CLIENT_ID}'
  * });
  *
- * @param   {Object}  options                         Options for the Authentication Client SDK.
- * @param   {String}  options.domain                  AuthenticationClient server domain.
- * @param   {String}  [options.clientId]              Default client ID.
- * @param   {String}  [options.clientSecret]          Default client Secret.
- * @param   {String}  [options.supportedAlgorithms]   Algorithms that your application expects to receive
+ * @param   {Object}  options                           Options for the Authentication Client SDK.
+ * @param   {String}  options.domain                    AuthenticationClient server domain.
+ * @param   {String}  [options.clientId]                Default client ID.
+ * @param   {String}  [options.clientSecret]            Default client Secret.
+ * @param   {String}  [options.supportedAlgorithms]     Algorithms that your application expects to receive
+ * @param  {Boolean}  [options.__bypassIdTokenValidation] Whether the id_token should be validated or not
  */
 var AuthenticationClient = function(options) {
   if (!options || typeof options !== 'object') {
@@ -61,7 +62,8 @@ var AuthenticationClient = function(options) {
       'Content-Type': 'application/json'
     },
     baseUrl: util.format(BASE_URL_FORMAT, options.domain),
-    supportedAlgorithms: options.supportedAlgorithms
+    supportedAlgorithms: options.supportedAlgorithms,
+    __bypassIdTokenValidation: options.__bypassIdTokenValidation
   };
 
   if (options.telemetry !== false) {

test/auth/oauth-with-idtoken-validation.tests.js

@@ -77,6 +77,17 @@ describe('OAUthWithIDTokenValidation', function() {
       var oauthWithValidation = new OAUthWithIDTokenValidation(oauth, {});
       oauthWithValidation.create(PARAMS, DATA, done);
     });
+    it('Bypasses validation when options.__bypassIdTokenValidation is true', function(done) {
+      var oauth = {
+        create: function() {
+          return new Promise(res => res({ id_token: 'foobar' }));
+        }
+      };
+      var oauthWithValidation = new OAUthWithIDTokenValidation(oauth, {
+        __bypassIdTokenValidation: true
+      });
+      oauthWithValidation.create(PARAMS, DATA, done);
+    });
     it('Calls jwt.verify with token and algs', function(done) {
       var oauth = {
         create: function() {