feat(oidc-client): implement token exchange

Author: cerebrl

e2e/oidc-app/src/main.ts

@@ -16,7 +16,7 @@ async function app() {
   // create object from URL query parameters
   const urlParams = new URLSearchParams(window.location.search);
   const code = urlParams.get('code');
-  // const state = urlParams.get('state');
+  const state = urlParams.get('state');
   // get error and error_description if they exist
   const error = urlParams.get('error');
   // const errorDescription = urlParams.get('error_description');
@@ -26,11 +26,19 @@ async function app() {
 
     if ('error' in response) {
       console.error('Authorization Error:', response);
-      // window.location.assign(response.redirectUrl);
+      window.location.assign(response.redirectUrl);
       return;
     } else if ('code' in response) {
       console.log('Authorization Code:', response.code);
     }
+  } else if (code && state) {
+    const response = await oidcClient.token.exchange(code, state);
+
+    if ('error' in response) {
+      console.error('Token Exchange Error:', response);
+    } else {
+      console.log('Token Exchange Response:', response);
+    }
   }
 }
 

packages/oidc-client/package.json

@@ -31,6 +31,7 @@
     "@forgerock/sdk-oidc": "workspace:*",
     "@forgerock/sdk-request-middleware": "workspace:*",
     "@forgerock/sdk-types": "workspace:*",
+    "@forgerock/storage": "workspace:*",
     "@reduxjs/toolkit": "catalog:",
     "effect": "^3.12.7"
   },

packages/oidc-client/src/lib/authorize.request.types.ts

@@ -13,6 +13,6 @@ export interface AuthorizeSuccessResponse {
 export interface AuthorizeErrorResponse {
   error: string;
   error_description: string;
-  redirectUrl: string; // URL to redirect the user to for re-authorization
-  type: 'auth_error';
+  redirectUrl?: string; // URL to redirect the user to for re-authorization
+  type: 'auth_error' | 'wellknown_error' | 'network_error' | 'unknown_error';
 }

packages/oidc-client/src/lib/authorize.request.utils.ts

@@ -105,11 +105,10 @@ export function createAuthorizeErrorµ(
     try: async () => {
       const url = await createAuthorizeUrl(wellknown.authorization_endpoint, {
         ...options,
-        prompt: 'none',
       });
       return {
-        error: 'AuthorizationUrlError',
-        error_description: `Error creating authorization URL for ${url}`,
+        error: res.error,
+        error_description: res.error_description,
         type: 'auth_error',
         redirectUrl: url,
       } as AuthorizeErrorResponse;

packages/oidc-client/src/lib/client.store.ts

@@ -5,19 +5,24 @@
  * of the MIT license. See the LICENSE file for details.
  */
 import { CustomLogger, logger as loggerFn, LogLevel } from '@forgerock/sdk-logger';
-import { createAuthorizeUrl } from '@forgerock/sdk-oidc';
+import { createAuthorizeUrl, getStoredAuthUrlValues } from '@forgerock/sdk-oidc';
+import { createStorage } from '@forgerock/storage';
+import { Micro } from 'effect';
 import { exitIsSuccess } from 'effect/Micro';
 
 import { authorizeµ } from './authorize.request.js';
 import { createClientStore } from './client.store.utils.js';
 import { GenericError } from './error.types.js';
+import { oidcApi } from './oidc.api.js';
 import { wellknownApi, wellknownSelector } from './wellknown.api.js';
 
 import type { ActionTypes, RequestMiddleware } from '@forgerock/sdk-request-middleware';
 import type { GetAuthorizationUrlOptions } from '@forgerock/sdk-types';
 
 import type { OidcConfig } from './config.types.js';
-import { Micro } from 'effect';
+import { AuthorizeErrorResponse } from './authorize.request.types.js';
+import { TokenExchangeOptions } from './client.store.types.js';
+import { TokenRequestOptions } from './token.types.js';
 
 export async function oidc<ActionType extends ActionTypes = ActionTypes>({
   config,
@@ -36,13 +41,13 @@ export async function oidc<ActionType extends ActionTypes = ActionTypes>({
 
   if (!config?.serverConfig?.wellknown) {
     return {
-      message: 'Requires a wellknown url initializing this factory.',
+      error: 'Requires a wellknown url initializing this factory.',
       type: 'argument_error',
     };
   }
   if (!config?.clientId) {
     return {
-      message: 'Requires a clientId.',
+      error: 'Requires a clientId.',
       type: 'argument_error',
     };
   }
@@ -54,7 +59,7 @@ export async function oidc<ActionType extends ActionTypes = ActionTypes>({
 
   if (error || !data) {
     return {
-      message: `Error fetching wellknown config`,
+      error: `Error fetching wellknown config`,
       type: 'network_error',
     };
   }
@@ -75,11 +80,11 @@ export async function oidc<ActionType extends ActionTypes = ActionTypes>({
 
         if (!wellknown?.authorization_endpoint) {
           const err = {
-            message: 'Authorization endpoint not found in wellknown configuration',
+            error: 'Authorization endpoint not found in wellknown configuration',
             type: 'wellknown_error',
           } as const;
 
-          log.error(err.message);
+          log.error(err.error);
 
           return err;
         }
@@ -92,11 +97,12 @@ export async function oidc<ActionType extends ActionTypes = ActionTypes>({
 
         if (!wellknown?.authorization_endpoint) {
           const err = {
-            message: 'Authorization endpoint not found in wellknown configuration',
+            error: 'Wellknown missing authorization endpoint',
+            error_description: 'Authorization endpoint not found in wellknown configuration',
             type: 'wellknown_error',
-          } as const;
+          } as AuthorizeErrorResponse;
 
-          log.error(err.message);
+          log.error(err.error);
 
           return err;
         }
@@ -108,9 +114,75 @@ export async function oidc<ActionType extends ActionTypes = ActionTypes>({
         if (exitIsSuccess(result)) {
           return result.value;
         } else {
-          return result.cause;
+          return {
+            error: 'Authorization failure',
+            error_description: result.cause.message,
+            type: 'auth_error',
+          } as AuthorizeErrorResponse;
         }
       },
     },
+    token: {
+      exchange: async (code: string, state: string, options?: TokenExchangeOptions) => {
+        const storeState = store.getState();
+        const wellknown = wellknownSelector(wellknownUrl, storeState);
+
+        if (!wellknown?.token_endpoint) {
+          const err = {
+            error: 'Wellknown missing token endpoint',
+            type: 'wellknown_error',
+          } as AuthorizeErrorResponse;
+
+          log.error(err.error);
+
+          return err;
+        }
+
+        // TODO: Validate state
+        const values = getStoredAuthUrlValues(config.clientId, options?.prefix);
+
+        if (values.state !== state) {
+          const err = {
+            error: 'State mismatch',
+            type: 'auth_error',
+          } as GenericError;
+
+          log.error(err.error);
+
+          return err;
+        }
+
+        const requestOptions: TokenRequestOptions = {
+          code,
+          config,
+          endpoint: wellknown.token_endpoint,
+        };
+        if (values.verifier) {
+          requestOptions.verifier = values.verifier;
+        }
+
+        const { data, error } = await store.dispatch(
+          oidcApi.endpoints.exchange.initiate(requestOptions),
+        );
+
+        if (error || !data) {
+          const err = {
+            error: 'Error exchanging token',
+            type: 'network_error',
+          } as GenericError;
+
+          log.error(err.error);
+
+          return err;
+        }
+
+        // TODO: handle response and errors; if success, store tokens and return them
+        createStorage({ storeType: 'localStorage' }, 'oidcTokens', options?.customStorage).set(
+          data,
+        );
+
+        return data;
+      },
+    },
   };
 }

packages/oidc-client/src/lib/client.store.types.ts

@@ -0,0 +1,6 @@
+import { CustomStorageObject } from '@forgerock/sdk-types';
+
+export interface TokenExchangeOptions {
+  prefix?: string;
+  customStorage: CustomStorageObject;
+}

packages/oidc-client/src/lib/client.store.utils.ts

@@ -8,6 +8,7 @@ import type { ActionTypes, RequestMiddleware } from '@forgerock/sdk-request-midd
 import type { logger as loggerFn } from '@forgerock/sdk-logger';
 
 import { configureStore } from '@reduxjs/toolkit';
+import { oidcApi } from './oidc.api.js';
 import { wellknownApi } from './wellknown.api.js';
 
 export function createClientStore<ActionType extends ActionTypes>({
@@ -19,6 +20,7 @@ export function createClientStore<ActionType extends ActionTypes>({
 }) {
   return configureStore({
     reducer: {
+      [oidcApi.reducerPath]: oidcApi.reducer,
       [wellknownApi.reducerPath]: wellknownApi.reducer,
     },
     middleware: (getDefaultMiddleware) =>
@@ -33,7 +35,9 @@ export function createClientStore<ActionType extends ActionTypes>({
             logger,
           },
         },
-      }).concat(wellknownApi.middleware),
+      })
+        .concat(wellknownApi.middleware)
+        .concat(oidcApi.middleware),
   });
 }
 

packages/oidc-client/src/lib/error.types.ts

@@ -6,7 +6,8 @@
  */
 export interface GenericError {
   code?: string | number;
-  message: string;
+  error: string;
+  message?: string;
   type:
     | 'argument_error'
     | 'auth_error'

packages/oidc-client/src/lib/oidc.api.ts

@@ -0,0 +1,43 @@
+import { createApi, fetchBaseQuery } from '@reduxjs/toolkit/query';
+import { OidcConfig } from './config.types.js';
+import { TokenExchangeResponse } from './token.types.js';
+
+export const oidcApi = createApi({
+  reducerPath: 'oidc',
+  baseQuery: fetchBaseQuery(),
+  endpoints: (builder) => ({
+    exchange: builder.mutation<
+      TokenExchangeResponse,
+      {
+        code: string;
+        config: OidcConfig;
+        endpoint: string;
+        verifier?: string;
+      }
+    >({
+      query: ({ code, config, endpoint, verifier }) => {
+        const { clientId, redirectUri } = config;
+        const body = new URLSearchParams({
+          grant_type: 'authorization_code',
+          code,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+        });
+
+        if (verifier) {
+          body.append('code_verifier', verifier);
+        }
+
+        return {
+          url: endpoint,
+          method: 'POST',
+          headers: {
+            Accept: 'application/json',
+            'Content-Type': 'application/x-www-form-urlencoded',
+          },
+          body,
+        };
+      },
+    }),
+  }),
+});

packages/oidc-client/src/lib/token.types.ts

@@ -0,0 +1,17 @@
+import { OidcConfig } from './config.types.js';
+
+export interface TokenExchangeResponse {
+  token: string;
+  idToken?: string;
+  refreshToken?: string;
+  expiresIn?: number;
+  scope?: string;
+  tokenType?: string;
+}
+
+export interface TokenRequestOptions {
+  code: string;
+  config: OidcConfig;
+  endpoint: string;
+  verifier?: string;
+}