fix(oidc-client): address PAR code review — correctness, security, error handling

- Fix: spurious await on Micro value in client.store authorize path
- Fix: validateParResponse uses toDispatchError for SerializedError,
  preserving diagnostic info instead of silently dropping it
- Fix: optional chaining on wellknown?.require_pushed_authorization_requests
  in authorizeµ default param (prevents synchronous throw outside Micro)
- Fix: scope PAR dispatch tapError inside flatMap to prevent double-logging
  with misleading "Error dispatching PAR authorize request" message
- Fix: dispatchAuthorizeIframe validates code+state shape before succeeding
- Fix: add credentials: include to PAR endpoint FetchArgs for SSO support
- Fix: correct misleading log in authorizeIframe error path
- Feat: surface expires_in from PAR response; warn when TTL < 30s
- Test: add PAR 400 error e2e scenario to mock server and par.spec.ts
- Chore: remove console.log debug artifacts from client.store.test.ts

Author: ryanbas21

e2e/am-mock-api/src/app/routes.auth.js

@@ -666,6 +666,12 @@ export default function (app) {
   app.get('/callback', (req, res) => res.status(200).send('ok'));
 
   app.post(authPaths.par, (req, res) => {
+    if (req.query.scenario === 'error') {
+      return res.status(400).json({
+        error: 'invalid_request',
+        error_description: 'Missing required PAR parameter',
+      });
+    }
     res.status(201).json(parResponse);
   });
 

e2e/oidc-suites/src/par.spec.ts

@@ -17,7 +17,54 @@ async function loginJourney(page, username: string, password: string) {
   await expect(page.locator('#journey-status')).toContainText('Session established');
 }
 
+// Synthetic PAR error endpoint — intercepted by Playwright before any real network call
+const SYNTHETIC_PAR_ERROR_URL = 'http://localhost:8443/synthetic-par-error-endpoint';
+// The real wellknown used by the PAR app (intercepted to inject the synthetic PAR endpoint)
+const DEFAULT_WELLKNOWN_PATTERN =
+  '**/openam-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration*';
+
 test.describe('PAR (Pushed Authorization Request) login tests', () => {
+  test('PAR authorize returns 400 error — SDK surfaces error to the UI without redirecting', async ({
+    page,
+  }) => {
+    const { navigate } = asyncEvents(page);
+
+    // Intercept the wellknown to inject our synthetic PAR endpoint URL
+    await page.route(DEFAULT_WELLKNOWN_PATTERN, async (route) => {
+      const response = await route.fetch();
+      const json = await response.json();
+      await route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        body: JSON.stringify({
+          ...json,
+          pushed_authorization_request_endpoint: SYNTHETIC_PAR_ERROR_URL,
+        }),
+      });
+    });
+
+    // Intercept the synthetic PAR endpoint and return a 400 error
+    await page.route(SYNTHETIC_PAR_ERROR_URL, (route) => {
+      route.fulfill({
+        status: 400,
+        contentType: 'application/json',
+        body: JSON.stringify({
+          error: 'invalid_request',
+          error_description: 'Missing required PAR parameter',
+        }),
+      });
+    });
+
+    await navigate('/par/');
+
+    // Clicking redirect login triggers PAR → receives 400 → SDK should surface an error
+    await page.getByRole('button', { name: 'Login (Redirect' }).click();
+
+    // The SDK should surface an error in the UI instead of redirecting away
+    await expect(page.locator('.error')).toBeVisible({ timeout: 10000 });
+    await expect(page.locator('.error')).toContainText('PAR_ERROR');
+  });
+
   test('background login with PAR enabled (ParClient) obtains access token', async ({ page }) => {
     const { navigate } = asyncEvents(page);
 

packages/oidc-client/src/lib/authorize.request.micros.test.ts

@@ -408,3 +408,24 @@ it.effect('dispatchAuthorizeIframe fails with unknown_error when data is undefin
     expect(exit.cause.error.type).toBe('unknown_error');
   }),
 );
+
+it.effect('dispatchAuthorizeIframe fails with unknown_error when data has no code or state', () =>
+  Micro.gen(function* () {
+    vi.mocked(mockStore.dispatch).mockResolvedValueOnce({
+      data: { unexpected: 'shape' },
+    } as unknown as ReturnType<typeof mockStore.dispatch>);
+
+    const exit = yield* Micro.exit(
+      dispatchAuthorizeIframe(
+        mockStore,
+        'https://example.com/authorize?foo=bar',
+        wellknown,
+        {} as import('@forgerock/sdk-types').GetAuthorizationUrlOptions,
+      ),
+    );
+    expect(Micro.exitIsFailure(exit)).toBe(true);
+    if (!Micro.exitIsFailure(exit) || !Micro.causeIsFail(exit.cause)) return;
+    expect(exit.cause.error.type).toBe('unknown_error');
+    expect(exit.cause.error.error).toBe('Unknown_Error');
+  }),
+);

packages/oidc-client/src/lib/authorize.request.micros.ts

@@ -100,10 +100,13 @@ export const dispatchAuthorizeIframe = (
   }).pipe(
     Micro.flatMap(({ error, data }) => {
       if (error) return handleDispatchError(error, wellknown, options);
-      if (data !== undefined) return Micro.succeed(data);
+      const d = data as { code?: unknown; state?: unknown } | undefined;
+      if (d !== undefined && typeof d.code === 'string' && typeof d.state === 'string') {
+        return Micro.succeed(d as AuthorizationSuccess);
+      }
       return Micro.fail({
         error: 'Unknown_Error',
-        error_description: 'Response data was empty',
+        error_description: 'Response data did not contain expected code and state fields',
         type: 'unknown_error',
       } as const);
     }),

packages/oidc-client/src/lib/authorize.request.ts

@@ -70,6 +70,7 @@ function dispatchAuthorizeµ(
 export function parAuthorizeµ(
   wellknown: WellknownResponse,
   config: OidcConfig,
+  log: CustomLogger,
   store: ClientStore,
   options?: OptionalAuthorizeOptions,
 ): Micro.Micro<string, AuthorizationError, never> {
@@ -96,7 +97,14 @@ export function parAuthorizeµ(
       prompt,
     );
     const parResult = yield* dispatchParRequest(store, parEndpoint, body);
-    const { request_uri } = yield* validateParResponse(parResult);
+    const { request_uri, expires_in } = yield* validateParResponse(parResult);
+    if (expires_in < 30) {
+      yield* Micro.sync(() =>
+        log.warn(
+          `PAR request_uri expires in ${expires_in}s — authorize must complete before expiry`,
+        ),
+      );
+    }
     yield* storeAuthOptions(storeOptions);
     return yield* buildParSlimUrl(
       wellknown.authorization_endpoint,
@@ -120,7 +128,7 @@ export function authorizeµ(
   log: CustomLogger,
   store: ClientStore,
   options?: GetAuthorizationUrlOptions,
-  useParFlow = config.par ?? wellknown.require_pushed_authorization_requests === true,
+  useParFlow = config.par ?? wellknown?.require_pushed_authorization_requests === true,
 ): Micro.Micro<AuthorizationSuccess, AuthorizationError, never> {
   const parDispatchOptions: GetAuthorizationUrlOptions = {
     clientId: config.clientId,
@@ -130,14 +138,17 @@ export function authorizeµ(
     ...options,
   };
 
-  const parFlow = parAuthorizeµ(wellknown, config, store, options).pipe(
+  const parFlow = parAuthorizeµ(wellknown, config, log, store, options).pipe(
     Micro.tap((url) => log.debug('PAR authorize URL created', url)),
     Micro.tapError((err) =>
       Micro.sync(() => log.error(`PAR authorize failed [${err.type}]: ${err.error}`, err)),
     ),
-    Micro.flatMap((url) => dispatchAuthorizeµ(url, parDispatchOptions, wellknown, store, log)),
-    Micro.tapError((err) =>
-      Micro.sync(() => log.error('Error dispatching PAR authorize request', err)),
+    Micro.flatMap((url) =>
+      dispatchAuthorizeµ(url, parDispatchOptions, wellknown, store, log).pipe(
+        Micro.tapError((err) =>
+          Micro.sync(() => log.error('Error dispatching PAR authorize request', err)),
+        ),
+      ),
     ),
   );
 

packages/oidc-client/src/lib/authorize.request.utils.test.ts

@@ -55,6 +55,13 @@ const mockStore = {
   dispatch: vi.fn(),
 } as unknown as ClientStore;
 
+const mockLog = {
+  debug: vi.fn(),
+  error: vi.fn(),
+  info: vi.fn(),
+  warn: vi.fn(),
+} as unknown as import('@forgerock/sdk-logger').CustomLogger;
+
 const sessionStorageStub = { getItem: vi.fn(), setItem: vi.fn(), removeItem: vi.fn() };
 
 afterEach(() => {
@@ -126,7 +133,7 @@ it('toDispatchError delegates to toAuthorizationError for FetchBaseQueryError',
 it.effect('parAuthorizeµ fails with wellknown_error when par endpoint is missing', () =>
   Micro.gen(function* () {
     const configWithPar: OidcConfig = { ...config, par: true };
-    const result = yield* Micro.exit(parAuthorizeµ(wellknown, configWithPar, mockStore));
+    const result = yield* Micro.exit(parAuthorizeµ(wellknown, configWithPar, mockLog, mockStore));
     expect(Micro.exitIsFailure(result)).toBe(true);
     if (!Micro.exitIsFailure(result)) return;
     expect(Micro.causeIsFail(result.cause)).toBe(true);
@@ -149,7 +156,7 @@ it.effect('parAuthorizeµ succeeds and returns slim authorize URL', () =>
       data: { request_uri: requestUri, expires_in: 60 },
     } as unknown as ReturnType<typeof mockStore.dispatch>);
 
-    const url = yield* parAuthorizeµ(wellknownWithPar, configWithPar, mockStore);
+    const url = yield* parAuthorizeµ(wellknownWithPar, configWithPar, mockLog, mockStore);
 
     expect(url).toContain('client_id=123456789');
     expect(url).toContain(`request_uri=${encodeURIComponent(requestUri)}`);
@@ -172,7 +179,9 @@ it.effect('parAuthorizeµ fails with network_error when PAR POST returns error',
       },
     } as unknown as ReturnType<typeof mockStore.dispatch>);
 
-    const result = yield* Micro.exit(parAuthorizeµ(wellknownWithPar, configWithPar, mockStore));
+    const result = yield* Micro.exit(
+      parAuthorizeµ(wellknownWithPar, configWithPar, mockLog, mockStore),
+    );
 
     expect(Micro.exitIsFailure(result)).toBe(true);
     if (!Micro.exitIsFailure(result)) return;
@@ -193,7 +202,9 @@ it.effect('parAuthorizeµ fails with network_error when PAR response is missing
       data: {},
     } as unknown as ReturnType<typeof mockStore.dispatch>);
 
-    const result = yield* Micro.exit(parAuthorizeµ(wellknownWithPar, configWithPar, mockStore));
+    const result = yield* Micro.exit(
+      parAuthorizeµ(wellknownWithPar, configWithPar, mockLog, mockStore),
+    );
 
     expect(Micro.exitIsFailure(result)).toBe(true);
     if (!Micro.exitIsFailure(result)) return;
@@ -223,7 +234,7 @@ it.effect(
         data: { request_uri: requestUri, expires_in: 60 },
       } as unknown as ReturnType<typeof mockStore.dispatch>);
 
-      const url = yield* parAuthorizeµ(wellknownWithPar, configWithPar, mockStore, {
+      const url = yield* parAuthorizeµ(wellknownWithPar, configWithPar, mockLog, mockStore, {
         prompt: 'none',
       });
 
@@ -261,6 +272,21 @@ it('hasPushRequestUri returns false when request_uri is missing', () => {
   expect(hasPushRequestUri('string')).toBe(false);
 });
 
+// ─── validateParResponse ─────────────────────────────────────────────────────
+
+import { validateParResponse } from './authorize.request.utils.js';
+
+it.effect('validateParResponse with SerializedError preserves error message', () =>
+  Micro.gen(function* () {
+    const serializedError = { name: 'Error', message: 'network timeout', code: 'FETCH_ERROR' };
+    const exit = yield* Micro.exit(validateParResponse({ error: serializedError }));
+    expect(Micro.exitIsFailure(exit)).toBe(true);
+    if (!Micro.exitIsFailure(exit) || !Micro.causeIsFail(exit.cause)) return;
+    // Should surface the actual message, not generic "Unknown_Error"
+    expect(exit.cause.error.error_description).toContain('network timeout');
+  }),
+);
+
 // ─── buildParAuthorizeUrl ────────────────────────────────────────────────────
 
 it('buildParAuthorizeUrl produces slim URL with client_id and request_uri', () => {
@@ -340,13 +366,6 @@ it('buildAuthorizeOptions falls back to "openid" scope and "code" responseType w
 
 // ─── authorizeµ flow routing ──────────────────────────────────────────────────
 
-const mockLog = {
-  debug: vi.fn(),
-  error: vi.fn(),
-  info: vi.fn(),
-  warn: vi.fn(),
-} as unknown as import('@forgerock/sdk-logger').CustomLogger;
-
 it.effect('authorizeµ uses PAR flow when useParFlow=true', () =>
   Micro.gen(function* () {
     const requestUri = 'urn:ietf:params:oauth:request_uri:par-routing-test';

packages/oidc-client/src/lib/authorize.request.utils.ts

@@ -200,11 +200,9 @@ export const buildAuthorizeRedirectUrl = (
 export const validateParResponse = (result: {
   error?: FetchBaseQueryError | SerializedError;
   data?: unknown;
-}): Micro.Micro<{ request_uri: string }, AuthorizationError, never> => {
+}): Micro.Micro<{ request_uri: string; expires_in: number }, AuthorizationError, never> => {
   if (result.error) {
-    return Micro.fail(
-      toAuthorizationError(isFetchBaseQueryError(result.error) ? result.error.data : undefined),
-    );
+    return Micro.fail(toDispatchError(result.error));
   }
   if (!hasPushRequestUri(result.data)) {
     return Micro.fail({
@@ -213,7 +211,8 @@ export const validateParResponse = (result: {
       type: 'network_error',
     } as const);
   }
-  return Micro.succeed(result.data);
+  const d = result.data as { request_uri: string; expires_in?: number };
+  return Micro.succeed({ request_uri: d.request_uri, expires_in: d.expires_in ?? 60 });
 };
 
 export const handleDispatchError = (

packages/oidc-client/src/lib/client.store.test.ts

@@ -22,7 +22,6 @@ vi.stubGlobal(
 
     return {
       getItem(key: string) {
-        console.log('getItem', key);
         return store[key] || null;
       },
       setItem(key: string) {
@@ -43,15 +42,14 @@ const parRequestUri = 'urn:ietf:params:oauth:request_uri:test-par-request-uri';
 
 const server = setupServer(
   // P1 Revoke
-  http.post('*/as/authorize', async () => {
-    console.log('authorize request received');
-    return HttpResponse.json({
+  http.post('*/as/authorize', async () =>
+    HttpResponse.json({
       authorizeResponse: {
         code: 123,
         state: 'NzUyNDUyMDAxOTMyNDUxNzI1NjkxNDc2MjEyMzUwMjQzMzQyMjE4OQ',
       },
-    });
-  }),
+    }),
+  ),
   http.post('*/as/token', async () =>
     HttpResponse.json({
       access_token: 'abcdefghijklmnop',
@@ -204,7 +202,6 @@ describe('PingOne token get method', async () => {
     }
     const tokens = await oidcClient.token.get({ backgroundRenew: true });
     if ('error' in tokens) {
-      console.log('tokens error', tokens);
       expect.fail();
     }
     expect(tokens.accessToken).toBe('1234567890');
@@ -229,7 +226,6 @@ describe('PingOne token get method', async () => {
     }
     const tokens = await oidcClient.token.get({ backgroundRenew: true });
     if ('error' in tokens) {
-      console.log('tokens error', tokens);
       expect.fail();
     }
     expect(tokens.accessToken).toBe('abcdefghijklmnop');
@@ -254,7 +250,6 @@ describe('PingOne token get method', async () => {
     }
     const tokens = await oidcClient.token.get({ backgroundRenew: true });
     if ('error' in tokens) {
-      console.log('tokens error', tokens);
       expect.fail();
     }
     expect(tokens.accessToken).toBe('abcdefghijklmnop');
@@ -279,7 +274,6 @@ describe('PingOne token get method', async () => {
     }
     const tokens = await oidcClient.token.get({ backgroundRenew: true, forceRenew: true });
     if ('error' in tokens) {
-      console.log('tokens error', tokens);
       expect.fail();
     }
     expect(tokens.accessToken).toBe('abcdefghijklmnop');

packages/oidc-client/src/lib/client.store.ts

@@ -132,7 +132,7 @@ export async function oidc<ActionType extends ActionTypes = ActionTypes>({
 
         if (useParFlow) {
           const result = await Micro.runPromiseExit(
-            parAuthorizeµ(wellknown, config, store, options).pipe(
+            parAuthorizeµ(wellknown, config, log, store, options).pipe(
               Micro.tapError((err) =>
                 Micro.sync(() =>
                   log.error(`PAR authorize.url() failed [${err.type}]: ${err.error}`, err),
@@ -192,7 +192,7 @@ export async function oidc<ActionType extends ActionTypes = ActionTypes>({
         }
 
         const result = await Micro.runPromiseExit(
-          await authorizeµ(wellknown, config, log, store, options, useParFlow),
+          authorizeµ(wellknown, config, log, store, options, useParFlow),
         );
 
         if (exitIsSuccess(result)) {

packages/oidc-client/src/lib/oidc.api.ts

@@ -114,6 +114,7 @@ export const oidcApi = createApi({
             Accept: 'application/json',
             'Content-Type': 'application/x-www-form-urlencoded',
           },
+          credentials: 'include',
           body,
         };
 
@@ -210,7 +211,7 @@ export const oidcApi = createApi({
           });
 
         if ('error' in response) {
-          logger.error('Received authorization code', response);
+          logger.error('Error in authorizeIframe response', response);
           return {
             error: {
               status: 400,