When using defineOAuthOidcEventHandler with a config that already includes 'openid' in the scope array, the resulting scope contains 'openid' twice due to how defu merges arrays.
From `nuxt-auth-utils/src/runtime/server/lib/oauth/oidc.ts`, lines 246 to 248 at ceb366b:

```ts
config = defu(config, useRuntimeConfig(event).oauth.oidc, {
  scope: ['openid'],
} satisfies OAuthOidcConfig)
```
defu concatenates arrays rather than replacing them. So if the input config is `{ scope: ['openid', 'profile'] }`, the merged result becomes `{ scope: ['openid', 'profile', 'openid'] }`.
This produces a scope string of "openid profile openid" in the authorization request, which may cause errors with some OIDC providers that reject duplicate scopes.
This is the same class of issue reported in unjs/defu#136, which was closed as "not planned" since deduplication is left to consumers.
Reproduction
```ts
defineOAuthOidcEventHandler({
  config: {
    scope: ['openid', 'profile', 'email'],
  },
  async onSuccess(event, { user, tokens }) {
    // ...
  },
})
```
The authorization redirect will contain `scope=openid+profile+email+openid`.
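To make the merge behaviour and a consumer-side fix concrete, here is an added example that is not code from nuxt-auth-utils or defu. `mergeLikeDefu` is a constructed stand-in that reproduces only the array-concatenation rule the issue describes (earlier argument first, defaults appended); `dedupeScope`, `scopeParam`, the `OidcConfig` type and the `clientId` value are all assumptions made for the example.

```typescript
// Added example (not nuxt-auth-utils or defu code): reproduce the duplicate
// 'openid' scope produced by array concatenation, then deduplicate it.

type OidcConfig = { scope?: string[]; clientId?: string };

// Constructed stand-in for the defu behaviour described in the issue:
// the earliest layer that defines a key wins, except that arrays are
// concatenated (earlier layer first, later defaults appended).
// This is not defu's real implementation.
function mergeLikeDefu(...layers: Partial<OidcConfig>[]): OidcConfig {
  const out: Record<string, unknown> = {};
  for (const layer of layers) {
    for (const [key, value] of Object.entries(layer)) {
      if (value === undefined) continue;
      const existing = out[key];
      if (Array.isArray(existing) && Array.isArray(value)) {
        out[key] = [...existing, ...value];
      } else if (existing === undefined) {
        out[key] = value;
      }
    }
  }
  return out as OidcConfig;
}

// Consumer-side fix: drop repeated scopes while keeping first-seen order,
// so 'openid' stays where the caller put it.
function dedupeScope(scope: string[]): string[] {
  return Array.from(new Set(scope));
}

// The space-separated scope value as it would be sent in the
// authorization request's query string.
function scopeParam(config: OidcConfig): string {
  return (config.scope ?? []).join(' ');
}

// Constructed inputs mirroring the issue's reproduction.
const userConfig: OidcConfig = { scope: ['openid', 'profile', 'email'] };
const runtimeConfig: OidcConfig = { clientId: 'example-client' }; // assumed value
const defaults: OidcConfig = { scope: ['openid'] };

const merged = mergeLikeDefu(userConfig, runtimeConfig, defaults);
console.log(scopeParam(merged)); // openid profile email openid

const fixed: OidcConfig = { ...merged, scope: dedupeScope(merged.scope ?? []) };
console.log(scopeParam(fixed)); // openid profile email
```

The deduplication runs after the merge, so it also covers a caller who omitted `'openid'` entirely (the default still appends it) and a caller who listed it twice themselves. defu's own `createDefu` accepts a custom merger callback and could apply the same `Set`-based rule to the `scope` key at merge time; that is the route the library maintainers point consumers to in unjs/defu#136.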