don't call user info endpoint from querySessionStatus IdentityModel#825

chrisgbaker · Aug 7, 2019 · b8e6eac · b8e6eac
1 parent bcf6b36
commit b8e6eac
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 16 deletions.
diff --git a/src/OidcClient.js b/src/OidcClient.js
@@ -44,7 +44,7 @@ export class OidcClient {
         // have round tripped, but people were getting confused, so i added state (since that matches the spec)
         // and so now if data is not passed, but state is then state will be used
         data, state, prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values,
-        resource, request, request_uri, response_mode, extraQueryParams, extraTokenParams, request_type } = {},
+        resource, request, request_uri, response_mode, extraQueryParams, extraTokenParams, request_type, skipUserInfo } = {},
         stateStore
     ) {
         Log.debug("OidcClient.createSigninRequest");
@@ -83,7 +83,8 @@ export class OidcClient {
                 authority,
                 prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values,
                 resource, request, request_uri, extraQueryParams, extraTokenParams, request_type, response_mode,
-                client_secret: this._settings.client_secret
+                client_secret: this._settings.client_secret,
+                skipUserInfo
             });
 
             var signinState = signinRequest.state;

diff --git a/src/ResponseValidator.js b/src/ResponseValidator.js
@@ -36,7 +36,7 @@ export class ResponseValidator {
             Log.debug("ResponseValidator.validateSigninResponse: state processed");
             return this._validateTokens(state, response).then(response => {
                 Log.debug("ResponseValidator.validateSigninResponse: tokens validated");
-                return this._processClaims(response).then(response => {
+                return this._processClaims(state, response).then(response => {
                     Log.debug("ResponseValidator.validateSigninResponse: claims processed");
                     return response;
                 });
@@ -138,13 +138,13 @@ export class ResponseValidator {
         return Promise.resolve(response);
     }
 
-    _processClaims(response) {
+    _processClaims(state, response) {
         if (response.isOpenIdConnect) {
             Log.debug("ResponseValidator._processClaims: response is OIDC, processing claims");
 
             response.profile = this._filterProtocolClaims(response.profile);
 
-            if (this._settings.loadUserInfo && response.access_token) {
+            if (state.skipUserInfo !== true && this._settings.loadUserInfo && response.access_token) {
                 Log.debug("ResponseValidator._processClaims: loading user info");
 
                 return this._userInfoService.getClaims(response.access_token).then(claims => {

diff --git a/src/SigninRequest.js b/src/SigninRequest.js
@@ -11,7 +11,7 @@ export class SigninRequest {
         url, client_id, redirect_uri, response_type, scope, authority,
         // optional
         data, prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values, resource, response_mode,
-        request, request_uri, extraQueryParams, request_type, client_secret, extraTokenParams
+        request, request_uri, extraQueryParams, request_type, client_secret, extraTokenParams, skipUserInfo
     }) {
         if (!url) {
             Log.error("SigninRequest.ctor: No url passed");
@@ -49,7 +49,7 @@ export class SigninRequest {
             data, client_id, authority, redirect_uri, 
             code_verifier: code, 
             request_type, response_mode,
-            client_secret, scope, extraTokenParams });
+            client_secret, scope, extraTokenParams, skipUserInfo });
 
         url = UrlUtility.addQueryParam(url, "client_id", client_id);
         url = UrlUtility.addQueryParam(url, "redirect_uri", redirect_uri);

diff --git a/src/SigninState.js b/src/SigninState.js
@@ -7,7 +7,7 @@ import { JoseUtil } from './JoseUtil.js';
 import random from './random.js';
 
 export class SigninState extends State {
-    constructor({nonce, authority, client_id, redirect_uri, code_verifier, response_mode, client_secret, scope, extraTokenParams} = {}) {
+    constructor({nonce, authority, client_id, redirect_uri, code_verifier, response_mode, client_secret, scope, extraTokenParams, skipUserInfo} = {}) {
         super(arguments[0]);
 
         if (nonce === true) {
@@ -37,6 +37,7 @@ export class SigninState extends State {
         this._client_secret = client_secret;
         this._scope = scope;
         this._extraTokenParams = extraTokenParams;
+        this._skipUserInfo = skipUserInfo;
     }
 
     get nonce() {
@@ -69,6 +70,9 @@ export class SigninState extends State {
     get extraTokenParams() {
         return this._extraTokenParams;
     }
+    get skipUserInfo() {
+        return this._skipUserInfo;
+    }
 
     toStorageString() {
         Log.debug("SigninState.toStorageString");
@@ -85,7 +89,8 @@ export class SigninState extends State {
             response_mode: this.response_mode,
             client_secret: this.client_secret,
             scope: this.scope,
-            extraTokenParams : this.extraTokenParams
+            extraTokenParams : this.extraTokenParams,
+            skipUserInfo: this.skipUserInfo
         });
     }
 

diff --git a/src/UserManager.js b/src/UserManager.js
@@ -328,7 +328,8 @@ export class UserManager extends OidcClient {
         args.redirect_uri = url;
         args.prompt = "none";
         args.response_type = args.response_type || this.settings.query_status_response_type;
-        args.scope = "openid";
+        args.scope = args.scope || "openid";
+        args.skipUserInfo = true;
 
         return this._signinStart(args, this._iframeNavigator, {
             startUrl: url,

diff --git a/test/unit/ResponseValidator.spec.js b/test/unit/ResponseValidator.spec.js
@@ -441,7 +441,7 @@ describe("ResponseValidator", function () {
             stubResponse.isOpenIdConnect = true;
             stubResponse.profile = { a: 'apple', b: 'banana' };
 
-            subject._processClaims(stubResponse).then(response => {
+            subject._processClaims({}, stubResponse).then(response => {
                 subject._filterProtocolClaimsWasCalled.should.be.true;
                 done();
             });
@@ -452,7 +452,7 @@ describe("ResponseValidator", function () {
 
             stubResponse.isOpenIdConnect = false;
 
-            subject._processClaims(stubResponse).then(response => {
+            subject._processClaims({}, stubResponse).then(response => {
                 assert.isUndefined(subject._filterProtocolClaimsWasCalled);
                 done();
             });
@@ -468,7 +468,7 @@ describe("ResponseValidator", function () {
             stubResponse.access_token = "access_token";
             stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });
 
-            subject._processClaims(stubResponse).then(response => {
+            subject._processClaims({}, stubResponse).then(response => {
                 stubUserInfoService.getClaimsWasCalled.should.be.true;
                 subject._mergeClaimsWasCalled.should.be.true;
                 done();
@@ -485,7 +485,7 @@ describe("ResponseValidator", function () {
             stubResponse.access_token = "access_token";
             stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });
 
-            subject._processClaims(stubResponse).then(response => {
+            subject._processClaims({}, stubResponse).then(response => {
                 stubUserInfoService.getClaimsWasCalled.should.be.false;
                 done();
             });
@@ -501,7 +501,7 @@ describe("ResponseValidator", function () {
             stubResponse.access_token = "access_token";
             stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });
 
-            subject._processClaims(stubResponse).then(response => {
+            subject._processClaims({}, stubResponse).then(response => {
                 stubUserInfoService.getClaimsWasCalled.should.be.false;
                 done();
             });
@@ -516,7 +516,7 @@ describe("ResponseValidator", function () {
             stubResponse.profile = { a: 'apple', b: 'banana' };
             stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });
 
-            subject._processClaims(stubResponse).then(response => {
+            subject._processClaims({}, stubResponse).then(response => {
                 stubUserInfoService.getClaimsWasCalled.should.be.false;
                 done();
             });