diff --git a/src/OidcClient.js b/src/OidcClient.js
index 0f1c15fe..ff1e5eff 100644
--- a/src/OidcClient.js
+++ b/src/OidcClient.js
@@ -44,7 +44,7 @@ export class OidcClient {
 // have round tripped, but people were getting confused, so i added state (since that matches the spec)
 // and so now if data is not passed, but state is then state will be used
 data, state, prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values,
- resource, request, request_uri, response_mode, extraQueryParams, extraTokenParams, request_type } = {},
+ resource, request, request_uri, response_mode, extraQueryParams, extraTokenParams, request_type, skipUserInfo } = {},
 stateStore
 ) {
 Log.debug("OidcClient.createSigninRequest");
@@ -83,7 +83,8 @@ export class OidcClient {
 authority, prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values, resource, request, request_uri, extraQueryParams, extraTokenParams, request_type, response_mode,
- client_secret: this._settings.client_secret
+ client_secret: this._settings.client_secret,
+ skipUserInfo
 });
 var signinState = signinRequest.state;
diff --git a/src/ResponseValidator.js b/src/ResponseValidator.js
index 5c80ec62..6aa7c810 100644
--- a/src/ResponseValidator.js
+++ b/src/ResponseValidator.js
@@ -36,7 +36,7 @@ export class ResponseValidator {
 Log.debug("ResponseValidator.validateSigninResponse: state processed");
 return this._validateTokens(state, response).then(response => {
 Log.debug("ResponseValidator.validateSigninResponse: tokens validated");
- return this._processClaims(response).then(response => {
+ return this._processClaims(state, response).then(response => {
 Log.debug("ResponseValidator.validateSigninResponse: claims processed");
 return response;
 });
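Review bot: The new `skipUserInfo` option in the createSigninRequest destructuring (the `- resource, …` / `+ resource, …` pair) is undocumented, and since it is a per-request override of the `loadUserInfo` setting a reader of this signature cannot tell what it does or that it is persisted. I would add, above the parameter list, `// skipUserInfo: when true the validator does not call the userinfo endpoint for this request even if settings.loadUserInfo is set; it is stored in SigninState so it survives the redirect`. Both facts are visible elsewhere in this commit (the ResponseValidator check and SigninState.toStorageString), so the comment only records them where callers look. The createSigninRequest signature starts before this hunk and its body continues past the second hunk.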
@@ -138,13 +138,13 @@ export class ResponseValidator {
 return Promise.resolve(response);
 }
- _processClaims(response) {
+ _processClaims(state, response) {
 if (response.isOpenIdConnect) {
 Log.debug("ResponseValidator._processClaims: response is OIDC, processing claims");
 response.profile = this._filterProtocolClaims(response.profile);
- if (this._settings.loadUserInfo && response.access_token) {
+ if (state.skipUserInfo !== true && this._settings.loadUserInfo && response.access_token) {
 Log.debug("ResponseValidator._processClaims: loading user info");
 return this._userInfoService.getClaims(response.access_token).then(claims => {
diff --git a/src/SigninRequest.js b/src/SigninRequest.js
index ccea0375..67c04c67 100644
--- a/src/SigninRequest.js
+++ b/src/SigninRequest.js
@@ -11,7 +11,7 @@ export class SigninRequest {
 url, client_id, redirect_uri, response_type, scope, authority,
 // optional
 data, prompt, display, max_age, ui_locales, id_token_hint, login_hint, acr_values, resource, response_mode,
- request, request_uri, extraQueryParams, request_type, client_secret, extraTokenParams
+ request, request_uri, extraQueryParams, request_type, client_secret, extraTokenParams, skipUserInfo
 }) {
 if (!url) {
 Log.error("SigninRequest.ctor: No url passed");
@@ -49,7 +49,7 @@ export class SigninRequest {
 data, client_id, authority, redirect_uri, code_verifier: code, request_type, response_mode,
- client_secret, scope, extraTokenParams });
+ client_secret, scope, extraTokenParams, skipUserInfo });
 url = UrlUtility.addQueryParam(url, "client_id", client_id);
 url = UrlUtility.addQueryParam(url, "redirect_uri", redirect_uri);
diff --git a/src/SigninState.js b/src/SigninState.js
index c2e7a5e9..72a190eb 100644
--- a/src/SigninState.js
+++ b/src/SigninState.js
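Review bot: `state` becomes a required positional argument of `_processClaims` and `state.skipUserInfo` dereferences it unconditionally, so any caller other than the one updated in validateSigninResponse (none is visible in this diff, but I cannot see the rest of the file) would now fail with a TypeError rather than keep its old behavior. If `_processClaims` is meant to stay callable without a state, `const skip = state && state.skipUserInfo === true;` before the `if` keeps the check explicit without relying on the argument. Either way the condition deserves a why-comment, since it lets per-request state override a global setting: `// skipUserInfo is set on the state by the silent session-status request, which only needs the id_token claims; the profile then contains no userinfo claims`. The body of `_processClaims` continues past the end of this hunk.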
@@ -7,7 +7,7 @@ import { JoseUtil } from './JoseUtil.js';
 import random from './random.js';
 export class SigninState extends State {
- constructor({nonce, authority, client_id, redirect_uri, code_verifier, response_mode, client_secret, scope, extraTokenParams} = {}) {
+ constructor({nonce, authority, client_id, redirect_uri, code_verifier, response_mode, client_secret, scope, extraTokenParams, skipUserInfo} = {}) {
 super(arguments[0]);
 if (nonce === true) {
@@ -37,6 +37,7 @@ export class SigninState extends State {
 this._client_secret = client_secret;
 this._scope = scope;
 this._extraTokenParams = extraTokenParams;
+ this._skipUserInfo = skipUserInfo;
 }
 get nonce() {
@@ -69,6 +70,9 @@ export class SigninState extends State {
 get extraTokenParams() {
 return this._extraTokenParams;
 }
+ get skipUserInfo() {
+ return this._skipUserInfo;
+ }
 toStorageString() {
 Log.debug("SigninState.toStorageString");
@@ -85,7 +89,8 @@ export class SigninState extends State {
 response_mode: this.response_mode,
 client_secret: this.client_secret,
 scope: this.scope,
- extraTokenParams : this.extraTokenParams
+ extraTokenParams : this.extraTokenParams,
+ skipUserInfo: this.skipUserInfo
 });
 }
diff --git a/src/UserManager.js b/src/UserManager.js
index 7623e163..c29ff12a 100644
--- a/src/UserManager.js
+++ b/src/UserManager.js
@@ -328,7 +328,8 @@ export class UserManager extends OidcClient {
 args.redirect_uri = url;
 args.prompt = "none";
 args.response_type = args.response_type || this.settings.query_status_response_type;
- args.scope = "openid";
+ args.scope = args.scope || "openid";
+ args.skipUserInfo = true;
 return this._signinStart(args, this._iframeNavigator, {
 startUrl: url,
diff --git a/test/unit/ResponseValidator.spec.js b/test/unit/ResponseValidator.spec.js
index bcc95059..551d4433 100644
--- a/test/unit/ResponseValidator.spec.js
+++ b/test/unit/ResponseValidator.spec.js
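Review bot: `skipUserInfo` is now serialized by toStorageString (the `+ skipUserInfo: this.skipUserInfo` line), but the reverse path that rebuilds the state after the redirect is not in this diff; if it hands the parsed JSON to the constructor, the destructured parameter added in the first hunk restores the flag, otherwise it is lost and the userinfo call happens regardless of the request. That is worth confirming with a round-trip test that builds a SigninState with `skipUserInfo: true`, serializes it, rebuilds it and asserts the getter still returns `true`. The getter added in the third hunk has no comment; I would put `// per-request override: suppresses the userinfo call in ResponseValidator._processClaims` above it. The constructor body in the first hunk continues past the hunk.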
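Review bot: `args.scope = args.scope || "openid"` replaces a fixed scope for the silent, prompt=none status request with whatever the caller passes, so the iframe request can now ask for any scope the caller supplies instead of only "openid"; if the intent is just to let callers tailor the probe, record that, because the old line read as a deliberate restriction. A comment such as `// the probe may carry a caller-chosen scope; userinfo claims are never needed to check session status, so skip that round trip` would explain both new lines. `||` treats an empty string as absent, which looks intended here. The enclosing method starts before this hunk and the `_signinStart` call is cut at its end.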
@@ -441,7 +441,7 @@ describe("ResponseValidator", function () {
 stubResponse.isOpenIdConnect = true;
 stubResponse.profile = { a: 'apple', b: 'banana' };
- subject._processClaims(stubResponse).then(response => {
+ subject._processClaims({}, stubResponse).then(response => {
 subject._filterProtocolClaimsWasCalled.should.be.true;
 done();
 });
@@ -452,7 +452,7 @@ describe("ResponseValidator", function () {
 stubResponse.isOpenIdConnect = false;
- subject._processClaims(stubResponse).then(response => {
+ subject._processClaims({}, stubResponse).then(response => {
 assert.isUndefined(subject._filterProtocolClaimsWasCalled);
 done();
 });
@@ -468,7 +468,7 @@ describe("ResponseValidator", function () {
 stubResponse.access_token = "access_token";
 stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });
- subject._processClaims(stubResponse).then(response => {
+ subject._processClaims({}, stubResponse).then(response => {
 stubUserInfoService.getClaimsWasCalled.should.be.true;
 subject._mergeClaimsWasCalled.should.be.true;
 done();
@@ -485,7 +485,7 @@ describe("ResponseValidator", function () {
 stubResponse.access_token = "access_token";
 stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });
- subject._processClaims(stubResponse).then(response => {
+ subject._processClaims({}, stubResponse).then(response => {
 stubUserInfoService.getClaimsWasCalled.should.be.false;
 done();
 });
@@ -501,7 +501,7 @@ describe("ResponseValidator", function () {
 stubResponse.access_token = "access_token";
 stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });
- subject._processClaims(stubResponse).then(response => {
+ subject._processClaims({}, stubResponse).then(response => {
 stubUserInfoService.getClaimsWasCalled.should.be.false;
 done();
 });
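Review bot: Every updated call passes `{}` as the state, which preserves the old behavior (`state.skipUserInfo` is undefined), but no test exercises the new branch: nothing passes `{ skipUserInfo: true }` with loadUserInfo enabled and an access_token present and asserts that `getClaimsWasCalled` stays false. The same applies to the hunks at @@ -452, @@ -468, @@ -485, @@ -501 and @@ -516. A sibling of the test at @@ -468, reusing its setup (whatever enables loadUserInfo there is outside the hunk), would cover it:
```javascript
it("should not load user info when state.skipUserInfo is true", function (done) {
    stubResponse.isOpenIdConnect = true;
    stubResponse.access_token = "access_token";
    stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });

    subject._processClaims({ skipUserInfo: true }, stubResponse).then(response => {
        stubUserInfoService.getClaimsWasCalled.should.be.false;
        done();
    });
});
```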
@@ -516,7 +516,7 @@ describe("ResponseValidator", function () {
 stubResponse.profile = { a: 'apple', b: 'banana' };
 stubUserInfoService.getClaimsResult = Promise.resolve({ c: 'carrot' });
- subject._processClaims(stubResponse).then(response => {
+ subject._processClaims({}, stubResponse).then(response => {
 stubUserInfoService.getClaimsWasCalled.should.be.false;
 done();
 });