default scope to openid for non oidc conformant, disable sso properly…

…, validate reponseType with popup
auth0 · Jan 6, 2017 · f127809 · f127809
1 parent 1a757d2
commit f127809
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 20 deletions.
diff --git a/package.json b/package.json
@@ -79,7 +79,7 @@
     "zuul-ngrok": "gnandretta/zuul-ngrok#upgrade-ngrok"
   },
   "dependencies": {
-    "auth0-js": "8.0.3",
+    "auth0-js": "8.0.4",
     "blueimp-md5": "2.3.1",
     "fbjs": "^0.3.1",
     "immutable": "^3.7.3",

diff --git a/src/core/index.js b/src/core/index.js
@@ -218,6 +218,10 @@ function extractAuthOptions(options) {
     nonce
   } = options.auth || {};
 
+  let {
+    oidcConformant
+  } = options;
+
   audience = typeof audience === "string" ? audience : undefined;
   connectionScopes = typeof connectionScopes === "object" ? connectionScopes : {};
   params = typeof params === "object" ? params : {};
@@ -234,6 +238,14 @@ function extractAuthOptions(options) {
     warn(options, "Usage of scope 'openid profile' is not recommended. See https://auth0.com/docs/scopes for more details.");
   }
 
+  if (oidcConformant && !redirect && responseType.indexOf('id_token') > -1) {
+    throw new Error("It is not posible to request an 'id_token' while using popup mode.");
+  }
+
+  if (oidcConformant && !params.scope) {
+    params.scope = 'openid';
+  }
+
   return Immutable.fromJS({
     audience,
     connectionScopes,

diff --git a/src/core/remote_data.js b/src/core/remote_data.js
@@ -20,25 +20,23 @@ export function syncRemoteData(m) {
     });
   }
 
-  if (!l.oidcConformant(m)) {
-    m = sync(m, "sso", {
-      conditionFn: l.auth.sso,
-      waitFn: m => isSuccess(m, "client"),
-      syncFn: (m, cb) => fetchSSOData(l.id(m), isADEnabled(m), cb),
-      successFn: (m, result) => m.mergeIn(["sso"], Immutable.fromJS(result)),
-      errorFn: (m, error) => {
-        // location.origin is not supported in all browsers
-        let origin = location.protocol + "//" + location.hostname;
-        if (location.port) {
-          origin += ":" + location.port;
-        }
+  m = sync(m, "sso", {
+    conditionFn: (m) => l.auth.sso(m) && !l.oidcConformant(m),
+    waitFn: m => isSuccess(m, "client"),
+    syncFn: (m, cb) => fetchSSOData(l.id(m), isADEnabled(m), cb),
+    successFn: (m, result) => m.mergeIn(["sso"], Immutable.fromJS(result)),
+    errorFn: (m, error) => {
+      // location.origin is not supported in all browsers
+      let origin = location.protocol + "//" + location.hostname;
+      if (location.port) {
+        origin += ":" + location.port;
+      }
 
-        const appSettingsUrl = `https://manage.auth0.com/#/applications/${l.clientID(m)}/settings`;
+      const appSettingsUrl = `https://manage.auth0.com/#/applications/${l.clientID(m)}/settings`;
 
-        l.warn(m, `There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a "Origin" error has been logged before this warning, please add "${origin}" to the "Allowed Origins (CORS)" list in the Auth0 dashboard: ${appSettingsUrl}`);
-      }
-    });
-  }
+      l.warn(m, `There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a "Origin" error has been logged before this warning, please add "${origin}" to the "Allowed Origins (CORS)" list in the Auth0 dashboard: ${appSettingsUrl}`);
+    }
+  });
 
   return m;
 }
diff --git a/support/index.html b/support/index.html
@@ -17,9 +17,9 @@
     const domain = "auth0-tests-lock.auth0.com";
     const options = {
       auth: {
-        responseType: 'id_token token',
+        responseType: 'id_token'
       },
-      oidcConformant: false
+      oidcConformant: true
     };
 
     const lock = new Auth0Lock(cid, domain, options);