More examples (covering variations of providers)

[dswbx]

Thank you very much for this library! It was exactly what I was looking for. Unfortunately I had tough times to properly set this up (mainly because it seems that the integration varies heavily depending on the provider itself).

For Github (oauth2) and Google (oidc), the examples provided went pretty well. But for Slack (both oauth2 and oidc) I ran into issues. Regarding Slack's OIDC flow, I used the OIDC-code that also worked for Google, but it seems that there is no code challenge supported. It requires a nonce, because if not provided, the callback adds a { "nonce": "" } which fails on processAuthorizationCodeOpenIDResponse with unexpected ID Token "nonce" claim value:

oauth4webapi/src/index.ts

Lines 2951 to 2968 in e4c3c56

	switch (expectedNonce) {
	case undefined:
	case expectNoNonce:
	if (claims.nonce !== undefined) {
	throw new OPE('unexpected ID Token "nonce" claim value')
	}
	break
	default:
	if (!validateString(expectedNonce)) {
	throw new TypeError('"expectedNonce" must be a non-empty string')
	}
	if (claims.nonce === undefined) {
	throw new OPE('ID Token "nonce" claim missing')
	}
	if (claims.nonce !== expectedNonce) {
	throw new OPE('unexpected ID Token "nonce" claim value')
	}
	}

I fixed it by modifying the sample code to check if as.code_challenge_methods_supported?.includes("S256") and if so, add the code_challenge (google), otherwise add it as the nonce (slack) – and of course instruct processAuthorizationCodeOpenIDResponse to then expect this nonce.

According to the OpenID spec, the "none" is optional, but Slack seem to rely on it. But it doesn't mention what "optional" means, as you expect if nonce is not given, it should not be present instead of an empty string. Because the issue could also be on my end, I also tested the flow using @auth/core and it has the same issue.

Didn't know where to post this, not sure if it's an issue, therefore going with a discussion 😉

[panva]

Hi @dswbx

integration varies heavily depending on the provider itself

Yes, that's inherent for every provider that doesn't follow the specs, I wholeheartedly recommend to open bug reports and/or support issues with every provider that doesn't follow the specs. It is not possible for the examples to account for individual provider issues though.

I've updated the examples in 1140165 to hopefully reflect non-signalled PKCE support in a bit more detail.

[dswbx]

Thank you very much! I'm also going to open a bug report on Slack, but I don't have much hope.

[panva]

Yeah I wouldn't get my hopes up, still, has to be done if they're ever to improve.