auth0 · adamjmcgrath · Jul 9, 2020 · Jul 2, 2020 · Jul 2, 2020 · Jul 3, 2020
diff --git a/lib/ResponseMode.js b/lib/ResponseMode.js
diff --git a/lib/config.js b/lib/config.js
@@ -50,30 +50,30 @@ const paramsSchema = Joi.object({
   auth0Logout: Joi.boolean().optional().default(false),
   authorizationParams: Joi.object({
     response_type: Joi.string().optional().valid('id_token', 'code id_token', 'code').default('id_token'),
-    scope: Joi.string().optional().default('openid profile email'),
-    response_mode: Joi.alternatives([
-      Joi.string().optional(),
-      Joi.allow(null).optional()
-    ]).default((parent) => parent.response_type.includes('token') ? 'form_post' : undefined),
+    scope: Joi.string().optional().pattern(/\bopenid\b/, 'contains openid').default('openid profile email'),
+    response_mode: Joi.string().optional().when('response_type', {
+      is: 'code',
+      then: Joi.valid('query', 'form_post'),
+      otherwise: Joi.valid('form_post').default('form_post')
+    }),
   }).optional().unknown(true).default(),
   baseURL: Joi.string().uri().required(),
   clientID: Joi.string().required(),
   clientSecret: Joi.string().when(
-    Joi.ref('authorizationParams.response_type', { adjust: (value) => value && value.split(' ').includes('code') }),
+    Joi.ref('authorizationParams.response_type', { adjust: (value) => value && value.includes('code') }),
     {
       is: true,
       then: Joi.string().required().messages({
-        'any.required': '"clientSecret" is required for response_type code'
-      }),
-      otherwise: Joi.when(
-        Joi.ref('idTokenSigningAlg', { adjust: (value) => value && value.substring(0, 2) === 'HS' }),
-        {
-          is: true,
-          then: Joi.string().required().messages({
-            'any.required': '"clientSecret" is required for ID tokens with HS algorithms'
-          })
-        }
-      )
+        'any.required': '"clientSecret" is required for a response_type that includes code'
+      })
+    }
+  ).when(
+    Joi.ref('idTokenSigningAlg', { adjust: (value) => value && value.startsWith('HS') }),
+    {
+      is: true,
+      then: Joi.string().required().messages({
+        'any.required': '"clientSecret" is required for ID tokens with HS algorithms'
+      })
     }
   ),
   clockTolerance: Joi.number().optional().default(60),
@@ -84,10 +84,7 @@ const paramsSchema = Joi.object({
   identityClaimFilter: Joi.array().optional().default(['aud', 'iss', 'iat', 'exp', 'nbf', 'nonce', 'azp', 'auth_time', 's_hash', 'at_hash', 'c_hash']),
   idpLogout: Joi.boolean().optional().default((parent) => parent.auth0Logout || false),
   idTokenSigningAlg: Joi.string().not('none').optional().default('RS256'),
-  issuerBaseURL: Joi.alternatives([
-    Joi.string().uri(),
-    Joi.string().hostname()
-  ]).required(),
+  issuerBaseURL: Joi.string().uri().required(),
   legacySameSiteCookie: Joi.boolean().optional().default(true),
   authRequired: Joi.boolean().optional().default(true),
   routes: Joi.object({

diff --git a/lib/context.js b/lib/context.js
@@ -3,6 +3,8 @@ const url = require('url');
 const urlJoin = require('url-join');
 const { TokenSet } = require('openid-client');
 const clone = require('clone');
+const { strict: assert } = require('assert');
+
 
 const debug = require('./debug');
 const { get: getClient } = require('./client');
@@ -162,14 +164,15 @@ class ResponseContext {
         } : undefined)
       };
 
+      // TODO: validate response_type / response_mode?
+      assert(/\bopenid\b/.test(authParams.scope), 'scope should contain "openid"');
+
       // TODO: hook here
 
       if (authParams.max_age) {
         transient.store('max_age', req, res, { ...transientOpts, value: authParams.max_age });
       }
 
-      // TODO: check openid is in the scope here
-
       const authorizationUrl = client.authorizationUrl(authParams);
       res.redirect(authorizationUrl);
     } catch (err) {

diff --git a/test/auth.tests.js b/test/auth.tests.js
@@ -224,6 +224,23 @@ describe('auth', () => {
     assert.equal(decodedState.returnTo, 'https://example.org/custom-redirect');
   });
 
+  it('should not allow removing openid from scope', async function () {
+    const router = auth({ ...defaultConfig, routes: { login: false } });
+    router.get('/login', (req, res) => {
+      res.oidc.login({
+        authorizationParams: {
+          scope: 'email'
+        }
+      });
+    });
+    server = await createServer(router);
+
+    const cookieJar = request.jar();
+    const res = await request.get('/login', { cookieJar, baseUrl, json: true, followRedirect: false });
+    assert.equal(res.statusCode, 500);
+    assert.equal(res.body.err.message, 'scope should contain "openid"');
+  });
+
   it('should use a custom state builder', async () => {
     server = await createServer(auth({
       ...defaultConfig,