chore: add authorizationParams tests

Author: guabu

src/server/auth-client.test.ts

@@ -66,7 +66,7 @@ ca/T0LLtgmbMmxSv/MmzIg==
     nonce,
     keyPair = DEFAULT.keyPair,
     onParRequest,
-    backchannelAuth
+    onBackchannelAuthRequest
   }: {
     tokenEndpointResponse?: oauth.TokenEndpointResponse | oauth.OAuth2Error;
     tokenEndpointErrorResponse?: oauth.OAuth2Error;
@@ -76,10 +76,7 @@ ca/T0LLtgmbMmxSv/MmzIg==
     nonce?: string;
     keyPair?: jose.GenerateKeyPairResult;
     onParRequest?: (request: Request) => Promise<void>;
-    backchannelAuth?: {
-      interval: number;
-      expiresIn: number;
-    };
+    onBackchannelAuthRequest?: (request: Request) => Promise<void>;
   } = {}) {
     // this function acts as a mock authorization server
     return vi.fn(
@@ -137,7 +134,6 @@ ca/T0LLtgmbMmxSv/MmzIg==
         // PAR endpoint
         if (url.pathname === "/oauth/par") {
           if (onParRequest) {
-            // TODO: for some reason the input here is a URL and not a request
             await onParRequest(new Request(input, init));
           }
 
@@ -150,11 +146,15 @@ ca/T0LLtgmbMmxSv/MmzIg==
         }
         // Backchannel Authorize endpoint
         if (url.pathname === "/bc-authorize") {
+          if (onBackchannelAuthRequest) {
+            await onBackchannelAuthRequest(new Request(input, init));
+          }
+
           return Response.json(
             {
               auth_req_id: "auth-req-id",
-              expires_in: backchannelAuth?.expiresIn ?? 30,
-              interval: backchannelAuth?.interval ?? 0.01
+              expires_in: 30,
+              interval: 0.01
             },
             {
               status: 200
@@ -5744,6 +5744,159 @@ ca/T0LLtgmbMmxSv/MmzIg==
       );
       expect(res).toBeNull();
     });
+
+    it("should forward any statically configured authorization parameters", async () => {
+      const customScope = "openid profile email offline_access custom_scope";
+      const customAudience = "urn:mystore:api";
+      const customParamValue = "custom_value";
+
+      const secret = await generateSecret(32);
+      const transactionStore = new TransactionStore({
+        secret
+      });
+      const sessionStore = new StatelessSessionStore({
+        secret
+      });
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore,
+
+        domain: DEFAULT.domain,
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+
+        routes: getDefaultRoutes(),
+        authorizationParameters: {
+          scope: customScope,
+          audience: customAudience,
+          custom_param: customParamValue
+        },
+        fetch: getMockAuthorizationServer({
+          onBackchannelAuthRequest: async (req) => {
+            const formBody = await req.formData();
+            expect(formBody.get("scope")).toEqual(customScope);
+            expect(formBody.get("audience")).toEqual(customAudience);
+            expect(formBody.get("custom_param")).toEqual(customParamValue);
+          }
+        })
+      });
+
+      const [error, _] = await authClient.backchannelAuthentication({
+        bindingMessage: "test-message",
+        loginHint: {
+          sub: DEFAULT.sub
+        }
+      });
+
+      expect(error).toBeNull();
+    });
+
+    it("should forward any dynamically specified authorization parameters", async () => {
+      const customScope = "openid profile email offline_access custom_scope";
+      const customAudience = "urn:mystore:api";
+      const customParamValue = "custom_value";
+
+      const secret = await generateSecret(32);
+      const transactionStore = new TransactionStore({
+        secret
+      });
+      const sessionStore = new StatelessSessionStore({
+        secret
+      });
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore,
+
+        domain: DEFAULT.domain,
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+
+        routes: getDefaultRoutes(),
+        fetch: getMockAuthorizationServer({
+          onBackchannelAuthRequest: async (req) => {
+            const formBody = await req.formData();
+            expect(formBody.get("scope")).toEqual(customScope);
+            expect(formBody.get("audience")).toEqual(customAudience);
+            expect(formBody.get("custom_param")).toEqual(customParamValue);
+          }
+        })
+      });
+
+      const [error, _] = await authClient.backchannelAuthentication({
+        bindingMessage: "test-message",
+        loginHint: {
+          sub: DEFAULT.sub
+        },
+        authorizationParams: {
+          scope: customScope,
+          audience: customAudience,
+          custom_param: customParamValue
+        }
+      });
+
+      expect(error).toBeNull();
+    });
+
+    it("should give precedence to dynamically provided authorization parameters over statically configured ones", async () => {
+      const customScope = "openid profile email offline_access custom_scope";
+      const customParamValue = "custom_value";
+
+      const secret = await generateSecret(32);
+      const transactionStore = new TransactionStore({
+        secret
+      });
+      const sessionStore = new StatelessSessionStore({
+        secret
+      });
+      const authClient = new AuthClient({
+        transactionStore,
+        sessionStore,
+
+        domain: DEFAULT.domain,
+        clientId: DEFAULT.clientId,
+        clientSecret: DEFAULT.clientSecret,
+
+        secret,
+        appBaseUrl: DEFAULT.appBaseUrl,
+
+        routes: getDefaultRoutes(),
+        authorizationParameters: {
+          scope: customScope,
+          audience: "static-config-aud",
+          custom_param: customParamValue
+        },
+        fetch: getMockAuthorizationServer({
+          onBackchannelAuthRequest: async (req) => {
+            const formBody = await req.formData();
+            expect(formBody.get("scope")).toEqual(customScope);
+            expect(formBody.get("audience")).toEqual(
+              "dynamically-specific-aud"
+            );
+            expect(formBody.get("custom_param")).toEqual(customParamValue);
+          }
+        })
+      });
+
+      const [error, _] = await authClient.backchannelAuthentication({
+        bindingMessage: "test-message",
+        loginHint: {
+          sub: DEFAULT.sub
+        },
+        authorizationParams: {
+          scope: customScope,
+          audience: "dynamically-specific-aud",
+          custom_param: customParamValue
+        }
+      });
+
+      expect(error).toBeNull();
+    });
   });
 });
 

src/server/client.ts

@@ -737,14 +737,14 @@ export class Auth0Client {
   }
 
   /**
-   * Authenticates using Client-Initiated Backchannel Authentication.
+   * Authenticates using Client-Initiated Backchannel Authentication and returns the token set and optionally the ID token claims and authorization details.
    *
    * This method will initialize the backchannel authentication process with Auth0, and poll the token endpoint until the authentication is complete.
    *
    * Using Client-Initiated Backchannel Authentication requires the feature to be enabled in the Auth0 dashboard.
    * @see https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow
    */
-  async backchannelAuthentication(options: BackchannelAuthenticationOptions) {
+  async getTokenByBackchannelAuth(options: BackchannelAuthenticationOptions) {
     const [error, response] =
       await this.authClient.backchannelAuthentication(options);