refactor(core): remove offline_access scope by default

remove the offline_access scope by default
logto-io · Oct 14, 2024 · 54c6f7a · 54c6f7a
1 parent 791feb7
commit 54c6f7a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 7 deletions.
diff --git a/packages/core/src/libraries/sso-connector.test.ts b/packages/core/src/libraries/sso-connector.test.ts
@@ -1,4 +1,4 @@
-import { Prompt, QueryKey, withReservedScopes } from '@logto/js';
+import { Prompt, QueryKey, ReservedScope, UserScope } from '@logto/js';
 import { ApplicationType, type SsoConnectorIdpInitiatedAuthConfig } from '@logto/schemas';
 
 import { mockSsoConnector, wellConfiguredSsoConnector } from '#src/__mocks__/sso.js';
@@ -204,7 +204,7 @@ describe('SsoConnectorLibrary', () => {
  for (const [key, value] of Object.entries(defaultQueryParameters)) {
  expect(parameters.get(key)).toBe(value);
  }
- expect(parameters.get(QueryKey.Scope)).toBe(withReservedScopes());
+ expect(parameters.get(QueryKey.Scope)).toBe(`${ReservedScope.OpenId} ${UserScope.Profile}`);
  });
 
  it('should use the provided redirectUri', async () => {
@@ -233,7 +233,7 @@ describe('SsoConnectorLibrary', () => {
  });
 
  it('should append extra scopes to the query parameters', async () => {
- const scopes = ['scope1', 'scope2'];
+ const scopes = ['organization', 'email', 'profile'];
 
  const url = await getIdpInitiatedSamlSsoSignInUrl(issuer, {
  ...authConfig,
@@ -243,7 +243,9 @@ describe('SsoConnectorLibrary', () => {
  });
 
  const parameters = new URLSearchParams(url.search);
- expect(parameters.get(QueryKey.Scope)).toBe(withReservedScopes(scopes));
+ expect(parameters.get(QueryKey.Scope)).toBe(
+ `${ReservedScope.OpenId} ${UserScope.Profile} organization email`
+ );
  });
 
  it('should be able to append extra query parameters', async () => {

diff --git a/packages/core/src/libraries/sso-connector.ts b/packages/core/src/libraries/sso-connector.ts
@@ -1,4 +1,4 @@
-import { type DirectSignInOptions, Prompt, QueryKey, withReservedScopes } from '@logto/js';
+import { type DirectSignInOptions, Prompt, QueryKey, ReservedScope, UserScope } from '@logto/js';
 import {
  ApplicationType,
  type SsoSamlAssertionContent,
@@ -7,7 +7,7 @@ import {
  type SsoConnectorIdpInitiatedAuthConfig,
 } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
-import { assert, trySafe } from '@silverhand/essentials';
+import { assert, deduplicate, trySafe } from '@silverhand/essentials';
 
 import { defaultIdPInitiatedSamlSsoSessionTtl } from '#src/constants/index.js';
 import RequestError from '#src/errors/RequestError/index.js';
@@ -141,6 +141,9 @@ export const createSsoConnectorLibrary = (queries: Queries) => {
  *
  * @remarks
  * For IdP-initiated SAML SSO flow use only. Generate the sign-in URL for the user to sign in.
+ * Default scopes: openid, profile
+ * Default prompt: login
+ * Default response type: code
  *
  * @param issuer The oidc issuer endpoint of the current tenant.
  * @param authConfig The IdP-initiated SAML SSO authentication configuration.
@@ -183,7 +186,11 @@ export const createSsoConnectorLibrary = (queries: Queries) => {
  ...extraParams,
  });
 
- queryParameters.append(QueryKey.Scope, withReservedScopes(scope?.split(' ') ?? []));
+ queryParameters.append(
+ QueryKey.Scope,
+ // For security reasons, DO NOT include the offline_access scope for IdP-initiated SAML SSO by default
+ deduplicate([ReservedScope.OpenId, UserScope.Profile, ...(scope?.split(' ') ?? [])]).join(' ')
+ );
 
  return new URL(`${issuer}/auth?${queryParameters.toString()}`);
  };