Merge pull request #1000 from damienbod/damein/bugfix-Refresh-respons…

…e-without-an-id-token-breaks-mechanism Bugfix: Refresh response without an id token breaks mechanism
damienbod · Mar 5, 2021 · 748bda7 · 748bda7
2 parents e84458f + 29504b0
commit 748bda7
Showing 1 changed file with 20 additions and 17 deletions.
diff --git a/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts b/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts
@@ -174,23 +174,26 @@ export class StateValidationService {
       return toReturn;
     }
 
-    const idTokenHeader = this.tokenHelperService.getHeaderFromToken(toReturn.idToken, false);
-
-    // The at_hash is optional for the code flow
-    if (isCurrentFlowCodeFlow && !(toReturn.decodedIdToken.at_hash as string)) {
-      this.loggerService.logDebug('Code Flow active, and no at_hash in the id_token, skipping check!');
-    } else if (
-      !this.tokenValidationService.validateIdTokenAtHash(
-        toReturn.accessToken,
-        toReturn.decodedIdToken.at_hash,
-        idTokenHeader.alg // 'RSA256'
-      ) ||
-      !toReturn.accessToken
-    ) {
-      this.loggerService.logWarning('authorizedCallback incorrect at_hash');
-      toReturn.state = ValidationResult.IncorrectAtHash;
-      this.handleUnsuccessfulValidation();
-      return toReturn;
+    // only do check if id_token returned, no always the case when using refresh tokens
+    if (callbackContext.authResult.id_token) {
+      const idTokenHeader = this.tokenHelperService.getHeaderFromToken(toReturn.idToken, false);
+
+      // The at_hash is optional for the code flow
+      if (isCurrentFlowCodeFlow && !(toReturn.decodedIdToken.at_hash as string)) {
+        this.loggerService.logDebug('Code Flow active, and no at_hash in the id_token, skipping check!');
+      } else if (
+        !this.tokenValidationService.validateIdTokenAtHash(
+          toReturn.accessToken,
+          toReturn.decodedIdToken.at_hash,
+          idTokenHeader.alg // 'RSA256'
+        ) ||
+        !toReturn.accessToken
+      ) {
+        this.loggerService.logWarning('authorizedCallback incorrect at_hash');
+        toReturn.state = ValidationResult.IncorrectAtHash;
+        this.handleUnsuccessfulValidation();
+        return toReturn;
+      }
     }
 
     toReturn.authResponseIsValid = true;