feat(auth): Added code flow support for OIDC flow.

src/auth/auth-config.ts

@@ -810,13 +810,11 @@ export class OIDCConfig implements OIDCAuthProviderConfig {
       });
 
       const idToken = options.responseType.idToken;
-      if (typeof idToken !== 'undefined') {
-        if (!validator.isBoolean(idToken)) {
-          throw new FirebaseAuthError(
-            AuthClientErrorCode.INVALID_ARGUMENT,
-            '"OIDCAuthProviderConfig.responseType.idToken" must be a boolean.',
-          );
-        }
+      if (typeof idToken !== 'undefined' && !validator.isBoolean(idToken)) { 
+        throw new FirebaseAuthError(
+          AuthClientErrorCode.INVALID_ARGUMENT,
+          '"OIDCAuthProviderConfig.responseType.idToken" must be a boolean.',
+        );
       }
 
       const code = options.responseType.code;
@@ -829,7 +827,7 @@ export class OIDCConfig implements OIDCAuthProviderConfig {
         }
 
         // If code flow is enabled, client secret must be provided.
-        if (typeof options.clientSecret === 'undefined') {
+        if (code === true && typeof options.clientSecret === 'undefined') {
           throw new FirebaseAuthError(
             AuthClientErrorCode.MISSING_OAUTH_CLIENT_SECRET,
             'The OAuth configuration client secret is required to enable OIDC code flow.',
@@ -897,8 +895,8 @@ export class OIDCConfig implements OIDCAuthProviderConfig {
       providerId: this.providerId,
       issuer: this.issuer,
       clientId: this.clientId,
-      clientSecret: this.clientSecret,
-      responseType: this.responseType,
+      clientSecret: deepCopy(this.clientSecret),
+      responseType: deepCopy(this.responseType),
     };
   }
 }

test/unit/auth/auth-api-request.spec.ts

@@ -3503,12 +3503,20 @@ AUTH_REQUEST_HANDLER_TESTS.forEach((handler) => {
         enabled: true,
         clientId: 'CLIENT_ID',
         issuer: 'https://oidc.com/issuer',
+        clientSecret: 'CLIENT_SECRET',
+        responseType: {
+          code: true,
+        },
       };
       const expectedRequest = {
         displayName: 'OIDC_DISPLAY_NAME',
         enabled: true,
         clientId: 'CLIENT_ID',
         issuer: 'https://oidc.com/issuer',
+        clientSecret: 'CLIENT_SECRET',
+        responseType: {
+          code: true,
+        },
       };
       const expectedResult = utils.responseFrom(deepExtend({
         name: `projects/project1/oauthIdpConfigs/${providerId}`,
@@ -3594,12 +3602,20 @@ AUTH_REQUEST_HANDLER_TESTS.forEach((handler) => {
         enabled: true,
         clientId: 'CLIENT_ID',
         issuer: 'https://oidc.com/issuer',
+        clientSecret: 'CLIENT_SECRET',
+        responseType: {
+          code: true,
+        },
       };
       const expectedRequest = {
         displayName: 'OIDC_DISPLAY_NAME',
         enabled: true,
         clientId: 'CLIENT_ID',
         issuer: 'https://oidc.com/issuer',
+        clientSecret: 'CLIENT_SECRET',
+        responseType: {
+          code: true,
+        },
       };
       const expectedResult = utils.responseFrom(deepExtend({
         name: `projects/project_id/oauthIdpConfigs/${providerId}`,
@@ -3611,10 +3627,14 @@ AUTH_REQUEST_HANDLER_TESTS.forEach((handler) => {
         enabled: false,
         clientId: 'NEW_CLIENT_ID',
         issuer: 'https://oidc.com/issuer2',
+        clientSecret: 'CLIENT_SECRET',
+        responseType: {
+          code: true,
+        },
       }));
 
       it('should be fulfilled given full parameters', () => {
-        const expectedPath = path + '?updateMask=enabled,displayName,issuer,clientId';
+        const expectedPath = path + '?updateMask=enabled,displayName,issuer,clientId,clientSecret,responseType.code';
         const stub = sinon.stub(HttpClient.prototype, 'send').resolves(expectedResult);
         stubs.push(stub);
 
@@ -3708,7 +3728,7 @@ AUTH_REQUEST_HANDLER_TESTS.forEach((handler) => {
       });
 
       it('should be rejected when the backend returns a response missing name', () => {
-        const expectedPath = path + '?updateMask=enabled,displayName,issuer,clientId';
+        const expectedPath = path + '?updateMask=enabled,displayName,issuer,clientId,clientSecret,responseType.code';
         const expectedError = new FirebaseAuthError(
           AuthClientErrorCode.INTERNAL_ERROR,
           'INTERNAL ASSERT FAILED: Unable to update OIDC configuration',
@@ -3728,7 +3748,7 @@ AUTH_REQUEST_HANDLER_TESTS.forEach((handler) => {
       });
 
       it('should be rejected when the backend returns an error', () => {
-        const expectedPath = path + '?updateMask=enabled,displayName,issuer,clientId';
+        const expectedPath = path + '?updateMask=enabled,displayName,issuer,clientId,clientSecret,responseType.code';
         const expectedServerError = utils.errorFrom({
           error: {
             message: 'INVALID_CONFIG',

test/unit/auth/auth-config.spec.ts

@@ -788,10 +788,14 @@ describe('OIDCConfig', () => {
     });
 
     it('should set readonly property expected responseType', () => {
-      const expectedResponseType = {
-        code: true,
-      };
-      expect(config.responseType).to.deep.equal(expectedResponseType);
+      expect(config.responseType).to.deep.equal({ code: true });
+    });
+
+    it('should not throw on no responseType and clientSecret', () => {
+      const testResponse = deepCopy(serverResponse);
+      delete testResponse.clientSecret;
+      delete testResponse.responseType;
+      expect(() => new OIDCConfig(testResponse)).not.to.throw();
     });
 
     it('should throw on missing issuer', () => {