fix: parse ISS if returned in OIDC flow (#1162)

fix: parse iss and pass when available

Co-authored-by: Nathan Sarrazin <sarrazin.nathan@gmail.com>

Author: muscionig

src/lib/server/auth.ts

@@ -110,9 +110,13 @@ export async function getOIDCAuthorizationUrl(
 	});
 }
 
-export async function getOIDCUserData(settings: OIDCSettings, code: string): Promise<OIDCUserInfo> {
+export async function getOIDCUserData(
+	settings: OIDCSettings,
+	code: string,
+	iss?: string
+): Promise<OIDCUserInfo> {
 	const client = await getOIDCClient(settings);
-	const token = await client.callback(settings.redirectURI, { code });
+	const token = await client.callback(settings.redirectURI, { code, iss });
 	const userData = await client.userinfo(token);
 
 	return { token, userData };

src/routes/login/callback/+page.server.ts

@@ -24,10 +24,11 @@ export async function load({ url, locals, cookies, request, getClientAddress })
 		throw error(400, errorName + (errorDescription ? ": " + errorDescription : ""));
 	}
 
-	const { code, state } = z
+	const { code, state, iss } = z
 		.object({
 			code: z.string(),
 			state: z.string(),
+			iss: z.string().optional(),
 		})
 		.parse(Object.fromEntries(url.searchParams.entries()));
 
@@ -39,7 +40,11 @@ export async function load({ url, locals, cookies, request, getClientAddress })
 		throw error(403, "Invalid or expired CSRF token");
 	}
 
-	const { userData } = await getOIDCUserData({ redirectURI: validatedToken.redirectUrl }, code);
+	const { userData } = await getOIDCUserData(
+		{ redirectURI: validatedToken.redirectUrl },
+		code,
+		iss
+	);
 
 	// Filter by allowed user emails
 	if (allowedUserEmails.length > 0) {