fix: oidc idp token as header, exchange endpoint change (#8370)

reggi · web-flow · commit 604c7452dabd · 2025-06-24T10:42:13.000-04:00
diff --git a/lib/utils/oidc.js b/lib/utils/oidc.js
@@ -2,6 +2,7 @@ const { log } = require('proc-log')
 const npmFetch = require('npm-registry-fetch')
 const ciInfo = require('ci-info')
 const fetch = require('make-fetch-happen')
+const npa = require('npm-package-arg')
 
 /**
  * Handles OpenID Connect (OIDC) token retrieval and exchange for CI environments.
@@ -103,21 +104,28 @@ async function oidc ({ packageName, registry, opts, config }) {
       return undefined
     }
 
-    const response = await npmFetch.json(new URL('/-/npm/v1/oidc/token/exchange', registry), {
-      ...opts,
+    const parsedRegistry = new URL(registry)
+    const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`
+    const authTokenKey = `${regKey}:_authToken`
+
+    const escapedPackageName = npa(packageName).escapedName
+    const response = await npmFetch.json(new URL(`/-/npm/v1/oidc/token/exchange/package/${escapedPackageName}`, registry), {
+      ...{
+        ...opts,
+        [authTokenKey]: idToken, // Use the idToken as the auth token for the request
+      },
       method: 'POST',
-      body: {
-        package_name: packageName,
-        id_token: idToken,
+      headers: {
+        ...opts.headers,
+        'Content-Type': 'application/json',
+        // this will not work because the existing auth token will replace it.
+        // authorization: `Bearer ${idToken}`,
       },
     })
 
     if (!response?.token) {
       throw new Error('OIDC token exchange failure: missing token in response body')
     }
-    const parsedRegistry = new URL(registry)
-    const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`
-    const authTokenKey = `${regKey}:_authToken`
     /*
      * The "opts" object is a clone of npm.flatOptions and is passed through the `publish` command,
      * eventually reaching `otplease`. To ensure the token is accessible during the publishing process,
diff --git a/mock-registry/lib/index.js b/mock-registry/lib/index.js
@@ -632,10 +632,10 @@ class MockRegistry {
   }
 
   mockOidcTokenExchange ({ packageName, idToken, token, statusCode = 200 } = {}) {
-    this.nock.post(this.fullPath('/-/npm/v1/oidc/token/exchange'), body => {
-      return body.package_name === packageName && body.id_token === idToken
-    }).reply(statusCode, statusCode !== 500 ? { token: token } : { message: 'Internal Server Error' })
-    return { token }
+    const encodedPackageName = npa(packageName).escapedName
+    this.nock.post(this.fullPath(`/-/npm/v1/oidc/token/exchange/package/${encodedPackageName}`))
+      .matchHeader('authorization', `Bearer ${idToken}`)
+      .reply(statusCode, statusCode !== 500 ? { token } : { message: 'Internal Server Error' })
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -632,10 +632,10 @@ class MockRegistry {`
`632`	`632`	`}`
`633`	`633`
`634`	`634`	`mockOidcTokenExchange ({ packageName, idToken, token, statusCode = 200 } = {}) {`
`635`		`- this.nock.post(this.fullPath('/-/npm/v1/oidc/token/exchange'), body => {`
`636`		`- return body.package_name === packageName && body.id_token === idToken`
`637`		`- }).reply(statusCode, statusCode !== 500 ? { token: token } : { message: 'Internal Server Error' })`
`638`		`- return { token }`
	`635`	`+ const encodedPackageName = npa(packageName).escapedName`
	`636`	+ this.nock.post(this.fullPath(`/-/npm/v1/oidc/token/exchange/package/${encodedPackageName}`))
	`637`	+ .matchHeader('authorization', `Bearer ${idToken}`)
	`638`	`+ .reply(statusCode, statusCode !== 500 ? { token } : { message: 'Internal Server Error' })`
`639`	`639`	`}`
`640`	`640`	`}`
`641`	`641`