Fix: Auto-include openid scope in authentication methods to prevent ID token errors (#1369)

subhankarmaiti · web-flow · commit ff7fcd339ad2 · 2025-10-31T12:20:07.000+05:30
diff --git a/src/core/services/AuthenticationOrchestrator.ts b/src/core/services/AuthenticationOrchestrator.ts
@@ -35,6 +35,30 @@ import { deepCamelCase } from '../utils';
 // Represents the raw user profile returned by an API (snake_case)
 type RawUser = { [key: string]: any };
 
+/**
+ * Ensures the 'openid' scope is included in the scope string.
+ * This is required for receiving an ID token in the response.
+ * Follows the same pattern as Auth0.Android and Auth0.Swift SDKs.
+ *
+ * When no scope is provided, defaults to 'openid profile email' to match
+ * the behavior of other Auth0 SDKs and provide a complete user profile.
+ *
+ * @param scope - The original scope string (optional)
+ * @returns A scope string that includes 'openid'
+ */
+function includeRequiredScope(scope?: string): string {
+  if (!scope) {
+    return 'openid profile email';
+  }
+  
+  const scopes = scope.split(' ');
+  if (!scopes.includes('openid')) {
+    return `openid ${scope}`;
+  }
+  
+  return scope;
+}
+
 /**
  * Orchestrates all direct authentication flows by making calls to the Auth0 Authentication API.
  * This class is platform-agnostic and relies on an injected HttpClient.
@@ -107,7 +131,7 @@ export class AuthenticationOrchestrator implements IAuthenticationProvider {
       subject_token_type: payload.subjectTokenType,
       user_profile: payload.userProfile,
       audience: payload.audience,
-      scope: payload.scope,
+      scope: includeRequiredScope(payload.scope),
     };
     const { json, response } =
       await this.client.post<NativeCredentialsResponse>(
@@ -131,7 +155,7 @@ export class AuthenticationOrchestrator implements IAuthenticationProvider {
       password: payload.password,
       realm: payload.realm,
       audience: payload.audience,
-      scope: payload.scope,
+      scope: includeRequiredScope(payload.scope),
     };
     const { json, response } =
       await this.client.post<NativeCredentialsResponse>(
@@ -150,7 +174,7 @@ export class AuthenticationOrchestrator implements IAuthenticationProvider {
       grant_type: 'refresh_token',
       client_id: this.clientId,
       refresh_token: payload.refreshToken,
-      scope: payload.scope,
+      scope: includeRequiredScope(payload.scope),
     };
     const { json, response } =
       await this.client.post<NativeCredentialsResponse>(
@@ -212,7 +236,7 @@ export class AuthenticationOrchestrator implements IAuthenticationProvider {
       otp: payload.code,
       realm: 'email',
       audience: payload.audience,
-      scope: payload.scope,
+      scope: includeRequiredScope(payload.scope),
     };
     const { json, response } =
       await this.client.post<NativeCredentialsResponse>(
@@ -234,7 +258,7 @@ export class AuthenticationOrchestrator implements IAuthenticationProvider {
       otp: payload.code,
       realm: 'sms',
       audience: payload.audience,
-      scope: payload.scope,
+      scope: includeRequiredScope(payload.scope),
     };
     const { json, response } =
       await this.client.post<NativeCredentialsResponse>(
diff --git a/src/core/services/__tests__/AuthenticationOrchestrator.spec.ts b/src/core/services/__tests__/AuthenticationOrchestrator.spec.ts
@@ -119,6 +119,47 @@ describe('AuthenticationOrchestrator', () => {
         AuthError
       );
     });
+
+    it('should auto-include openid scope when scope is undefined', async () => {
+      mockHttpClientInstance.post.mockResolvedValueOnce({
+        json: tokensResponse,
+        response: new Response(null, { status: 200 }),
+      });
+      await orchestrator.passwordRealm({
+        username: 'info@auth0.com',
+        password: 'secret pass',
+        realm: 'Username-Password-Authentication',
+      });
+
+      expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+        '/oauth/token',
+        expect.objectContaining({
+          scope: 'openid profile email',
+        }),
+        undefined
+      );
+    });
+
+    it('should auto-include openid scope when not present in custom scope', async () => {
+      mockHttpClientInstance.post.mockResolvedValueOnce({
+        json: tokensResponse,
+        response: new Response(null, { status: 200 }),
+      });
+      await orchestrator.passwordRealm({
+        username: 'info@auth0.com',
+        password: 'secret pass',
+        realm: 'Username-Password-Authentication',
+        scope: 'offline_access',
+      });
+
+      expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+        '/oauth/token',
+        expect.objectContaining({
+          scope: 'openid offline_access',
+        }),
+        undefined
+      );
+    });
   });
 
   describe('refresh token', () => {
@@ -165,6 +206,43 @@ describe('AuthenticationOrchestrator', () => {
         AuthError
       );
     });
+
+    it('should auto-include openid scope when scope is undefined', async () => {
+      mockHttpClientInstance.post.mockResolvedValueOnce({
+        json: tokensResponse,
+        response: new Response(null, { status: 200 }),
+      });
+      await orchestrator.refreshToken({
+        refreshToken: 'a refresh token of a user',
+      });
+
+      expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+        '/oauth/token',
+        expect.objectContaining({
+          scope: 'openid profile email',
+        }),
+        undefined
+      );
+    });
+
+    it('should auto-include openid scope when not present in custom scope', async () => {
+      mockHttpClientInstance.post.mockResolvedValueOnce({
+        json: tokensResponse,
+        response: new Response(null, { status: 200 }),
+      });
+      await orchestrator.refreshToken({
+        refreshToken: 'a refresh token of a user',
+        scope: 'offline_access',
+      });
+
+      expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+        '/oauth/token',
+        expect.objectContaining({
+          scope: 'openid offline_access',
+        }),
+        undefined
+      );
+    });
   });
 
   describe('revoke token', () => {
@@ -290,6 +368,43 @@ describe('AuthenticationOrchestrator', () => {
           undefined
         );
       });
+
+      it('should auto-include openid scope when scope is undefined', async () => {
+        mockHttpClientInstance.post.mockResolvedValueOnce({
+          json: tokensResponse,
+          response: new Response(null, { status: 200 }),
+        });
+        await orchestrator.loginWithEmail({
+          email: 'info@auth0.com',
+          code: '123456',
+        });
+        expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+          '/oauth/token',
+          expect.objectContaining({
+            scope: 'openid profile email',
+          }),
+          undefined
+        );
+      });
+
+      it('should auto-include openid scope when not present in custom scope', async () => {
+        mockHttpClientInstance.post.mockResolvedValueOnce({
+          json: tokensResponse,
+          response: new Response(null, { status: 200 }),
+        });
+        await orchestrator.loginWithEmail({
+          email: 'info@auth0.com',
+          code: '123456',
+          scope: 'profile email',
+        });
+        expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+          '/oauth/token',
+          expect.objectContaining({
+            scope: 'openid profile email',
+          }),
+          undefined
+        );
+      });
     });
 
     describe('with SMS connection', () => {
@@ -332,6 +447,62 @@ describe('AuthenticationOrchestrator', () => {
           undefined
         );
       });
+
+      it('should auto-include openid scope when scope is undefined', async () => {
+        mockHttpClientInstance.post.mockResolvedValueOnce({
+          json: tokensResponse,
+          response: new Response(null, { status: 200 }),
+        });
+        await orchestrator.loginWithSMS({
+          phoneNumber: '+15555555555',
+          code: '123456',
+        });
+        expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+          '/oauth/token',
+          expect.objectContaining({
+            scope: 'openid profile email',
+          }),
+          undefined
+        );
+      });
+
+      it('should auto-include openid scope when not present in custom scope', async () => {
+        mockHttpClientInstance.post.mockResolvedValueOnce({
+          json: tokensResponse,
+          response: new Response(null, { status: 200 }),
+        });
+        await orchestrator.loginWithSMS({
+          phoneNumber: '+15555555555',
+          code: '123456',
+          scope: 'offline_access',
+        });
+        expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+          '/oauth/token',
+          expect.objectContaining({
+            scope: 'openid offline_access',
+          }),
+          undefined
+        );
+      });
+
+      it('should not duplicate openid scope when already present', async () => {
+        mockHttpClientInstance.post.mockResolvedValueOnce({
+          json: tokensResponse,
+          response: new Response(null, { status: 200 }),
+        });
+        await orchestrator.loginWithSMS({
+          phoneNumber: '+15555555555',
+          code: '123456',
+          scope: 'openid profile email',
+        });
+        expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+          '/oauth/token',
+          expect.objectContaining({
+            scope: 'openid profile email',
+          }),
+          undefined
+        );
+      });
     });
   });
 
@@ -595,5 +766,45 @@ describe('AuthenticationOrchestrator', () => {
         undefined
       );
     });
+
+    it('should auto-include openid scope when scope is undefined', async () => {
+      mockHttpClientInstance.post.mockResolvedValueOnce({
+        json: tokensResponse,
+        response: new Response(null, { status: 200 }),
+      });
+      await orchestrator.exchangeNativeSocial({
+        subjectToken: 'native_token',
+        subjectTokenType: 'facebook',
+      });
+
+      expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+        '/oauth/token',
+        expect.objectContaining({
+          scope: 'openid profile email',
+        }),
+        undefined
+      );
+    });
+
+    it('should auto-include openid scope when not present in custom scope', async () => {
+      mockHttpClientInstance.post.mockResolvedValueOnce({
+        json: tokensResponse,
+        response: new Response(null, { status: 200 }),
+      });
+      await orchestrator.exchangeNativeSocial({
+        subjectToken: 'native_token',
+        subjectTokenType: 'facebook',
+        scope: 'profile email',
+      });
+
+      expect(mockHttpClientInstance.post).toHaveBeenCalledWith(
+        '/oauth/token',
+        expect.objectContaining({
+          scope: 'openid profile email',
+        }),
+        undefined
+      );
+    });
   });
 });
+
