Do not try to verify id_token when id_token is not used

lib/omniauth/strategies/openid_connect.rb

@@ -118,11 +118,7 @@ def callback_phase
 
         options.issuer = issuer if options.issuer.nil? || options.issuer.empty?
 
-        decode_id_token(params['id_token'])
-          .verify! issuer: options.issuer,
-                   client_id: client_options.identifier,
-                   nonce: stored_nonce
-
+        verify_id_token!
         discover!
         client.redirect_uri = redirect_uri
 
@@ -206,9 +202,7 @@ def user_info
       end
 
       def access_token
-        return @access_token if @access_token
-
-        @access_token = client.access_token!(
+        @access_token ||= client.access_token!(
           scope: (options.scope if options.send_scope_to_token_endpoint),
           client_auth_method: options.client_auth_method
         )
@@ -325,6 +319,14 @@ def configured_response_type
         @configured_response_type ||= options.response_type.to_s
       end
 
+      def verify_id_token!
+        return unless configured_response_type == 'id_token'
+
+        decode_id_token(params['id_token']).verify!(issuer: options.issuer,
+                                                    client_id: client_options.identifier,
+                                                    nonce: stored_nonce)
+      end
+
       class CallbackError < StandardError
         attr_accessor :error, :error_reason, :error_uri
 

test/lib/omniauth/strategies/openid_connect_test.rb

@@ -156,11 +156,6 @@ def test_callback_phase(session = {}, params = {})
         strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
         strategy.options.response_type = :code
 
-        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
-        id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
-        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
-        id_token.expects(:verify!)
-
         strategy.unstub(:user_info)
         access_token = stub('OpenIDConnect::AccessToken')
         access_token.stubs(:access_token)
@@ -175,6 +170,36 @@ def test_callback_phase(session = {}, params = {})
         strategy.callback_phase
       end
 
+      def test_callback_phase_with_id_token
+        code = SecureRandom.hex(16)
+        state = SecureRandom.hex(16)
+        nonce = SecureRandom.hex(16)
+        request.stubs(:params).returns('id_token' => code, 'state' => state)
+        request.stubs(:path_info).returns('')
+
+        strategy.options.issuer = 'example.com'
+        strategy.options.client_signing_alg = :RS256
+        strategy.options.client_jwk_signing_key = File.read('test/fixtures/jwks.json')
+        strategy.options.response_type = 'id_token'
+
+        strategy.unstub(:user_info)
+        access_token = stub('OpenIDConnect::AccessToken')
+        access_token.stubs(:access_token)
+        access_token.stubs(:refresh_token)
+        access_token.stubs(:expires_in)
+        access_token.stubs(:scope)
+        access_token.stubs(:id_token).returns(File.read('test/fixtures/id_token.txt'))
+
+        id_token = stub('OpenIDConnect::ResponseObject::IdToken')
+        id_token.stubs(:raw_attributes).returns('sub' => 'sub', 'name' => 'name', 'email' => 'email')
+        id_token.stubs(:verify!).with(issuer: strategy.options.issuer, client_id: @identifier, nonce: nonce).returns(true)
+        ::OpenIDConnect::ResponseObject::IdToken.stubs(:decode).returns(id_token)
+        id_token.expects(:verify!)
+
+        strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
+        strategy.callback_phase
+      end
+
       def test_callback_phase_with_discovery
         code = SecureRandom.hex(16)
         state = SecureRandom.hex(16)