fix: push pkce <> response type resolution to the authenticate function

fixes #312
panva · Nov 30, 2020 · 1970af4 · 1970af4
1 parent a06446a
commit 1970af4
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/lib/passport_strategy.js b/lib/passport_strategy.js
@@ -29,7 +29,7 @@ function OpenIDConnectStrategy({
   params = {},
   passReqToCallback = false,
   sessionKey,
-  usePKCE,
+  usePKCE = true,
   extras = {},
 } = {}, verify) {
   if (!(client instanceof BaseClient)) {
@@ -57,7 +57,7 @@ function OpenIDConnectStrategy({
   if (!this._params.redirect_uri) this._params.redirect_uri = resolveRedirectUri.call(client);
   if (!this._params.scope) this._params.scope = 'openid';
 
-  if (this._usePKCE === true || (typeof this._usePKCE === 'undefined' && this._params.response_type.includes('code'))) {
+  if (this._usePKCE === true) {
     const supportedMethods = Array.isArray(this._issuer.code_challenge_methods_supported)
       ? this._issuer.code_challenge_methods_supported : false;
 
@@ -101,7 +101,7 @@ OpenIDConnectStrategy.prototype.authenticate = function authenticate(req, option
 
       req.session[sessionKey] = pick(params, 'nonce', 'state', 'max_age', 'response_type');
 
-      if (this._usePKCE) {
+      if (this._usePKCE && params.response_type.includes('code')) {
         const verifier = random();
         req.session[sessionKey].code_verifier = verifier;