OpenID Connect scope defaults being merged? #1878

Open
@kenlfg

Version

module: 5.0.0-1667386184.dfbbb54
nuxt: 2.18.1

Nuxt configuration

mode:

  • [ X ] spa

Nuxt configuration

sample: {
  scheme: 'openIDConnect',
  clientId: [CLIENT_ID],
  codeChallengeMethod: '',
  responseType: 'code',
  grantType: 'authorization_code',
  scope: ['openid', 'profile', 'email'],
  endpoints: {
    configuration: '[URL]'
  },
  redirectUri: `${host}/auth/[CUSTOM]`,
  user: {
    property: 'user',
    autoFetch: true
  }
},

Reproduction

  • Set up an OIDC config (you could test this out with Google, for instance, which does not support the scope offline_access as it's an option you pass instead).
  • Call loginWith for the schema.
  • Get an auth error because an invalid scope was passed.

What is expected?

When you specify the scope in your schema, that should override the defaults.

What is actually happening?

Whatever you're doing to initialize the configuration is merging the defaults (in your code) with the schema defaults I'm setting in the nuxt.config.js file. So if I specify a scope of ['openid', 'profile', 'email'], you will initialize with a scope of ['openid', 'profile', 'email', 'offline_access']. This seems to be true even if I explicitly pass in an array of scope values via the loginWith function's call options.

You have a workaround depicted in another issue where people can use a string instead of an array. This does override the array and replace it with the string specified in the nuxt.config.js, but it leads to a warning that the openid-configuration file is not valid and causes issues with the provider.

Steps to reproduce

  • Have an OIDC provider that does not support offline_access like Google.
  • Set your scope in nuxt.config.js in a strategy that's using the "openIDConnect" scheme.
  • Load up your Nuxt site and check the console. You'll get a warning about the openid-configuration being invalid.
  • Try calling loginWith with your strategy and get an error that the attempt was invalid because the scope doesn't match.

Additional information

The easiest fix is to remove any in-code defaults though that could be problematic depending on the use case. The better fix would be to not do an Array.reduce on the field (from what I read about defu, it does do a reduce for array options when merging).

I tested the first case by just editing the file in node_modules and removing "offline_access". Fixes my problem though it's a bad solution of course because not everyone will have the same scope as I do and doing a clean prune and install for a production build will reset it.

Checklist

  • [ x ] I have tested with the latest Nuxt version and the issue still occurs
  • [ x ] I have tested with the latest module version and the issue still occurs
  • [ x ] I have searched the issue tracker and this issue hasn't been reported yet
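
The merge behaviour reported in this issue, as an added example that is not part of the original post and is not the module's or defu's code: a defaults merge that concatenates arrays widens the requested scope, while one that lets a user-supplied array replace the default keeps it as configured. `SCHEME_DEFAULTS`, `mergeOptions`, `unsupportedScopes` and the sample discovery excerpt are assumptions constructed for illustration.

```javascript
// Constructed values. SCHEME_DEFAULTS is an assumption modelled on the issue
// text, not copied from the module source.
const SCHEME_DEFAULTS = { scope: ['openid', 'profile', 'offline_access'], responseType: 'code' };
const strategy = { scope: ['openid', 'profile', 'email'] };
// Constructed excerpt of a discovery document; scopes_supported is a standard
// OpenID Connect discovery metadata field.
const discovery = { scopes_supported: ['openid', 'profile', 'email'] };

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Hypothetical helper: fill `user` options from `defaults`.
// replaceArrays=false concatenates arrays (the behaviour the issue reports);
// replaceArrays=true lets a user-supplied array override the default one.
function mergeOptions(user, defaults, { replaceArrays = false } = {}) {
  const out = { ...defaults };
  for (const [key, value] of Object.entries(user)) {
    if (key === '__proto__' || key === 'constructor') continue; // no prototype pollution
    if (value === undefined || value === null) continue; // keep the default
    if (isPlainObject(value) && isPlainObject(out[key])) {
      out[key] = mergeOptions(value, out[key], { replaceArrays });
    } else if (Array.isArray(value) && Array.isArray(out[key]) && !replaceArrays) {
      out[key] = [...new Set([...value, ...out[key]])]; // user values first, then defaults
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Hypothetical check: scopes that would be requested but are not advertised
// by the provider's discovery document.
function unsupportedScopes(options, discoveryDoc) {
  const supported = new Set(discoveryDoc.scopes_supported || []);
  return options.scope.filter((s) => !supported.has(s));
}

const merged = mergeOptions(strategy, SCHEME_DEFAULTS);
const overridden = mergeOptions(strategy, SCHEME_DEFAULTS, { replaceArrays: true });
console.log(merged.scope, unsupportedScopes(merged, discovery));
console.log(overridden.scope, unsupportedScopes(overridden, discovery));
```

Comparing the effective scope with the configured one before the authorization request is built catches a silently added `offline_access`, which asks the provider for more than the application configured.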
