opengovsg · kwajiehao · Sep 14, 2023 · Sep 11, 2023 · Sep 11, 2023 · Sep 14, 2023
diff --git a/src/SgidClient.ts b/src/SgidClient.ts
@@ -157,14 +157,20 @@ export class SgidClient {
       { nonce: nonce ?? undefined, code_verifier: codeVerifier },
     )
     const { sub } = tokenSet.claims()
-    const { access_token: accessToken } = tokenSet
+
+    const { access_token: accessToken, id_token: idToken } = tokenSet
+
+    // Note that this falsey check for the id token will never be run
+    // because the nodejs openid-client library already does it for us
+    // Doing a check here just for type safety
+    if (!idToken) throw new Error(Errors.NO_ID_TOKEN_ERROR)
     if (!sub) {
       throw new Error(Errors.NO_SUB_ERROR)
     }
     if (!accessToken) {
       throw new Error(Errors.NO_ACCESS_TOKEN_ERROR)
     }
-    return { sub, accessToken }
+    return { sub, accessToken, idToken }
   }
 
   /**

diff --git a/src/error.ts b/src/error.ts
@@ -12,6 +12,8 @@ export const MISSING_REDIRECT_URI_ERROR =
 export const NO_SUB_ERROR = 'Authorization server did not return the sub claim'
 export const NO_ACCESS_TOKEN_ERROR =
   'Authorization server did not return an access token'
+export const NO_ID_TOKEN_ERROR =
+  'Authorization server did not return an ID token'
 
 // userinfo errors
 export const PRIVATE_KEY_IMPORT_ERROR =

diff --git a/src/types.ts b/src/types.ts
@@ -17,7 +17,11 @@ export type CallbackParams = {
   codeVerifier: string
 }
 
-export type CallbackReturn = { sub: string; accessToken: string }
+export type CallbackReturn = {
+  sub: string
+  accessToken: string
+  idToken: string
+}
 
 export type UserInfoParams = {
   sub: string

diff --git a/src/util.ts b/src/util.ts
@@ -25,6 +25,12 @@ export function isStringifiedArrayOrObject(
   )
 }
 
+export function isNonEmptyString(value: unknown): value is string {
+  if (typeof value !== 'string') return false
+  if (value === '') return false
+  return true
+}
+
 export function safeJsonParse(jsonString: string): ParsedSgidDataValue {
   try {
     return JSON.parse(jsonString)

diff --git a/test/unit/SgidClient.spec.ts b/test/unit/SgidClient.spec.ts
@@ -22,6 +22,7 @@ import {
   MOCK_USERINFO_PLAINTEXT,
 } from './mocks/constants'
 import {
+  tokenHandlerNoIdToken,
   tokenHandlerNoSub,
   tokenHandlerNoToken,
   userInfoHandlerMalformedData,
@@ -327,6 +328,17 @@ describe('SgidClient', () => {
       ).rejects.toThrow('Authorization server did not return an access token')
     })
 
+    it('should throw when no ID token is returned', async () => {
+      server.use(tokenHandlerNoIdToken)
+
+      await expect(
+        client.callback({
+          code: MOCK_AUTH_CODE,
+          codeVerifier: MOCK_CODE_VERIFIER,
+        }),
+      ).rejects.toThrow('id_token not present in TokenSet')
+    })
+
     it('should throw when sub is empty', async () => {
       server.use(tokenHandlerNoSub)
 

diff --git a/test/unit/mocks/handlers.ts b/test/unit/mocks/handlers.ts
@@ -67,6 +67,21 @@ export const tokenHandlerNoToken = rest.post(
   },
 )
 
+/**
+ * Handler to test case where server doesn't return an id token
+ */
+export const tokenHandlerNoIdToken = rest.post(
+  MOCK_TOKEN_ENDPOINT,
+  (_req, res, ctx) => {
+    return res(
+      ctx.status(200),
+      ctx.json({
+        access_token: MOCK_ACCESS_TOKEN,
+      }),
+    )
+  },
+)
+
 /**
  * Handler to test case where sub is empty
  */