fix: remove check for nonce presence in params

This is a must check for idps and with the advent of request object use it doesn't make much sense for to check in this place.
panva · Dec 15, 2019 · cac46fb · cac46fb
1 parent 006fa1d
commit cac46fb
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 19 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -126,10 +126,6 @@ function authorizationParams(params) {
     }
   });
 
-  if (authParams.response_type && authParams.response_type.split(' ').includes('id_token') && !authParams.nonce) {
-    throw new TypeError('nonce MUST be provided for implicit and hybrid flows');
-  }
-
   return authParams;
 }
 

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -50,21 +50,6 @@ describe('Client', () => {
       });
     });
 
-    const nononce = ['none', 'code', 'code token'];
-    const nonce = ['id_token', 'id_token token', 'code id_token', 'code id_token token'];
-
-    nononce.forEach((type) => {
-      it(`allows response_type=${type} without nonce`, function () {
-        expect(() => this.client.authorizationUrl({ response_type: type })).not.to.throw();
-      });
-    });
-
-    nonce.forEach((type) => {
-      it(`requires nonce for response_type=${type}`, function () {
-        expect(() => this.client.authorizationUrl({ response_type: type })).to.throw(TypeError, 'nonce MUST be provided for implicit and hybrid flows');
-      });
-    });
-
     it('returns a string with the url with some basic defaults', function () {
       expect(url.parse(this.client.authorizationUrl({
         redirect_uri: 'https://rp.example.com/cb',