api implementation for OpenID Connect users

src/GoTrueApi.ts

@@ -6,6 +6,7 @@ import {
   UserAttributes,
   CookieOptions,
   User,
+  OpenIDConnectCredentials
 } from './lib/types'
 import { COOKIE_OPTIONS } from './lib/constants'
 import { setCookies, getCookieString } from './lib/cookies'
@@ -215,6 +216,32 @@ export default class GoTrueApi {
     }
   }
 
+  /**
+   * Logs in an OpenID Connect user using their id_token.
+   * @param id_token The IDToken of the user.
+   * @param nonce The nonce of the user. The nonce is a random value generated by the developer (= yourself) before the initial grant is started. You should check the OpenID Connect specification for details. https://openid.net/developers/specs/
+   * @param provider The provider of the user.
+   * @param client_id The clientID of the user.
+   * @param issuer The issuer of the user.
+  */
+  async signInWithOpenIDConnect({ id_token, nonce, client_id, issuer, provider }:OpenIDConnectCredentials): Promise<{ data: Session | null; error: ApiError | null }> {
+    try {
+      const headers = { ...this.headers }
+      const queryString = '?grant_type=id_token'
+      const data = await post(
+        this.fetch,
+        `${this.url}/token${queryString}`,
+        { id_token, nonce, client_id, issuer, provider },
+        { headers }
+      )
+      const session = { ...data }
+      if (session.expires_in) session.expires_at = expiresAt(data.expires_in)
+      return { data: session, error: null }
+    } catch (e) {
+      return { data: null, error: e as ApiError }
+    }
+  }
+
   /**
    * Sends a magic login link to an email address.
    * @param email The email address of the user.

src/GoTrueClient.ts

@@ -15,6 +15,7 @@ import type {
   CookieOptions,
   UserCredentials,
   VerifyOTPParams,
+  OpenIDConnectCredentials,
 } from './lib/types'
 
 polyfillGlobalThis() // Make "globalThis" available
@@ -186,7 +187,7 @@ export default class GoTrueClient {
    * @param scopes A space-separated list of scopes granted to the OAuth application.
    */
   async signIn(
-    { email, phone, password, refreshToken, provider }: UserCredentials,
+    { email, phone, password, refreshToken, provider, oidc }: UserCredentials,
     options: {
       redirectTo?: string
       scopes?: string
@@ -240,7 +241,10 @@ export default class GoTrueClient {
           scopes: options.scopes,
         })
       }
-      throw new Error(`You must provide either an email, phone number or a third-party provider.`)
+      if (oidc) {
+        return this._handleOpenIDConnectSignIn(oidc)
+      }
+      throw new Error(`You must provide either an email, phone number, a third-party provider or OpenID Connect.`)
     } catch (e) {
       return { user: null, session: null, error: e as ApiError }
     }
@@ -558,6 +562,27 @@ export default class GoTrueClient {
     }
   }
 
+  private async _handleOpenIDConnectSignIn(
+    { id_token, nonce, client_id, issuer, provider }: OpenIDConnectCredentials
+  ): Promise<{
+    session: Session | null
+    user: User | null
+    error: ApiError | null
+  }> {
+    if (id_token && nonce && ( (client_id && issuer) || provider) ) {
+      try {
+        const { data, error } = await this.api.signInWithOpenIDConnect({id_token, nonce, client_id, issuer, provider})
+        if (error || !data) return { user: null, session: null, error }
+        this._saveSession(data)
+        this._notifyAllSubscribers('SIGNED_IN')
+        return { user: data.user, session: data, error: null }
+      } catch (e) {
+        return { user: null, session: null, error: e as ApiError }
+      }
+    }
+    throw new Error(`You must provide a OpenID Connect provider with your id token and nonce.`)
+  }
+
   /**
    * Attempts to get the session from LocalStorage
    * Note: this should never be async (even for React Native), as we need it to return immediately in the constructor.

src/lib/types.ts

@@ -174,9 +174,18 @@ export interface UserCredentials {
   refreshToken?: string
   // (Optional) The name of the provider.
   provider?: Provider
+  oidc?: OpenIDConnectCredentials
 }
 
 export interface VerifyOTPParams {
   phone: string
   token: string
 }
+
+export interface OpenIDConnectCredentials {
+  id_token: string
+  nonce: string
+  provider?: Provider
+  client_id?: string
+  issuer?: string
+}

test/GoTrueClient.test.ts

@@ -1,3 +1,4 @@
+import { OpenIDConnectCredentials } from '../src'
 import {
   authClient as auth,
   authClientWithSession as authWithSession,
@@ -280,6 +281,41 @@ describe('GoTrueClient', () => {
     expect(user?.email).toBe(email)
   })
 
+  test('signIn with OpenIDConnect wrong id_token', async () => {
+    const oidc: OpenIDConnectCredentials = {
+      id_token: 'abcde',
+      nonce: 'random value',
+      provider: 'google'
+    }
+    const { session, user, error } = await auth.signIn({oidc})
+
+    expect(error).not.toBeNull()
+    expect(session).toBeNull()
+    expect(user).toBeNull()
+  })
+
+  test('signIn with OpenIDConnect both client_id and provider are null', async () => {
+    const t = async ()=>{
+      const oidc: OpenIDConnectCredentials = {
+        id_token: 'abcde',
+        nonce: 'random value',
+      }
+      await auth.signIn({oidc})
+    }
+    await expect(t).rejects.toThrow(Error)
+  })
+
+  test('signIn with OpenIDConnect both id_token and client_id is null', async () => {
+    const t = async ()=>{
+      const oidc: any = {
+        nonce: 'random value',
+        provider: 'google'
+      }
+      await auth.signIn({oidc})
+    }
+    await expect(t).rejects.toThrow(Error)
+  })
+
   test('signOut', async () => {
     const { email, password } = mockUserCredentials()