From c0d332eee5828f56b1bb3820b804ad335ba3185a Mon Sep 17 00:00:00 2001
From: German Lena
Date: Wed, 4 Jan 2017 12:28:56 -0300
Subject: [PATCH] disable SSO for oidcConformant + first class nonce and state
---
 src/core/index.js | 15 +++++++++++++--
 src/core/remote_data.js | 32 +++++++++++++++++---------------
 src/core/web_api/legacy_api.js | 8 ++++++--
 src/core/web_api/p2_api.js | 8 ++++++--
 4 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/src/core/index.js b/src/core/index.js
index 49a9679f9..bef2eebdf 100644
--- a/src/core/index.js
+++ b/src/core/index.js
@@ -34,6 +34,7 @@ export function setup(id, clientID, domain, options, hookRunner, emitEventFn) {
 emitEventFn: emitEventFn,
 hookRunner: hookRunner,
 useTenantInfo: options.__useTenantInfo || false,
+ oidcConformant: options.oidcConformant || false,
 hashCleanup: options.hashCleanup === false ? false : true,
 allowedConnections: Immutable.fromJS(options.allowedConnections || []),
 ui: extractUIOptions(id, options),
@@ -69,6 +70,10 @@ export function useTenantInfo(m) {
 return get(m, "useTenantInfo");
 }
 
+export function oidcConformant(m) {
+ return get(m, "oidcConformant");
+}
+
 export function languageBaseUrl(m) {
 return get(m, "languageBaseUrl");
 }
@@ -208,7 +213,9 @@ function extractAuthOptions(options) {
 redirectUrl,
 responseMode,
 responseType,
- sso
+ sso,
+ state,
+ nonce
 } = options.auth || {};
 audience = typeof audience === "string" ? audience : undefined;
@@ -217,6 +224,8 @@ function extractAuthOptions(options) {
 redirectUrl = typeof redirectUrl === "string" && redirectUrl ? redirectUrl : window.location.href;
 redirect = typeof redirect === "boolean" ? redirect : true;
 responseMode = typeof responseMode === "string" ? responseMode : undefined;
+ state = typeof state === "string" ? state : undefined;
+ nonce = typeof nonce === "string" ? nonce : undefined;
 responseType = typeof responseType === "string" ? responseType : redirectUrl ? "code" : "token";
 sso = typeof sso === "boolean" ? sso : true;
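Review bot: `oidcConformant: options.oidcConformant || false` treats any truthy value as "enabled", so a string such as `"false"` switches the client into OIDC-conformant mode and, per the remote_data.js hunk in this same commit, silently skips the SSO-data fetch. Because this flag changes security-relevant behaviour, a strict check is the safer normalisation: `oidcConformant: options.oidcConformant === true,`. The line above it, `useTenantInfo`, uses the same loose pattern, but that one is an internal `__` option rather than a documented switch. setup's body continues outside the hunk.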
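Review bot: The new exported getter `oidcConformant(m)` in the `@@ -69,6 +70,10` hunk carries no comment, and nothing in the file tells a caller what the flag changes. A one-line comment above it would be enough, e.g. `// true when the client was created with options.oidcConformant; remote_data skips the SSO-data fetch in that mode.` The neighbouring getters are undocumented as well, but this one gates a behavioural change, so it is the one worth the line.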
@@ -233,7 +242,9 @@ function extractAuthOptions(options) {
 redirectUrl,
 responseMode,
 responseType,
- sso
+ sso,
+ state,
+ nonce
 });
 }
diff --git a/src/core/remote_data.js b/src/core/remote_data.js
index cf4c10acc..4ef907000 100644
--- a/src/core/remote_data.js
+++ b/src/core/remote_data.js
@@ -20,23 +20,25 @@ export function syncRemoteData(m) {
 });
 }
- m = sync(m, "sso", {
- conditionFn: l.auth.sso,
- waitFn: m => isSuccess(m, "client"),
- syncFn: (m, cb) => fetchSSOData(l.id(m), isADEnabled(m), cb),
- successFn: (m, result) => m.mergeIn(["sso"], Immutable.fromJS(result)),
- errorFn: (m, error) => {
- // location.origin is not supported in all browsers
- let origin = location.protocol + "//" + location.hostname;
- if (location.port) {
- origin += ":" + location.port;
- }
+ if (!l.oidcConformant(m)) {
+ m = sync(m, "sso", {
+ conditionFn: l.auth.sso,
+ waitFn: m => isSuccess(m, "client"),
+ syncFn: (m, cb) => fetchSSOData(l.id(m), isADEnabled(m), cb),
+ successFn: (m, result) => m.mergeIn(["sso"], Immutable.fromJS(result)),
+ errorFn: (m, error) => {
+ // location.origin is not supported in all browsers
+ let origin = location.protocol + "//" + location.hostname;
+ if (location.port) {
+ origin += ":" + location.port;
+ }
 
- const appSettingsUrl = `https://manage.auth0.com/#/applications/${l.clientID(m)}/settings`;
+ const appSettingsUrl = `https://manage.auth0.com/#/applications/${l.clientID(m)}/settings`;
 
- l.warn(m, `There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a "Origin" error has been logged before this warning, please add "${origin}" to the "Allowed Origins (CORS)" list in the Auth0 dashboard: ${appSettingsUrl}`);
- }
- });
+ l.warn(m, `There was an error fetching the SSO data. This could simply mean that there was a problem with the network. But, if a "Origin" error has been logged before this warning, please add "${origin}" to the "Allowed Origins (CORS)" list in the Auth0 dashboard: ${appSettingsUrl}`);
+ }
+ });
+ }
 return m;
 }
\ No newline at end of file
diff --git a/src/core/web_api/legacy_api.js b/src/core/web_api/legacy_api.js
index 4d2973c2f..6e3628d29 100644
--- a/src/core/web_api/legacy_api.js
+++ b/src/core/web_api/legacy_api.js
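Review bot: Wrapping the existing `sync(m, "sso", …)` call in `if (!l.oidcConformant(m)) { … }` re-indents the whole block and buries the one-line behavioural change inside it; since the only statement that follows is `return m;`, an early return before the unchanged call says the same thing without touching those lines: `if (l.oidcConformant(m)) { return m; }`. Whichever shape is kept, a short comment stating why OIDC-conformant clients skip the SSO-data lookup would help the next reader, e.g. `// OIDC-conformant clients do not use the SSO-data lookup`. syncRemoteData starts outside the hunk.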
@@ -27,7 +27,9 @@ class Auth0LegacyAPIClient {
 this.authOpt = {
 popup: !opts.redirect,
 popupOptions: opts.popupOptions,
- sso: opts.sso
+ sso: opts.sso,
+ nonce: opts.nonce,
+ state: opts.state
 };
 }
@@ -77,7 +79,9 @@ class Auth0LegacyAPIClient {
 parseHash(hash = '', cb) {
 return this.client.parseHash({
- hash: decodeURIComponent(hash)
+ hash: decodeURIComponent(hash),
+ nonce: this.authOpt.nonce,
+ state: this.authOpt.state
 }, cb);
 }
diff --git a/src/core/web_api/p2_api.js b/src/core/web_api/p2_api.js
index fcc6d0adf..038b4b83c 100644
--- a/src/core/web_api/p2_api.js
+++ b/src/core/web_api/p2_api.js
@@ -28,7 +28,9 @@ class Auth0APIClient {
 this.authOpt = {
 popup: !opts.redirect,
 popupOptions: opts.popupOptions,
- sso: opts.sso
+ sso: opts.sso,
+ nonce: opts.nonce,
+ state: opts.state
 };
 }
@@ -74,7 +76,9 @@ class Auth0APIClient {
 parseHash(hash = '', cb) {
 return this.client.parseHash({
- hash: decodeURIComponent(hash)
+ hash: decodeURIComponent(hash),
+ nonce: this.authOpt.nonce,
+ state: this.authOpt.state
 }, cb);
 }
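Review bot: `nonce: opts.nonce` and `state: opts.state` are copied into `this.authOpt` once, in the constructor, so a single caller-chosen pair is held for the lifetime of the client and reused by every `parseHash` call below; a nonce and state only protect against replay and cross-site callbacks when they are fresh for each authentication request, and a fixed pair provides no such protection. If `this.authOpt` is also merged into the outgoing authorize request (not visible in this hunk), consider deriving the values per call, or at minimum document on the option that callers must supply a new nonce and state for every login. `Auth0APIClient` in `p2_api.js` (`@@ -28,7 +28,9`) receives the identical change. The constructor begins outside the hunk.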
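Review bot: In the `@@ -77,7 +79,9` hunk, `nonce: this.authOpt.nonce` and `state: this.authOpt.state` are `undefined` whenever the caller did not set `options.auth.nonce` / `options.auth.state` (`extractAuthOptions` in `index.js` normalises anything that is not a string to `undefined`), and nothing here says what the wrapped `parseHash` does with an undefined value; if it skips the comparison instead of failing, the default configuration checks neither the ID-token nonce nor the state on the callback. Either reject the hash in that case or record the expectation in a comment above the call, e.g. `// nonce/state are undefined unless configured in options.auth — confirm the client rejects, rather than skips, validation then`. The same two lines are added to `parseHash` in `p2_api.js` (`@@ -74,7 +76,9`).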