fix(connector): support string typed boolean ID token claims for OIDC connector (#7276)

Author: darcyYe

.changeset/selfish-zoos-worry.md

@@ -0,0 +1,9 @@
+---
+"@logto/connector-oidc": patch
+---
+
+support string-typed boolean claims
+
+Add an optional `acceptStringTypedBooleanClaims` configuration to `OidcConnectorConfig`, with default value `false`.
+For standard OIDC protocol, some claims such as `email_verified` and `phone_verified` are boolean-typed, but some providers may return them as string-typed. Enabling this option will convert string-typed boolean claims to boolean-typed, which provides better compatibility.
+By enabling this configuration, the connector will accept string-typed boolean ID token claims, such as `email_verified` and `phone_verified`.

packages/connectors/connector-oidc/src/constant.ts

@@ -35,6 +35,15 @@ export const defaultMetadata: ConnectorMetadata = {
       ...scopeFormItem,
       required: true,
     },
+    {
+      key: 'acceptStringTypedBooleanClaims',
+      label: 'Accept String-typed Boolean Claims',
+      description:
+        'Whether to accept string-typed boolean claims. For standard OIDC protocol, some claims such as `email_verified` and `phone_verified` are boolean-typed, but some providers may return them as string-typed. Enabling this option will convert string-typed boolean claims to boolean-typed.',
+      type: ConnectorConfigFormItemType.Switch,
+      required: false,
+      defaultValue: false,
+    },
     {
       key: 'idTokenVerificationConfig',
       label: 'ID Token Verification Config',

packages/connectors/connector-oidc/src/index.ts

@@ -20,7 +20,11 @@ import { createRemoteJWKSet, jwtVerify } from 'jose';
 import { HTTPError } from 'ky';
 
 import { defaultMetadata } from './constant.js';
-import { idTokenProfileStandardClaimsGuard, oidcConnectorConfigGuard } from './types.js';
+import {
+  idTokenProfileStandardClaimsGuard,
+  idTokenClaimsGuardWithStringBooleans,
+  oidcConnectorConfigGuard,
+} from './types.js';
 import { getIdToken } from './utils.js';
 
 const generateNonce = () => generateStandardId();
@@ -103,7 +107,9 @@ const getUserInfo =
         }
       );
 
-      const result = idTokenProfileStandardClaimsGuard.safeParse(payload);
+      const result = parsedConfig.acceptStringTypedBooleanClaims
+        ? idTokenClaimsGuardWithStringBooleans.safeParse(payload)
+        : idTokenProfileStandardClaimsGuard.safeParse(payload);
 
       if (!result.success) {
         throw new ConnectorError(ConnectorErrorCodes.SocialIdTokenInvalid, result.error);

packages/connectors/connector-oidc/src/types.test.ts

@@ -1,4 +1,4 @@
-import { scopePostProcessor } from './types.js';
+import { scopePostProcessor, idTokenClaimsGuardWithStringBooleans } from './types.js';
 
 describe('scopePostProcessor', () => {
   it('`openid` will be added if not exists (with empty string)', () => {
@@ -13,3 +13,111 @@ describe('scopePostProcessor', () => {
     expect(scopePostProcessor('profile openid')).toEqual('profile openid');
   });
 });
+
+describe('idTokenClaimsGuardWithStringBooleans', () => {
+  it('should accept boolean values for email_verified and phone_verified', () => {
+    const result = idTokenClaimsGuardWithStringBooleans.parse({
+      sub: 'subject',
+      email_verified: true,
+      phone_verified: false,
+    });
+
+    expect(result).toEqual({
+      sub: 'subject',
+      email_verified: true,
+      phone_verified: false,
+    });
+  });
+
+  it('should accept null values for email_verified and phone_verified', () => {
+    const result = idTokenClaimsGuardWithStringBooleans.parse({
+      sub: 'subject',
+      email_verified: null,
+      phone_verified: null,
+    });
+
+    expect(result).toEqual({
+      sub: 'subject',
+      email_verified: null,
+      phone_verified: null,
+    });
+  });
+
+  it('should transform string "true" to boolean true for email_verified and phone_verified', () => {
+    const result = idTokenClaimsGuardWithStringBooleans.parse({
+      sub: 'subject',
+      email_verified: 'true',
+      phone_verified: 'TRUE',
+    });
+
+    expect(result).toEqual({
+      sub: 'subject',
+      email_verified: true,
+      phone_verified: true,
+    });
+  });
+
+  it('should transform string "false" to boolean false for email_verified and phone_verified', () => {
+    const result = idTokenClaimsGuardWithStringBooleans.parse({
+      sub: 'subject',
+      email_verified: 'false',
+      phone_verified: 'FALSE',
+    });
+
+    expect(result).toEqual({
+      sub: 'subject',
+      email_verified: false,
+      phone_verified: false,
+    });
+  });
+
+  it('should transform string "0" to boolean false for email_verified and phone_verified', () => {
+    const result = idTokenClaimsGuardWithStringBooleans.parse({
+      sub: 'subject',
+      email_verified: '0',
+      phone_verified: '0',
+    });
+
+    expect(result).toEqual({
+      sub: 'subject',
+      email_verified: false,
+      phone_verified: false,
+    });
+  });
+
+  it('should transform string "1" to boolean true for email_verified and phone_verified', () => {
+    const result = idTokenClaimsGuardWithStringBooleans.parse({
+      sub: 'subject',
+      email_verified: '1',
+      phone_verified: '1',
+    });
+
+    expect(result).toEqual({
+      sub: 'subject',
+      email_verified: true,
+      phone_verified: true,
+    });
+  });
+
+  it('should accept other standard claims', () => {
+    const result = idTokenClaimsGuardWithStringBooleans.parse({
+      sub: 'subject',
+      name: 'John Doe',
+      email: '[email protected]',
+      phone: '+1234567890',
+      picture: 'https://example.com/avatar.jpg',
+      profile: 'https://example.com/profile',
+      nonce: 'random-nonce',
+    });
+
+    expect(result).toEqual({
+      sub: 'subject',
+      name: 'John Doe',
+      email: '[email protected]',
+      phone: '+1234567890',
+      picture: 'https://example.com/avatar.jpg',
+      profile: 'https://example.com/profile',
+      nonce: 'random-nonce',
+    });
+  });
+});

packages/connectors/connector-oidc/src/types.ts

@@ -1,11 +1,14 @@
+import { yes } from '@silverhand/essentials';
 import { z } from 'zod';
 
 import { oauth2ConfigGuard } from '@logto/connector-oauth';
 
 const scopeOpenid = 'openid';
 export const delimiter = /[ +]/;
 
-// Space-delimited 'scope' MUST contain 'openid', see https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
+/**
+ * Space-delimited 'scope' MUST contain 'openid', see https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
+ */
 export const scopePostProcessor = (scope: string) => {
   const splitScopes = scope.split(delimiter).filter(Boolean);
 
@@ -16,8 +19,10 @@ export const scopePostProcessor = (scope: string) => {
   return scope;
 };
 
-// See https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.
-// We only concern a subset of them, and social identity provider usually does not provide a complete set of them.
+/**
+ * See https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.
+ * We only concern a subset of them, and social identity provider usually does not provide a complete set of them.
+ */
 export const idTokenProfileStandardClaimsGuard = z.object({
   sub: z.string(),
   name: z.string().nullish(),
@@ -30,6 +35,22 @@ export const idTokenProfileStandardClaimsGuard = z.object({
   nonce: z.string().nullish(),
 });
 
+/**
+ * Extend `idTokenProfileStandardClaimsGuard` by accepting string-typed boolean claims.
+ */
+export const idTokenClaimsGuardWithStringBooleans = idTokenProfileStandardClaimsGuard
+  .omit({ email_verified: true, phone_verified: true })
+  .extend({
+    email_verified: z
+      .boolean()
+      .or(z.string().transform((value: string) => yes(value)))
+      .nullish(),
+    phone_verified: z
+      .boolean()
+      .or(z.string().transform((value: string) => yes(value)))
+      .nullish(),
+  });
+
 export const userProfileGuard = z.object({
   id: z.preprocess(String, z.string()),
   email: z.string().optional(),
@@ -57,7 +78,9 @@ export const authRequestOptionalConfigGuard = z
   })
   .partial();
 
-// See https://github.com/panva/jose/blob/main/docs/interfaces/jwt_verify.JWTVerifyOptions.md for details.
+/**
+ * See https://github.com/panva/jose/blob/main/docs/interfaces/jwt_verify.JWTVerifyOptions.md for details.
+ */
 export const idTokenVerificationConfigGuard = z.object({ jwksUri: z.string() }).merge(
   z
     .object({
@@ -79,6 +102,7 @@ export type IdTokenVerificationConfig = z.infer<typeof idTokenVerificationConfig
 export const oidcConnectorConfigGuard = oauth2ConfigGuard.extend({
   // Override `scope` to ensure it contains 'openid'.
   scope: z.string().transform(scopePostProcessor),
+  acceptStringTypedBooleanClaims: z.boolean().optional().default(false),
   idTokenVerificationConfig: idTokenVerificationConfigGuard,
   authRequestOptionalConfig: authRequestOptionalConfigGuard.optional(),
   customConfig: z.record(z.string()).optional(),