fix: use decoder-only approach for ID tokens in getUserFromSession

Koosha-Owji · Koosha-Owji · commit e377c6deebb5 · 2025-07-02T13:09:14.000+10:00
Removes validation to accept expired ID tokens for user display info.
Creates cleaner separation of concerns - validate when storing, decode when reading.
diff --git a/lib/__tests__/sdk/utilities/token-utils.spec.ts b/lib/__tests__/sdk/utilities/token-utils.spec.ts
@@ -117,7 +117,7 @@ describe('token-utils', () => {
         validationDetails
       );
 
-      const storedUser = await getUserFromSession(sessionManager, validationDetails);
+      const storedUser = await getUserFromSession(sessionManager);
       const expectedUser = {
         family_name: idTokenPayload.family_name,
         given_name: idTokenPayload.given_name,
diff --git a/lib/sdk/clients/browser/authcode-with-pkce.ts b/lib/sdk/clients/browser/authcode-with-pkce.ts
@@ -114,10 +114,7 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
     if (!(await isAuthenticated())) {
       throw new Error('Cannot get user details, no authentication credential found');
     }
-    return (await utilities.getUserFromSession(
-      sessionManager,
-      client.tokenValidationDetails
-    ))!;
+    return (await utilities.getUserFromSession(sessionManager))!;
   };
 
   /**
diff --git a/lib/sdk/clients/server/authorization-code.ts b/lib/sdk/clients/server/authorization-code.ts
@@ -139,10 +139,7 @@ const createAuthorizationCodeClient = (
     if (!(await isAuthenticated(sessionManager))) {
       throw new Error('Cannot get user details, no authentication credential found');
     }
-    return (await utilities.getUserFromSession(
-      sessionManager,
-      client.tokenValidationDetails
-    ))!;
+    return (await utilities.getUserFromSession(sessionManager))!;
   };
 
   /**
diff --git a/lib/sdk/utilities/token-utils.ts b/lib/sdk/utilities/token-utils.ts
@@ -111,22 +111,14 @@ export const getAccessToken = async (
  * Extracts the user information from the current session returns null if
  * the token is not found.
  * @param {SessionManager} sessionManager
- * @param {TokenValidationDetailsType} validationDetails
  * @returns {UserType | null}
  */
 export const getUserFromSession = async (
-  sessionManager: SessionManager,
-  validationDetails: TokenValidationDetailsType
+  sessionManager: SessionManager
 ): Promise<UserType | null> => {
   const idTokenString = (await sessionManager.getSessionItem('id_token')) as string;
-  const validation = await validateToken({
-    token: idTokenString,
-    domain: validationDetails.issuer,
-  });
-  if (!validation.valid) {
-    throw new Error('Invalid ID token');
-  }
 
+  // Simply decode the ID token without validation to accept old tokens
   const payload: Record<string, unknown> = jwtDecoder(idTokenString) ?? {};
   if (Object.keys(payload).length === 0) {
     throw new Error('Invalid ID token');
