Fix the issuer path for service clients using the fallback.

wparad · Jan 7, 2023 · ba0c65c · ba0c65c
1 parent 7b9d60b
commit ba0c65c
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,5 +1,6 @@
 {
     "cSpell.words": [
-        "dtos"
+        "dtos",
+        "OSSL"
     ]
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,12 +1,15 @@
 # Change log
 This is the changelog for [Authress SDK](readme.md).
 
+## 2.0 ##
+* Enable passing just the access token as a string to `AuthressClient`.
+* Fix the issuer path for service client tokens to include the accountId when the custom domain is not specified. The default issuer is converted from `api.authress.io` to `accountId.api.authress.io`. if this fallback issuer domain was specified in your authorizer, upgrading this library without changing your defined issuer, which prevent future access.
+
 ## 1.3 ##
 * Add new `Pagination` type which pagination `next.cursor` to enable paging through resources.
 * Add `Extensions` api
 * Upgraded node to 14
 * Add support for users and groups at the statement level of access records.
-* Enable passing just the access token as a string to `AuthressClient`.
 
 ## 1.2 ##
 * Removed legacy support for RS512 service client tokens.

diff --git a/src/serviceClientTokenProvider.js b/src/serviceClientTokenProvider.js
@@ -8,9 +8,10 @@ function getIssuer(authressCustomDomain, decodedAccessKey) {
 }
 
 module.exports = function(accessKey, authressCustomDomain) {
+  const accountId = accessKey.split('.')[2];
   const decodedAccessKey = {
     clientId: accessKey.split('.')[0], keyId: accessKey.split('.')[1],
-    audience: `${accessKey.split('.')[2]}.accounts.authress.io`, privateKey: accessKey.split('.')[3]
+    audience: `${accountId}.accounts.authress.io`, privateKey: accessKey.split('.')[3]
   };
 
   const innerGetToken = async () => {
@@ -21,7 +22,7 @@ module.exports = function(accessKey, authressCustomDomain) {
     const now = Math.round(Date.now() / 1000);
     const jwt = {
       aud: decodedAccessKey.audience,
-      iss: getIssuer(authressCustomDomain || 'api.authress.io', decodedAccessKey),
+      iss: getIssuer(authressCustomDomain || `${accountId}.api.authress.io`, decodedAccessKey),
       sub: decodedAccessKey.clientId,
       iat: now,
       // valid for 24 hours