fix(client): preserve AS-bound client during code exchange

mattzcarey · mattzcarey · commit ed0212f34c27 · 2026-06-25T23:42:14.000+02:00
diff --git a/packages/client/src/client/auth.ts b/packages/client/src/client/auth.ts
@@ -770,7 +770,9 @@ async function authInternal(
         const staleClientInformation = await Promise.resolve(provider.clientInformation());
         // CIMD (URL-based) client IDs are portable across authorization servers
         // (SEP-991/SEP-2352) — no client invalidation or re-registration is needed.
-        if (staleClientInformation && !isHttpsUrl(staleClientInformation.client_id)) {
+        // During code exchange, keep the client registered by the redirect flow
+        // that produced this authorization code.
+        if (staleClientInformation && !isHttpsUrl(staleClientInformation.client_id) && authorizationCode === undefined) {
             await provider.invalidateCredentials?.('client');
         }
     }
@@ -948,12 +950,16 @@ export function isHttpsUrl(value?: string): boolean {
 /**
  * SEP-2352: Normalizes an authorization server identity (issuer identifier or
  * authorization server URL) for comparison, so that textual variations of the
- * same URL (e.g. a missing trailing slash on an origin-only issuer) do not
+ * same URL (e.g. a missing trailing slash on an issuer URL) do not
  * register as an authorization server change.
  */
 function normalizeAuthorizationServerIdentity(value: string): string {
     try {
-        return new URL(value).href;
+        const url = new URL(value);
+        if (url.pathname !== '/') {
+            url.pathname = url.pathname.replace(/\/+$/, '') || '/';
+        }
+        return url.href;
     } catch {
         return value;
     }
diff --git a/packages/client/test/client/auth.test.ts b/packages/client/test/client/auth.test.ts
@@ -4192,6 +4192,7 @@ describe('SEP-2352: authorization server binding', () => {
         provider: OAuthClientProvider;
         invalidateCredentials: Mock;
         saveClientInformation: Mock;
+        saveTokens: Mock;
         redirectToAuthorization: Mock;
     } {
         let clientInformation: { client_id: string; client_secret?: string } | undefined = initialClientInformation;
@@ -4204,6 +4205,7 @@ describe('SEP-2352: authorization server binding', () => {
         const saveClientInformation = vi.fn(async (info: { client_id: string; client_secret?: string }) => {
             clientInformation = info;
         });
+        const saveTokens = vi.fn();
         const redirectToAuthorization = vi.fn();
 
         const provider: OAuthClientProvider = {
@@ -4219,21 +4221,22 @@ describe('SEP-2352: authorization server binding', () => {
             clientInformation: vi.fn(async () => clientInformation),
             saveClientInformation,
             tokens: vi.fn().mockResolvedValue(undefined),
-            saveTokens: vi.fn(),
+            saveTokens,
             redirectToAuthorization,
             saveCodeVerifier: vi.fn(),
             codeVerifier: vi.fn().mockResolvedValue('test_verifier'),
             authorizationServerUrl: vi.fn().mockResolvedValue(oldAuthServerUrl),
             invalidateCredentials
         };
 
-        return { provider, invalidateCredentials, saveClientInformation, redirectToAuthorization };
+        return { provider, invalidateCredentials, saveClientInformation, saveTokens, redirectToAuthorization };
     }
 
     function mockDiscoveryAndRegistration(options: {
         resourceMetadata: { resource: string; authorization_servers: string[] };
         authMetadata: { issuer: string };
         registeredClient?: { client_id: string; client_secret?: string };
+        tokens?: OAuthTokens;
     }): void {
         mockFetch.mockImplementation((url, init) => {
             const urlString = url.toString();
@@ -4268,6 +4271,17 @@ describe('SEP-2352: authorization server binding', () => {
                 });
             }
 
+            if (urlString.includes('/token') && init?.method === 'POST') {
+                if (!options.tokens) {
+                    return Promise.reject(new Error(`Unexpected token request: ${urlString}`));
+                }
+                return Promise.resolve({
+                    ok: true,
+                    status: 200,
+                    json: async () => options.tokens
+                });
+            }
+
             return Promise.reject(new Error(`Unexpected fetch: ${urlString}`));
         });
     }
@@ -4309,6 +4323,46 @@ describe('SEP-2352: authorization server binding', () => {
         expect(redirectUrl.searchParams.get('client_id')).toBe('new-client-id');
     });
 
+    it('keeps the re-registered client while exchanging the authorization code after an AS migration', async () => {
+        const { provider, invalidateCredentials, saveClientInformation, saveTokens, redirectToAuthorization } = createBoundProvider({
+            client_id: 'old-client-id',
+            client_secret: 'old-client-secret'
+        });
+
+        mockDiscoveryAndRegistration({
+            resourceMetadata: newResourceMetadata,
+            authMetadata: newAuthMetadata,
+            registeredClient: { client_id: 'new-client-id', client_secret: 'new-client-secret' },
+            tokens: { access_token: 'new-access-token', token_type: 'Bearer' }
+        });
+
+        const redirectResult = await auth(provider, { serverUrl: 'https://resource.example.com' });
+
+        expect(redirectResult).toBe('REDIRECT');
+        expect(invalidateCredentials).toHaveBeenCalledWith('client');
+        expect(saveClientInformation).toHaveBeenCalledWith(expect.objectContaining({ client_id: 'new-client-id' }));
+
+        invalidateCredentials.mockClear();
+        mockFetch.mockClear();
+
+        const exchangeResult = await auth(provider, {
+            serverUrl: 'https://resource.example.com',
+            authorizationCode: 'returned-code'
+        });
+
+        expect(exchangeResult).toBe('AUTHORIZED');
+        expect(invalidateCredentials).toHaveBeenCalledWith('tokens');
+        expect(invalidateCredentials).not.toHaveBeenCalledWith('client');
+        expect(saveTokens).toHaveBeenCalledWith({ access_token: 'new-access-token', token_type: 'Bearer' });
+        expect(redirectToAuthorization).toHaveBeenCalledTimes(1);
+
+        const registrationCalls = mockFetch.mock.calls.filter(call => call[0].toString().includes('/register'));
+        expect(registrationCalls).toHaveLength(0);
+        const tokenCalls = mockFetch.mock.calls.filter(call => call[0].toString().includes('/token'));
+        expect(tokenCalls).toHaveLength(1);
+        expect(tokenCalls[0]![0].toString()).toBe('https://new-auth.example.com/token');
+    });
+
     it('refreshes cached discovery from an explicit resource metadata challenge before comparing authorization servers', async () => {
         const { provider, invalidateCredentials, saveClientInformation, redirectToAuthorization } = createBoundProvider({
             client_id: 'old-client-id',
@@ -4778,6 +4832,44 @@ describe('SEP-2352: authorization server binding', () => {
         expect(redirectUrl.searchParams.get('client_id')).toBe('old-client-id');
     });
 
+    it('does not invalidate credentials when path-bearing authorization server identities only differ by a trailing slash', async () => {
+        const tenantAuthServerUrl = 'https://auth.example.com/tenant1';
+        const tenantAuthMetadata = {
+            issuer: tenantAuthServerUrl,
+            authorization_endpoint: `${tenantAuthServerUrl}/authorize`,
+            token_endpoint: `${tenantAuthServerUrl}/token`,
+            registration_endpoint: `${tenantAuthServerUrl}/register`,
+            response_types_supported: ['code'],
+            code_challenge_methods_supported: ['S256']
+        };
+        const { provider, invalidateCredentials, redirectToAuthorization } = createBoundProvider({
+            client_id: 'tenant-client-id',
+            client_secret: 'tenant-client-secret'
+        });
+
+        provider.authorizationServerUrl = vi.fn().mockResolvedValue(`${tenantAuthServerUrl}/`);
+
+        mockDiscoveryAndRegistration({
+            resourceMetadata: {
+                resource: 'https://resource.example.com',
+                authorization_servers: [tenantAuthServerUrl]
+            },
+            authMetadata: tenantAuthMetadata
+        });
+
+        const result = await auth(provider, { serverUrl: 'https://resource.example.com' });
+
+        expect(result).toBe('REDIRECT');
+        expect(invalidateCredentials).not.toHaveBeenCalled();
+
+        const registrationCalls = mockFetch.mock.calls.filter(call => call[0].toString().includes('/register'));
+        expect(registrationCalls).toHaveLength(0);
+
+        const redirectUrl: URL = redirectToAuthorization.mock.calls[0]![0];
+        expect(redirectUrl.toString()).toContain(`${tenantAuthServerUrl}/authorize`);
+        expect(redirectUrl.searchParams.get('client_id')).toBe('tenant-client-id');
+    });
+
     it('does not invalidate credentials when the authorization server is unchanged', async () => {
         const { provider, invalidateCredentials, redirectToAuthorization } = createBoundProvider({
             client_id: 'old-client-id',
