From 7be0cadfe43a9d337b6e13597ddc6ce326630320 Mon Sep 17 00:00:00 2001
From: Tushar Pandey
Date: Mon, 28 Oct 2024 20:08:56 +0530
Subject: [PATCH] removed check for matching org_id and organization name returned in token as claims during auth

---
 src/auth/id-token-validator.ts | 12 ------
 test/auth/id-token-validator.test.ts | 56 ----------------------------
 test/auth/oauth.test.ts | 34 -----------------
 3 files changed, 102 deletions(-)

diff --git a/src/auth/id-token-validator.ts b/src/auth/id-token-validator.ts
index 58b927014..a043c7488 100644
--- a/src/auth/id-token-validator.ts
+++ b/src/auth/id-token-validator.ts
@@ -102,24 +102,12 @@ export class IDTokenValidator {
 'Organization Id (org_id) claim must be a string present in the ID token'
 );
 }
-
- if (payload.org_id !== organization) {
- throw new Error(
- `Organization Id (org_id) claim value mismatch in the ID token; expected "${organization}", found "${payload.org_id}"'`
- );
- }
 } else {
 if (!payload.org_name || typeof payload.org_name !== 'string') {
 throw new Error(
 'Organization Name (org_name) claim must be a string present in the ID token'
 );
 }
-
- if (payload.org_name !== organization.toLowerCase()) {
- throw new Error(
- `Organization Name (org_name) claim value mismatch in the ID token; expected "${organization}", found "${payload.org_name}"'`
- );
- }
 }
 }
diff --git a/test/auth/id-token-validator.test.ts b/test/auth/id-token-validator.test.ts
index 2f0a32a81..085c905d4 100644
--- a/test/auth/id-token-validator.test.ts
+++ b/test/auth/id-token-validator.test.ts
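Review bot: With both comparisons removed, `validate` still accepts an `organization` option but no longer checks that the token's `org_id` / `org_name` claim equals it; on the new side the only remaining requirement in this hunk is that the claim be a non-empty string, so a token issued for a different organization now passes validation even when the caller explicitly requested a specific one. Callers on the `idTokenValidateOptions.organization` path (the one exercised by the oauth tests this commit deletes) will get no error and must now perform the comparison themselves, which neither the commit message nor the code says. If that is intentional, document it where the option is declared, e.g. `/** Selects which org claim must be present (org_id vs org_name); the claim value is NOT compared against this value — callers must verify it themselves. */`, and add a test pinning that a mismatched claim is accepted so the contract is explicit; otherwise keep the comparison. The enclosing method starts above the hunk, so I cannot see whether `organization` is checked anywhere else.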
@@ -386,60 +386,4 @@ describe('id-token-validator', () => {
 'Organization Name (org_name) claim must be a string present in the ID token'
 );
 });
-
- it('should throw when org id claim doesnt match org expected', async () => {
- const idTokenValidator = new IDTokenValidator({
- domain: DOMAIN,
- clientId: CLIENT_ID,
- clientSecret: CLIENT_SECRET,
- });
-
- const jwt = await sign({ payload: { org_id: 'org_1234' } });
-
- await expect(idTokenValidator.validate(jwt, { organization: 'org_123' })).rejects.toThrow(
- 'Organization Id (org_id) claim value mismatch in the ID token; expected "org_123", found "org_1234'
- );
- });
-
- it('should throw when org name claim doesnt match org expected', async () => {
- const idTokenValidator = new IDTokenValidator({
- domain: DOMAIN,
- clientId: CLIENT_ID,
- clientSecret: CLIENT_SECRET,
- });
-
- const jwt = await sign({ payload: { org_name: 'notExpectedOrg' } });
-
- await expect(idTokenValidator.validate(jwt, { organization: 'testorg' })).rejects.toThrow(
- 'Organization Name (org_name) claim value mismatch in the ID token; expected "testorg", found "notExpectedOrg'
- );
- });
-
- it('should NOT throw when org_id matches expected organization', async () => {
- const idTokenValidator = new IDTokenValidator({
- domain: DOMAIN,
- clientId: CLIENT_ID,
- clientSecret: CLIENT_SECRET,
- });
-
- const jwt = await sign({ payload: { org_id: 'org_123' } });
-
- await expect(
- idTokenValidator.validate(jwt, { organization: 'org_123' })
- ).resolves.not.toThrow();
- });
-
- it('should NOT throw when org_name matches expected organization', async () => {
- const idTokenValidator = new IDTokenValidator({
- domain: DOMAIN,
- clientId: CLIENT_ID,
- clientSecret: CLIENT_SECRET,
- });
-
- const jwt = await sign({ payload: { org_name: 'testorg' } });
-
- await expect(
- idTokenValidator.validate(jwt, { organization: 'testOrg' })
- ).resolves.not.toThrow();
- });
 });
diff --git a/test/auth/oauth.test.ts b/test/auth/oauth.test.ts
index 24ca8d13d..f879d2f09 100644
--- a/test/auth/oauth.test.ts
+++ b/test/auth/oauth.test.ts
@@ -409,38 +409,4 @@ describe('OAuth (with ID Token validation)', () => {
 );
 nockDone();
 });
-
- it('should throw for invalid organization id', async () => {
- const { nockDone } = await nockBack('auth/fixtures/oauth.json', {
- before: await withIdToken({
- ...opts,
- payload: { org_id: 'org_123' },
- }),
- });
- const oauth = new OAuth(opts);
- await expect(
- oauth.refreshTokenGrant(
- { refresh_token: 'test-refresh-token' },
- { idTokenValidateOptions: { organization: 'org_1235' } }
- )
- ).rejects.toThrowError(/\(org_id\) claim value mismatch in the ID token/);
- nockDone();
- });
-
- it('should throw for invalid organization name', async () => {
- const { nockDone } = await nockBack('auth/fixtures/oauth.json', {
- before: await withIdToken({
- ...opts,
- payload: { org_name: 'org123' },
- }),
- });
- const oauth = new OAuth(opts);
- await expect(
- oauth.refreshTokenGrant(
- { refresh_token: 'test-refresh-token' },
- { idTokenValidateOptions: { organization: 'org1235' } }
- )
- ).rejects.toThrowError(/\(org_name\) claim value mismatch in the ID token/);
- nockDone();
- });
 });