OIDC Client and Journey Client Bug Fixes

[ancheetah]

JIRA Ticket

Description

Bug 1: fix callbackType export --> it's not really a type so it needs to be exported this way to be useful
Bug 2: fix token force renew --> calling oidcClient.user.info() after renewing tokens fails because the new token was mistakenly revoked instead of the old token

Summary by CodeRabbit

• Refactor

  • Adjusted public API exports for the client package, reorganizing which symbols are exposed.

• Bug Fixes

  • Improved background token renewal: prior tokens are conditionally revoked and storage consistently updated with the new tokens to avoid stale-token usage.
  • Fixed redirect URL behavior in an end-to-end test to match the actual client identifier format.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 036d226

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Re-exports callbackType from @forgerock/sdk-types via packages/journey-client/src/index.ts and removes it from packages/journey-client/src/types.ts. Updates OIDC background token renewal to revoke prior access token only when previous tokens exist, then store newly obtained tokens.

Changes

Cohort / File(s)	Change Summary
Journey-client export relocation \packages/journey-client/src/index.ts`, `packages/journey-client/src/types.ts``	callbackType re-export added to index.ts and removed from types.ts, shifting which file exposes the symbol in the package public API.
OIDC token renewal flow \packages/oidc-client/src/lib/client.store.ts``	Background renewal Micro.tap handler renamed param to newTokens; revocation now occurs only if prior tokens exist and have an accessToken; storage removal is limited to prior tokens; always writes newTokens to storage afterwards.
E2E test URL expectation \e2e/davinci-suites/src/phone-number-field.test.ts`, `package.json``	Updated expected redirect URL clientId to include trailing 0; one-line package.json adjustment.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Client as Client Code
  participant OIDC as oidc-client (renew flow)
  participant Store as TokenStorage
  participant Revoke as Revoke API

  Client->>OIDC: trigger token renewal
  OIDC->>Store: read current tokens (priorTokens)
  alt priorTokens exist and priorTokens.accessToken
    OIDC->>Revoke: revoke priorTokens.accessToken
    Revoke-->>OIDC: revoke result
    OIDC->>Store: remove prior token entry
  else no priorTokens
    Note right of OIDC: skip revoke/remove
  end
  OIDC->>OIDC: acquire newTokens
  OIDC->>Store: set newTokens
  OIDC-->>Client: return refreshed tokens (code + state)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chore(journey-client): refactored client and built test app #430: Related restructuring of journey-client exports/types affecting callbackType.
• Create journey package #412: Prior PR modifying journey-client top-level exports to expose callbackType.

Suggested reviewers

• ryanbas21
• cerebrl

Poem

🐰 I hopped through files both night and day,
I nudged a type from where it lay,
I watched old tokens bow and go,
New tokens sprout, a gentle show,
A lil' rabbit hop—code on its way!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main changes: it's a bug fix PR addressing issues in both OIDC Client and Journey Client packages as described in the objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ryanbas21]

good catch

[ryanbas21]

cloud should be fixed hopefully today, approving now

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 036d226

Command	Status	Duration	Result
nx run-many -t build --no-agents	✅ Succeeded	1s	View ↗
nx affected -t build lint test e2e-ci	✅ Succeeded	2m 24s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-01-17 00:17:22 UTC

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@511

@forgerock/device-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/device-client@511

@forgerock/journey-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/journey-client@511

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@511

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@511

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@511

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@511

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@511

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@511

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@511

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@511

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@511

commit: 036d226

[codecov-commenter]

Codecov Report

❌ Patch coverage is 80.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.17%. Comparing base (b89ad58) to head (036d226).
⚠️ Report is 26 commits behind head on main.

Files with missing lines	Patch %	Lines
packages/journey-client/src/index.ts	0.00%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #511       +/-   ##
===========================================
+ Coverage   18.79%   72.17%   +53.37%     
===========================================
  Files         140       63       -77     
  Lines       27640     4830    -22810     
  Branches      980      476      -504     
===========================================
- Hits         5195     3486     -1709     
+ Misses      22445     1344    -21101     

Files with missing lines	Coverage Δ
packages/journey-client/src/types.ts	0.00% <ø> (ø)
packages/oidc-client/src/lib/client.store.ts	27.70% <100.00%> (+0.36%)	⬆️
packages/journey-client/src/index.ts	0.00% <0.00%> (ø)

... and 77 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Deployed 4f98a0f to https://ForgeRock.github.io/ping-javascript-sdk/pr-511/4f98a0fc083ace5236a5477600836240bf1e6060 branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/journey-client - 0.0 KB (-82.4 KB, -100.0%)

📊 Minor Changes

📈 @forgerock/oidc-client - 23.5 KB (+0.0 KB)
📈 @forgerock/journey-client - 82.5 KB (+0.1 KB)

➖ No Changes

➖ @forgerock/device-client - 9.2 KB
➖ @forgerock/protect - 150.1 KB
➖ @forgerock/sdk-utilities - 7.5 KB
➖ @forgerock/sdk-types - 8.0 KB
➖ @forgerock/storage - 1.4 KB
➖ @forgerock/sdk-logger - 1.6 KB
➖ @forgerock/iframe-manager - 2.4 KB
➖ @forgerock/sdk-request-middleware - 4.5 KB
➖ @forgerock/sdk-oidc - 2.6 KB
➖ @forgerock/davinci-client - 39.6 KB

---

13 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}

[ancheetah]

Thanks for the quick review! Moving this to draft as I may find more bugs while I develop the new sample app and already added a new one to this PR.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI Agents

In @packages/oidc-client/src/lib/client.store.ts:
- Around line 292-304: The changes to the token renewal flow (Micro.tap callback
updating tokens) are unrelated to the callbackType export fix; revert or remove
the added logic around Micro.tap, the calls to
store.dispatch(oidcApi.endpoints.revoke.initiate(...)), storageClient.remove(),
and storageClient.set(newTokens) from this PR and instead place them in a
separate focused PR or commit that clearly documents the token renewal behavior;
ensure the current PR only contains the callbackType export fix and no
modifications to the Micro.tap/token revocation flow or storageClient usage.
- Around line 292-304: The Micro.tap handler currently calls
store.dispatch(oidcApi.endpoints.revoke.initiate(...)) without checking
wellknown.revocation_endpoint and then calls storageClient.remove() before
storageClient.set(newTokens), which can throw and create a storage gap; update
the Micro.tap callback to first check that wellknown.revocation_endpoint is
present before attempting revocation, wrap the revoke call in a try-catch (or
use Micro.tapError) so any revocation failure is logged/ignored and does not
prevent saving newTokens, and avoid calling storageClient.remove(); instead call
storageClient.set(newTokens) directly to atomically overwrite existing tokens
(keeping store.dispatch and oidcApi.endpoints.revoke.initiate as the revocation
call site).

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 20a8cdf and 0bc297f.

📒 Files selected for processing (1)

• packages/oidc-client/src/lib/client.store.ts

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: ryanbas21
Repo: ForgeRock/ping-javascript-sdk PR: 430
File: packages/journey-client/src/lib/callbacks/name-callback.ts:9-15
Timestamp: 2025-10-22T15:14:00.044Z
Learning: In packages/journey-client, callback classes are internal implementation details not part of the public API. The callbacks barrel (src/lib/callbacks/index.ts) intentionally only exports the base JourneyCallback class. Internal code imports concrete callback classes directly from their individual files (e.g., factory.ts, journey-client.ts).

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Mend Code Security Check
• GitHub Check: pr

[coderabbitai]

⚠️ Potential issue | 🟠 Major

These changes appear unrelated to the PR objectives.

The PR title indicates this is about fixing callbackType export in journey-client, but this file contains token renewal flow changes in the oidc-client package. Consider whether these changes should be in a separate PR for better traceability and review focus.

🤖 Prompt for AI Agents

In @packages/oidc-client/src/lib/client.store.ts around lines 292 - 304, The
changes to the token renewal flow (Micro.tap callback updating tokens) are
unrelated to the callbackType export fix; revert or remove the added logic
around Micro.tap, the calls to
store.dispatch(oidcApi.endpoints.revoke.initiate(...)), storageClient.remove(),
and storageClient.set(newTokens) from this PR and instead place them in a
separate focused PR or commit that clearly documents the token renewal behavior;
ensure the current PR only contains the callbackType export fix and no
modifications to the Micro.tap/token revocation flow or storageClient usage.

---

⚠️ Potential issue | 🔴 Critical

Consider error handling and atomic storage updates.

The token renewal logic has several concerns:

1. Critical: Revocation failure blocks new token storage — If the old token revocation fails (e.g., token already expired/invalid), the tap will throw and prevent storing newTokens, leaving the user in a broken state. Consider using Micro.tapError or try-catch to ensure new tokens are stored even if revocation fails.

2. Missing revocation endpoint check — Unlike the token.revoke method (line 331), this code doesn't verify wellknown.revocation_endpoint exists before using it (line 298). This could cause runtime errors if the endpoint is unavailable.

3. Atomic gap in storage updates — Calling remove() followed by set() creates a brief window where no tokens exist in storage. Concurrent reads during this gap will fail. Consider directly calling storageClient.set(newTokens) without the remove, since set should overwrite existing values.

🔎 Proposed fix with better error handling

         Micro.tap(async (newTokens) => {
           if (tokens && 'accessToken' in tokens) {
-            await store.dispatch(
-              oidcApi.endpoints.revoke.initiate({
-                accessToken: tokens.accessToken,
-                clientId: config.clientId,
-                endpoint: wellknown.revocation_endpoint,
-              }),
-            );
-            await storageClient.remove();
+            if (wellknown.revocation_endpoint) {
+              try {
+                await store.dispatch(
+                  oidcApi.endpoints.revoke.initiate({
+                    accessToken: tokens.accessToken,
+                    clientId: config.clientId,
+                    endpoint: wellknown.revocation_endpoint,
+                  }),
+                );
+              } catch (error) {
+                log.warn('Failed to revoke old access token during renewal', error);
+              }
+            }
           }
           await storageClient.set(newTokens);
         }),

🤖 Prompt for AI Agents

In @packages/oidc-client/src/lib/client.store.ts around lines 292 - 304, The
Micro.tap handler currently calls
store.dispatch(oidcApi.endpoints.revoke.initiate(...)) without checking
wellknown.revocation_endpoint and then calls storageClient.remove() before
storageClient.set(newTokens), which can throw and create a storage gap; update
the Micro.tap callback to first check that wellknown.revocation_endpoint is
present before attempting revocation, wrap the revoke call in a try-catch (or
use Micro.tapError) so any revocation failure is logged/ignored and does not
prevent saving newTokens, and avoid calling storageClient.remove(); instead call
storageClient.set(newTokens) directly to atomically overwrite existing tokens
(keeping store.dispatch and oidcApi.endpoints.revoke.initiate as the revocation
call site).