From 6ff9711dd2534978dad5989440d1fbcd4273e754 Mon Sep 17 00:00:00 2001
From: Jared Perreault <90656038+jaredperreault-okta@users.noreply.github.com>
Date: Tue, 23 Apr 2024 14:37:03 -0400
Subject: [PATCH] Adjusts `-admin` validation check (#1513)

OKTA-720755 fix: updates issuer validation
---
 CHANGELOG.md | 5 +++++
 lib/oidc/options/OAuthOptionsConstructor.ts | 2 +-
 test/spec/OktaAuth/assertValidConfig.ts | 6 +++++-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d00b10c50..8def8d63d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,10 +3,15 @@
 ## 7.6.0
 ### Features
+
 - [#1507](https://github.com/okta/okta-auth-js/pull/1507) add: new method `getOrRenewAccessToken`
 - [#1505](https://github.com/okta/okta-auth-js/pull/1505) add: support of `revokeSessions` param for `OktaPassword` authenticator (can be used in `reset-authenticator` remediation)
 - [#1512](https://github.com/okta/okta-auth-js/pull/1512) add: new service `RenewOnTabActivation`
+### Bug Fix
+
+- [#1513](https://github.com/okta/okta-auth-js/pull/1513) fix: restricts `issuer` "-admin" validation to `.okta` domain
+
 ## 7.5.1
 ### Bug Fix
diff --git a/lib/oidc/options/OAuthOptionsConstructor.ts b/lib/oidc/options/OAuthOptionsConstructor.ts
index 9754b99cd..a1f47d368 100644
--- a/lib/oidc/options/OAuthOptionsConstructor.ts
+++ b/lib/oidc/options/OAuthOptionsConstructor.ts
@@ -48,7 +48,7 @@ function assertValidConfig(args) {
 'Required usage: new OktaAuth({issuer: "https://{yourOktaDomain}.com/oauth2/{authServerId}"})');
 }
- if (issuer.indexOf('-admin.') !== -1) {
+ if (issuer.indexOf('-admin.okta') !== -1) {
 throw new AuthSdkError('Issuer URL passed to constructor contains "-admin" in subdomain. ' +
 'Required usage: new OktaAuth({issuer: "https://{yourOktaDomain}.com})');
 }
diff --git a/test/spec/OktaAuth/assertValidConfig.ts b/test/spec/OktaAuth/assertValidConfig.ts
index 8ea2fcb95..988462d6d 100644
--- a/test/spec/OktaAuth/assertValidConfig.ts
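Review bot: The narrowed guard `if (issuer.indexOf('-admin.okta') !== -1)` is still a case-sensitive substring search over the whole issuer string rather than over its hostname, so a URL whose host is written as `-ADMIN.okta.com` passes the check while a path or query segment containing `-admin.okta` is rejected; unless `issuer` is already lower-cased earlier in the function, `if (issuer.toLowerCase().indexOf('-admin.okta') !== -1) {` would bring the check in line with its own error message, which speaks of the subdomain. The reason for the narrowing is also invisible in the code; a comment such as `// Only Okta-hosted admin hosts (e.g. -admin.okta.com, -admin.oktapreview.com) are rejected; a custom domain may legitimately contain "-admin"` would record it for the next reader. assertValidConfig begins and ends outside the hunk.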
+++ b/test/spec/OktaAuth/assertValidConfig.ts
@@ -53,7 +53,7 @@ describe('assertValidConfig', () => {
 'Required usage: new OktaAuth({issuer: "https://{yourOktaDomain}.com/oauth2/{authServerId}"})');
 });
- it('throw an error if url contains "-admin" when passed to the constructor', function () {
+ it('throw an error if url on the okta domain contains "-admin" when passed to the constructor', function () {
 var err;
 try {
 new OktaAuth({issuer: 'https://dev-12345-admin.oktapreview.com'}); // eslint-disable-line no-new
@@ -65,4 +65,8 @@ describe('assertValidConfig', () => {
 'Required usage: new OktaAuth({issuer: "https://{yourOktaDomain}.com})');
 });
+ it('should not throw an error if url contains "-admin" on a domain other than .okta when passed to the constructor', function () {
+ // eslint-disable-next-line no-new
+ expect(() => new OktaAuth({issuer: 'https://login-admin.foobar.com'})).not.toThrowError();
+ });
 });
\ No newline at end of file
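Review bot: The new negative test pins only `login-admin.foobar.com`, and the lone positive case in the previous hunk uses `.oktapreview.com`, so nothing in this file asserts that the `.okta.com` host the changelog names is still rejected after the narrowing; a companion case such as `expect(() => new OktaAuth({issuer: 'https://dev-12345-admin.okta.com'})).toThrowError();` would close that gap. The new test also uses the `expect(...).not.toThrowError()` form while its sibling above collects the error with `var err` and a try/catch; either is fine, but the two read as if written for different frameworks and the older one could be brought to the same shape. The enclosing describe block starts outside the hunk.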