DAST Browser against a page with OpenID Connect


We have a web app that relies on OpenID Connect for the auth and authz to return the token. This token is stored in localStorage inside an oidc object with other extra fields. Something like:

{
  "id_token": "SOME_ID_TOKEN",
  "session_state": "SOME_SESSION_STATE",
  "access_token": "SOME_ACCESS_TOKEN",
  "refresh_token": "SOME_REFRESH_TOKEN",
  "token_type": "Bearer",
  "scope": "openid profile offline_access roles",
  "profile": {
    "policy": "policy",
    "role": "role"
  },
  "expires_at": 1697511597
}

The login part works after I set up the environment variables with the credentials, the fields to use and the button to click. But it fails to find the token after it gets redirected.

The DAST analyzer expects to find the token as the only value in the local storage item:

localStorage.getItem('MyTokenKey') === "SOME_TOKEN"

Using a Python script is impossible because that’s a DAST API feature, not a Browser feature.

Any ideas on how we could solve this?

The only thing that comes to my mind is to edit the front end code to create a new item in the localStorage with the token as the only value (a string, not an object).
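One way to do what the last paragraph describes, as an added example that is not code from the original post: read the stored oidc object, pull out a single token field, and write it to a second key as a bare string so a scanner configured to read `localStorage.getItem('MyTokenKey')` gets exactly that. The storage key `oidc`, the field `access_token`, and the in-memory storage stand-in are assumptions; expired or malformed items are skipped rather than mirrored.

```javascript
// Added example, not code from the original post. Key names are assumptions:
// the oidc object is stored under 'oidc' and the scanner reads 'MyTokenKey'.
// In-memory stand-in for window.localStorage so this also runs outside a browser.
function makeStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}

// Copy one token field of the stored oidc object into its own key holding only
// the bare token string. Returns the token, or null if nothing usable is there.
// Gate this behind a DAST-only build flag: a second copy of the token widens
// what any script running on the page can read.
function mirrorTokenForDast(storage, opts = {}) {
  const {
    oidcKey = 'oidc',          // assumed key of the oidc object
    field = 'access_token',    // which token the scanner should send
    targetKey = 'MyTokenKey',  // key the DAST analyzer is configured to read
    now = Math.floor(Date.now() / 1000),
  } = opts;

  const raw = storage.getItem(oidcKey);
  if (raw === null) return null;

  let oidc;
  try {
    oidc = JSON.parse(raw);
  } catch {
    return null;               // malformed item: write nothing
  }

  const token = oidc && typeof oidc[field] === 'string' ? oidc[field] : null;
  const expired = typeof oidc?.expires_at === 'number' && oidc.expires_at <= now;
  if (!token || expired) {
    storage.removeItem(targetKey);  // never leave a stale token behind
    return null;
  }
  storage.setItem(targetKey, token); // plain string, not a JSON object
  return token;
}

// Constructed sample in the shape shown in the post.
const sampleOidc = JSON.stringify({
  id_token: 'SOME_ID_TOKEN', access_token: 'SOME_ACCESS_TOKEN',
  token_type: 'Bearer', expires_at: 1697511597,
});
```

In the real page, call `mirrorTokenForDast(window.localStorage)` right after the OIDC library has finished handling the redirect and stored its object, since the scanner only looks at storage after login completes.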