Skip to content

Commit

Permalink
fix: decode id_token_hint with correct signer
Browse files Browse the repository at this point in the history
BREAKING CHANGE: this commit changed OpenIDConnectTokenStrategy interface.

closes #769
  • Loading branch information
hijiki51 committed Mar 23, 2024
1 parent 1f27af4 commit 16d2b5c
Show file tree
Hide file tree
Showing 8 changed files with 41 additions and 18 deletions.
7 changes: 3 additions & 4 deletions compose/compose_openid.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"github.com/ory/fosite"
"github.com/ory/fosite/handler/oauth2"
"github.com/ory/fosite/handler/openid"
"github.com/ory/fosite/token/jwt"
)

// OpenIDConnectExplicitFactory creates an OpenID Connect explicit ("authorize code flow") grant handler.
Expand All @@ -19,7 +18,7 @@ func OpenIDConnectExplicitFactory(config fosite.Configurator, storage interface{
IDTokenHandleHelper: &openid.IDTokenHandleHelper{
IDTokenStrategy: strategy.(openid.OpenIDConnectTokenStrategy),
},
OpenIDConnectRequestValidator: openid.NewOpenIDConnectRequestValidator(strategy.(jwt.Signer), config),
OpenIDConnectRequestValidator: openid.NewOpenIDConnectRequestValidator(strategy.(openid.OpenIDConnectTokenStrategy), config),
Config: config,
}
}
Expand Down Expand Up @@ -50,7 +49,7 @@ func OpenIDConnectImplicitFactory(config fosite.Configurator, storage interface{
IDTokenHandleHelper: &openid.IDTokenHandleHelper{
IDTokenStrategy: strategy.(openid.OpenIDConnectTokenStrategy),
},
OpenIDConnectRequestValidator: openid.NewOpenIDConnectRequestValidator(strategy.(jwt.Signer), config),
OpenIDConnectRequestValidator: openid.NewOpenIDConnectRequestValidator(strategy.(openid.OpenIDConnectTokenStrategy), config),
}
}

Expand All @@ -76,6 +75,6 @@ func OpenIDConnectHybridFactory(config fosite.Configurator, storage interface{},
IDTokenStrategy: strategy.(openid.OpenIDConnectTokenStrategy),
},
OpenIDConnectRequestStorage: storage.(openid.OpenIDConnectRequestStorage),
OpenIDConnectRequestValidator: openid.NewOpenIDConnectRequestValidator(strategy.(jwt.Signer), config),
OpenIDConnectRequestValidator: openid.NewOpenIDConnectRequestValidator(strategy.(openid.OpenIDConnectTokenStrategy), config),
}
}
2 changes: 1 addition & 1 deletion handler/openid/flow_explicit_auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ func makeOpenIDConnectExplicitHandler(ctrl *gomock.Controller, minParameterEntro
IDTokenHandleHelper: &IDTokenHandleHelper{
IDTokenStrategy: j,
},
OpenIDConnectRequestValidator: NewOpenIDConnectRequestValidator(j.Signer, config),
OpenIDConnectRequestValidator: NewOpenIDConnectRequestValidator(j, config),
Config: config,
}, store
}
Expand Down
2 changes: 1 addition & 1 deletion handler/openid/flow_hybrid_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ func makeOpenIDConnectHybridHandler(minParameterEntropy int) OpenIDConnectHybrid
IDTokenStrategy: idStrategy,
},
Config: config,
OpenIDConnectRequestValidator: NewOpenIDConnectRequestValidator(j.Signer, config),
OpenIDConnectRequestValidator: NewOpenIDConnectRequestValidator(j, config),
OpenIDConnectRequestStorage: storage.NewMemoryStore(),
}
}
Expand Down
2 changes: 1 addition & 1 deletion handler/openid/flow_implicit_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ func makeOpenIDConnectImplicitHandler(minParameterEntropy int) OpenIDConnectImpl
IDTokenHandleHelper: &IDTokenHandleHelper{
IDTokenStrategy: idStrategy,
},
OpenIDConnectRequestValidator: NewOpenIDConnectRequestValidator(j.Signer, config),
OpenIDConnectRequestValidator: NewOpenIDConnectRequestValidator(j, config),
Config: config,
}
}
Expand Down
2 changes: 2 additions & 0 deletions handler/openid/strategy.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,10 @@ import (
"time"

"github.com/ory/fosite"
"github.com/ory/fosite/token/jwt"
)

type OpenIDConnectTokenStrategy interface {
GenerateIDToken(ctx context.Context, lifespan time.Duration, requester fosite.Requester) (token string, err error)
DecodeIDToken(ctx context.Context, requester fosite.Requester, token string) (*jwt.Token, error)
}
13 changes: 13 additions & 0 deletions handler/openid/strategy_jwt.go
Original file line number Diff line number Diff line change
Expand Up @@ -231,3 +231,16 @@ func (h DefaultStrategy) GenerateIDToken(ctx context.Context, lifespan time.Dura
token, _, err = h.Signer.Generate(ctx, claims.ToMapClaims(), sess.IDTokenHeaders())
return token, err
}

// DecodeIDToken decodes a JWT string.
func (h DefaultStrategy) DecodeIDToken(ctx context.Context, _ fosite.Requester, token string) (*jwt.Token, error) {
idtoken, err := h.Signer.Decode(ctx, token)
var ve *jwt.ValidationError
if errors.As(err, &ve) && ve.Has(jwt.ValidationErrorExpired) {
// Expired tokens are ok
} else if err != nil {
return nil, errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
}

return idtoken, nil
}
14 changes: 4 additions & 10 deletions handler/openid/validator.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,7 @@ import (

"github.com/ory/x/errorsx"

"github.com/pkg/errors"

"github.com/ory/fosite"
"github.com/ory/fosite/token/jwt"
"github.com/ory/go-convenience/stringslice"
)

Expand All @@ -26,11 +23,11 @@ type openIDConnectRequestValidatorConfigProvider interface {
}

type OpenIDConnectRequestValidator struct {
Strategy jwt.Signer
Strategy OpenIDConnectTokenStrategy
Config openIDConnectRequestValidatorConfigProvider
}

func NewOpenIDConnectRequestValidator(strategy jwt.Signer, config openIDConnectRequestValidatorConfigProvider) *OpenIDConnectRequestValidator {
func NewOpenIDConnectRequestValidator(strategy OpenIDConnectTokenStrategy, config openIDConnectRequestValidatorConfigProvider) *OpenIDConnectRequestValidator {
return &OpenIDConnectRequestValidator{
Strategy: strategy,
Config: config,
Expand Down Expand Up @@ -133,11 +130,8 @@ func (v *OpenIDConnectRequestValidator) ValidatePrompt(ctx context.Context, req
return nil
}

tokenHint, err := v.Strategy.Decode(ctx, idTokenHint)
var ve *jwt.ValidationError
if errors.As(err, &ve) && ve.Has(jwt.ValidationErrorExpired) {
// Expired tokens are ok
} else if err != nil {
tokenHint, err := v.Strategy.DecodeIDToken(ctx, req, idTokenHint)
if err != nil {
return errorsx.WithStack(fosite.ErrInvalidRequest.WithHint("Failed to validate OpenID Connect request as decoding id token from id_token_hint parameter failed.").WithWrap(err).WithDebug(err.Error()))
}

Expand Down
17 changes: 16 additions & 1 deletion internal/id_token_strategy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 16d2b5c

Please sign in to comment.