cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: append client id to aud (#71)

Browse source 
* fix: append client id to aud

* fix: append client id to aud

* Update pkg/oidc/token.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
This commit is contained in:
Fabi 2020-11-16 08:26:19 +01:00 committed by GitHub
parent 2370409a55
commit 13b14734b9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

15
pkg/oidc/token.go
View file

@ -48,8 +48,11 @@ func EmptyAccessTokenClaims() AccessTokenClaims {
return new(accessTokenClaims) return new(accessTokenClaims)
} }
func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, id string) AccessTokenClaims { func NewAccessTokenClaims(issuer, subject string, audience []string, expiration time.Time, id, clientID string) AccessTokenClaims {
now := time.Now().UTC() now := time.Now().UTC()
if len(audience) == 0 {
audience = append(audience, clientID)
}
return &accessTokenClaims{ return &accessTokenClaims{
Issuer: issuer, Issuer: issuer,
Subject: subject, Subject: subject,
@ -201,6 +204,7 @@ func EmptyIDTokenClaims() IDTokenClaims {
} }
func NewIDTokenClaims(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string) IDTokenClaims { func NewIDTokenClaims(issuer, subject string, audience []string, expiration, authTime time.Time, nonce string, acr string, amr []string, clientID string) IDTokenClaims {
audience = AppendClientIDToAudience(clientID, audience)
return &idTokenClaims{ return &idTokenClaims{
Issuer: issuer, Issuer: issuer,
Audience: audience, Audience: audience,
@ -441,3 +445,12 @@ func ClaimHash(claim string, sigAlgorithm jose.SignatureAlgorithm) (string, erro
return utils.HashString(hash, claim, true), nil return utils.HashString(hash, claim, true), nil
} }
func AppendClientIDToAudience(clientID string, audience []string) []string {
for _, aud := range audience {
if aud == clientID {
return audience
}
}
return append(audience, clientID)
}

2
pkg/op/token.go
View file

@ -83,7 +83,7 @@ func CreateBearerToken(tokenID, subject string, crypto Crypto) (string, error) {
} }
func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, signer Signer, client Client, storage Storage) (string, error) { func CreateJWT(ctx context.Context, issuer string, tokenRequest TokenRequest, exp time.Time, id string, signer Signer, client Client, storage Storage) (string, error) {
claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id) claims := oidc.NewAccessTokenClaims(issuer, tokenRequest.GetSubject(), tokenRequest.GetAudience(), exp, id, client.GetID())
if client != nil { if client != nil {
restrictedScopes := client.RestrictAdditionalAccessTokenScopes()(tokenRequest.GetScopes()) restrictedScopes := client.RestrictAdditionalAccessTokenScopes()(tokenRequest.GetScopes())
privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes)) privateClaims, err := storage.GetPrivateClaimsFromScopes(ctx, tokenRequest.GetSubject(), client.GetID(), removeUserinfoScopes(restrictedScopes))