fix: check refresh token grant type (#100)

This commit is contained in:
Livio Amstutz 2021-05-31 11:35:03 +02:00 committed by GitHub
parent 8822aca841
commit 3e336a4075
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -69,7 +69,7 @@ func ValidateRefreshTokenRequest(ctx context.Context, tokenReq *oidc.RefreshToke
return request, client, nil return request, client, nil
} }
//ValidateRefreshTokenScopes validates that requested scope is a subset of the original auth request scope //ValidateRefreshTokenScopes validates that the requested scope is a subset of the original auth request scope
//it will set the requested scopes as current scopes onto RefreshTokenRequest //it will set the requested scopes as current scopes onto RefreshTokenRequest
//if empty the original scopes will be used //if empty the original scopes will be used
func ValidateRefreshTokenScopes(requestedScopes oidc.Scopes, authRequest RefreshTokenRequest) error { func ValidateRefreshTokenScopes(requestedScopes oidc.Scopes, authRequest RefreshTokenRequest) error {
@ -97,6 +97,9 @@ func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequ
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
if !ValidateGrantType(client, oidc.GrantTypeRefreshToken) {
return nil, nil, ErrInvalidRequest("invalid_grant")
}
request, err = RefreshTokenRequestByRefreshToken(ctx, exchanger.Storage(), tokenReq.RefreshToken) request, err = RefreshTokenRequestByRefreshToken(ctx, exchanger.Storage(), tokenReq.RefreshToken)
return request, client, err return request, client, err
} }
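Review bot: The new rejection `return nil, nil, ErrInvalidRequest("invalid_grant")` in the added ValidateGrantType block pairs an invalid_request constructor with an invalid_grant message; for a client that is not permitted to use the refresh_token grant, RFC 6749 §5.2 specifies the `unauthorized_client` error code, so the package's constructor for that code (if one exists) would be the accurate response, or at minimum the message should match the code the constructor emits. The identical three lines are added again in the second hunk of AuthorizeRefreshClient, where the neighbouring existing rejection still uses a bare `errors.New("invalid_grant")`, so the same class of failure is now reported in three different forms within one function; hoisting the check once after the client lookup with a single error form would remove that drift. Placing the check before RefreshTokenRequestByRefreshToken is the right order, since a client without the grant never reaches the stored token. AuthorizeRefreshClient starts and ends outside both hunks.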
@ -104,6 +107,9 @@ func AuthorizeRefreshClient(ctx context.Context, tokenReq *oidc.RefreshTokenRequ
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
if !ValidateGrantType(client, oidc.GrantTypeRefreshToken) {
return nil, nil, ErrInvalidRequest("invalid_grant")
}
if client.AuthMethod() == oidc.AuthMethodPrivateKeyJWT { if client.AuthMethod() == oidc.AuthMethodPrivateKeyJWT {
return nil, nil, errors.New("invalid_grant") return nil, nil, errors.New("invalid_grant")
} }