cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: simplify verifying PKCE

Browse source
This commit is contained in:
Ayato 2025-03-13 23:32:26 +09:00
parent c2842f3356
commit b06e76c54e
No known key found for this signature in database
GPG key ID: 56E05AE09DBA012D
3 changed files with 28 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

13
example/server/storage/oidc.go
View file

@ -143,6 +143,14 @@ func MaxAgeToInternal(maxAge *uint) *time.Duration {
} }
func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthRequest { func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthRequest {
var codeChallenge *OIDCCodeChallenge
if authReq.CodeChallenge != "" {
codeChallenge = &OIDCCodeChallenge{
Challenge: authReq.CodeChallenge,
Method: string(authReq.CodeChallengeMethod),
}
}
return &AuthRequest{ return &AuthRequest{
CreationDate: time.Now(), CreationDate: time.Now(),
ApplicationID: authReq.ClientID, ApplicationID: authReq.ClientID,
@ -157,10 +165,7 @@ func authRequestToInternal(authReq *oidc.AuthRequest, userID string) *AuthReques
ResponseType: authReq.ResponseType, ResponseType: authReq.ResponseType,
ResponseMode: authReq.ResponseMode, ResponseMode: authReq.ResponseMode,
Nonce: authReq.Nonce, Nonce: authReq.Nonce,
CodeChallenge: &OIDCCodeChallenge{ CodeChallenge: codeChallenge,
Challenge: authReq.CodeChallenge,
Method: string(authReq.CodeChallengeMethod),
},
} }
} }

1
pkg/op/op_test.go
View file

@ -102,6 +102,7 @@ func TestRoutes(t *testing.T) {
authReq, err := storage.CreateAuthRequest(ctx, oidcAuthReq, "id1") authReq, err := storage.CreateAuthRequest(ctx, oidcAuthReq, "id1")
require.NoError(t, err) require.NoError(t, err)
storage.AuthRequestDone(authReq.GetID()) storage.AuthRequestDone(authReq.GetID())
storage.SaveAuthCode(ctx, authReq.GetID(), "123")
accessToken, refreshToken, _, err := op.CreateAccessToken(ctx, authReq, op.AccessTokenTypeBearer, testProvider, client, "") accessToken, refreshToken, _, err := op.CreateAccessToken(ctx, authReq, op.AccessTokenTypeBearer, testProvider, client, "")
require.NoError(t, err) require.NoError(t, err)

44
pkg/op/token_code.go
View file

@ -74,6 +74,20 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
ctx, span := tracer.Start(ctx, "AuthorizeCodeClient") ctx, span := tracer.Start(ctx, "AuthorizeCodeClient")
defer span.End() defer span.End()
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
if err != nil {
return nil, nil, err
}
codeChallenge := request.GetCodeChallenge()
if codeChallenge != nil {
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, codeChallenge)
if err != nil {
return nil, nil, err
}
}
if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion { if tokenReq.ClientAssertionType == oidc.ClientAssertionTypeJWTAssertion {
jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger) jwtExchanger, ok := exchanger.(JWTAuthorizationGrantExchanger)
if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() { if !ok || !exchanger.AuthMethodPrivateKeyJWTSupported() {
@ -83,19 +97,9 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
codeChallenge := request.GetCodeChallenge()
if codeChallenge != nil && codeChallenge.Challenge != "" {
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge())
if err != nil {
return nil, nil, err
}
}
return request, client, err return request, client, err
} }
client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID) client, err = exchanger.Storage().GetClientByClientID(ctx, tokenReq.ClientID)
if err != nil { if err != nil {
return nil, nil, oidc.ErrInvalidClient().WithParent(err) return nil, nil, oidc.ErrInvalidClient().WithParent(err)
@ -104,12 +108,10 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
return nil, nil, oidc.ErrInvalidClient().WithDescription("private_key_jwt not allowed for this client") return nil, nil, oidc.ErrInvalidClient().WithDescription("private_key_jwt not allowed for this client")
} }
if client.AuthMethod() == oidc.AuthMethodNone { if client.AuthMethod() == oidc.AuthMethodNone {
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code) if codeChallenge == nil {
if err != nil { return nil, nil, oidc.ErrInvalidRequest().WithDescription("PKCE required")
return nil, nil, err
} }
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge()) return request, client, nil
return request, client, err
} }
if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() { if client.AuthMethod() == oidc.AuthMethodPost && !exchanger.AuthMethodPostSupported() {
return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method post not supported") return nil, nil, oidc.ErrInvalidClient().WithDescription("auth_method post not supported")
@ -118,16 +120,6 @@ func AuthorizeCodeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest,
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
request, err = AuthRequestByCode(ctx, exchanger.Storage(), tokenReq.Code)
codeChallenge := request.GetCodeChallenge()
if codeChallenge != nil && codeChallenge.Challenge != "" {
err = AuthorizeCodeChallenge(tokenReq.CodeVerifier, request.GetCodeChallenge())
if err != nil {
return nil, nil, err
}
}
return request, client, err return request, client, err
} }