cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: allow expired ID token hint to end sessions (#522)

Browse source 
* fix: allow expired ID token hint to end sessions

This change adds a specific error for expired ID Token hints, including too old "issued at" and "max auth age".
The error is returned VerifyIDTokenHint so that the end session handler can choose to ignore this error.

This fixes the behavior to be in line with [OpenID Connect RP-Initiated Logout 1.0, section 4](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling).

* Tes IDTokenHintExpiredError
This commit is contained in:
Tim Möhlmann 2024-01-19 12:30:51 +02:00 committed by GitHub
parent 3f26eb10ad
commit b8e520afd0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 74 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

36
pkg/op/verifier_id_token_hint.go
View file

@ -2,6 +2,7 @@ package op
import (
"context"
"errors"
"github.com/zitadel/oidc/v3/pkg/oidc"
)
@ -27,8 +28,23 @@ func NewIDTokenHintVerifier(issuer string, keySet oidc.KeySet, opts ...IDTokenHi
return verifier
}
type IDTokenHintExpiredError struct {
error
}
func (e IDTokenHintExpiredError) Unwrap() error {
return e.error
}
func (e IDTokenHintExpiredError) Is(err error) bool {
return errors.Is(err, e.error)
}
// VerifyIDTokenHint validates the id token according to
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.
// In case of an expired token both the Claims and first encountered expiry related error
// is returned of type [IDTokenHintExpiredError]. In that case the caller can choose to still
// trust the token for cases like logout, as signature and other verifications succeeded.
func VerifyIDTokenHint[C oidc.Claims](ctx context.Context, token string, v *IDTokenHintVerifier) (claims C, err error) {
var nilClaims C
@ -49,20 +65,20 @@ func VerifyIDTokenHint[C oidc.Claims](ctx context.Context, token string, v *IDTo
return nilClaims, err
}
if err = oidc.CheckExpiration(claims, v.Offset); err != nil {
return nilClaims, err
}
if err = oidc.CheckIssuedAt(claims, v.MaxAgeIAT, v.Offset); err != nil {
return nilClaims, err
}
if err = oidc.CheckAuthorizationContextClassReference(claims, v.ACR); err != nil {
return nilClaims, err
}
if err = oidc.CheckExpiration(claims, v.Offset); err != nil {
return claims, IDTokenHintExpiredError{err}
}
if err = oidc.CheckIssuedAt(claims, v.MaxAgeIAT, v.Offset); err != nil {
return claims, IDTokenHintExpiredError{err}
}
if err = oidc.CheckAuthTime(claims, v.MaxAge); err != nil {
return nilClaims, err
return claims, IDTokenHintExpiredError{err}
}
return claims, nil
}