fix: code challenge

Livio Amstutz 2020-01-20 09:07:23 +01:00
parent 5d91ebfd62
commit c065f66d08
2 changed files with 8 additions and 5 deletions


@ -18,7 +18,10 @@ type CodeChallenge struct {
Method CodeChallengeMethod Method CodeChallengeMethod
} }
func (c *CodeChallenge) Verify(codeVerifier string) bool { func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool {
if c == nil {
return false //TODO: ?
}
if c.Method == CodeChallengeMethodS256 { if c.Method == CodeChallengeMethodS256 {
codeVerifier = utils.HashString(sha256.New(), codeVerifier) codeVerifier = utils.HashString(sha256.New(), codeVerifier)
} }
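Review bot: The `return false //TODO: ?` on the nil branch leaves the fail-closed decision looking undecided, when it is the right one: a public client reaches this verifier only with a non-empty `code_verifier` (the caller rejects an empty one), so a request whose authorization request never stored a challenge must be rejected rather than passed through. Replace the TODO with a comment that records that intent, e.g. `// No challenge was stored for this authorization request: fail closed (RFC 7636 §4.6).`. The actual comparison of the (hashed) verifier against `c.Challenge` lies outside this hunk; if it is a plain `==`, consider `subtle.ConstantTimeCompare` for the `plain` method, where the compared value is the secret itself rather than a digest. VerifyCodeChallenge's body continues past the end of the hunk.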


@ -102,7 +102,7 @@ func AuthorizeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exc
return nil, nil, err return nil, nil, err
} }
if client.GetAuthMethod() == AuthMethodNone { if client.GetAuthMethod() == AuthMethodNone {
authReq, err := AuthorizeCodeChallenge(ctx, tokenReq, exchanger.Storage()) authReq, err := AuthorizeCodeChallenge(ctx, tokenReq, exchanger)
return authReq, client, err return authReq, client, err
} }
if client.GetAuthMethod() == AuthMethodPost && !exchanger.AuthMethodPostSupported() { if client.GetAuthMethod() == AuthMethodPost && !exchanger.AuthMethodPostSupported() {
@ -123,15 +123,15 @@ func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string,
return storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret) return storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
} }
func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenRequest, storage AuthStorage) (AuthRequest, error) { func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, error) {
if tokenReq.CodeVerifier == "" { if tokenReq.CodeVerifier == "" {
return nil, ErrInvalidRequest("code_challenge required") return nil, ErrInvalidRequest("code_challenge required")
} }
authReq, err := AuthRequestByCode(ctx, tokenReq.Code, nil, storage) authReq, err := AuthRequestByCode(ctx, tokenReq.Code, exchanger.Crypto(), exchanger.Storage())
if err != nil { if err != nil {
return nil, ErrInvalidRequest("invalid code") return nil, ErrInvalidRequest("invalid code")
} }
if !authReq.GetCodeChallenge().Verify(tokenReq.CodeVerifier) { if !oidc.VerifyCodeChallenge(authReq.GetCodeChallenge(), tokenReq.CodeVerifier) {
return nil, ErrInvalidRequest("code_challenge invalid") return nil, ErrInvalidRequest("code_challenge invalid")
} }
return authReq, nil return authReq, nil
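Review bot: The guard at the top of AuthorizeCodeChallenge tests `tokenReq.CodeVerifier == ""` but reports `code_challenge required`, which names the wrong parameter and will mislead clients debugging a token exchange; it should read `return nil, ErrInvalidRequest("code_verifier required")`. While there, the only validation of the verifier is non-emptiness, whereas RFC 7636 §4.1 bounds it to 43–128 characters of the unreserved set; rejecting out-of-range verifiers before the storage lookup (`if l := len(tokenReq.CodeVerifier); l < 43 || l > 128 { ... }`) keeps malformed input from ever reaching the hash-and-compare path. The mapping of any lookup error to `invalid code` is fine for the client-facing message, but the underlying error is dropped and nothing is logged, so an operator cannot tell a decryption failure from an unknown or expired code; consider logging it server-side if the surrounding code has a logger. The closing brace of AuthorizeCodeChallenge is outside the hunk.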