fix: code challenge

Livio Amstutz 2020-01-20 09:07:23 +01:00
parent 5d91ebfd62
commit c065f66d08
2 changed files with 8 additions and 5 deletions


@ -18,7 +18,10 @@ type CodeChallenge struct {
Method CodeChallengeMethod
}
func (c *CodeChallenge) Verify(codeVerifier string) bool {
func VerifyCodeChallenge(c *CodeChallenge, codeVerifier string) bool {
if c == nil {
return false //TODO: ?
}
if c.Method == CodeChallengeMethodS256 {
codeVerifier = utils.HashString(sha256.New(), codeVerifier)
}
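Review bot: The `//TODO: ?` left on `return false` in the nil branch of VerifyCodeChallenge should be resolved rather than left open: returning false there is the correct, fail-closed choice (a missing challenge must not be satisfiable by any verifier), so replace the TODO with a statement of that intent, e.g. `return false // no challenge bound to the auth request: fail closed`. Separately, `if c.Method == CodeChallengeMethodS256` means every other method value, including an empty or unrecognized one, is compared as plain; assuming the package declares a plain-method constant alongside S256, an explicit check such as `if c.Method != CodeChallengeMethodS256 && c.Method != CodeChallengeMethodPlain { return false }` would fail closed for unknown methods too. The comparison of the hashed or plain verifier against the stored challenge lies outside this hunk, so whether it is constant-time cannot be confirmed here. The function continues past the end of the hunk.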


@ -102,7 +102,7 @@ func AuthorizeClient(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exc
return nil, nil, err
}
if client.GetAuthMethod() == AuthMethodNone {
authReq, err := AuthorizeCodeChallenge(ctx, tokenReq, exchanger.Storage())
authReq, err := AuthorizeCodeChallenge(ctx, tokenReq, exchanger)
return authReq, client, err
}
if client.GetAuthMethod() == AuthMethodPost && !exchanger.AuthMethodPostSupported() {
@ -123,15 +123,15 @@ func AuthorizeClientIDSecret(ctx context.Context, clientID, clientSecret string,
return storage.AuthorizeClientIDSecret(ctx, clientID, clientSecret)
}
func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenRequest, storage AuthStorage) (AuthRequest, error) {
func AuthorizeCodeChallenge(ctx context.Context, tokenReq *oidc.AccessTokenRequest, exchanger Exchanger) (AuthRequest, error) {
if tokenReq.CodeVerifier == "" {
return nil, ErrInvalidRequest("code_challenge required")
}
authReq, err := AuthRequestByCode(ctx, tokenReq.Code, nil, storage)
authReq, err := AuthRequestByCode(ctx, tokenReq.Code, exchanger.Crypto(), exchanger.Storage())
if err != nil {
return nil, ErrInvalidRequest("invalid code")
}
if !authReq.GetCodeChallenge().Verify(tokenReq.CodeVerifier) {
if !oidc.VerifyCodeChallenge(authReq.GetCodeChallenge(), tokenReq.CodeVerifier) {
return nil, ErrInvalidRequest("code_challenge invalid")
}
return authReq, nil
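Review bot: The error returned at `if tokenReq.CodeVerifier == ""` names the wrong parameter: what the token request is missing is `code_verifier` (the challenge was sent with the authorization request), so the line should read `return nil, ErrInvalidRequest("code_verifier required")`. Per RFC 7636 §4.6 and RFC 6749 §5.2 a verifier that does not match the stored challenge, and an unknown or expired code, are reported as `invalid_grant` rather than `invalid_request`; if the package has a corresponding error constructor, the `"invalid code"` and `"code_challenge invalid"` returns should use it. Note that VerifyCodeChallenge returning false for a nil challenge means a public client whose authorization request carried no challenge is rejected at token exchange, which is the intended fail-closed behaviour but is worth stating in a comment above the `oidc.VerifyCodeChallenge` call. The closing brace of AuthorizeCodeChallenge lies past the end of the hunk.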