From 0dc2a6e7a1bb31e1a470527a4ac95b5e98286f61 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Fri, 13 Oct 2023 15:17:03 +0300
Subject: [PATCH 1/3] fix(op): return state in token response only for implicit flow (#460)

* fix(op): return state in token response only for implicit flow

* oops
---
 pkg/op/token.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkg/op/token.go b/pkg/op/token.go
index bc45c29..63a01a6 100644
--- a/pkg/op/token.go
+++ b/pkg/op/token.go
@@ -51,7 +51,10 @@ func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Cli
 if err != nil {
 return nil, err
 }
- state = authRequest.GetState()
+ // only implicit flow requires state to be returned.
+ if code == "" {
+ state = authRequest.GetState()
+ }
 }
 
 exp := uint64(validity.Seconds())

From 434b2e62d8f2703a86b95a4dacc9647777aad491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Mon, 16 Oct 2023 12:02:56 +0300
Subject: [PATCH 2/3] chore(op): upgrade go-chi/chi to v5 (#462)

---
 example/client/api/api.go | 2 +-
 example/server/dynamic/login.go | 2 +-
 example/server/dynamic/op.go | 2 +-
 example/server/exampleop/device.go | 2 +-
 example/server/exampleop/login.go | 2 +-
 example/server/exampleop/op.go | 2 +-
 go.mod | 2 +-
 go.sum | 4 ++--
 pkg/op/op.go | 2 +-
 pkg/op/server_http.go | 2 +-
 pkg/op/server_legacy.go | 2 +-
 11 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/example/client/api/api.go b/example/client/api/api.go
index 2f81c07..2e61c21 100644
--- a/example/client/api/api.go
+++ b/example/client/api/api.go
@@ -10,7 +10,7 @@ import (
 "strings"
 "time"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 "github.com/sirupsen/logrus"
 "github.com/zitadel/oidc/v3/pkg/client/rs"
diff --git a/example/server/dynamic/login.go b/example/server/dynamic/login.go
index d90fb8e..685b444 100644
--- a/example/server/dynamic/login.go
+++ b/example/server/dynamic/login.go
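Review bot: The new guard in the pkg/op/token.go hunk treats an empty `code` as the definition of "implicit flow", so whether `state` is echoed into the token response depends on a caller convention rather than on the request itself; any caller that hands CreateTokenResponse an AuthRequest together with an empty code would still get `state` back. If the AuthRequest interface exposes the response type (authorization requests in this package appear to carry one), deciding on that instead, e.g. `if authRequest.GetResponseType() != oidc.ResponseTypeCode {`, would make the intent explicit and keep the comment accurate; otherwise the comment should name the convention it relies on, `// state is only returned on the implicit-flow response; an empty code marks that caller.`. The enclosing CreateTokenResponse starts and ends outside the hunk, so I cannot see which callers pass an empty code.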
@@ -6,7 +6,7 @@ import (
 "html/template"
 "net/http"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 "github.com/zitadel/oidc/v3/pkg/op"
 )
diff --git a/example/server/dynamic/op.go b/example/server/dynamic/op.go
index 1662729..432a575 100644
--- a/example/server/dynamic/op.go
+++ b/example/server/dynamic/op.go
@@ -7,7 +7,7 @@ import (
 "log"
 "net/http"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 "golang.org/x/text/language"
 "github.com/zitadel/oidc/v3/example/server/storage"
diff --git a/example/server/exampleop/device.go b/example/server/exampleop/device.go
index 7478750..2f9be52 100644
--- a/example/server/exampleop/device.go
+++ b/example/server/exampleop/device.go
@@ -8,7 +8,7 @@ import (
 "net/http"
 "net/url"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 "github.com/gorilla/securecookie"
 "github.com/sirupsen/logrus"
 "github.com/zitadel/oidc/v3/pkg/op"
diff --git a/example/server/exampleop/login.go b/example/server/exampleop/login.go
index 053525d..4d2b478 100644
--- a/example/server/exampleop/login.go
+++ b/example/server/exampleop/login.go
@@ -5,7 +5,7 @@ import (
 "fmt"
 "net/http"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 "github.com/zitadel/oidc/v3/pkg/op"
 )
diff --git a/example/server/exampleop/op.go b/example/server/exampleop/op.go
index 830f7f6..74018da 100644
--- a/example/server/exampleop/op.go
+++ b/example/server/exampleop/op.go
@@ -7,7 +7,7 @@ import (
 "sync/atomic"
 "time"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 "github.com/zitadel/logging"
 "golang.org/x/exp/slog"
 "golang.org/x/text/language"
diff --git a/go.mod b/go.mod
index fee739b..d3245eb 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/zitadel/oidc/v3
 go 1.19
 
 require (
- github.com/go-chi/chi v1.5.4
+ github.com/go-chi/chi/v5 v5.0.10
 github.com/go-jose/go-jose/v3 v3.0.0
 github.com/golang/mock v1.6.0
 github.com/google/go-github/v31 v31.0.0
diff --git a/go.sum b/go.sum
index e1acdae..c57f8da 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
-github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
+github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
+github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
diff --git a/pkg/op/op.go b/pkg/op/op.go
index 5abe08f..2bd130b 100644
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@@ -6,7 +6,7 @@ import (
 "net/http"
 "time"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 jose "github.com/go-jose/go-jose/v3"
 "github.com/rs/cors"
 "github.com/zitadel/schema"
diff --git a/pkg/op/server_http.go b/pkg/op/server_http.go
index 3fb481d..96ee7a5 100644
--- a/pkg/op/server_http.go
+++ b/pkg/op/server_http.go
@@ -5,7 +5,7 @@ import (
 "net/http"
 "net/url"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 "github.com/rs/cors"
 "github.com/zitadel/logging"
 httphelper "github.com/zitadel/oidc/v3/pkg/http"
diff --git a/pkg/op/server_legacy.go b/pkg/op/server_legacy.go
index 0a7de85..5907e28 100644
--- a/pkg/op/server_legacy.go
+++ b/pkg/op/server_legacy.go
@@ -6,7 +6,7 @@ import (
 "net/http"
 "time"
 
- "github.com/go-chi/chi"
+ "github.com/go-chi/chi/v5"
 "github.com/zitadel/oidc/v3/pkg/oidc"
 )

From 9c0696306f3b870832695ee048be00ab89543957 Mon Sep 17 00:00:00 2001
From: mffap
Date: Mon, 23 Oct 2023 16:16:48 +0200
Subject: [PATCH 3/3] docs: update security policy (#464)

---
 SECURITY.md | 34 ++--------------------------------
 1 file changed, 2 insertions(+), 32 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index d682630..ec216f2 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,6 +1,6 @@
 # Security Policy
 
-At ZITADEL we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
+Please refer to the security policy [on zitadel/zitadel](https://github.com/zitadel/zitadel/blob/main/SECURITY.md) which is applicable for all open source repositories of our organization.
 
 ## Supported Versions
 
@@ -18,34 +18,4 @@ We currently support the following version of the OIDC framework:
 [2]: https://github.com/zitadel/oidc/discussions/378
 [3]: https://github.com/zitadel/oidc/tree/main
 [4]: https://github.com/zitadel/oidc/tree/next
-[5]: https://github.com/zitadel/oidc/milestone/2
-
- ## Reporting a vulnerability
-
- To file a incident, please disclose by email to security@zitadel.com with the security details.
-
- At the moment GPG encryption is no yet supported, however you may sign your message at will.
-
- ### When should I report a vulnerability
-
- * You think you discovered a ...
- * ... potential security vulnerability in the SDK
- * ... vulnerability in another project that this SDK bases on
- * For projects with their own vulnerability reporting and disclosure process, please report it directly there
-
- ### When should I NOT report a vulnerability
-
- * You need help applying security related updates
- * Your issue is not security related
-
- ## Security Vulnerability Response
-
- TBD
-
- ## Public Disclosure
-
- All accepted and mitigated vulnerabilities will be published on the [Github Security Page](https://github.com/zitadel/oidc/security/advisories)
-
- ### Timing
-
- We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.
+[5]: https://github.com/zitadel/oidc/milestone/2
\ No newline at end of file