cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: allow expired ID token hint to end sessions

Browse source 
This change adds a specific error for expired ID Token hints, including too old "issued at" and "max auth age".
The error is returned VerifyIDTokenHint so that the end session handler can choose to ignore this error.

This fixes the behavior to be in line with [OpenID Connect RP-Initiated Logout 1.0, section 4](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling).
This commit is contained in:
Tim Möhlmann 2024-01-19 11:57:11 +02:00
parent 3f26eb10ad
commit f8b00daa1a
4 changed files with 66 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

2
pkg/oidc/verifier.go
View file

@ -57,7 +57,7 @@ var (
ErrNonceInvalid = errors.New("nonce does not match")
ErrAcrInvalid = errors.New("acr is invalid")
ErrAuthTimeNotPresent = errors.New("claim `auth_time` of token is missing")
ErrAuthTimeToOld = errors.New("auth time of token is to old")
ErrAuthTimeToOld = errors.New("auth time of token is too old")
ErrAtHash = errors.New("at_hash does not correspond to access token")
)