Present nonce in id token

2024-07-28 22:30:51 +08:00
parent 6ef46d984d
commit 7c09138ef7
9 changed files with 51 additions and 32 deletions


@ -39,6 +39,7 @@ type AuthTicket struct {
ExpiredAt *time.Time `json:"expired_at"`
AvailableAt *time.Time `json:"available_at"`
LastGrantAt *time.Time `json:"last_grant_at"`
Nonce *string `json:"nonce"`
ClientID *uint `json:"client_id"`
AccountID uint `json:"account_id"`
}
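Review bot: The new Nonce field on AuthTicket carries no comment, so a reader cannot tell it is the OIDC nonce supplied on the authorization request and later copied into the id token by EncodeJwt rather than some internal value; add `// OIDC nonce from the authorization request; echoed as the "nonce" claim of the id token.` above the field. Its tag is `json:"nonce"` without omitempty, so a ticket with no nonce renders `"nonce": null` wherever the ticket is serialized, whereas the matching PayloadClaims.Nonce uses `omitempty`; consider `json:"nonce,omitempty"` unless consumers rely on the explicit null. The AuthTicket struct begins outside the hunk.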


@ -1,10 +1,11 @@
package api
import (
"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
"strings"
"time"
"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
@ -62,6 +63,7 @@ func authorizeThirdClient(c *fiber.Ctx) error {
id := c.Query("client_id")
response := c.Query("response_type")
redirect := c.Query("redirect_uri")
nonce := c.Query("nonce")
scope := c.Query("scope")
if len(scope) <= 0 {
return fiber.NewError(fiber.StatusBadRequest, "invalid request params")
@ -87,6 +89,7 @@ func authorizeThirdClient(c *fiber.Ctx) error {
[]string{"passport", client.Alias},
c.IP(),
c.Get(fiber.HeaderUserAgent),
&nonce,
)
if err != nil {
@ -107,6 +110,7 @@ func authorizeThirdClient(c *fiber.Ctx) error {
[]string{"passport", client.Alias},
c.IP(),
c.Get(fiber.HeaderUserAgent),
&nonce,
)
if err != nil {
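Review bot: The value read at `nonce := c.Query("nonce")` is passed unchanged into NewOauthTicket, persisted on the ticket, and later reproduced in every id token minted from it, with no bound on its length or character set, while the neighbouring `scope` parameter at least gets an emptiness check. An arbitrarily long nonce is therefore stored per authorization request and inflates the resulting id tokens; a cap such as `if len(nonce) > 255 { return fiber.NewError(fiber.StatusBadRequest, "invalid request params") }` (the limit here is an example value) next to the scope check keeps it bounded. The same `&nonce` argument appears in both later hunks of this file, so the check belongs once, before the first of them. authorizeThirdClient starts and ends outside these hunks.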


@ -22,6 +22,7 @@ type PayloadClaims struct {
// Additonal Stuff
AuthorizedParties string `json:"azp,omitempty"`
Nonce string `json:"nonce,omitempty"`
Type string `json:"typ"`
}
@ -30,7 +31,7 @@ const (
JwtRefreshType = "refresh"
)
func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time, idTokenUser ...models.Account) (string, error) {
func EncodeJwt(id string, typ, sub, sed string, nonce *string, aud []string, exp time.Time, idTokenUser ...models.Account) (string, error) {
var azp string
for _, item := range aud {
if item != InternalTokenAudience {
@ -61,6 +62,10 @@ func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time, idT
claims.Email = user.GetPrimaryEmail().Content
}
if nonce != nil {
claims.Nonce = *nonce
}
tk := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
return tk.SignedString([]byte(viper.GetString("secret")))
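Review bot: The block `if nonce != nil { claims.Nonce = *nonce }` runs for every token type EncodeJwt signs, not only id tokens; the GetToken callers in this commit pass nil for access and refresh tokens, but nothing in the function enforces that, so a future caller could carry a request nonce into an access token. Either move the assignment inside the idTokenUser branch that ends just above it, or state the expectation in a doc comment on the signature: `// EncodeJwt signs a JWT of the given type for subject sub; nonce, when non-nil, is emitted as the "nonce" claim and is meant for id tokens only.` EncodeJwt is exported and currently has no doc comment. Its body continues outside the hunk.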


@ -62,8 +62,12 @@ func NewOauthTicket(
user models.Account,
client models.ThirdClient,
claims, audiences []string,
ip, ua string,
ip, ua string, nonce *string,
) (models.AuthTicket, error) {
if nonce != nil && len(*nonce) == 0 {
nonce = nil
}
ticket := models.AuthTicket{
Claims: claims,
Audiences: audiences,
@ -74,6 +78,7 @@ func NewOauthTicket(
RefreshToken: lo.ToPtr(uuid.NewString()),
AvailableAt: lo.ToPtr(time.Now()),
ExpiredAt: lo.ToPtr(time.Now().Add(7 * 24 * time.Hour)),
Nonce: nonce,
ClientID: &client.ID,
AccountID: user.ID,
}
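Review bot: The normalization `if nonce != nil && len(*nonce) == 0 { nonce = nil }` is unexplained, and its effect only becomes clear from EncodeJwt, which emits the claim solely for a non-nil pointer; add `// An empty nonce is treated as absent so no "nonce" claim is emitted in the id token.` above it. Given that an empty string already collapses to nil here, taking a plain `nonce string` instead of `*string` would express the same contract without a pointer to dereference; this is a style preference, not a defect. NewOauthTicket's signature begins and its body ends outside the hunk.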


@ -25,11 +25,11 @@ func GetToken(ticket models.AuthTicket) (atk, rtk string, err error) {
sub := strconv.Itoa(int(ticket.AccountID))
sed := strconv.Itoa(int(ticket.ID))
atk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Audiences, time.Now().Add(atkDeadline))
atk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, nil, ticket.Audiences, time.Now().Add(atkDeadline))
if err != nil {
return
}
rtk, err = EncodeJwt(*ticket.RefreshToken, JwtRefreshType, sub, sed, ticket.Audiences, time.Now().Add(rtkDeadline))
rtk, err = EncodeJwt(*ticket.RefreshToken, JwtRefreshType, sub, sed, nil, ticket.Audiences, time.Now().Add(rtkDeadline))
if err != nil {
return
}
@ -89,7 +89,7 @@ func ExchangeOauthToken(clientId, clientSecret, redirectUri, token string) (idk,
sub := strconv.Itoa(int(ticket.AccountID))
sed := strconv.Itoa(int(ticket.ID))
idk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Audiences, time.Now().Add(24*time.Minute), user)
idk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Nonce, ticket.Audiences, time.Now().Add(24*time.Minute), user)
return
}
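Review bot: ExchangeOauthToken now reads `ticket.Nonce` on every exchange of the ticket, so if the same ticket can be exchanged more than once (whether the grant is single-use is not visible in this hunk) each exchange yields a fresh id token carrying the identical nonce, which undermines the replay binding the nonce exists to provide. If the ticket is not already invalidated on first exchange, clearing or consuming the nonce at that point is the cheap mitigation; if it is, a one-line comment such as `// ticket is single-use, so the nonce is presented exactly once` would spare the next reader the same question. ExchangeOauthToken begins outside the hunk; the two GetToken calls pass nil for the nonce, which is consistent with the intent that only id tokens carry it.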