✨ Present nonce in id token
@ -39,6 +39,7 @@ type AuthTicket struct {
|
||||
ExpiredAt *time.Time `json:"expired_at"`
|
||||
AvailableAt *time.Time `json:"available_at"`
|
||||
LastGrantAt *time.Time `json:"last_grant_at"`
|
||||
Nonce *string `json:"nonce"`
|
||||
ClientID *uint `json:"client_id"`
|
||||
AccountID uint `json:"account_id"`
|
||||
}
|
||||
|
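Review bot: The new `Nonce *string` field on AuthTicket carries no comment, and nothing in the struct says whether the value is client-supplied or generated by Passport, which matters because it is echoed verbatim into a signed token. Judging from the authorize handler in this commit it is the OIDC nonce from the authorization request, so I would document it as `// Nonce is the client-supplied OIDC nonce from the authorization request; it is echoed into the ID token so the client can bind that token to its session. Nil when the client sent none.` The start of the AuthTicket struct is outside the hunk.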
@ -1,10 +1,11 @@
|
||||
package api
|
||||
|
||||
import (
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
|
||||
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
|
||||
@ -62,6 +63,7 @@ func authorizeThirdClient(c *fiber.Ctx) error {
|
||||
id := c.Query("client_id")
|
||||
response := c.Query("response_type")
|
||||
redirect := c.Query("redirect_uri")
|
||||
nonce := c.Query("nonce")
|
||||
scope := c.Query("scope")
|
||||
if len(scope) <= 0 {
|
||||
return fiber.NewError(fiber.StatusBadRequest, "invalid request params")
|
||||
@ -87,6 +89,7 @@ func authorizeThirdClient(c *fiber.Ctx) error {
|
||||
[]string{"passport", client.Alias},
|
||||
c.IP(),
|
||||
c.Get(fiber.HeaderUserAgent),
|
||||
&nonce,
|
||||
)
|
||||
|
||||
if err != nil {
|
||||
@ -107,6 +110,7 @@ func authorizeThirdClient(c *fiber.Ctx) error {
|
||||
[]string{"passport", client.Alias},
|
||||
c.IP(),
|
||||
c.Get(fiber.HeaderUserAgent),
|
||||
&nonce,
|
||||
)
|
||||
|
||||
if err != nil {
|
||||
|
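Review bot: `nonce := c.Query("nonce")` takes the value unbounded from the query string and, via the two `&nonce` arguments below, it is persisted on the ticket and later signed into every ID token; the only normalisation I can see in this commit is the empty-string-to-nil check inside NewOauthTicket. Since a client controls this value and it ends up both in the database and inside a JWT, I would cap it next to the existing scope check, e.g. `if len(nonce) > 255 { return fiber.NewError(fiber.StatusBadRequest, "invalid request params") }`, and state the limit in a comment. Separately, the import hunk shows the `exts` import in two groups (lines 39 and 50); the page loses the +/- markers, so presumably one is the removed old line, but if both survived the file would not compile. authorizeThirdClient begins and ends outside the hunks shown.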
@ -22,6 +22,7 @@ type PayloadClaims struct {
|
||||
|
||||
// Additonal Stuff
|
||||
AuthorizedParties string `json:"azp,omitempty"`
|
||||
Nonce string `json:"nonce,omitempty"`
|
||||
Type string `json:"typ"`
|
||||
}
|
||||
|
||||
@ -30,7 +31,7 @@ const (
|
||||
JwtRefreshType = "refresh"
|
||||
)
|
||||
|
||||
func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time, idTokenUser ...models.Account) (string, error) {
|
||||
func EncodeJwt(id string, typ, sub, sed string, nonce *string, aud []string, exp time.Time, idTokenUser ...models.Account) (string, error) {
|
||||
var azp string
|
||||
for _, item := range aud {
|
||||
if item != InternalTokenAudience {
|
||||
@ -61,6 +62,10 @@ func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time, idT
|
||||
claims.Email = user.GetPrimaryEmail().Content
|
||||
}
|
||||
|
||||
if nonce != nil {
|
||||
claims.Nonce = *nonce
|
||||
}
|
||||
|
||||
tk := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
|
||||
|
||||
return tk.SignedString([]byte(viper.GetString("secret")))
|
||||
|
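Review bot: The new `nonce *string` parameter on EncodeJwt is undocumented, and the signature gives no hint that the claim is only meaningful on the ID token; the callers in this commit get that right by passing nil for access and refresh tokens, but nothing in the function enforces or records it. I would add a doc comment on EncodeJwt along the lines of `// nonce, when non-nil, is written to the "nonce" claim; it should be set only for the ID token returned to an OIDC client, never for access or refresh tokens.` One caveat worth recording near the signing line: the token is HMAC-signed with the shared `secret`, so a third-party client can only check the nonce it receives if it holds that same secret, which would also let it mint tokens; this predates the commit, but the nonce claim is only useful to a client that can verify the signature.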
@ -62,8 +62,12 @@ func NewOauthTicket(
|
||||
user models.Account,
|
||||
client models.ThirdClient,
|
||||
claims, audiences []string,
|
||||
ip, ua string,
|
||||
ip, ua string, nonce *string,
|
||||
) (models.AuthTicket, error) {
|
||||
if nonce != nil && len(*nonce) == 0 {
|
||||
nonce = nil
|
||||
}
|
||||
|
||||
ticket := models.AuthTicket{
|
||||
Claims: claims,
|
||||
Audiences: audiences,
|
||||
@ -74,6 +78,7 @@ func NewOauthTicket(
|
||||
RefreshToken: lo.ToPtr(uuid.NewString()),
|
||||
AvailableAt: lo.ToPtr(time.Now()),
|
||||
ExpiredAt: lo.ToPtr(time.Now().Add(7 * 24 * time.Hour)),
|
||||
Nonce: nonce,
|
||||
ClientID: &client.ID,
|
||||
AccountID: user.ID,
|
||||
}
|
||||
|
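Review bot: The `nonce *string` parameter and the empty-to-nil normalisation at the top of NewOauthTicket have no comment explaining why an empty string is dropped, which is what keeps `omitempty` from ever emitting an empty `nonce` claim; I would add `// Treat an empty nonce as absent so the ID token omits the claim rather than carrying "".` above the check. As a point of style, both call sites in this commit pass `&nonce` from a local string only for this function to undo it, so taking a plain `nonce string` and building the pointer here (`if nonce != "" { ticket.Nonce = &nonce }`) would remove the pointer juggling at the call sites. The function signature begins outside the hunk.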
@ -25,11 +25,11 @@ func GetToken(ticket models.AuthTicket) (atk, rtk string, err error) {
|
||||
|
||||
sub := strconv.Itoa(int(ticket.AccountID))
|
||||
sed := strconv.Itoa(int(ticket.ID))
|
||||
atk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Audiences, time.Now().Add(atkDeadline))
|
||||
atk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, nil, ticket.Audiences, time.Now().Add(atkDeadline))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
rtk, err = EncodeJwt(*ticket.RefreshToken, JwtRefreshType, sub, sed, ticket.Audiences, time.Now().Add(rtkDeadline))
|
||||
rtk, err = EncodeJwt(*ticket.RefreshToken, JwtRefreshType, sub, sed, nil, ticket.Audiences, time.Now().Add(rtkDeadline))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@ -89,7 +89,7 @@ func ExchangeOauthToken(clientId, clientSecret, redirectUri, token string) (idk,
|
||||
|
||||
sub := strconv.Itoa(int(ticket.AccountID))
|
||||
sed := strconv.Itoa(int(ticket.ID))
|
||||
idk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Audiences, time.Now().Add(24*time.Minute), user)
|
||||
idk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Nonce, ticket.Audiences, time.Now().Add(24*time.Minute), user)
|
||||
|
||||
return
|
||||
}
|
||||
|
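Review bot: The ID token minted on line 335 still uses `JwtAccessType` and the same `jti` (`*ticket.AccessToken`) as the access token produced by GetToken, so the nonce-bearing ID token is indistinguishable by `typ` or `jti` from an access token, and any consumer that accepts one will accept the other. Now that the commit adds an ID-token-only claim, this is a good moment to give it its own type, e.g. `JwtIdType = "id"` next to `JwtRefreshType` and `EncodeJwt(*ticket.AccessToken, JwtIdType, sub, sed, ticket.Nonce, ...)`, so resource servers can reject ID tokens presented as bearer tokens. The value of JwtAccessType is not visible here, so this is inferred from its use in both places. The `24*time.Minute` lifetime predates this commit and may be intentional, but it reads like it could have meant hours; worth confirming.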