✨ Present nonce in id token
@ -22,6 +22,7 @@ type PayloadClaims struct {
|
||||
|
||||
// Additonal Stuff
|
||||
AuthorizedParties string `json:"azp,omitempty"`
|
||||
Nonce string `json:"nonce,omitempty"`
|
||||
Type string `json:"typ"`
|
||||
}
|
||||
|
||||
@ -30,7 +31,7 @@ const (
|
||||
JwtRefreshType = "refresh"
|
||||
)
|
||||
|
||||
func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time, idTokenUser ...models.Account) (string, error) {
|
||||
func EncodeJwt(id string, typ, sub, sed string, nonce *string, aud []string, exp time.Time, idTokenUser ...models.Account) (string, error) {
|
||||
var azp string
|
||||
for _, item := range aud {
|
||||
if item != InternalTokenAudience {
|
||||
@ -61,6 +62,10 @@ func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time, idT
|
||||
claims.Email = user.GetPrimaryEmail().Content
|
||||
}
|
||||
|
||||
if nonce != nil {
|
||||
claims.Nonce = *nonce
|
||||
}
|
||||
|
||||
tk := jwt.NewWithClaims(jwt.SigningMethodHS512, claims)
|
||||
|
||||
return tk.SignedString([]byte(viper.GetString("secret")))
|
||||
|
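Review bot: The hunk at -61 copies the nonce into the claims for every token EncodeJwt produces, regardless of `typ` or whether an ID-token user was supplied, so a future caller that passes a non-nil nonce for an access or refresh token would echo the client's nonce into that token too; the commit's own callers avoid this only by passing nil. Since the assignment sits right after the block that fills `claims.Email` from the ID-token user (that block's opening line is above the hunk, so this is inferred), consider moving the nonce assignment inside it, or at least documenting the contract on the new parameter with `// nonce is the OIDC authorization-request nonce; it is echoed only into ID tokens, callers minting access/refresh tokens pass nil.` The new `Nonce` field in PayloadClaims is also undocumented; `// Nonce echoes the client's authorization-request nonce so the relying party can bind the ID token to the session that requested it (OpenID Connect Core).` would make its purpose clear. EncodeJwt's signature is in the -30 hunk but its body starts before the -61 hunk and continues past it.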
@ -62,8 +62,12 @@ func NewOauthTicket(
|
||||
user models.Account,
|
||||
client models.ThirdClient,
|
||||
claims, audiences []string,
|
||||
ip, ua string,
|
||||
ip, ua string, nonce *string,
|
||||
) (models.AuthTicket, error) {
|
||||
if nonce != nil && len(*nonce) == 0 {
|
||||
nonce = nil
|
||||
}
|
||||
|
||||
ticket := models.AuthTicket{
|
||||
Claims: claims,
|
||||
Audiences: audiences,
|
||||
@ -74,6 +78,7 @@ func NewOauthTicket(
|
||||
RefreshToken: lo.ToPtr(uuid.NewString()),
|
||||
AvailableAt: lo.ToPtr(time.Now()),
|
||||
ExpiredAt: lo.ToPtr(time.Now().Add(7 * 24 * time.Hour)),
|
||||
Nonce: nonce,
|
||||
ClientID: &client.ID,
|
||||
AccountID: user.ID,
|
||||
}
|
||||
|
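Review bot: The new nonce argument is client-supplied data that is persisted on the ticket and later reflected verbatim into a signed ID token, and the hunk at -62 only normalizes the empty string to nil; nothing visible bounds its length, so an oversized nonce is stored and embedded in every ID token minted from the ticket (validation may exist at the HTTP layer outside this diff, in which case a comment pointing there would suffice). A small guard next to the existing check would close that, e.g. `if nonce != nil && len(*nonce) > maxNonceLen { return models.AuthTicket{}, fmt.Errorf("nonce exceeds %d bytes", maxNonceLen) }` with `maxNonceLen` a new package constant chosen to fit the expected client behaviour. NewOauthTicket's signature opens before the -62 hunk and its body continues past the -74 hunk.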
@ -25,11 +25,11 @@ func GetToken(ticket models.AuthTicket) (atk, rtk string, err error) {
|
||||
|
||||
sub := strconv.Itoa(int(ticket.AccountID))
|
||||
sed := strconv.Itoa(int(ticket.ID))
|
||||
atk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Audiences, time.Now().Add(atkDeadline))
|
||||
atk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, nil, ticket.Audiences, time.Now().Add(atkDeadline))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
rtk, err = EncodeJwt(*ticket.RefreshToken, JwtRefreshType, sub, sed, ticket.Audiences, time.Now().Add(rtkDeadline))
|
||||
rtk, err = EncodeJwt(*ticket.RefreshToken, JwtRefreshType, sub, sed, nil, ticket.Audiences, time.Now().Add(rtkDeadline))
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
@ -89,7 +89,7 @@ func ExchangeOauthToken(clientId, clientSecret, redirectUri, token string) (idk,
|
||||
|
||||
sub := strconv.Itoa(int(ticket.AccountID))
|
||||
sed := strconv.Itoa(int(ticket.ID))
|
||||
idk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Audiences, time.Now().Add(24*time.Minute), user)
|
||||
idk, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Nonce, ticket.Audiences, time.Now().Add(24*time.Minute), user)
|
||||
|
||||
return
|
||||
}
|
||||
|
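Review bot: The bare `nil` inserted into both EncodeJwt calls in the -25 hunk is a positional argument in the middle of eight parameters and gives a reader no hint of what is being omitted or why. A short comment above the first call such as `// Access and refresh tokens never carry the OIDC nonce; only the ID token minted in ExchangeOauthToken echoes ticket.Nonce.` would document the intent once for both calls and tie it to the -89 hunk, where `ticket.Nonce` is passed through as the stored pointer. GetToken's and ExchangeOauthToken's bodies both begin before their hunks.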