callback_handler.go: assert nonce is stored correctly

I think we want to do this here since we are storing all of the
other ID token claims?

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
Andrew Keesler
2020-11-20 08:38:23 -05:00
parent b25696a1fb
commit f8d76066c5
2 changed files with 17 additions and 6 deletions


@@ -97,7 +97,13 @@ func NewHandler(
return err
}
openIDSession := makeDownstreamSession(downstreamIssuer, downstreamAuthParams.Get("client_id"), username, groups)
openIDSession := makeDownstreamSession(
downstreamIssuer,
downstreamAuthParams.Get("client_id"),
downstreamAuthParams.Get("nonce"),
username,
groups,
)
authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
if err != nil {
plog.WarningErr("error while generating and saving authcode", err, "upstreamName", upstreamIDPConfig.GetName())
@@ -291,7 +297,7 @@ func getGroupsFromUpstreamIDToken(
return groups, nil
}
func makeDownstreamSession(issuer, clientID, username string, groups []string) *openid.DefaultSession {
func makeDownstreamSession(issuer, clientID, nonce, username string, groups []string) *openid.DefaultSession {
now := time.Now()
openIDSession := &openid.DefaultSession{
Claims: &jwt.IDTokenClaims{
@@ -302,6 +308,7 @@ func makeDownstreamSession(issuer, clientID, username string, groups []string) *
IssuedAt: now,
RequestedAt: now,
AuthTime: now,
Nonce: nonce,
},
}
if groups != nil {
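Review bot: makeDownstreamSession now takes four consecutive string parameters (issuer, clientID, nonce, username), so a transposed argument at the call site in the first hunk would still compile and silently put the wrong value into the ID token's nonce claim, which is the value the downstream client uses to bind the token to its own session; the function also has no doc comment stating that contract. I would add above the signature: `// makeDownstreamSession builds the session for the downstream ID token. nonce must be the exact value from the downstream authorization request (empty if the client sent none) and is echoed back as the nonce claim, so callers must not normalize or reorder it.` Note that `downstreamAuthParams.Get("nonce")` yields "" when the parameter is absent; whether fosite then omits the claim or emits an empty one is not visible here and is worth confirming with the test this commit adds in the other file. NewHandler starts before the first hunk and the body of makeDownstreamSession continues past the last one.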