From 77fcf9ad77e02859f57b979556a9766dcc63bc61 Mon Sep 17 00:00:00 2001 From: Joel Speed Date: Wed, 25 Sep 2019 21:20:19 +0100 Subject: [PATCH] Use a struct for connector data within OIDC connector --- connector/oidc/oidc.go | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go index df849093..749b56ed 100644 --- a/connector/oidc/oidc.go +++ b/connector/oidc/oidc.go @@ -3,6 +3,7 @@ package oidc import ( "context" + "encoding/json" "errors" "fmt" "net/http" @@ -61,6 +62,11 @@ var brokenAuthHeaderDomains = []string{ "oktapreview.com", } +// connectorData stores information for sessions authenticated by this connector +type connectorData struct { + refreshToken []byte +} + // Detect auth header provider issues for known providers. This lets users // avoid having to explicitly set "basicAuthUnsupported" in their config. // @@ -210,8 +216,14 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide // Refresh is used to refresh a session with the refresh token provided by the IdP func (c *oidcConnector) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) { + cd := connectorData{} + err := json.Unmarshal(identity.ConnectorData, &cd) + if err != nil { + return identity, fmt.Errorf("oidc: failed to unmarshal connector data: %v", err) + } + t := &oauth2.Token{ - RefreshToken: string(identity.ConnectorData), + RefreshToken: string(cd.refreshToken), Expiry: time.Now().Add(-time.Hour), } token, err := c.oauth2Config.TokenSource(ctx, t).Token() @@ -284,12 +296,21 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I } } + cd := connectorData{ + refreshToken: []byte(token.RefreshToken), + } + + connData, err := json.Marshal(&cd) + if err != nil { + return identity, fmt.Errorf("oidc: failed to encode connector data: %v", err) + } + identity = connector.Identity{ UserID: idToken.Subject, Username: name, Email: email, EmailVerified: emailVerified, - ConnectorData: []byte(token.RefreshToken), + ConnectorData: connData, } if c.userIDKey != "" {