Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow

* fixed name collision (renamed hash->hashFunc)

Signed-off-by: Bernd Eckstein <Bernd.Eckstein@faro.com>
This commit is contained in:
Bernd Eckstein 2020-07-28 14:01:40 +02:00
parent 19cd9cc65c
commit f6cd778b60
2 changed files with 19 additions and 9 deletions

View File

@ -661,7 +661,7 @@ func (s *Server) sendCodeResponse(w http.ResponseWriter, r *http.Request, authRe
return return
} }
idToken, idTokenExpiry, err = s.newIDToken(authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, accessToken, authReq.ConnectorID) idToken, idTokenExpiry, err = s.newIDToken(authReq.ClientID, authReq.Claims, authReq.Scopes, authReq.Nonce, accessToken, code.ID, authReq.ConnectorID)
if err != nil { if err != nil {
s.logger.Errorf("failed to create ID token: %v", err) s.logger.Errorf("failed to create ID token: %v", err)
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError) s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
@ -791,7 +791,7 @@ func (s *Server) handleAuthCode(w http.ResponseWriter, r *http.Request, client s
return return
} }
idToken, expiry, err := s.newIDToken(client.ID, authCode.Claims, authCode.Scopes, authCode.Nonce, accessToken, authCode.ConnectorID) idToken, expiry, err := s.newIDToken(client.ID, authCode.Claims, authCode.Scopes, authCode.Nonce, accessToken, authCode.ID, authCode.ConnectorID)
if err != nil { if err != nil {
s.logger.Errorf("failed to create ID token: %v", err) s.logger.Errorf("failed to create ID token: %v", err)
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError) s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
@ -1060,7 +1060,7 @@ func (s *Server) handleRefreshToken(w http.ResponseWriter, r *http.Request, clie
return return
} }
idToken, expiry, err := s.newIDToken(client.ID, claims, scopes, refresh.Nonce, accessToken, refresh.ConnectorID) idToken, expiry, err := s.newIDToken(client.ID, claims, scopes, refresh.Nonce, accessToken, "", refresh.ConnectorID)
if err != nil { if err != nil {
s.logger.Errorf("failed to create ID token: %v", err) s.logger.Errorf("failed to create ID token: %v", err)
s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError) s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
@ -1243,7 +1243,7 @@ func (s *Server) handlePasswordGrant(w http.ResponseWriter, r *http.Request, cli
} }
accessToken := storage.NewID() accessToken := storage.NewID()
idToken, expiry, err := s.newIDToken(client.ID, claims, scopes, nonce, accessToken, connID) idToken, expiry, err := s.newIDToken(client.ID, claims, scopes, nonce, accessToken, "", connID)
if err != nil { if err != nil {
s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError) s.tokenErrHelper(w, errServerError, fmt.Sprintf("failed to create ID token: %v", err), http.StatusInternalServerError)
return return

View File

@ -217,11 +217,11 @@ func accessTokenHash(alg jose.SignatureAlgorithm, accessToken string) (string, e
return "", fmt.Errorf("unsupported signature algorithm: %s", alg) return "", fmt.Errorf("unsupported signature algorithm: %s", alg)
} }
hash := newHash() hashFunc := newHash()
if _, err := io.WriteString(hash, accessToken); err != nil { if _, err := io.WriteString(hashFunc, accessToken); err != nil {
return "", fmt.Errorf("computing hash: %v", err) return "", fmt.Errorf("computing hash: %v", err)
} }
sum := hash.Sum(nil) sum := hashFunc.Sum(nil)
return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
} }
@ -253,6 +253,7 @@ type idTokenClaims struct {
Nonce string `json:"nonce,omitempty"` Nonce string `json:"nonce,omitempty"`
AccessTokenHash string `json:"at_hash,omitempty"` AccessTokenHash string `json:"at_hash,omitempty"`
CodeHash string `json:"c_hash,omitempty"`
Email string `json:"email,omitempty"` Email string `json:"email,omitempty"`
EmailVerified *bool `json:"email_verified,omitempty"` EmailVerified *bool `json:"email_verified,omitempty"`
@ -271,11 +272,11 @@ type federatedIDClaims struct {
} }
func (s *Server) newAccessToken(clientID string, claims storage.Claims, scopes []string, nonce, connID string) (accessToken string, err error) { func (s *Server) newAccessToken(clientID string, claims storage.Claims, scopes []string, nonce, connID string) (accessToken string, err error) {
idToken, _, err := s.newIDToken(clientID, claims, scopes, nonce, storage.NewID(), connID) idToken, _, err := s.newIDToken(clientID, claims, scopes, nonce, storage.NewID(), "", connID)
return idToken, err return idToken, err
} }
func (s *Server) newIDToken(clientID string, claims storage.Claims, scopes []string, nonce, accessToken, connID string) (idToken string, expiry time.Time, err error) { func (s *Server) newIDToken(clientID string, claims storage.Claims, scopes []string, nonce, accessToken, code, connID string) (idToken string, expiry time.Time, err error) {
keys, err := s.storage.GetKeys() keys, err := s.storage.GetKeys()
if err != nil { if err != nil {
s.logger.Errorf("Failed to get keys: %v", err) s.logger.Errorf("Failed to get keys: %v", err)
@ -322,6 +323,15 @@ func (s *Server) newIDToken(clientID string, claims storage.Claims, scopes []str
tok.AccessTokenHash = atHash tok.AccessTokenHash = atHash
} }
if code != "" {
cHash, err := accessTokenHash(signingAlg, code)
if err != nil {
s.logger.Errorf("error computing c_hash: %v", err)
return "", expiry, fmt.Errorf("error computing c_hash: #{err}")
}
tok.CodeHash = cHash
}
for _, scope := range scopes { for _, scope := range scopes {
switch { switch {
case scope == scopeEmail: case scope == scopeEmail: