feat: remove query parameters from OIDC issuerUrl so that it allows us to use it to carry the OAuth ClientId in the Challenge.target field without at the same time undermining the idToken verification which relies on a issuer (iss) claim without this query parameter

2026-01-27 10:18:34 +00:00 · 2023-12-15 15:17:17 +01:00
parent d6ceebba94
commit 39bf889925
1 changed files with 13 additions and 1 deletions
--- a/authority/provisioner/oidc_options.go
+++ b/authority/provisioner/oidc_options.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"net/url"
 	"text/template"
 	"time"

@@ -61,8 +62,19 @@ func (o *OIDCOptions) GetTarget(deviceID string) (string, error) {
 }

 func toProviderConfig(in ProviderJSON) *oidc.ProviderConfig {
+	issuerUrl, err := url.Parse(in.IssuerURL)
+	if err != nil {
+		panic(err) // config error, it's ok to panic here
+	}
+	// Removes query params from the URL because we use it as a way to notify client about the actual OAuth ClientId
+	// for this provisioner.
+	// This URL is going to look like: "https://idp:5556/dex?clientid=foo"
+	// If we don't trim the query params here i.e. 'clientid' then the idToken verification is going to fail because
+	// the 'iss' claim of the idToken will be "https://idp:5556/dex"
+	issuerUrl.RawQuery = ""
+	issuerUrl.Fragment = ""
 	return &oidc.ProviderConfig{
-		IssuerURL:   in.IssuerURL,
+		IssuerURL:   issuerUrl.String(),
 		AuthURL:     in.AuthURL,
 		TokenURL:    in.TokenURL,
 		UserInfoURL: in.UserInfoURL,