github-personal/certificates
1
0
Fork 0
mirror of https://github.com/outbackdingo/certificates.git synced 2026-01-27 10:18:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

Store transformed OIDC token

Browse Source
This commit is contained in:
Herman Slatman
2024-01-15 13:47:44 +01:00
parent 29202eff26
commit 768a08965d
1 changed files with 12 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
acme/challenge.go
View File

@@ -401,6 +401,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return WrapErrorISE(err, "error unmarshalling challenge data")
}
// TODO(hs): move this into validation?
expectedKeyAuth, err := KeyAuthorization(ch.Token, jwk)
if err != nil {
return err
@@ -410,7 +411,8 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
"keyAuthorization does not match; expected %q, but got %q", expectedKeyAuth, oidcPayload.KeyAuth))
}
if err := validateWireOIDCClaims(oidcOptions, idToken, wireID); err != nil {
transformedIDToken, err := validateWireOIDCClaims(oidcOptions, idToken, wireID)
if err != nil {
return storeError(ctx, db, ch, true, WrapError(ErrorRejectedIdentifierType, err, "claims in OIDC ID token don't match"))
}
@@ -423,15 +425,6 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return WrapErrorISE(err, "error updating challenge")
}
parsedIDToken, err := jose.ParseSigned(oidcPayload.IDToken)
if err != nil {
return WrapErrorISE(err, "invalid OIDC ID token")
}
oidcToken := make(map[string]interface{})
if err := parsedIDToken.UnsafeClaimsWithoutVerification(&oidcToken); err != nil {
return WrapErrorISE(err, "failed parsing OIDC id token")
}
orders, err := db.GetAllOrdersByAccountID(ctx, ch.AccountID)
if err != nil {
return WrapErrorISE(err, "could not find current order by account id")
@@ -441,40 +434,40 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
}
order := orders[len(orders)-1]
if err := db.CreateOidcToken(ctx, order, oidcToken); err != nil {
if err := db.CreateOidcToken(ctx, order, transformedIDToken); err != nil {
return WrapErrorISE(err, "failed storing OIDC id token")
}
return nil
}
func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.ID) error {
func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.ID) (map[string]any, error) {
var m map[string]any
if err := token.Claims(&m); err != nil {
return fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
return nil, fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
}
transformed, err := o.Transform(m)
if err != nil {
return fmt.Errorf("failed transforming OIDC ID token: %w", err)
return nil, fmt.Errorf("failed transforming OIDC ID token: %w", err)
}
name, ok := transformed["name"]
if !ok {
return fmt.Errorf("transformed OIDC ID token does not contain 'name'")
return nil, fmt.Errorf("transformed OIDC ID token does not contain 'name'")
}
if wireID.Name != name {
return fmt.Errorf("invalid 'name' %q after transformation", name)
return nil, fmt.Errorf("invalid 'name' %q after transformation", name)
}
handle, ok := transformed["handle"]
if !ok {
return fmt.Errorf("transformed OIDC ID token does not contain 'handle'")
return nil, fmt.Errorf("transformed OIDC ID token does not contain 'handle'")
}
if wireID.Handle != handle {
return fmt.Errorf("invalid 'handle' %q after transformation", handle)
return nil, fmt.Errorf("invalid 'handle' %q after transformation", handle)
}
return nil
return transformed, nil
}
type wireDpopPayload struct {