From 8faf26c593381eee660170b48b4121ab7bc03433 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 10 Jan 2024 18:32:18 +0100
Subject: [PATCH] Change `KeyAuth` back to old behavior (for now)
---
 acme/challenge.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/acme/challenge.go b/acme/challenge.go
index 52ec899d..cd25c600 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -357,6 +357,8 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
 type WireChallengePayload struct {
 // IDToken
 IDToken string `json:"id_token,omitempty"`
+ // KeyAuth ({challenge-token}.{jwk-thumbprint})
+ KeyAuth string `json:"keyauth,omitempty"`
 // AccessToken is the token generated by wire-server
 AccessToken string `json:"access_token,omitempty"`
 }
@@ -386,7 +388,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 Handle string `json:"name"`
 Issuer string `json:"iss,omitempty"`
 GivenName string `json:"given_name,omitempty"`
- KeyAuth string `json:"keyauth"`
+ KeyAuth string `json:"keyauth"` // TODO(hs): use this property instead of the one in the payload after https://github.com/wireapp/rusty-jwt-tools/tree/fix/keyauth is done
 }
 err = idToken.Claims(&claims)
 if err != nil {
@@ -403,9 +405,9 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 if err != nil {
 return err
 }
- if expectedKeyAuth != claims.KeyAuth {
+ if expectedKeyAuth != wireChallengePayload.KeyAuth {
 return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
- "keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, claims.KeyAuth))
+ "keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, wireChallengePayload.KeyAuth))
 }
 if challengeValues.Name != claims.Name || challengeValues.Handle != claims.Handle {
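Review bot: The comment on the new `KeyAuth` field in `WireChallengePayload` gives only the value's format and not its provenance, which is the part that matters for review: it is read from the client-supplied challenge payload rather than from the signed ID token, and the third hunk now compares it against `expectedKeyAuth` (presumably derived from the challenge token and the account key; that derivation is outside the hunk). Suggested replacement: `// KeyAuth is the key authorization ({challenge-token}.{jwk-thumbprint}) supplied by the client in the challenge payload; wireOIDC01Validate checks it against the expected key authorization and rejects the challenge on mismatch.` Saying explicitly that it is not taken from the signed token also makes the TODO on the claims struct in the second hunk easier to find later.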
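Review bot: The rejection error in the third hunk interpolates the client-supplied `wireChallengePayload.KeyAuth` with `%s`, so an empty or whitespace-padded value is invisible in the stored error; `%q` quotes and escapes it, assuming `NewError` formats with fmt verbs as the existing `%s` suggests: `"keyAuthorization does not match; expected %q, but got %q", expectedKeyAuth, wireChallengePayload.KeyAuth))`. Separately, `claims.KeyAuth` is still decoded from the ID token but no longer compared to anything, so an ID token whose `keyauth` claim disagrees with the payload value passes this check; the TODO in the second hunk says that is intended for now, and a one-line comment above the comparison pointing at it, e.g. `// Payload KeyAuth is checked here; claims.KeyAuth is ignored until the rusty-jwt-tools fix lands (see TODO on the claims struct).`, would keep the next reader from treating the unused claim as a bug. The enclosing wireOIDC01Validate body starts and ends outside the hunk.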