
fix: remove transient oidc session after use
aeneasr committed Apr 3, 2024
1 parent f411487 commit 90cc39b
Showing 2 changed files with 7 additions and 3 deletions.
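--- a/handler/openid/flow_explicit_token.go
+++ b/handler/openid/flow_explicit_token.go
@@ -22,13 +22,18 @@ func (c *OpenIDConnectExplicitHandler) PopulateTokenEndpointResponse(ctx context
 return errorsx.WithStack(fosite.ErrUnknownRequest)
 }
 
-authorize, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, requester.GetRequestForm().Get("code"), requester)
+code := requester.GetRequestForm().Get("code")
+authorize, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, code, requester)
 if errors.Is(err, ErrNoSessionFound) {
 return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(err).WithDebug(err.Error()))
 } else if err != nil {
 return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
 }
 
+if err := c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code); err != nil {
+return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
+}
+
 if !authorize.GetGrantedScopes().Has("openid") {
 return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("An OpenID Connect session was found but the openid scope is missing, probably due to a broken code configuration."))
 }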
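Review bot: The new DeleteOpenIDConnectSession call maps every error, including ErrNoSessionFound, to ErrServerError, whereas the GetOpenIDConnectSession call a few lines above maps ErrNoSessionFound to ErrUnknownRequest; if the session was already removed between the get and the delete (a concurrent token request presenting the same code, or a storage that deletes on read), the client gets a server error for what is a client-side replay. Suggest handling the delete symmetrically, e.g. `if err := c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code); errors.Is(err, ErrNoSessionFound) { return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(err).WithDebug(err.Error())) } else if err != nil { ... }`. Note also that get-then-delete is not atomic, so this change alone does not make the code single-use; presumably single-use enforcement lives in the authorize-code grant handler, which is worth confirming and stating in a comment above the delete. PopulateTokenEndpointResponse begins and ends outside the hunk.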
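--- a/handler/openid/storage.go
+++ b/handler/openid/storage.go
@@ -22,7 +22,6 @@ type OpenIDConnectRequestStorage interface {
 // - or an arbitrary error if an error occurred.
 GetOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)
 
-// Deprecated: DeleteOpenIDConnectSession is not called from anywhere.
-// Originally, it should remove an open id connect session from the store.
+// DeleteOpenIDConnectSession removes the OpenID Connect Session from the store.
 DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error
 }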
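Review bot: The new doc comment on DeleteOpenIDConnectSession un-deprecates the method but does not state the error contract that implementers now need, since the token endpoint calls it and treats any error as a server error. The comment should say whether deleting a code that has no session must return ErrNoSessionFound or succeed as a no-op, mirroring the bullet list GetOpenIDConnectSession has directly above it, e.g. `// It returns ErrNoSessionFound if no session exists for authorizeCode, or an arbitrary error if the deletion failed.`. The enclosing interface begins outside the hunk.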
