From 90cc39b5f6faadd29d8b44a802494e1ac4d2fefb Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Wed, 3 Apr 2024 11:47:13 +0200
Subject: [PATCH] fix: remove transient oidc session after use

---
 handler/openid/flow_explicit_token.go | 7 ++++++-
 handler/openid/storage.go | 3 +--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/handler/openid/flow_explicit_token.go b/handler/openid/flow_explicit_token.go
index 0b416d2c2..cc17cbb05 100644
--- a/handler/openid/flow_explicit_token.go
+++ b/handler/openid/flow_explicit_token.go
@@ -22,13 +22,18 @@ func (c *OpenIDConnectExplicitHandler) PopulateTokenEndpointResponse(ctx context
 return errorsx.WithStack(fosite.ErrUnknownRequest)
 }
 
- authorize, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, requester.GetRequestForm().Get("code"), requester)
+ code := requester.GetRequestForm().Get("code")
+ authorize, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, code, requester)
 if errors.Is(err, ErrNoSessionFound) {
 return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(err).WithDebug(err.Error()))
 } else if err != nil {
 return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
 }
 
+ if err := c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code); err != nil {
+ return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
+ }
+
 if !authorize.GetGrantedScopes().Has("openid") {
 return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("An OpenID Connect session was found but the openid scope is missing, probably due to a broken code configuration."))
 }
diff --git a/handler/openid/storage.go b/handler/openid/storage.go
index d29f73717..065284ce5 100644
--- a/handler/openid/storage.go
+++ b/handler/openid/storage.go
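Review bot: The added DeleteOpenIDConnectSession call turns every error into ErrServerError, but the get-then-delete sequence is not atomic, so two token requests presenting the same code at once can both pass GetOpenIDConnectSession and one of them may then find the session already removed; if a storage implementation reports that as ErrNoSessionFound, that caller gets a server error where the missing-session branch a few lines above returns ErrUnknownRequest. Consider mirroring the error handling used for the Get call: `if err := c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code); errors.Is(err, ErrNoSessionFound) {` / `return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(err).WithDebug(err.Error()))` / `} else if err != nil {`. Whether single use of the code is enforced by this deletion or by the authorization-code storage elsewhere is not visible in this hunk, so a one-line comment above the call should state the intent, e.g. `// The transient OIDC session is single use; remove it before the token response is built.`. PopulateTokenEndpointResponse continues past the end of this hunk.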
@@ -22,7 +22,6 @@ type OpenIDConnectRequestStorage interface {
 // - or an arbitrary error if an error occurred.
 GetOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)
 
- // Deprecated: DeleteOpenIDConnectSession is not called from anywhere.
- // Originally, it should remove an open id connect session from the store.
+ // DeleteOpenIDConnectSession removes the OpenID Connect Session from the store.
 DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error
 }
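Review bot: The new doc comment on DeleteOpenIDConnectSession does not say what implementations should return when no session exists for authorizeCode, and now that the method is called on the token path (flow_explicit_token.go in this patch) with any non-nil error treated as a server error, that unspecified case decides whether a racing or replayed code request proceeds or fails. Extend the comment to fix the contract, e.g. `// DeleteOpenIDConnectSession removes the OpenID Connect Session from the store.` / `// Implementations return ErrNoSessionFound when no session exists for authorizeCode.` — or `nil`, whichever the storage implementations in this repository already do, which is not visible here. The interface declaration begins before this hunk.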