From 676525d5ae87ab45f2fe4aa925124fb05e8704dc Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Wed, 3 Apr 2024 11:47:13 +0200
Subject: [PATCH 1/3] fix: remove transient oidc session after use
---
 handler/openid/flow_explicit_token.go | 9 ++++++---
 handler/openid/storage.go | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/handler/openid/flow_explicit_token.go b/handler/openid/flow_explicit_token.go
index 67bea340..665ad67e 100644
--- a/handler/openid/flow_explicit_token.go
+++ b/handler/openid/flow_explicit_token.go
@@ -22,15 +22,18 @@ func (c *OpenIDConnectExplicitHandler) PopulateTokenEndpointResponse(ctx context
 return errorsx.WithStack(fosite.ErrUnknownRequest)
 }
 
- authorizeCode := requester.GetRequestForm().Get("code")
-
- authorize, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, authorizeCode, requester)
+ code := requester.GetRequestForm().Get("code")
+ authorize, err := c.OpenIDConnectRequestStorage.GetOpenIDConnectSession(ctx, code, requester)
 if errors.Is(err, ErrNoSessionFound) {
 return errorsx.WithStack(fosite.ErrUnknownRequest.WithWrap(err).WithDebug(err.Error()))
 } else if err != nil {
 return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
 }
 
+ if err := c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code); err != nil {
+ return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
+ }
+
 if !authorize.GetGrantedScopes().Has("openid") {
 return errorsx.WithStack(fosite.ErrMisconfiguration.WithDebug("An OpenID Connect session was found but the openid scope is missing, probably due to a broken code configuration."))
 }
diff --git a/handler/openid/storage.go b/handler/openid/storage.go
index 6f09a7b8..e08eb585 100644
--- a/handler/openid/storage.go
+++ b/handler/openid/storage.go
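Review bot: The new DeleteOpenIDConnectSession call right after GetOpenIDConnectSession duplicates the delete that PopulateTokenEndpointResponse already performs further down the function (outside this hunk; the PATCH 2/3 hunk only renames its argument to `code` and keeps it), so every successful exchange now deletes the same code twice. Whether that is harmless depends on the store: if an implementation reports a missing session as an error, the later `if err != nil` branch turns every token exchange into ErrServerError. Deleting immediately after the lookup is the better place, since the code is then consumed once regardless of later validation failures, so the later `err = c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code)` block should be removed rather than kept alongside this one. A comment on the new call would also help the next reader, e.g. `// The session is single-use: remove it as soon as it has been read so a later failure cannot leave it available for a second exchange.` The enclosing function continues past the end of this hunk.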
@@ -22,6 +22,6 @@ type OpenIDConnectRequestStorage interface {
 // - or an arbitrary error if an error occurred.
 GetOpenIDConnectSession(ctx context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error)
 
- // DeleteOpenIDConnectSession removes an open id connect session from the store.
+ // DeleteOpenIDConnectSession removes the OpenID Connect Session from the store.
 DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error
 }
From a9d0299b17474c19815c1f5961fab36cc161e16c Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Wed, 3 Apr 2024 11:52:34 +0200
Subject: [PATCH 2/3] chore: synchronize workspaces
---
 handler/openid/flow_explicit_token.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/handler/openid/flow_explicit_token.go b/handler/openid/flow_explicit_token.go
index 665ad67e..d31e6cdc 100644
--- a/handler/openid/flow_explicit_token.go
+++ b/handler/openid/flow_explicit_token.go
@@ -52,7 +52,7 @@ func (c *OpenIDConnectExplicitHandler) PopulateTokenEndpointResponse(ctx context
 return errorsx.WithStack(fosite.ErrServerError.WithDebug("Failed to generate id token because subject is an empty string."))
 }
 
- err = c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, authorizeCode)
+ err = c.OpenIDConnectRequestStorage.DeleteOpenIDConnectSession(ctx, code)
 if err != nil {
 return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
 }
From b46b256bd514f0c4154c8e386caf3ed385816a1c Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Tue, 7 May 2024 13:48:20 +0200
Subject: [PATCH 3/3] feat: clean up openid table
---
 access_request_handler.go | 2 +-
 request.go | 15 ++++++++-------
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/access_request_handler.go b/access_request_handler.go
index 25dbd62a..6a994ec7 100644
--- a/access_request_handler.go
+++ b/access_request_handler.go
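Review bot: The reworded DeleteOpenIDConnectSession comment still does not say what the method returns when no session exists for authorizeCode, and the caller in flow_explicit_token.go now maps every error from it to ErrServerError, so store authors need that contract spelled out. The GetOpenIDConnectSession doc just above already enumerates its outcomes (`// - or an arbitrary error if an error occurred.`), so mirror that style: `// DeleteOpenIDConnectSession removes the OpenID Connect Session from the store.` followed by a line stating whether a missing session is reported as ErrNoSessionFound, treated as success, or left to the implementation — whichever the existing implementations actually do. Without this, deleting an already-consumed code (which the first patch in this series makes possible) has undefined consequences for the token endpoint.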
@@ -53,7 +53,7 @@ func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session
 if r.Method != "POST" {
 return accessRequest, errorsx.WithStack(ErrInvalidRequest.WithHintf("HTTP method is '%s', expected 'POST'.", r.Method))
- } else if err := r.ParseMultipartForm(1 << 20); err != nil && err != http.ErrNotMultipart {
+ } else if err := r.ParseMultipartForm(1 << 20); err != nil && !errors.Is(err, http.ErrNotMultipart) {
 return accessRequest, errorsx.WithStack(ErrInvalidRequest.WithHint("Unable to parse HTTP body, make sure to send a properly formatted form request body.").WithWrap(err).WithDebug(err.Error()))
 } else if len(r.PostForm) == 0 {
 return accessRequest, errorsx.WithStack(ErrInvalidRequest.WithHint("The POST body can not be empty."))
diff --git a/request.go b/request.go
index 26fe7365..593ec4f6 100644
--- a/request.go
+++ b/request.go
@@ -13,13 +13,14 @@ import (
 // Request is an implementation of Requester
 type Request struct {
- ID string `json:"id" gorethink:"id"`
- RequestedAt time.Time `json:"requestedAt" gorethink:"requestedAt"`
- Client Client `json:"client" gorethink:"client"`
- RequestedScope Arguments `json:"scopes" gorethink:"scopes"`
- GrantedScope Arguments `json:"grantedScopes" gorethink:"grantedScopes"`
- Form url.Values `json:"form" gorethink:"form"`
- Session Session `json:"session" gorethink:"session"`
+ ID string `json:"id"`
+ RequestedAt time.Time `json:"requestedAt"`
+ ExpiresAt time.Time `json:"expiresAt"`
+ Client Client `json:"client"`
+ RequestedScope Arguments `json:"scopes"`
+ GrantedScope Arguments `json:"grantedScopes"`
+ Form url.Values `json:"form"`
+ Session Session `json:"session"`
 RequestedAudience Arguments `json:"requestedAudience"`
 GrantedAudience Arguments `json:"grantedAudience"`
 Lang language.Tag `json:"-"`
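Review bot: ExpiresAt is added to Request with no doc comment, and nothing in this patch populates or reads it (the diffstat lists only access_request_handler.go and request.go), so a store author cannot tell what it means or who is responsible for setting it. Add a field comment that records the intent and the open question, e.g. `// ExpiresAt marks when this request's stored record may be purged. NOTE(review): nothing in this patch sets it — confirm which flow writes it before stores rely on it.` Dropping the gorethink tags also changes the encoded field names for any store that still reads them; if such a store exists, previously persisted rows would no longer map onto these fields, which the commit description does not mention. The struct continues past the end of this hunk.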