devstack/authorizer
4
0
Fork 0
Code Pull Requests Actions Activity

fix: add nonce

Browse Source
This commit is contained in:
Lakhan Samani 2022-10-19 19:04:15 +05:30
parent 89f08b6d31
commit a916b8c32c
2 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
app/src/Root.tsx
View File

@ -38,7 +38,8 @@ export default function Root({
const scope = searchParams.get('scope') const scope = searchParams.get('scope')
? searchParams.get('scope')?.toString().split(' ') ? searchParams.get('scope')?.toString().split(' ')
: ['openid', 'profile', 'email']; : ['openid', 'profile', 'email'];
const code = searchParams.get('code') || createRandomString() const code = searchParams.get('code') || ''
const nonce = searchParams.get('nonce') || ''
const urlProps: Record<string, any> = { const urlProps: Record<string, any> = {
state, state,
@ -59,9 +60,17 @@ export default function Root({
if (token) { if (token) {
let redirectURL = config.redirectURL || '/app'; let redirectURL = config.redirectURL || '/app';
let params = `access_token=${token.access_token}&id_token=${token.id_token}&expires_in=${token.expires_in}&state=${globalState.state}&code=`+code; let params = `access_token=${token.access_token}&id_token=${token.id_token}&expires_in=${token.expires_in}&state=${globalState.state}&code=`+code;
if (code !== '') {
params += `&code=${code}`
}
if (nonce !== '') {
params += `&nonce=${nonce}`
}
if (token.refresh_token) { if (token.refresh_token) {
params += `&refresh_token=${token.refresh_token}`; params += `&refresh_token=${token.refresh_token}`;
} }
const url = new URL(redirectURL); const url = new URL(redirectURL);
if (redirectURL.includes('?')) { if (redirectURL.includes('?')) {
redirectURL = `${redirectURL}&${params}`; redirectURL = `${redirectURL}&${params}`;

9
server/handlers/authorize.go
View File

@ -78,10 +78,11 @@ func AuthorizeHandler() gin.HandlerFunc {
}) })
code := uuid.New().String() code := uuid.New().String()
nonce := uuid.New().String()
memorystore.Provider.SetState(codeChallenge, code) memorystore.Provider.SetState(codeChallenge, code)
// used for response mode query or fragment // used for response mode query or fragment
loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI + "&code=" + code loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI + "&code=" + code + "&nonce=" + nonce
loginURL := "/app?" + loginState loginURL := "/app?" + loginState
if responseMode == constants.ResponseModeFragment { if responseMode == constants.ResponseModeFragment {
@ -150,7 +151,6 @@ func AuthorizeHandler() gin.HandlerFunc {
sessionKey = claims.LoginMethod + ":" + user.ID sessionKey = claims.LoginMethod + ":" + user.ID
} }
nonce := uuid.New().String()
newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod) newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
if err != nil { if err != nil {
log.Debug("CreateSessionToken failed: ", err) log.Debug("CreateSessionToken failed: ", err)
@ -188,7 +188,7 @@ func AuthorizeHandler() gin.HandlerFunc {
// }, // },
// }) // })
params := "code=" + code + "&state=" + state params := "code=" + code + "&state=" + state + "&nonce=" + nonce
if responseMode == constants.ResponseModeQuery { if responseMode == constants.ResponseModeQuery {
if strings.Contains(redirectURI, "?") { if strings.Contains(redirectURI, "?") {
redirectURI = redirectURI + "&" + params redirectURI = redirectURI + "&" + params
@ -243,7 +243,7 @@ func AuthorizeHandler() gin.HandlerFunc {
} }
// used of query mode // used of query mode
params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token + "&code=" + code params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token + "&code=" + code + "&nonce=" + nonce
res := map[string]interface{}{ res := map[string]interface{}{
"access_token": authToken.AccessToken.Token, "access_token": authToken.AccessToken.Token,
@ -253,6 +253,7 @@ func AuthorizeHandler() gin.HandlerFunc {
"token_type": "Bearer", "token_type": "Bearer",
"expires_in": expiresIn, "expires_in": expiresIn,
"code": code, "code": code,
"nonce": nonce,
} }
if authToken.RefreshToken != nil { if authToken.RefreshToken != nil {