fix: ensure acr claim exists if security level is enabled

This commit is contained in:
Trong Huu Nguyen
2021-09-06 11:35:46 +02:00
parent 4237e84de3
commit 09bbc35df7
2 changed files with 13 additions and 3 deletions


@@ -268,7 +268,15 @@ func (h *Handler) Callback(w http.ResponseWriter, r *http.Request) {
return
}
idToken, err := token.ParseIDToken(r.Context(), h.jwkSet, tokens)
parseOpts := []jwt.ParseOption{
jwt.WithRequiredClaim("sid"),
}
if h.Config.SecurityLevel.Enabled {
parseOpts = append(parseOpts, jwt.WithRequiredClaim("acr"))
}
idToken, err := token.ParseIDToken(r.Context(), h.jwkSet, tokens, parseOpts...)
if err != nil {
log.Error(err)
w.WriteHeader(http.StatusUnauthorized)
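Review bot: Requiring the `acr` claim in the new `parseOpts` block establishes only that the ID token carries one, not that its value meets the configured level; unless a comparison against `h.Config.SecurityLevel` happens later in Callback (its body continues outside the hunk), a token with any `acr` value passes the check this commit adds. A follow-up check on `idToken` after the error handling, comparing the claim's value with the configured level and answering 401 on mismatch, would close that gap. Separately, `jwt.WithRequiredClaim("sid")` is now passed from the caller while ParseIDToken still adds the same option itself, so one of the two is redundant; dropping it here keeps the caller's slice focused on the conditional `acr` requirement.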


@@ -37,7 +37,7 @@ func (in *IDToken) Validate(opts ...jwt.ValidateOption) error {
return nil
}
func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token) (*IDToken, error) {
func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token, opts ...jwt.ParseOption) (*IDToken, error) {
raw, ok := token.Extra("id_token").(string)
if !ok {
return nil, fmt.Errorf("missing id_token in token response")
@@ -50,8 +50,10 @@ func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token) (*IDTo
parseOpts := []jwt.ParseOption{
jwt.WithKeySet(jwks),
jwt.WithRequiredClaim("sid"),
jwt.WithValidate(true),
}
parseOpts = append(parseOpts, opts...)
idToken, err := jwt.Parse([]byte(raw), parseOpts...)
if err != nil {
return nil, fmt.Errorf("parsing jwt: %w", err)
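Review bot: Caller-supplied `opts` are appended after the fixed options in `parseOpts = append(parseOpts, opts...)`, so if the JWT library applies options in order, a later `jwt.WithValidate(false)` or `jwt.WithKeySet(...)` passed by a caller would quietly replace the key set and validation this function is meant to enforce. Placing the fixed options last keeps them authoritative: `parseOpts := append(append([]jwt.ParseOption{}, opts...), jwt.WithKeySet(jwks), jwt.WithRequiredClaim("sid"), jwt.WithValidate(true))`. The exported ParseIDToken also still has no doc comment; one stating that `opts` are extra parse options layered on top of key-set verification, the `sid` requirement and validation would make the contract explicit. The function's body continues outside the hunk.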