From 09bbc35df7b35d61d6276f10c2d6f28837a4db75 Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Mon, 6 Sep 2021 11:35:46 +0200
Subject: [PATCH] fix: ensure acr claim exists if security level is enabled

---
 pkg/router/router.go | 10 +++++++++-
 pkg/token/token.go   |  6 ++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/pkg/router/router.go b/pkg/router/router.go
index 13d7947..f79097b 100644
--- a/pkg/router/router.go
+++ b/pkg/router/router.go
@@ -268,7 +268,15 @@ func (h *Handler) Callback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	idToken, err := token.ParseIDToken(r.Context(), h.jwkSet, tokens)
+	parseOpts := []jwt.ParseOption{
+		jwt.WithRequiredClaim("sid"),
+	}
+
+	if h.Config.SecurityLevel.Enabled {
+		parseOpts = append(parseOpts, jwt.WithRequiredClaim("acr"))
+	}
+
+	idToken, err := token.ParseIDToken(r.Context(), h.jwkSet, tokens, parseOpts...)
 	if err != nil {
 		log.Error(err)
 		w.WriteHeader(http.StatusUnauthorized)
diff --git a/pkg/token/token.go b/pkg/token/token.go
index c2dca8d..96967b5 100644
--- a/pkg/token/token.go
+++ b/pkg/token/token.go
@@ -37,7 +37,7 @@ func (in *IDToken) Validate(opts ...jwt.ValidateOption) error {
 	return nil
 }
 
-func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token) (*IDToken, error) {
+func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token, opts ...jwt.ParseOption) (*IDToken, error) {
 	raw, ok := token.Extra("id_token").(string)
 	if !ok {
 		return nil, fmt.Errorf("missing id_token in token response")
@@ -50,8 +50,10 @@ func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token) (*IDTo
 
 	parseOpts := []jwt.ParseOption{
 		jwt.WithKeySet(jwks),
-		jwt.WithRequiredClaim("sid"),
+		jwt.WithValidate(true),
 	}
+	parseOpts = append(parseOpts, opts...)
+
 	idToken, err := jwt.Parse([]byte(raw), parseOpts...)
 	if err != nil {
 		return nil, fmt.Errorf("parsing jwt: %w", err)
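Review bot: `jwt.WithRequiredClaim("acr")` in the `if h.Config.SecurityLevel.Enabled` branch only asserts that the claim is present; nothing in this hunk compares its value with the configured level, so an ID token whose `acr` is lower than required still passes this check unless that comparison happens elsewhere, which is not visible here. If it does, a one-line comment at that branch pointing to where the value is enforced would stop the next reader from assuming presence is the whole check; if it does not, the comparison belongs next to this option. Note also that requiring `sid` has moved from ParseIDToken into this caller, so any other call site of ParseIDToken (if one exists) silently loses that check. Callback begins and ends outside the hunk.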
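Review bot: ParseIDToken is exported and gains a variadic `opts ...jwt.ParseOption` parameter but still carries no doc comment, so callers cannot tell how their options combine with the built-in ones. Suggested comment above the signature: `// ParseIDToken extracts the id_token from token, parses and validates it against jwks, and applies opts after the built-in key-set and validation options, so a caller-supplied option can override them.` The body of ParseIDToken continues past this hunk.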
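Review bot: `jwt.WithValidate(true)` is a behavioral change the commit title does not mention: jwt.Parse now also runs claim validation (in lestrrat-go/jwx that includes the exp/nbf/iat checks) on every ID token, and if this is jwx, where WithRequiredClaim is a validate-time option, it is also what makes the required-claim options effective at all, so the old `WithRequiredClaim("sid")` passed to Parse alone may never have been enforced. That deserves a why-comment on the line, e.g. `// validation must be on for the WithRequiredClaim options supplied by callers to be enforced`. Because `parseOpts = append(parseOpts, opts...)` places caller options after the defaults, a later `jwt.WithValidate(false)` or `jwt.WithKeySet` from a caller silently wins; either append the defaults last or document that opts override. The IDToken.Validate method shown in the previous hunk suggests validation may now run twice, which is harmless but worth confirming.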