verify access tokens by checking getuserinfo during a token exchange

The provider.Verifier.Verify endpoint we were using only works with ID tokens. This isn't an issue with systems which use ID tokens as access tokens (e.g. dex), but for systems with opaque access tokens (e.g. Google / GCP), those access tokens could not be verified. Instead, check the access token against the getUserInfo endpoint. Signed-off-by: Sean Liao <sean+git@liao.dev>
dexidp · Jul 4, 2023 · ddf4edc · ddf4edc
1 parent dcf7b18
commit ddf4edc
Showing 1 changed file with 20 additions and 9 deletions.
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
@@ -301,12 +301,14 @@ func (c *oidcConnector) TokenIdentity(ctx context.Context, subjectTokenType, sub
 	var identity connector.Identity
 	token := &oauth2.Token{
 		AccessToken: subjectToken,
+		TokenType:   subjectTokenType,
 	}
 	return c.createIdentity(ctx, identity, token, exchangeCaller)
 }
 
 func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.Identity, token *oauth2.Token, caller caller) (connector.Identity, error) {
 	var claims map[string]interface{}
+	var checkAccessToken bool
 
 	if rawIDToken, ok := token.Extra("id_token").(string); ok {
 		idToken, err := c.verifier.Verify(ctx, rawIDToken)
@@ -318,21 +320,30 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 			return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
 		}
 	} else if caller == exchangeCaller {
-		// AccessToken here could be either an id token or an access token
-		idToken, err := c.provider.Verifier(&oidc.Config{SkipClientIDCheck: true}).Verify(ctx, token.AccessToken)
-		if err != nil {
-			return identity, fmt.Errorf("oidc: failed to verify token: %v", err)
-		}
-		if err := idToken.Claims(&claims); err != nil {
-			return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
+		switch token.TokenType {
+		case "urn:ietf:params:oauth:token-type:id_token":
+			// Verify only works on ID tokens
+			idToken, err := c.provider.Verifier(&oidc.Config{SkipClientIDCheck: true}).Verify(ctx, token.AccessToken)
+			if err != nil {
+				return identity, fmt.Errorf("oidc: failed to verify token: %v", err)
+			}
+			if err := idToken.Claims(&claims); err != nil {
+				return identity, fmt.Errorf("oidc: failed to decode claims: %v", err)
+			}
+		case "urn:ietf:params:oauth:token-type:access_token":
+			checkAccessToken = true
+		default:
+			return identity, fmt.Errorf("unknown token type for token exchange: %s", token.TokenType)
+
 		}
 	} else if caller != refreshCaller {
 		// ID tokens aren't mandatory in the reply when using a refresh_token grant
 		return identity, errors.New("oidc: no id_token in token response")
 	}
 
-	// We immediately want to run getUserInfo if configured before we validate the claims
-	if c.getUserInfo {
+	// We immediately want to run getUserInfo if configured before we validate the claims.
+	// For token exchanges with access tokens, this is how we verify the token.
+	if c.getUserInfo || checkAccessToken {
 		userInfo, err := c.provider.UserInfo(ctx, oauth2.StaticTokenSource(token))
 		if err != nil {
 			return identity, fmt.Errorf("oidc: error loading userinfo: %v", err)