From f7c3ea407a1bf616cfa5edab7a0cc2c9cf7a7c2c Mon Sep 17 00:00:00 2001 From: "m.nabokikh" Date: Wed, 2 Nov 2022 22:21:14 +0100 Subject: [PATCH] fix: Do not use connector data from the refresh token field Signed-off-by: m.nabokikh --- server/refreshhandlers.go | 8 +++++--- server/server_test.go | 11 +++++++++++ 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/server/refreshhandlers.go b/server/refreshhandlers.go index ecfda137f0..11eaf2e702 100644 --- a/server/refreshhandlers.go +++ b/server/refreshhandlers.go @@ -186,6 +186,8 @@ func (s *Server) refreshWithConnector(ctx context.Context, rCtx *refreshContext, // TODO(ericchiang): We may want a strict mode where connectors that don't implement // this interface can't perform refreshing. if refreshConn, ok := rCtx.connector.Connector.(connector.RefreshConnector); ok { + // Set connector data to the one received from an offline session + ident.ConnectorData = rCtx.connectorData s.logger.Debugf("connector data before refresh: %s", ident.ConnectorData) newIdent, err := refreshConn.Refresh(ctx, parseScopes(rCtx.scopes), ident) @@ -245,7 +247,6 @@ func (s *Server) updateRefreshToken(ctx context.Context, rCtx *refreshContext) ( Email: rCtx.storageToken.Claims.Email, EmailVerified: rCtx.storageToken.Claims.EmailVerified, Groups: rCtx.storageToken.Claims.Groups, - ConnectorData: rCtx.connectorData, } refreshTokenUpdater := func(old storage.RefreshToken) (storage.RefreshToken, error) { @@ -255,6 +256,7 @@ func (s *Server) updateRefreshToken(ctx context.Context, rCtx *refreshContext) ( switch { case !rotationEnabled && reusingAllowed: // If rotation is disabled and the offline session was updated not so long ago - skip further actions. + old.ConnectorData = nil return old, nil case rotationEnabled && reusingAllowed: 
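Review bot: The `Debugf` call immediately after the new assignment prints the offline session's connector data verbatim at debug level; this layer treats the value as opaque bytes, and for connectors that keep upstream credentials in it that is a secret landing in logs. Logging only its size keeps the diagnostic without the exposure: `s.logger.Debugf("connector data before refresh: %d bytes", len(ident.ConnectorData))`. The new line would also benefit from a comment stating the invariant rather than the action, e.g. `// Connector data is sourced from the offline session only, never from the refresh token record.` The body of refreshWithConnector continues outside the hunk, so the origin of `ident` and what happens when `rCtx.connectorData` is empty are not visible here.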
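Review bot: The comment on the `!rotationEnabled && reusingAllowed` branch still says "skip further actions", but the branch now mutates `old.ConnectorData` before returning; it should read `// Rotation is disabled and the offline session was updated recently: only drop the legacy connector data from the token and return.` Every branch of this switch, here and in the later hunks, now clears the same field, so placing `old.ConnectorData = nil` once before `switch {` would make the clear unconditional and impossible to forget in a future branch, provided the branch between these hunks also returns `old`, which is not visible here. Both updateRefreshToken and the updater closure continue outside the hunk.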
@@ -269,7 +271,7 @@ func (s *Server) updateRefreshToken(ctx context.Context, rCtx *refreshContext) ( // Do not update last used time for offline session if token is allowed to be reused lastUsed = old.LastUsed - ident.ConnectorData = nil + old.ConnectorData = nil return old, nil case rotationEnabled && !reusingAllowed: @@ -286,7 +288,7 @@ func (s *Server) updateRefreshToken(ctx context.Context, rCtx *refreshContext) ( old.LastUsed = lastUsed // ConnectorData has been moved to OfflineSession - old.ConnectorData = []byte{} + old.ConnectorData = nil // Call only once if there is a request which is not in the reuse interval. // This is required to avoid multiple calls to the external IdP for concurrent requests. diff --git a/server/server_test.go b/server/server_test.go index 828e7faf95..e54e80af56 100644 --- a/server/server_test.go +++ b/server/server_test.go @@ -871,6 +871,17 @@ func TestOAuth2CodeFlow(t *testing.T) { if respDump, err = httputil.DumpResponse(resp, true); err != nil { t.Fatal(err) } + + tokens, err := s.storage.ListRefreshTokens() + if err != nil { + t.Fatalf("failed to get existed refresh token: %v", err) + } + + for _, token := range tokens { + if /* token was updated */ token.ObsoleteToken != "" && token.ConnectorData != nil { + t.Fatalf("token connectorDatawith id %q field is not nil: %s", token.ID, token.ConnectorData) + } + } }) } }
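Review bot: Changing the cleared value from `[]byte{}` to `nil` changes how the field serializes: a JSON encoder writes `null` for a nil byte slice and `""` for an empty one, so a storage backend that round-trips the token through JSON or a non-null column may now store or return a different value than before; worth confirming each backend treats the two the same before relying on `nil` as the canonical "cleared" state. The comment above the line would be sharper as an invariant: `// Connector data lives on the OfflineSession; it is never persisted on the refresh token.` The surrounding updater closure continues outside the hunk.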
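Review bot: The assertion `token.ConnectorData != nil` fails against any storage implementation that returns an empty non-nil slice for a cleared field, which is exactly the `[]byte{}` value the old code stored; `len(token.ConnectorData) != 0` tests the property the fix is about regardless of how a backend represents emptiness. The failure message has a run-together word and dumps the data itself into test output; `t.Fatalf("refresh token %q still carries connector data (%d bytes)", token.ID, len(token.ConnectorData))` reads cleanly and keeps possible credentials out of logs. The `ObsoleteToken != ""` filter only selects tokens that went through rotation, so the non-rotating reuse branch cleared in this same commit is not exercised unless the test's configuration rotates tokens, which is not visible here.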