Store transformed OIDC token
hslatman committed Jan 15, 2024
1 parent 29202ef commit 768a089
Showing 1 changed file with 12 additions and 19 deletions.
31 changes: 12 additions & 19 deletions acme/challenge.go
Expand Up @@ -401,6 +401,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return WrapErrorISE(err, "error unmarshalling challenge data")
}

// TODO(hs): move this into validation?
expectedKeyAuth, err := KeyAuthorization(ch.Token, jwk)
if err != nil {
return err
Expand All @@ -410,7 +411,8 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
"keyAuthorization does not match; expected %q, but got %q", expectedKeyAuth, oidcPayload.KeyAuth))
}

if err := validateWireOIDCClaims(oidcOptions, idToken, wireID); err != nil {
transformedIDToken, err := validateWireOIDCClaims(oidcOptions, idToken, wireID)
if err != nil {
return storeError(ctx, db, ch, true, WrapError(ErrorRejectedIdentifierType, err, "claims in OIDC ID token don't match"))
}

Expand All @@ -423,15 +425,6 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
return WrapErrorISE(err, "error updating challenge")
}

parsedIDToken, err := jose.ParseSigned(oidcPayload.IDToken)
if err != nil {
return WrapErrorISE(err, "invalid OIDC ID token")
}
oidcToken := make(map[string]interface{})
if err := parsedIDToken.UnsafeClaimsWithoutVerification(&oidcToken); err != nil {
return WrapErrorISE(err, "failed parsing OIDC id token")
}

orders, err := db.GetAllOrdersByAccountID(ctx, ch.AccountID)
if err != nil {
return WrapErrorISE(err, "could not find current order by account id")
Expand All @@ -441,40 +434,40 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
}

order := orders[len(orders)-1]
if err := db.CreateOidcToken(ctx, order, oidcToken); err != nil {
if err := db.CreateOidcToken(ctx, order, transformedIDToken); err != nil {
return WrapErrorISE(err, "failed storing OIDC id token")
}

return nil
}

func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.ID) error {
func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken, wireID wire.ID) (map[string]any, error) {
var m map[string]any
if err := token.Claims(&m); err != nil {
return fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
return nil, fmt.Errorf("failed extracting OIDC ID token claims: %w", err)
}
transformed, err := o.Transform(m)
if err != nil {
return fmt.Errorf("failed transforming OIDC ID token: %w", err)
return nil, fmt.Errorf("failed transforming OIDC ID token: %w", err)
}

name, ok := transformed["name"]
if !ok {
return fmt.Errorf("transformed OIDC ID token does not contain 'name'")
return nil, fmt.Errorf("transformed OIDC ID token does not contain 'name'")
}
if wireID.Name != name {
return fmt.Errorf("invalid 'name' %q after transformation", name)
return nil, fmt.Errorf("invalid 'name' %q after transformation", name)
}

handle, ok := transformed["handle"]
if !ok {
return fmt.Errorf("transformed OIDC ID token does not contain 'handle'")
return nil, fmt.Errorf("transformed OIDC ID token does not contain 'handle'")
}
if wireID.Handle != handle {
return fmt.Errorf("invalid 'handle' %q after transformation", handle)
return nil, fmt.Errorf("invalid 'handle' %q after transformation", handle)
}

return nil
return transformed, nil
}

type wireDpopPayload struct {
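Review bot: validateWireOIDCClaims (last hunk) now returns the transformed claims map that wireOIDC01Validate hands to db.CreateOidcToken, but nothing documents that this map, not the raw ID token claims, is what gets persisted per order; add a doc comment such as `// validateWireOIDCClaims extracts the claims of the ID token, applies the provisioner's transform and checks that the transformed "name" and "handle" equal wireID's. On success it returns the transformed claims; callers persist this map as-is, so every key the transform template emits is stored.` The presence checks `name, ok := transformed["name"]` and the matching `handle` lookup compare a string field against an `any`, so a template that renders the field as a non-string type passes the `ok` check, fails the `!=` comparison, and is then reported through `%q`, which prints a `%!q(...)` verb error instead of the value; a type assertion `name, ok := transformed["name"].(string)` (same for `handle`) makes the expected type explicit and keeps the error message readable. Whether `token` has already been signature-verified by the caller cannot be seen here, since wireOIDC01Validate begins before the first hunk.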
