From 0fbdb0a096144df71d4e68ec12e5ae51c90ffaac Mon Sep 17 00:00:00 2001
From: Simon Murray
Date: Tue, 19 Mar 2024 09:00:24 +0000
Subject: [PATCH] Add Nonce to OIDC ID Token
It's part of the spec, so we should add this in, just in case a library does check it!
---
 charts/identity/Chart.yaml | 4 ++--
 pkg/oauth2/federated.go | 13 +++++++------
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/charts/identity/Chart.yaml b/charts/identity/Chart.yaml
index b8e4ddc7..33bbdfaa 100644
--- a/charts/identity/Chart.yaml
+++ b/charts/identity/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for deploying Unikorn's IdP
 type: application
-version: v0.1.12
-appVersion: v0.1.12
+version: v0.1.13
+appVersion: v0.1.13
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
diff --git a/pkg/oauth2/federated.go b/pkg/oauth2/federated.go
index deb934e2..ee2470a6 100644
--- a/pkg/oauth2/federated.go
+++ b/pkg/oauth2/federated.go
@@ -834,7 +834,7 @@ func oidcPicture(email string) string {
 }
 // oidcIDToken builds an OIDC ID token.
-func (a *Authenticator) oidcIDToken(r *http.Request, scope Scope, expiry time.Time, atHash, clientID, email string) (*string, error) {
+func (a *Authenticator) oidcIDToken(r *http.Request, scope Scope, expiry time.Time, atHash string, code *Code) (*string, error) {
 //nolint:nilnil
 if !slices.Contains(scope, "openid") {
 return nil, nil
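Review bot: The doc comment above the changed signature still reads `// oidcIDToken builds an OIDC ID token.` and says nothing about what the new `code *Code` parameter supplies or that the function returns (nil, nil) when the "openid" scope is absent, which is the behaviour the `//nolint:nilnil` marker is silencing. Suggest `// oidcIDToken builds an OIDC ID token for the subject and client recorded in the authorization code, echoing the code's nonce; it returns (nil, nil) when scope does not include "openid".` The new body also dereferences `code` unconditionally, so the contract that callers pass a non-nil code should either be stated in that comment or enforced with an explicit nil check that returns an error. The function body continues past the end of this hunk.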
@@ -843,25 +843,26 @@ func (a *Authenticator) oidcIDToken(r *http.Request, scope Scope, expiry time.Ti
 claims := &IDToken{
 Claims: jwt.Claims{
 Issuer: "https://" + r.Host,
- Subject: email,
+ Subject: code.Subject,
 Audience: []string{
- clientID,
+ code.ClientID,
 },
 Expiry: jwt.NewNumericDate(expiry),
 IssuedAt: jwt.NewNumericDate(time.Now()),
 },
 OIDCClaims: OIDCClaims{
+ Nonce: code.ClientNonce,
 ATHash: atHash,
 },
 }
 // TODO: we should just pass through the federated id_token in the code...
 if slices.Contains(scope, "email") {
- claims.OIDCClaimsEmail.Email = email
+ claims.OIDCClaimsEmail.Email = code.Subject
 }
 if slices.Contains(scope, "profile") {
- claims.OIDCClaimsProfile.Picture = oidcPicture(email)
+ claims.OIDCClaimsProfile.Picture = oidcPicture(code.Subject)
 }
 idToken, err := a.issuer.EncodeJWT(claims)
@@ -901,7 +902,7 @@ func (a *Authenticator) Token(w http.ResponseWriter, r *http.Request) (*generate
 }
 // Handle OIDC.
- idToken, err := a.oidcIDToken(r, code.ClientScope, expiry, oidcHash(accessToken), r.Form.Get("client_id"), code.Subject)
+ idToken, err := a.oidcIDToken(r, code.ClientScope, expiry, oidcHash(accessToken), code)
 if err != nil {
 return nil, err
 }
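Review bot: `Nonce: code.ClientNonce` is assigned unconditionally, so when the client sent no nonce on the authorization request the ID token will carry an empty `nonce` claim unless the `OIDCClaims.Nonce` field's JSON tag has `omitempty` (the struct is not visible here). OIDC Core 3.1.3.3 only has the claim present when the request included one, and an empty-string claim is exactly the kind of thing a strict verifier rejects, which is the failure this commit sets out to avoid. Either confirm the tag or move the assignment out of the literal behind `if code.ClientNonce != "" { claims.OIDCClaims.Nonce = code.ClientNonce }`. The `// TODO` context line about passing through the federated id_token remains accurate after this change, since `code.Subject` now feeds `sub`, `email` and the picture lookup alike. The enclosing function starts and ends outside this hunk.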
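Review bot: The ID token's audience is now taken from `code.ClientID` instead of the token request's `client_id` form value, which is the correct source, but it also means the `client_id` presented at the token endpoint no longer influences the issued token at all; the exchange must still reject a request whose `r.Form.Get("client_id")` does not match `code.ClientID` (RFC 6749 §4.1.3) so that a code issued to one client cannot be redeemed by another. The `Token` handler's body starts and ends outside this hunk, so that check may already exist earlier in the function. If it does, a short comment at the call site such as `// client_id has already been validated against the code above.` would make the new dependency on the code's client binding visible to the next reader.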