fix: Refresh/Access token jwt decode swap (#20)

vdbulcke · Jun 2, 2022 · 0feda69 · 0feda69
1 parent 9ff2250
commit 0feda69
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 21 deletions.
diff --git a/go.mod b/go.mod
@@ -1,18 +1,34 @@
 module github.com/vdbulcke/oidc-client-demo
 
-go 1.16
+go 1.18
 
 require (
 	github.com/coreos/go-oidc/v3 v3.1.0
-	github.com/go-playground/universal-translator v0.18.0 // indirect
 	github.com/go-playground/validator v9.31.0+incompatible
 	github.com/hashicorp/go-hclog v1.0.0
-	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/spf13/cobra v1.3.0
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/fatih/color v1.13.0 // indirect
+	github.com/go-playground/locales v0.14.0 // indirect
+	github.com/go-playground/universal-translator v0.18.0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
 	golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898 // indirect
 	golang.org/x/net v0.0.0-20220105145211-5b0dc2dfae98 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -450,7 +450,6 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220105145211-5b0dc2dfae98 h1:+6WJMRLHlD7X7frgp7TUZ36RnQzSf9wVVTNakEp+nqY=
 golang.org/x/net v0.0.0-20220105145211-5b0dc2dfae98/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -786,8 +785,9 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

diff --git a/oidc-client/config.go b/oidc-client/config.go
@@ -6,7 +6,7 @@ import (
 	"os"
 
 	"github.com/go-playground/validator"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 
 	"github.com/vdbulcke/oidc-client-demo/oidc-client/internal"
 )

diff --git a/oidc-client/refresh_token.go b/oidc-client/refresh_token.go
@@ -51,7 +51,7 @@ func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerificati
 		c.logger.Error("no ID Token Found")
 	} else if !skipIdTokenVerification {
 		// verify and print idToken
-		_, err = c.processIdToken( idTokenRaw)
+		_, err = c.processIdToken(idTokenRaw)
 		if err != nil {
 			return err
 		}
@@ -61,14 +61,15 @@ func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerificati
 	// Validate Access Token if JWT
 	// and print claims
 	if c.config.AccessTokenJwt {
-		refreshTokenRaw := accessTokenResponse.RefreshToken
-		if refreshTokenRaw == "" {
-			c.logger.Error("no Refresh Token Found")
+		// try to parse access token as JWT
+		accessTokenRaw := accessTokenResponse.AccessToken
+		if accessTokenRaw == "" {
+			c.logger.Error("no Access Token Found")
 		} else {
 			// validate signature against the JWK
-			_, err := c.processRefreshToken(c.ctx, refreshTokenRaw)
+			_, err := c.processAccessToken(c.ctx, accessTokenRaw)
 			if err != nil {
-				c.logger.Error("Refresh Token validation failed", "err", err)
+				c.logger.Error("Access Token validation failed", "err", err)
 				return err
 			}
 		}
@@ -77,15 +78,14 @@ func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerificati
 	// Validate Access Token if JWT
 	// and print claims
 	if c.config.RefreshTokenJwt {
-		// try to parse access token as JWT
-		accessTokenRaw := accessTokenResponse.AccessToken
-		if accessTokenRaw == "" {
-			c.logger.Error("no Access Token Found")
+		refreshTokenRaw := accessTokenResponse.RefreshToken
+		if refreshTokenRaw == "" {
+			c.logger.Error("no Refresh Token Found")
 		} else {
 			// validate signature against the JWK
-			_, err := c.processAccessToken(c.ctx, accessTokenRaw)
+			_, err := c.processRefreshToken(c.ctx, refreshTokenRaw)
 			if err != nil {
-				c.logger.Error("Access Token validation failed", "err", err)
+				c.logger.Error("Refresh Token validation failed", "err", err)
 				return err
 			}
 		}
@@ -101,7 +101,6 @@ func (c *OIDCClient) RefreshTokenFlow(refreshToken string, skipIdTokenVerificati
 
 }
 
-
 // processAccessToken Handle accessToken JWT validation
 func (c *OIDCClient) processAccessToken(ctx context.Context, accessTokenRaw string) (*oidc.IDToken, error) {
 	return c.processGenericToken(ctx, accessTokenRaw, "Access")