fix: fix bugs in jwt parsing and redirect uri handling

frontend/src/lib/hooks/redirect-uri.ts

@@ -15,7 +15,7 @@ export const useRedirectUri = (
   let isAllowedProto = false;
   let isHttpsDowngrade = false;
 
-  if (redirect_uri === undefined) {
+  if (!redirect_uri) {
     return {
       valid: isValid,
       trusted: isTrusted,

frontend/src/pages/authorize-page.tsx

@@ -110,11 +110,7 @@ export const AuthorizePage = () => {
     },
   });
 
-  if (
-    !isOidc ||
-    screenParams.oidc_ticket === undefined ||
-    screenParams.oidc_scope === undefined
-  ) {
+  if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
     return (
       <Navigate
         to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}

frontend/src/pages/error-page.tsx

@@ -11,7 +11,7 @@ export const ErrorPage = () => {
   const { t } = useTranslation();
   const { search } = useLocation();
   const searchParams = new URLSearchParams(search);
-  const error = searchParams.get("error") ?? "";
+  const error = searchParams.get("error") || "";
 
   return (
     <Card>

frontend/src/pages/login-page.tsx

@@ -168,7 +168,8 @@ export const LoginPage = () => {
       !auth.authenticated &&
       isOauthAutoRedirect &&
       !hasAutoRedirectedRef.current &&
-      screenParams.login_for !== undefined
+      screenParams.redirect_uri &&
+      screenParams.login_for
     ) {
       hasAutoRedirectedRef.current = true;
       oauthMutate(oauth.autoRedirect);
@@ -180,6 +181,7 @@ export const LoginPage = () => {
     oauth.autoRedirect,
     isOauthAutoRedirect,
     screenParams.login_for,
+    screenParams.redirect_uri,
   ]);
 
   useEffect(() => {

internal/service/oidc_service.go

@@ -107,7 +107,6 @@ type TokenResponse struct {
 }
 
 type AuthorizeRequest struct {
-	jwt.Claims
 	Scope               string `form:"scope" json:"scope" url:"scope"`
 	ResponseType        string `form:"response_type" json:"response_type" url:"response_type"`
 	ClientID            string `form:"client_id" json:"client_id" url:"client_id"`
@@ -888,19 +887,32 @@ func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
 
 // TODO: support signed request objects in the future
 func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
-	var req AuthorizeRequest
-
-	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
+	var claims jwt.MapClaims
 
+	token, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
 	}
 
-	claims, ok := token.Claims.(*AuthorizeRequest)
+	alg, ok := token.Header["alg"].(string)
 
-	if !ok {
-		return nil, errors.New("failed to parse claims from authorize request jwt")
+	if !ok || alg != "none" || string(token.Signature) != "" {
+		return nil, fmt.Errorf("only unsigned jwts are supported for authorize requests")
 	}
 
-	return claims, nil
+	get := func(k string) string {
+		v, _ := claims[k].(string)
+		return v
+	}
+
+	return &AuthorizeRequest{
+		Scope:               get("scope"),
+		ResponseType:        get("response_type"),
+		ClientID:            get("client_id"),
+		RedirectURI:         get("redirect_uri"),
+		State:               get("state"),
+		Nonce:               get("nonce"),
+		CodeChallenge:       get("code_challenge"),
+		CodeChallengeMethod: get("code_challenge_method"),
+	}, nil
 }