fix: fix bugs in jwt parsing and redirect uri handling

This commit is contained in:
Stavros
2026-06-12 12:43:18 +03:00
parent 5c5d7a43ef
commit b75fe9ac1e
5 changed files with 26 additions and 16 deletions
+1 -1
View File
@@ -15,7 +15,7 @@ export const useRedirectUri = (
let isAllowedProto = false; let isAllowedProto = false;
let isHttpsDowngrade = false; let isHttpsDowngrade = false;
if (redirect_uri === undefined) { if (!redirect_uri) {
return { return {
valid: isValid, valid: isValid,
trusted: isTrusted, trusted: isTrusted,
+1 -5
View File
@@ -110,11 +110,7 @@ export const AuthorizePage = () => {
}, },
}); });
if ( if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
!isOidc ||
screenParams.oidc_ticket === undefined ||
screenParams.oidc_scope === undefined
) {
return ( return (
<Navigate <Navigate
to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`} to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
+1 -1
View File
@@ -11,7 +11,7 @@ export const ErrorPage = () => {
const { t } = useTranslation(); const { t } = useTranslation();
const { search } = useLocation(); const { search } = useLocation();
const searchParams = new URLSearchParams(search); const searchParams = new URLSearchParams(search);
const error = searchParams.get("error") ?? ""; const error = searchParams.get("error") || "";
return ( return (
<Card> <Card>
+3 -1
View File
@@ -168,7 +168,8 @@ export const LoginPage = () => {
!auth.authenticated && !auth.authenticated &&
isOauthAutoRedirect && isOauthAutoRedirect &&
!hasAutoRedirectedRef.current && !hasAutoRedirectedRef.current &&
screenParams.login_for !== undefined screenParams.redirect_uri &&
screenParams.login_for
) { ) {
hasAutoRedirectedRef.current = true; hasAutoRedirectedRef.current = true;
oauthMutate(oauth.autoRedirect); oauthMutate(oauth.autoRedirect);
@@ -180,6 +181,7 @@ export const LoginPage = () => {
oauth.autoRedirect, oauth.autoRedirect,
isOauthAutoRedirect, isOauthAutoRedirect,
screenParams.login_for, screenParams.login_for,
screenParams.redirect_uri,
]); ]);
useEffect(() => { useEffect(() => {
+20 -8
View File
@@ -107,7 +107,6 @@ type TokenResponse struct {
} }
type AuthorizeRequest struct { type AuthorizeRequest struct {
jwt.Claims
Scope string `form:"scope" json:"scope" url:"scope"` Scope string `form:"scope" json:"scope" url:"scope"`
ResponseType string `form:"response_type" json:"response_type" url:"response_type"` ResponseType string `form:"response_type" json:"response_type" url:"response_type"`
ClientID string `form:"client_id" json:"client_id" url:"client_id"` ClientID string `form:"client_id" json:"client_id" url:"client_id"`
@@ -888,19 +887,32 @@ func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
// TODO: support signed request objects in the future // TODO: support signed request objects in the future
func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) { func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
var req AuthorizeRequest var claims jwt.MapClaims
token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
token, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err) return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
} }
claims, ok := token.Claims.(*AuthorizeRequest) alg, ok := token.Header["alg"].(string)
if !ok { if !ok || alg != "none" || string(token.Signature) != "" {
return nil, errors.New("failed to parse claims from authorize request jwt") return nil, fmt.Errorf("only unsigned jwts are supported for authorize requests")
} }
return claims, nil get := func(k string) string {
v, _ := claims[k].(string)
return v
}
return &AuthorizeRequest{
Scope: get("scope"),
ResponseType: get("response_type"),
ClientID: get("client_id"),
RedirectURI: get("redirect_uri"),
State: get("state"),
Nonce: get("nonce"),
CodeChallenge: get("code_challenge"),
CodeChallengeMethod: get("code_challenge_method"),
}, nil
} }