barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2026-03-05 06:12:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add nonce claim support to oidc server

Browse Source
This commit is contained in:
Stavros
2026-03-03 23:13:09 +02:00
parent 0e6bcf9713
commit ec8121499c
11 changed files with 77 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
internal/service/oidc_service.go
View File

@@ -51,13 +51,14 @@ type ClaimSet struct {
Email string `json:"email,omitempty"`
PreferredUsername string `json:"preferred_username,omitempty"`
Groups []string `json:"groups,omitempty"`
Nonce string `json:"nonce,omitempty"`
}
type UserinfoResponse struct {
Sub string `json:"sub"`
Name string `json:"name"`
Email string `json:"email"`
PreferredUsername string `json:"preferred_username"`
Name string `json:"name,omitempty"`
Email string `json:"email,omitempty"`
PreferredUsername string `json:"preferred_username,omitempty"`
Groups []string `json:"groups,omitempty"`
UpdatedAt int64 `json:"updated_at"`
}
@@ -77,6 +78,7 @@ type AuthorizeRequest struct {
ClientID string `json:"client_id" binding:"required"`
RedirectURI string `json:"redirect_uri" binding:"required"`
State string `json:"state" binding:"required"`
Nonce string `json:"nonce"`
}
type OIDCServiceConfig struct {
@@ -212,6 +214,9 @@ func (service *OIDCService) Init() error {
for id, client := range service.config.Clients {
client.ID = id
if client.Name == "" {
client.Name = utils.Capitalize(client.ID)
}
service.clients[client.ClientID] = client
}
@@ -293,6 +298,7 @@ func (service *OIDCService) StoreCode(c *gin.Context, sub string, code string, r
RedirectURI: req.RedirectURI,
ClientID: req.ClientID,
ExpiresAt: expiresAt,
Nonce: req.Nonce,
})
return err
@@ -354,7 +360,7 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repos
return oidcCode, nil
}
func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string) (string, error) {
func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user repository.OidcUserinfo, scope string, nonce string) (string, error) {
createdAt := time.Now().Unix()
expiresAt := time.Now().Add(time.Duration(service.config.SessionExpiry) * time.Second).Unix()
@@ -384,6 +390,7 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user
Email: userInfo.Email,
PreferredUsername: userInfo.PreferredUsername,
Groups: userInfo.Groups,
Nonce: nonce,
}
payload, err := json.Marshal(claims)
@@ -407,14 +414,14 @@ func (service *OIDCService) generateIDToken(client config.OIDCClientConfig, user
return token, nil
}
func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OIDCClientConfig, sub string, scope string) (TokenResponse, error) {
user, err := service.GetUserinfo(c, sub)
func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OIDCClientConfig, codeEntry repository.OidcCode) (TokenResponse, error) {
user, err := service.GetUserinfo(c, codeEntry.Sub)
if err != nil {
return TokenResponse{}, err
}
idToken, err := service.generateIDToken(client, user, scope)
idToken, err := service.generateIDToken(client, user, codeEntry.Sub, codeEntry.Nonce)
if err != nil {
return TokenResponse{}, err
@@ -434,15 +441,15 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
TokenType: "Bearer",
ExpiresIn: int64(service.config.SessionExpiry),
IDToken: idToken,
Scope: strings.ReplaceAll(scope, ",", " "),
Scope: strings.ReplaceAll(codeEntry.Scope, ",", " "),
}
_, err = service.queries.CreateOidcToken(c, repository.CreateOidcTokenParams{
Sub: sub,
Sub: codeEntry.Sub,
AccessTokenHash: service.Hash(accessToken),
RefreshTokenHash: service.Hash(refreshToken),
ClientID: client.ClientID,
Scope: scope,
Scope: codeEntry.Scope,
TokenExpiresAt: tokenExpiresAt,
RefreshTokenExpiresAt: refrshTokenExpiresAt,
})
@@ -481,7 +488,7 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
idToken, err := service.generateIDToken(config.OIDCClientConfig{
ClientID: entry.ClientID,
}, user, entry.Scope)
}, user, entry.Scope, entry.Nonce)
if err != nil {
return TokenResponse{}, err