From c59ee5b8180914519c47d3500f864b15e1a811b9 Mon Sep 17 00:00:00 2001 From: Mathieu Velten Date: Tue, 15 Oct 2024 11:30:11 +0200 Subject: [PATCH] aaa --- .../src/requests/authorization_code.rs | 8 +++----- crates/oidc-client/src/requests/jose.rs | 19 +++++++------------ .../oidc-client/src/requests/refresh_token.rs | 6 +++--- crates/oidc-client/src/requests/userinfo.rs | 7 +++---- 4 files changed, 16 insertions(+), 24 deletions(-) diff --git a/crates/oidc-client/src/requests/authorization_code.rs b/crates/oidc-client/src/requests/authorization_code.rs index e1bccf0a4..e5426ee98 100644 --- a/crates/oidc-client/src/requests/authorization_code.rs +++ b/crates/oidc-client/src/requests/authorization_code.rs @@ -528,14 +528,12 @@ pub async fn access_token_with_authorization_code( .await?; let id_token = if let Some(verification_data) = id_token_verification_data { - let signing_alg = verification_data.signing_algorithm; - let id_token = token_response .id_token .as_deref() .ok_or(IdTokenError::MissingIdToken)?; - let id_token = verify_id_token(id_token, verification_data, None, now)?; + let (id_token, signing_alg) = verify_id_token(id_token, verification_data, None, now)?; let mut claims = id_token.payload().clone(); @@ -543,13 +541,13 @@ pub async fn access_token_with_authorization_code( claims::AT_HASH .extract_optional_with_options( &mut claims, - TokenHash::new(signing_alg, &token_response.access_token), + TokenHash::new(&signing_alg, &token_response.access_token), ) .map_err(IdTokenError::from)?; // Code hash must match. claims::C_HASH - .extract_optional_with_options(&mut claims, TokenHash::new(signing_alg, &code)) + .extract_optional_with_options(&mut claims, TokenHash::new(&signing_alg, &code)) .map_err(IdTokenError::from)?; // Nonce must match. diff --git a/crates/oidc-client/src/requests/jose.rs b/crates/oidc-client/src/requests/jose.rs index cce6e1193..cda5c3614 100644 --- a/crates/oidc-client/src/requests/jose.rs +++ b/crates/oidc-client/src/requests/jose.rs @@ -102,14 +102,14 @@ pub struct JwtVerificationData<'a> { pub fn verify_signed_jwt<'a>( jwt: &'a str, verification_data: JwtVerificationData<'_>, -) -> Result>, JwtVerificationError> { +) -> Result<(Jwt<'a, HashMap>, JsonWebSignatureAlg), JwtVerificationError> { tracing::debug!("Validating JWT..."); let JwtVerificationData { issuer, jwks, client_id, - signing_algorithm, + signing_algorithm: _, } = verification_data; let jwt: Jwt> = jwt.try_into()?; @@ -124,12 +124,7 @@ pub fn verify_signed_jwt<'a>( // Must have the proper audience. claims::AUD.extract_required_with_options(&mut claims, client_id)?; - // Must use the proper algorithm. - if header.alg() != signing_algorithm { - return Err(JwtVerificationError::WrongSignatureAlg); - } - - Ok(jwt) + Ok((jwt, header.alg().clone())) } /// Decode and verify an ID Token. @@ -167,8 +162,8 @@ pub fn verify_id_token<'a>( verification_data: JwtVerificationData<'_>, auth_id_token: Option<&IdToken<'_>>, now: DateTime, -) -> Result, IdTokenError> { - let id_token = verify_signed_jwt(id_token, verification_data)?; +) -> Result<(IdToken<'a>, JsonWebSignatureAlg), IdTokenError> { + let (id_token, signing_alg) = verify_signed_jwt(id_token, verification_data)?; let mut claims = id_token.payload().clone(); @@ -202,5 +197,5 @@ pub fn verify_id_token<'a>( } } - Ok(id_token) -} + Ok((id_token, signing_alg)) +} \ No newline at end of file diff --git a/crates/oidc-client/src/requests/refresh_token.rs b/crates/oidc-client/src/requests/refresh_token.rs index 036f94a6b..33b796fc8 100644 --- a/crates/oidc-client/src/requests/refresh_token.rs +++ b/crates/oidc-client/src/requests/refresh_token.rs @@ -97,9 +97,9 @@ pub async fn refresh_access_token( id_token_verification_data.zip(token_response.id_token.as_ref()) { let auth_id_token = auth_id_token.ok_or(IdTokenError::MissingAuthIdToken)?; - let signing_alg = verification_data.signing_algorithm; - let id_token = verify_id_token(id_token, verification_data, Some(auth_id_token), now)?; + let (id_token, signing_alg) = + verify_id_token(id_token, verification_data, Some(auth_id_token), now)?; let mut claims = id_token.payload().clone(); @@ -107,7 +107,7 @@ pub async fn refresh_access_token( claims::AT_HASH .extract_optional_with_options( &mut claims, - TokenHash::new(signing_alg, &token_response.access_token), + TokenHash::new(&signing_alg, &token_response.access_token), ) .map_err(IdTokenError::from)?; diff --git a/crates/oidc-client/src/requests/userinfo.rs b/crates/oidc-client/src/requests/userinfo.rs index 053c6c99b..faa7d3fb4 100644 --- a/crates/oidc-client/src/requests/userinfo.rs +++ b/crates/oidc-client/src/requests/userinfo.rs @@ -108,10 +108,9 @@ pub async fn fetch_userinfo( let response_body = std::str::from_utf8(userinfo_response.body())?; let mut claims = if let Some(verification_data) = jwt_verification_data { - verify_signed_jwt(response_body, verification_data) - .map_err(IdTokenError::from)? - .into_parts() - .1 + let (id_token, _) = + verify_signed_jwt(response_body, verification_data).map_err(IdTokenError::from)?; + id_token.into_parts().1 } else { serde_json::from_str(response_body)? };