
fix(openid): narrow state hash conditions (#25)
This ensures the state hash is only included with the 'code id_token' response type, as it is the only response type that benefits from it. See the FAPI 1.0 and FAPI 2.0 specs for more information:
 - https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature-2
 - https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.6
james-d-elliott authored Dec 22, 2023
1 parent d1c2cc8 commit a296824
Showing 2 changed files with 14 additions and 6 deletions.
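--- a/handler/openid/flow_hybrid.go
+++ b/handler/openid/flow_hybrid.go
@@ -90,12 +90,20 @@ func (c *OpenIDConnectHybridHandler) HandleAuthorizeEndpointRequest(ctx context.
 		err error
 	)
 
-	if state := ar.GetState(); len(state) != 0 && claims != nil {
-		if hash, err = c.IDTokenHandleHelper.ComputeHash(ctx, sess, ar.GetState()); err != nil {
-			return err
-		}
+	// FAPI 1.0 Advanced. This fulfills the ID Token as a detached signature requirement. It should be noted that in
+	// the FAPI 2.0 profile this is replaced by PKCE and PAR.
+	//
+	// See Also:
+	// - https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature-2
+	// - https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-5.6
+	if ar.GetResponseTypes().Matches(consts.ResponseTypeAuthorizationCodeFlow, consts.ResponseTypeImplicitFlowIDToken) {
+		if state := ar.GetState(); len(state) != 0 && claims != nil {
+			if hash, err = c.IDTokenHandleHelper.ComputeHash(ctx, sess, ar.GetState()); err != nil {
+				return err
+			}
 
-		claims.StateHash = hash
+			claims.StateHash = hash
+		}
 	}
 
 	if ar.GetResponseTypes().Has(consts.ResponseTypeAuthorizationCodeFlow) {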
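Review bot: The added `ComputeHash` call re-reads `ar.GetState()` even though the enclosing `if state := ar.GetState(); ...` already bound the value that passed the length check; hashing the bound variable keeps the checked value and the hashed value provably the same and drops a second getter call: `if hash, err = c.IDTokenHandleHelper.ComputeHash(ctx, sess, state); err != nil {`. The new comment gives the FAPI background but not the effect of the narrowing: a client using any other hybrid combination (for example `code id_token token`) with a non-empty state now receives no s_hash, which the commit message says is intended and is worth stating in code so a zero-value `StateHash` is not later read as a regression; I would add `// s_hash is only emitted for the exact 'code id_token' response type; other hybrid combinations intentionally omit it.` beside the `Matches` check, on the assumption that `Matches` is an exact, order-independent comparison of the response type set. HandleAuthorizeEndpointRequest starts before this hunk and continues after it.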
2 changes: 1 addition & 1 deletion handler/openid/flow_hybrid_test.go
Expand Up @@ -236,7 +236,7 @@ func TestHybrid_HandleAuthorizeEndpointRequest(t *testing.T) {
setup: func(t *testing.T, request *oauth2.AuthorizeRequest, response *oauth2.AuthorizeResponse) OpenIDConnectHybridHandler {
request.Form.Set(consts.FormParameterNonce, "some-foobar-nonce-win")
request.Form.Set(consts.FormParameterState, "some-foobar-state-win")
request.ResponseTypes = oauth2.Arguments{consts.ResponseTypeAuthorizationCodeFlow, consts.ResponseTypeImplicitFlowToken, consts.ResponseTypeImplicitFlowIDToken}
request.ResponseTypes = oauth2.Arguments{consts.ResponseTypeAuthorizationCodeFlow, consts.ResponseTypeImplicitFlowIDToken}
request.State = "some-foobar-state-win"
request.GrantedScope = oauth2.Arguments{consts.ScopeOpenID}

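Review bot: The updated case at the `request.ResponseTypes` line only keeps the positive path (`code id_token` with a state) green; nothing visible in this hunk asserts the behaviour the commit actually introduces, namely that `claims.StateHash` stays empty when a state is set but the response types are `code token` or `code id_token token`. If no other entry in this table covers that, I would add a sibling case that sets `consts.FormParameterState` and `request.State` exactly as here, uses `oauth2.Arguments{consts.ResponseTypeAuthorizationCodeFlow, consts.ResponseTypeImplicitFlowToken}`, and expects the resulting ID token claims to carry no s_hash, since that negative path is the one most likely to regress silently. TestHybrid_HandleAuthorizeEndpointRequest continues outside the hunk.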
