feat: strip query parameters from the OIDC issuerUrl so it can carry the OAuth ClientId in the Challenge.target field without breaking idToken verification, which relies on an issuer (iss) claim that has no query parameters

pull/1671/head
beltram 6 months ago committed by Herman Slatman
parent d6ceebba94
commit 39bf889925
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F

@ -4,6 +4,7 @@ import (
"bytes"
"context"
"fmt"
"net/url"
"text/template"
"time"
@ -61,8 +62,19 @@ func (o *OIDCOptions) GetTarget(deviceID string) (string, error) {
}
func toProviderConfig(in ProviderJSON) *oidc.ProviderConfig {
issuerUrl, err := url.Parse(in.IssuerURL)
if err != nil {
panic(err) // config error, it's ok to panic here
}
// Removes query params from the URL because we use it as a way to notify client about the actual OAuth ClientId
// for this provisioner.
// This URL is going to look like: "https://idp:5556/dex?clientid=foo"
// If we don't trim the query params here i.e. 'clientid' then the idToken verification is going to fail because
// the 'iss' claim of the idToken will be "https://idp:5556/dex"
issuerUrl.RawQuery = ""
issuerUrl.Fragment = ""
return &oidc.ProviderConfig{
IssuerURL: in.IssuerURL,
IssuerURL: issuerUrl.String(),
AuthURL: in.AuthURL,
TokenURL: in.TokenURL,
UserInfoURL: in.UserInfoURL,
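Review bot: Resetting RawQuery and Fragment does not drop a trailing `?`: url.Parse sets ForceQuery when the configured URL ends in a bare `?` (e.g. `https://idp:5556/dex?`), and String() then still emits the `?`, so the issuer would not match the token's `iss` claim exactly as the comment intends; add `issuerUrl.ForceQuery = false` next to the two resets. The comment above the resets would also be stronger with the spec rationale, e.g. `// OpenID Connect Discovery requires issuer identifiers to have no query or fragment component, so stripping both here is safe to do unconditionally.` Note that url.Parse accepts almost any string, so the panic only catches malformed input, not a non-https or schemeless issuer; if the provisioner does not validate the scheme elsewhere, a check on `issuerUrl.Scheme` here would be worth considering. toProviderConfig's body continues past the hunk.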
