From 39bf88992561cd5fe5dfc67d935c4ab3a69f64c5 Mon Sep 17 00:00:00 2001
From: beltram
Date: Fri, 15 Dec 2023 15:17:17 +0100
Subject: [PATCH] feat: remove query parameters from OIDC issuerUrl so that it allows us to use it to carry the OAuth ClientId in the Challenge.target field without at the same time undermining the idToken verification which relies on a issuer (iss) claim without this query parameter

---
 authority/provisioner/oidc_options.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/authority/provisioner/oidc_options.go b/authority/provisioner/oidc_options.go
index c601fb42..21df2d60 100644
--- a/authority/provisioner/oidc_options.go
+++ b/authority/provisioner/oidc_options.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"net/url"
 	"text/template"
 	"time"
 
@@ -61,8 +62,19 @@ func (o *OIDCOptions) GetTarget(deviceID string) (string, error) {
 }
 
 func toProviderConfig(in ProviderJSON) *oidc.ProviderConfig {
+	issuerUrl, err := url.Parse(in.IssuerURL)
+	if err != nil {
+		panic(err) // config error, it's ok to panic here
+	}
+	// Removes query params from the URL because we use it as a way to notify client about the actual OAuth ClientId
+	// for this provisioner.
+	// This URL is going to look like: "https://idp:5556/dex?clientid=foo"
+	// If we don't trim the query params here i.e. 'clientid' then the idToken verification is going to fail because
+	// the 'iss' claim of the idToken will be "https://idp:5556/dex"
+	issuerUrl.RawQuery = ""
+	issuerUrl.Fragment = ""
 	return &oidc.ProviderConfig{
-		IssuerURL: in.IssuerURL,
+		IssuerURL: issuerUrl.String(),
 		AuthURL:   in.AuthURL,
 		TokenURL:  in.TokenURL,
 		UserInfoURL: in.UserInfoURL,
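Review bot: Clearing `RawQuery` does not reset the `ForceQuery` flag that `url.Parse` sets when the configured issuer ends in a bare `?` (for example `https://idp:5556/dex?` with no parameters), so `issuerUrl.String()` would still emit the trailing `?` and the derived issuer would not match the token's `iss` claim; add `issuerUrl.ForceQuery = false` beside the two assignments in the second hunk. The `panic(err)` on a malformed IssuerURL turns a single provisioner's configuration mistake into a process abort; whether this only runs at initial config load is not visible from the hunk, and if provisioner configs can be loaded or updated at runtime a returned or logged error would be the safer failure mode. As a point of style, the local should be `issuerURL` rather than `issuerUrl` per Go initialism conventions. The struct literal and toProviderConfig continue past the end of the hunk.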