simplify OIDC verification

2024-11-11 07:11:00 +00:00 · 2023-02-01 17:36:20 +01:00 · 2023-02-01 17:36:20 +01:00 · 5ca744567c
commit 5ca744567c
parent da1e64aa53
2 changed files with 6 additions and 23 deletions
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -31,16 +31,15 @@ import (

 	"github.com/fxamacker/cbor/v2"
 	"github.com/google/go-tpm/legacy/tpm2"
-
 	"github.com/smallstep/go-attestation/attest"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
+	"golang.org/x/oauth2"

 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/wire"
-	"golang.org/x/oauth2"
 )

 type ChallengeType string
@ -360,26 +359,13 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 		return NewErrorISE("no provisioner provided")
 	}

-	var token oauth2.Token
-	err := json.Unmarshal(payload, &token)
-	if err != nil {
-		return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
-			"error unmarshalling OpenID token"))
-	}
-
-	idTokenRaw, ok := token.Extra("id_token").(string)
-	if !ok {
-		return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
-			"error retrieving ID token from OAUTH2 token"))
-	}
-
 	oidcOptions := prov.GetOptions().GetOIDCOptions()
 	idToken, err := oidcOptions.
 		GetProvider(ctx).
 		Verifier(
 			oidcOptions.
 				GetConfig()).
-		Verify(ctx, idTokenRaw)
+		Verify(ctx, string(payload))
 	if err != nil {
 		return storeError(ctx, db, ch, false, WrapError(ErrorRejectedIdentifierType, err,
 			"error verifying ID token signature"))
--- a/go.mod
+++ b/go.mod
@ -6,6 +6,7 @@ require (
 	cloud.google.com/go/longrunning v0.5.4
 	cloud.google.com/go/security v1.15.4
 	github.com/Masterminds/sprig/v3 v3.2.3
+	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/dgraph-io/badger v1.6.2
 	github.com/dgraph-io/badger/v2 v2.2007.4
 	github.com/fxamacker/cbor/v2 v2.5.0
@ -41,11 +42,6 @@ require (
 	google.golang.org/protobuf v1.32.0
 )

-require (
-	github.com/google/go-tpm v0.9.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-)
-
 require (
 	cloud.google.com/go v0.110.10 // indirect
 	cloud.google.com/go/compute v1.23.3 // indirect
@ -68,7 +64,6 @@ require (
 	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
-	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgraph-io/ristretto v0.1.0 // indirect
@ -89,6 +84,7 @@ require (
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/certificate-transparency-go v1.1.6 // indirect
+	github.com/google/go-tpm v0.9.0
 	github.com/google/go-tpm-tools v0.4.2 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
@ -142,7 +138,7 @@ require (
 	go.opentelemetry.io/otel v1.21.0 // indirect
 	go.opentelemetry.io/otel/metric v1.21.0 // indirect
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
-	golang.org/x/oauth2 v0.15.0 // indirect
+	golang.org/x/oauth2 v0.15.0
 	golang.org/x/sync v0.5.0 // indirect
 	golang.org/x/sys v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
@ -152,5 +148,6 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20231211222908-989df2bf70f3 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect; indirects
 )