From a49966f4c99a56988389345a4ad496a1db1c2ed8 Mon Sep 17 00:00:00 2001
From: beltram
Date: Tue, 28 Mar 2023 18:32:39 +0200
Subject: [PATCH] try using google oidc for demo purpose
---
 acme/challenge.go | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/acme/challenge.go b/acme/challenge.go
index 5a010e14..fcc5d26c 100644
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -382,8 +382,11 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 }
 var claims struct {
- Name string `json:"preferred_username"`
- Handle string `json:"name"`
+ Name string `json:"preferred_username,omitempty"`
+ Handle string `json:"name"`
+ Issuer string `json:"iss,omitempty"`
+ GivenName string `json:"given_name,omitempty"`
+ FamilyName string `json:"family_name,omitempty"`
 }
 err = idToken.Claims(&claims)
 if err != nil {
@@ -405,8 +408,15 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
 "keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, wireChallengePayload.KeyAuth))
 }
- if challengeValues.Name != claims.Name || challengeValues.Handle != claims.Handle {
- return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType, "OIDC claims don't match"))
+ if claims.Issuer == "https://accounts.google.com" {
+ var handle = fmt.Sprintf("%s.%s@wire.com", strings.ToLower(claims.GivenName), strings.ToLower(claims.FamilyName))
+ if challengeValues.Name != claims.Name || challengeValues.Handle != handle {
+ return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType, "OIDC claims don't match"))
+ }
+ } else {
+ if challengeValues.Name != claims.Name || challengeValues.Handle != claims.Handle {
+ return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType, "OIDC claims don't match"))
+ }
 }
 // Update and store the challenge.
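Review bot: The `omitempty` option added to the `Name`, `Issuer`, `GivenName` and `FamilyName` tags in the first hunk has no effect, because `omitempty` only applies when marshalling and this struct appears to be only decoded, via `idToken.Claims(&claims)`; the tags should read `json:"preferred_username"`, `json:"iss"`, `json:"given_name"` and `json:"family_name"`. An absent claim simply leaves the field as the empty string, and the comparison later in the function relies on that, so it is worth stating on the struct: `// Fields are "" when the claim is absent; "" must be treated as missing, not as a valid value.` wireOIDC01Validate begins before this hunk, so how idToken was verified cannot be seen here.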
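Review bot: In the second hunk the Google branch derives the handle it verifies from `given_name` and `family_name`, which are self-asserted profile fields rather than an identifier the issuer attests, so `challengeValues.Handle` is no longer bound to a verified identity: two accounts whose profile names coincide produce the same handle, and empty names yield `.@wire.com`, which the check still accepts whenever the requested handle matches. Since the commit message calls this demo code, at minimum mark it `// DEMO ONLY: handle is synthesised from mutable profile claims, not an attested identifier` and reject empty `GivenName`/`FamilyName`; a production check would compare a stable attested claim (`sub`, or `email` together with `email_verified`) instead. The two near-identical comparisons can also collapse into one by computing `handle := claims.Handle` before the branch and overriding it in the Google case, which also replaces the non-idiomatic `var handle = fmt.Sprintf(...)`. wireOIDC01Validate begins and ends outside the hunk, so whether the ID-token verifier already pins `iss` cannot be confirmed from here, and the hunk relies on `strings` being imported elsewhere in the file since the diffstat shows no import change.
```go
	handle := claims.Handle
	if claims.Issuer == "https://accounts.google.com" {
		// DEMO ONLY: given_name/family_name are self-asserted profile fields, not an attested identifier.
		if claims.GivenName == "" || claims.FamilyName == "" {
			return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType, "OIDC claims don't match"))
		}
		handle = strings.ToLower(claims.GivenName) + "." + strings.ToLower(claims.FamilyName) + "@wire.com"
	}
	if challengeValues.Name != claims.Name || challengeValues.Handle != handle {
		return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType, "OIDC claims don't match"))
	}
	// … unchanged: update and store the challenge …
```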