|
|
|
@ -355,6 +355,8 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
|
|
|
|
|
type WireChallengePayload struct {
|
|
|
|
|
// IdToken
|
|
|
|
|
IdToken string `json:"id_token,omitempty"`
|
|
|
|
|
// KeyAuth ({challenge-token}.{jwk-thumbprint})
|
|
|
|
|
KeyAuth string `json:"keyauth,omitempty"`
|
|
|
|
|
// AccessToken is the token generated by wire-server
|
|
|
|
|
AccessToken string `json:"access_token,omitempty"`
|
|
|
|
|
}
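Review bot: The new `KeyAuth` field on `WireChallengePayload` arrives in the client's challenge POST, and its one-line comment only states the format; a reader should be told that it is untrusted input which `wireOIDC01Validate` compares against the server-computed key authorization before it is used. Suggest `// KeyAuth is the client-supplied key authorization ({challenge-token}.{jwk-thumbprint}); it is untrusted and must be checked against the server-computed value.` Which two of the eight lines are the additions is not marked on this page, so this assumes the `KeyAuth` pair is the new content, consistent with the later hunks that start reading `wireChallengePayload.KeyAuth`.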
|
|
|
|
@ -380,9 +382,8 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var claims struct {
|
|
|
|
|
Name string `json:"name"`
|
|
|
|
|
Handle string `json:"handle"`
|
|
|
|
|
KeyAuth string `json:"keyauth"`
|
|
|
|
|
Name string `json:"preferred_username"`
|
|
|
|
|
Handle string `json:"name"`
|
|
|
|
|
}
|
|
|
|
|
err = idToken.Claims(&claims)
|
|
|
|
|
if err != nil {
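Review bot: The new claim tags read as inverted relative to the field names — `Name` is now filled from `preferred_username` and `Handle` from `name` — and nothing on the page says why, while the later comparison `challengeValues.Name != claims.Name || challengeValues.Handle != claims.Handle` depends on exactly this mapping. If the swap is deliberate (the provider's id_token carries the display name under `preferred_username` and the handle under `name`), say so above the struct, e.g. `// The provider's id_token carries the display name in preferred_username and the handle in name.`; if it is not, the two tags should be exchanged. Dropping `KeyAuth` from the claims also means the ID token is no longer checked for a binding to this challenge: the replacement check compares `expectedKeyAuth` with `wireChallengePayload.KeyAuth`, a value supplied by the same client that posts the challenge, so a token issued for a different account key or challenge would still pass it; if the token still carries a binding claim it should be verified here, and if it intentionally does not, the reasoning deserves a comment. wireOIDC01Validate begins before and continues after this hunk.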
|
|
|
|
@ -399,9 +400,9 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if expectedKeyAuth != claims.KeyAuth {
|
|
|
|
|
if expectedKeyAuth != wireChallengePayload.KeyAuth {
|
|
|
|
|
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
|
|
|
|
|
"keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, claims.KeyAuth))
|
|
|
|
|
"keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, wireChallengePayload.KeyAuth))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if challengeValues.Name != claims.Name || challengeValues.Handle != claims.Handle {
|
|
|
|
|