|
|
|
@ -357,8 +357,6 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
|
|
|
|
|
type WireChallengePayload struct {
|
|
|
|
|
// IDToken
|
|
|
|
|
IDToken string `json:"id_token,omitempty"`
|
|
|
|
|
// KeyAuth ({challenge-token}.{jwk-thumbprint})
|
|
|
|
|
KeyAuth string `json:"keyauth,omitempty"`
|
|
|
|
|
// AccessToken is the token generated by wire-server
|
|
|
|
|
AccessToken string `json:"access_token,omitempty"`
|
|
|
|
|
}
|
|
|
|
@ -388,6 +386,7 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
|
|
|
|
|
Handle string `json:"name"`
|
|
|
|
|
Issuer string `json:"iss,omitempty"`
|
|
|
|
|
GivenName string `json:"given_name,omitempty"`
|
|
|
|
|
KeyAuth string `json:"keyauth"`
|
|
|
|
|
}
|
|
|
|
|
err = idToken.Claims(&claims)
|
|
|
|
|
if err != nil {
|
|
|
|
@ -404,9 +403,9 @@ func wireOIDC01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSO
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if expectedKeyAuth != wireChallengePayload.KeyAuth {
|
|
|
|
|
if expectedKeyAuth != claims.KeyAuth {
|
|
|
|
|
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
|
|
|
|
|
"keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, wireChallengePayload.KeyAuth))
|
|
|
|
|
"keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, claims.KeyAuth))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if challengeValues.Name != claims.Name || challengeValues.Handle != claims.Handle {
|
|
|
|
|