Fix OpenBao OIDC token exchange compatibility
Some checks failed
Build and Publish Container Image / build-and-push (push) Has been cancelled

This commit is contained in:
2026-06-01 21:20:54 +02:00
parent 06d20c3379
commit d6d41dd84f
6 changed files with 43 additions and 11 deletions

View File

@@ -23,6 +23,7 @@ type PendingState struct {
PKCEChallenge string
PKCEChallengeMethod string
State string
Nonce string
Scopes []string
ExpiresAt time.Time
AuthenticatedUser string
@@ -103,6 +104,7 @@ func (h *AuthorizeHandler) serveAuthorize(w http.ResponseWriter, r *http.Request
responseType := q.Get("response_type")
scope := q.Get("scope")
state := q.Get("state")
nonce := q.Get("nonce")
codeChallenge := q.Get("code_challenge")
codeChallengeMethod := q.Get("code_challenge_method")
@@ -191,6 +193,7 @@ func (h *AuthorizeHandler) serveAuthorize(w http.ResponseWriter, r *http.Request
PKCEChallenge: codeChallenge,
PKCEChallengeMethod: codeChallengeMethod,
State: state,
Nonce: nonce,
Scopes: strings.Fields(scope),
ExpiresAt: time.Now().Add(10 * time.Minute),
})
@@ -358,6 +361,7 @@ func (h *AuthorizeHandler) completeAuthorization(w http.ResponseWriter, r *http.
PKCEChallenge: ps.PKCEChallenge,
PKCEChallengeMethod: ps.PKCEChallengeMethod,
State: ps.State,
Nonce: ps.Nonce,
Username: username,
Scopes: ps.Scopes,
ExpiresAt: time.Now().Add(10 * time.Minute),

View File

@@ -15,6 +15,7 @@ type PKCESession struct {
PKCEChallenge string // S256 challenge
PKCEChallengeMethod string // always "S256"
State string
Nonce string
Username string // set after auth
Scopes []string
ExpiresAt time.Time

View File

@@ -111,6 +111,9 @@ func (h *TokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
"exp": exp.Unix(),
"iat": now.Unix(),
}
if sess.Nonce != "" {
claims["nonce"] = sess.Nonce
}
scopeSet := make(map[string]bool)
for _, s := range sess.Scopes {

View File

@@ -107,6 +107,7 @@ func seededSession(sessions *oidc.SessionStore, verifier string) (code string) {
PKCEChallenge: challenge,
PKCEChallengeMethod: "S256",
State: "state1",
Nonce: "nonce1",
Username: "alice",
Scopes: []string{"openid", "profile", "email", "groups"},
ExpiresAt: time.Now().Add(10 * time.Minute),
@@ -323,6 +324,9 @@ func TestTokenHandler_JWTClaims_CorrectSubAndIssuer(t *testing.T) {
if claims["aud"] != "test-client" {
t.Errorf("aud: expected test-client, got %v", claims["aud"])
}
if claims["nonce"] != "nonce1" {
t.Errorf("nonce: expected nonce1, got %v", claims["nonce"])
}
}
func TestTokenHandler_ScopeFiltering_ProfileScope(t *testing.T) {