pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Can bypass code verifier for specific clients

Browse Source
This commit is contained in:
Pierre HUBERT
2022-04-15 18:28:53 +02:00
parent 1d21b30b68
commit cac461e03d
3 changed files with 16 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/controllers/openid_controller.rs
View File

@ -36,7 +36,8 @@ pub async fn get_configuration(app_conf: web::Data<AppConfig>) -> impl Responder
subject_types_supported: vec!["public"],
id_token_signing_alg_values_supported: vec!["RS256"],
token_endpoint_auth_methods_supported: vec!["client_secret_post", "client_secret_basic"],
claims_supported: vec!["sub", "exp", "name", "given_name", "family_name", "email"],
claims_supported: vec!["sub", "name", "given_name", "family_name", "email"],
code_challenge_methods_supported: vec!["plain", "S256"],
})
}
@ -293,16 +294,18 @@ pub async fn token(req: HttpRequest,
}
// Check code challenge, if needed
if let Some(chall) = &session.code_challenge {
let code_verifier = match &q.code_verifier {
None => {
return Ok(error_response(&query, "access_denied", "Code verifier missing"));
}
Some(s) => s
};
if !client.disable_code_verifier.unwrap_or(false) {
if let Some(chall) = &session.code_challenge {
let code_verifier = match &q.code_verifier {
None => {
return Ok(error_response(&query, "access_denied", "Code verifier missing"));
}
Some(s) => s
};
if !chall.verify_code(code_verifier) {
return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
if !chall.verify_code(code_verifier) {
return Ok(error_response(&query, "invalid_grant", "Invalid code verifier"));
}
}
}