fix: update OpenID Connect session after user consent
wood-push-melon committed Apr 12, 2024
1 parent 615d0ce commit 580c20d
Showing 5 changed files with 40 additions and 5 deletions.
3 changes: 1 addition & 2 deletions go.mod
Expand Up @@ -255,5 +255,4 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
)

//replace github.com/ory/fosite => github.com/canonical/fosite v0.0.0-20240329132814-3be772246a38
replace github.com/ory/fosite => github.com/canonical/fosite v0.0.0-20240409224826-9e5f7e217f9b
replace github.com/ory/fosite => github.com/canonical/fosite v0.0.0-20240412170332-7fe9b8979dd3
5 changes: 2 additions & 3 deletions go.sum
Expand Up @@ -74,9 +74,8 @@ github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4Yn
github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
github.com/canonical/fosite v0.0.0-20240329132814-3be772246a38 h1:tM/abV0wyvC6eekGfGIu2tyTemN3xGKhFpHFuN7wYH8=
github.com/canonical/fosite v0.0.0-20240329132814-3be772246a38/go.mod h1:G5iZOjyC42o5uZaZK4GQdrqQeLxWZ4NZpD3rDRYM0Mc=
github.com/canonical/fosite v0.0.0-20240409224826-9e5f7e217f9b/go.mod h1:G5iZOjyC42o5uZaZK4GQdrqQeLxWZ4NZpD3rDRYM0Mc=
github.com/canonical/fosite v0.0.0-20240412170332-7fe9b8979dd3 h1:ZDkf+uEuw7eOY/JcRUoncTbt+WWG0TwoIjJ8hHU5Uuw=
github.com/canonical/fosite v0.0.0-20240412170332-7fe9b8979dd3/go.mod h1:G5iZOjyC42o5uZaZK4GQdrqQeLxWZ4NZpD3rDRYM0Mc=
github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
11 changes: 11 additions & 0 deletions oauth2/handler.go
Expand Up @@ -760,6 +760,17 @@ func (h *Handler) performOAuth2DeviceVerificationFlow(w http.ResponseWriter, r *
return
}

// TODO evaluate if an OpenID Connect session is necessary for device flow.
// Update the OpenID Connect session if "openid" scope is granted
if req.GetGrantedScopes().Has("openid") {
err = h.r.OAuth2Storage().UpdateOpenIDConnectSessionByRequestID(ctx, f.DeviceCodeRequestID.String(), req)
if err != nil {
x.LogError(r, err, h.r.Logger())
h.r.Writer().WriteError(w, r, err)
return
}
}

redirectURL := urlx.SetQuery(h.c.DeviceDoneURL(ctx), url.Values{"consent_verifier": {string(f.ConsentVerifier)}}).String()
http.Redirect(w, r, redirectURL, http.StatusFound)
}
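Review bot: The TODO on the first added line says it is still open whether the device flow needs an OpenID Connect session at all, yet the code right below it unconditionally rewrites one whenever "openid" is granted, so the comment no longer describes what the block does; replace it with the reason the write exists, e.g. `// The OpenID Connect session for this device request was stored before consent; refresh its granted scopes, audience and session data with what the user actually granted.` (that the row predates consent is implied by the commit title, not visible here, so confirm before wording it as fact). A related gap: when consent does not grant "openid", any session row previously stored for f.DeviceCodeRequestID is left untouched with its pre-consent data, so if such a row can exist it should be deleted or marked inactive rather than kept. performOAuth2DeviceVerificationFlow begins outside the hunk, so err is assumed to be declared earlier in it.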
24 changes: 24 additions & 0 deletions persistence/sql/persister_oauth2.go
Expand Up @@ -446,6 +446,30 @@ func (p *Persister) CreateOpenIDConnectSession(ctx context.Context, signature st
return p.createSession(ctx, signature, requester, sqlTableOpenID)
}

// UpdateOpenIDConnectSessionByRequestID updates an OpenID session by requestID
func (p *Persister) UpdateOpenIDConnectSessionByRequestID(ctx context.Context, requestID string, requester fosite.Requester) (err error) {
ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.UpdateOpenIDConnectSessionByRequestID")
defer otelx.End(span, &err)

req, err := p.sqlSchemaFromRequest(ctx, requestID, requester, sqlTableOpenID)
if err != nil {
return err
}

stmt := fmt.Sprintf(
"UPDATE %s SET granted_scope=?, granted_audience=?, session_data=? WHERE request_id=? AND nid = ?",
OAuth2RequestSQL{Table: sqlTableOpenID}.TableName(),
)

/* #nosec G201 table is static */
err = p.Connection(ctx).RawQuery(stmt, req.GrantedScope, req.GrantedAudience, req.Session, requestID, p.NetworkID(ctx)).Exec()
if err != nil {
return sqlcon.HandleError(err)
}

return nil
}

func (p *Persister) GetOpenIDConnectSession(ctx context.Context, signature string, requester fosite.Requester) (_ fosite.Requester, err error) {
ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetOpenIDConnectSession")
defer otelx.End(span, &err)
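Review bot: The UPDATE issued on line 81 reports success even when no row matches request_id and nid, because Exec() only surfaces driver errors, so a caller that then issues an ID token proceeds against whatever the older row held, or against nothing. If the Pop query type in use exposes ExecWithCount, use it and treat a zero count as a missing session: `count, err := p.Connection(ctx).RawQuery(stmt, req.GrantedScope, req.GrantedAudience, req.Session, requestID, p.NetworkID(ctx)).ExecWithCount()` followed by `if count == 0 { return sqlcon.ErrNoRows }` after the existing error check, which keeps the network scoping of the WHERE clause as is. The doc comment on line 65 should also state which columns change and the matching rule, e.g. `// UpdateOpenIDConnectSessionByRequestID replaces the granted scopes, granted audience and session data of the OpenID Connect session stored for requestID within the current network.`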
2 changes: 2 additions & 0 deletions x/fosite_storer.go
Expand Up @@ -43,6 +43,8 @@ type FositeStorer interface {

FlushInactiveRefreshTokens(ctx context.Context, notAfter time.Time, limit int, batchSize int) error

UpdateOpenIDConnectSessionByRequestID(ctx context.Context, requestID string, requester fosite.Requester) error

// DeleteOpenIDConnectSession deletes an OpenID Connect session.
// This is duplicated from Ory Fosite to help against deprecation linting errors.
DeleteOpenIDConnectSession(ctx context.Context, authorizeCode string) error
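Review bot: The new interface method on line 99 carries no doc comment, unlike its neighbour DeleteOpenIDConnectSession, so callers of FositeStorer cannot see what it updates or what happens when the request ID is unknown. Add `// UpdateOpenIDConnectSessionByRequestID replaces the granted scopes, granted audience and session data of the OpenID Connect session stored for requestID.` above it, and once the persister's behaviour for a missing row is settled (error versus silent no-op) state that here too, since this is the contract implementations will be held to.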
