veryroundbird.house / core
forked from tangled.org/core
this repo has no description
fork atom

appview/oauth: verify "iss" parameter in auth response

From https://datatracker.ietf.org/doc/html/rfc9207#section-2.4 :

"Clients MUST [...] compare the result to the issuer identifier of the
authorization server where the authorization request was sent to. [...]
If the value does not match the expected issuer identifier, clients MUST
reject the authorization response and MUST NOT proceed with the
authorization grant."

Signed-off-by: Mike P <fentiger@mythik.co.uk>

Mike P 801c1427 45efee41

options
unified split
Changed files
+6
appview
oauth
handler
handler.go
+6
appview/oauth/handler/handler.go 
···

       
253

       
253

       
 

       
		return


     

       
254

       
254

       
 

       
	}


     

       
255

       
255

       
 

       



     

       

       
256

       
+

       
	if iss != oauthRequest.AuthserverIss {


     

       

       
257

       
+

       
		log.Println("mismatched iss:", iss, "!=", oauthRequest.AuthserverIss, "for state:", state)


     

       

       
258

       
+

       
		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")


     

       

       
259

       
+

       
		return


     

       

       
260

       
+

       
	}


     

       

       
261

       
+

       



     

       
256

       
262

       
 

       
	self := o.oauth.ClientMetadata()


     

       
257

       
263

       
 

       



     

       
258

       
264

       
 

       
	oauthClient, err := client.NewClient(