12 changes: 6 additions & 6 deletions selfservice/strategy/oidc/strategy.go
Expand Up @@ -796,33 +796,33 @@ func (s *Strategy) CompletedAuthenticationMethod(context.Context) session.Authen
func (s *Strategy) ProcessIDToken(r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) {
verifier, ok := provider.(IDTokenVerifier)
if !ok {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider))
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider))
}
claims, err := verifier.Verify(r.Context(), idToken)
if err != nil {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Could not verify id_token").WithError(err.Error()))
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("Could not verify id_token").WithError(err.Error()))
}

if err := claims.Validate(); err != nil {
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The id_token claims were invalid").WithError(err.Error()))
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The id_token claims were invalid").WithError(err.Error()))
}

// First check if the JWT contains the nonce claim.
if claims.Nonce == "" {
// If it doesn't, check if the provider supports nonces.
if nonceSkipper, ok := verifier.(NonceValidationSkipper); !ok || !nonceSkipper.CanSkipNonce(claims) {
// If the provider supports nonces, abort the flow!
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was included in the id_token but is required by the provider"))
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was included in the id_token but is required by the provider"))
}
// If the provider does not support nonces, we don't do validation and return the claim.
// This case only applies to Apple, as some of their devices do not support nonces.
// https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
} else if idTokenNonce == "" {
// A nonce was present in the JWT token, but no nonce was submitted in the flow
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider"))
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was provided but is required by the provider"))
} else if idTokenNonce != claims.Nonce {
// The nonce from the JWT token does not match the nonce from the flow.
return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
}
// Nonce checking was successful

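Review bot: Reclassifying id_token verification and nonce failures from 500 to 400 (lines 27, 32, 37, 46, 54, 58) changes their observability: 4xx responses are usually excluded from error-rate alerting, so repeated failed verifications or nonce mismatches — which are the signal a defender would want when tokens are being tampered with or replayed — can become invisible unless they are logged server-side before the return. The `WithError(err.Error())` on the verify and claims-validation branches also still forwards the verifier library's message to the caller; that is unchanged by this commit, but now that the response is explicitly a client-facing error it is worth confirming the message carries nothing beyond what the client needs (it may name expected issuer/audience or skew details, I cannot tell from here). A comment above the verify call such as `// Verification failures are reported as client errors; log them server-side so forged or replayed id_tokens stay observable.` would document the intent, and a server-side log line at each failing branch would restore the signal. ProcessIDToken's body continues past the end of this hunk, so later handling of the verified claims is not visible here.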