mirror of
https://github.com/pomerium/pomerium.git
synced 2025-06-04 03:42:49 +02:00
databroker: add audience to session (#1557)
* add audience to session * update audience * parse next url and add it to audience
This commit is contained in:
Caleb Doxsey
GitHub
parent
a85b3b04c1
commit
93c257259e
3 changed files with 44 additions and 29 deletions
|
|
@ -389,23 +389,6 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
|
|||
return nil, fmt.Errorf("error redeeming authenticate code: %w", err)
|
||||
}
|
||||
|
||||
s := sessions.State{ID: uuid.New().String()}
|
||||
err = claims.Claims.Claims(&s)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error unmarshaling session state: %w", err)
|
||||
}
|
||||
|
||||
// save the session and access token to the databroker
|
||||
err = a.saveSessionToDataBroker(ctx, &s, claims, accessToken)
|
||||
if err != nil {
|
||||
return nil, httputil.NewError(http.StatusInternalServerError, err)
|
||||
}
|
||||
|
||||
newState := sessions.NewSession(
|
||||
&s,
|
||||
state.redirectURL.Hostname(),
|
||||
[]string{state.redirectURL.Hostname()})
|
||||
|
||||
// state includes a csrf nonce (validated by middleware) and redirect uri
|
||||
bytes, err := base64.URLEncoding.DecodeString(r.FormValue("state"))
|
||||
if err != nil {
|
||||
|
|
@ -438,6 +421,27 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
|
|||
return nil, httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
|
||||
s := sessions.State{ID: uuid.New().String()}
|
||||
err = claims.Claims.Claims(&s)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error unmarshaling session state: %w", err)
|
||||
}
|
||||
|
||||
newState := sessions.NewSession(
|
||||
&s,
|
||||
state.redirectURL.Hostname(),
|
||||
[]string{state.redirectURL.Hostname()})
|
||||
|
||||
if nextRedirectURL, err := urlutil.ParseAndValidateURL(redirectURL.Query().Get(urlutil.QueryRedirectURI)); err == nil {
|
||||
newState.Audience = append(newState.Audience, nextRedirectURL.Hostname())
|
||||
}
|
||||
|
||||
// save the session and access token to the databroker
|
||||
err = a.saveSessionToDataBroker(ctx, &newState, claims, accessToken)
|
||||
if err != nil {
|
||||
return nil, httputil.NewError(http.StatusInternalServerError, err)
|
||||
}
|
||||
|
||||
// ... and the user state to local storage.
|
||||
if err := state.sessionStore.SaveSession(w, r, &newState); err != nil {
|
||||
return nil, fmt.Errorf("failed saving new session: %w", err)
|
||||
|
|
@ -560,6 +564,7 @@ func (a *Authenticate) saveSessionToDataBroker(
|
|||
IssuedAt: idTokenIssuedAt,
|
||||
},
|
||||
OauthToken: manager.ToOAuthToken(accessToken),
|
||||
Audience: sessionState.Audience,
|
||||
}
|
||||
s.SetRawIDToken(claims.RawIDToken)
|
||||
s.AddClaims(claims.Flatten())
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue