core/authenticate: validate the identity profile (#4545)

authenticate/handlers.go

@@ -143,7 +143,7 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
 			return a.reauthenticateOrFail(w, r, err)
 		}
 
-		_, err = a.loadIdentityProfile(r, state.cookieCipher)
+		profile, err := a.loadIdentityProfile(r, state.cookieCipher)
 		if err != nil {
 			log.FromRequest(r).Info().
 				Err(err).
@@ -152,6 +152,15 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
 			return a.reauthenticateOrFail(w, r, err)
 		}
 
+		err = a.validateIdentityProfile(ctx, profile)
+		if err != nil {
+			log.FromRequest(r).Info().
+				Err(err).
+				Str("idp_id", idpID).
+				Msg("authenticate: invalid identity profile")
+			return a.reauthenticateOrFail(w, r, err)
+		}
+
 		next.ServeHTTP(w, r.WithContext(ctx))
 		return nil
 	})

authenticate/identity_profile.go

@@ -99,3 +99,28 @@ func (a *Authenticate) storeIdentityProfile(w http.ResponseWriter, aead cipher.A
 	cookie.Path = "/"
 	return cookieChunker.SetCookie(w, cookie)
 }
+
+func (a *Authenticate) validateIdentityProfile(ctx context.Context, profile *identitypb.Profile) error {
+	authenticator, err := a.cfg.getIdentityProvider(a.options.Load(), profile.GetProviderId())
+	if err != nil {
+		return err
+	}
+
+	oauthToken := new(oauth2.Token)
+	err = json.Unmarshal(profile.GetOauthToken(), oauthToken)
+	if err != nil {
+		return fmt.Errorf("invalid oauth token in profile: %w", err)
+	}
+
+	if !oauthToken.Valid() {
+		return fmt.Errorf("invalid oauth token in profile")
+	}
+
+	var claims identity.SessionClaims
+	err = authenticator.UpdateUserInfo(ctx, oauthToken, &claims)
+	if err != nil {
+		return fmt.Errorf("error updating user info from oauth token: %w", err)
+	}
+
+	return nil
+}