From e5a7b994b68b33b56c1a039b546c1fa38d5ef26c Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Fri, 15 Sep 2023 14:16:28 -0600
Subject: [PATCH] core/authenticate: validate the identity profile (#4545)

---
 authenticate/handlers.go | 11 ++++++++++-
 authenticate/identity_profile.go | 25 +++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/authenticate/handlers.go b/authenticate/handlers.go
index a679cc98d..30e90d17f 100644
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@@ -143,7 +143,7 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
 return a.reauthenticateOrFail(w, r, err)
 }
 
- _, err = a.loadIdentityProfile(r, state.cookieCipher)
+ profile, err := a.loadIdentityProfile(r, state.cookieCipher)
 if err != nil {
 log.FromRequest(r).Info().
 Err(err).
@@ -152,6 +152,15 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
 return a.reauthenticateOrFail(w, r, err)
 }
 
+ err = a.validateIdentityProfile(ctx, profile)
+ if err != nil {
+ log.FromRequest(r).Info().
+ Err(err).
+ Str("idp_id", idpID).
+ Msg("authenticate: invalid identity profile")
+ return a.reauthenticateOrFail(w, r, err)
+ }
+
 next.ServeHTTP(w, r.WithContext(ctx))
 return nil
 })
diff --git a/authenticate/identity_profile.go b/authenticate/identity_profile.go
index 7dba691b8..fe467d704 100644
--- a/authenticate/identity_profile.go
+++ b/authenticate/identity_profile.go
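Review bot: The second handlers.go hunk calls `a.validateIdentityProfile` from inside the per-request `VerifySession` middleware, and the identity_profile.go hunk shows that call reaching the IdP through `UpdateUserInfo`, so every request now pays an IdP round trip and a transient network or IdP failure is handled exactly like a rejected token — the user is sent to `reauthenticateOrFail`. If that is intended, say so at the call site, e.g. `// Re-check the stored profile against the IdP on every request; any failure, transient or not, forces re-authentication.`; if not, distinguish transport errors from a rejected token so only the latter triggers re-authentication. The `ctx` handed in appears to be the request context (it is also passed to `next.ServeHTTP`), so the IdP call is bounded only by the client connection; a per-call deadline would keep a slow IdP from stalling the handler. VerifySession's body begins outside the hunk, and the first hunk (the `profile, err :=` assignment) needs nothing beyond this.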
@@ -99,3 +99,28 @@ func (a *Authenticate) storeIdentityProfile(w http.ResponseWriter, aead cipher.A
 cookie.Path = "/"
 return cookieChunker.SetCookie(w, cookie)
 }
+
+func (a *Authenticate) validateIdentityProfile(ctx context.Context, profile *identitypb.Profile) error {
+ authenticator, err := a.cfg.getIdentityProvider(a.options.Load(), profile.GetProviderId())
+ if err != nil {
+ return err
+ }
+
+ oauthToken := new(oauth2.Token)
+ err = json.Unmarshal(profile.GetOauthToken(), oauthToken)
+ if err != nil {
+ return fmt.Errorf("invalid oauth token in profile: %w", err)
+ }
+
+ if !oauthToken.Valid() {
+ return fmt.Errorf("invalid oauth token in profile")
+ }
+
+ var claims identity.SessionClaims
+ err = authenticator.UpdateUserInfo(ctx, oauthToken, &claims)
+ if err != nil {
+ return fmt.Errorf("error updating user info from oauth token: %w", err)
+ }
+
+ return nil
+}
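Review bot: The `claims` populated by `UpdateUserInfo` are discarded, so the check only proves that the IdP still accepts the stored token; it never compares what the IdP returns now with the identity recorded in the profile, and refreshed claims are not written back — if the profile carries the subject or claims, comparing them here would close that gap. The two `invalid oauth token in profile` errors are indistinguishable in the handler's log, and the second is a constant message, so `errors.New("oauth token in profile is expired or has no access token")` (adding the `errors` import if the file lacks it) would both satisfy vet's format-string check and tell the operator which branch fired. The method also has no doc comment; `// validateIdentityProfile confirms that the profile's provider is still configured, that its stored OAuth token parses and is unexpired, and that the provider still accepts it.` would do.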