From d7d08c3d2f1ad2f50a006c6a0f08070e0e8e74d5 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Mon, 11 Nov 2024 19:43:57 +0100 Subject: [PATCH] oidc/oauth2: use an opaque state Signed-off-by: Nicola Murino --- internal/httpd/oauth2.go | 8 +++++--- internal/httpd/oidc.go | 8 ++++++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/internal/httpd/oauth2.go b/internal/httpd/oauth2.go index fa0c3c62..49459161 100644 --- a/internal/httpd/oauth2.go +++ b/internal/httpd/oauth2.go @@ -15,13 +15,13 @@ package httpd import ( + "crypto/sha256" + "encoding/hex" "encoding/json" "errors" "sync" "time" - "github.com/rs/xid" - "github.com/drakkan/sftpgo/v2/internal/dataprovider" "github.com/drakkan/sftpgo/v2/internal/kms" "github.com/drakkan/sftpgo/v2/internal/logger" @@ -53,8 +53,10 @@ type oauth2PendingAuth struct { } func newOAuth2PendingAuth(provider int, redirectURL, clientID string, clientSecret *kms.Secret) oauth2PendingAuth { + state := sha256.Sum256(util.GenerateRandomBytes(32)) + return oauth2PendingAuth{ - State: xid.New().String(), + State: hex.EncodeToString(state[:]), Provider: provider, ClientID: clientID, ClientSecret: clientSecret, diff --git a/internal/httpd/oidc.go b/internal/httpd/oidc.go index f395952d..f01e9aa9 100644 --- a/internal/httpd/oidc.go +++ b/internal/httpd/oidc.go @@ -16,6 +16,7 @@ package httpd import ( "context" + "crypto/sha256" "encoding/hex" "errors" "fmt" @@ -202,9 +203,12 @@ type oidcPendingAuth struct { } func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth { + state := sha256.Sum256(util.GenerateRandomBytes(32)) + nonce := util.GenerateUniqueID() + return oidcPendingAuth{ - State: xid.New().String(), - Nonce: hex.EncodeToString(util.GenerateRandomBytes(20)), + State: hex.EncodeToString(state[:]), + Nonce: nonce, Audience: audience, IssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()), }