Monorepo for Tangled tangled.org

appview/oauth: verify "iss" parameter in auth response

From https://datatracker.ietf.org/doc/html/rfc9207#section-2.4 :

"Clients MUST [...] compare the result to the issuer identifier of the
authorization server where the authorization request was sent to. [...]
If the value does not match the expected issuer identifier, clients MUST
reject the authorization response and MUST NOT proceed with the
authorization grant."

Signed-off-by: Mike P <fentiger@mythik.co.uk>
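The check the commit message quotes from RFC 9207 section 2.4, written out as an added example (not the project's own code): the client stores, per pending authorization request, the state value and the issuer identifier of the authorization server it sent the user to; when the redirect comes back, it looks the request up by state, requires the iss parameter to be present, and compares it to the stored issuer with a plain string comparison (the RFC forbids any normalisation). The pendingAuth type, verifyAuthResponse, the error values and the callback URLs are all assumptions made for this example, as is the extra rule that an absent iss is rejected rather than silently compared against an empty stored issuer.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// pendingAuth is what the client remembered when it sent the user to the
// authorization server: the state it generated and the issuer identifier of
// the server the request went to. (Hypothetical type, not the project's.)
type pendingAuth struct {
	State         string
	AuthserverIss string
}

var (
	errBadState    = errors.New("unknown or mismatched state")
	errMissingIss  = errors.New("authorization response carries no iss parameter")
	errIssMismatch = errors.New("iss does not match the authorization server the request was sent to")
)

// verifyAuthResponse applies the RFC 9207 section 2.4 check to the redirect
// URL the browser was sent back with. It binds the response to the pending
// request via state, refuses a response without iss (an empty iss must never
// "match" an empty stored issuer), and rejects any issuer other than the one
// the request was originally sent to. On any failure the returned code must
// not be redeemed at the token endpoint.
func verifyAuthResponse(callback string, pending map[string]pendingAuth) (code string, err error) {
	u, err := url.Parse(callback)
	if err != nil {
		return "", err
	}
	q := u.Query()

	req, ok := pending[q.Get("state")]
	if !ok {
		return "", errBadState
	}

	iss := q.Get("iss")
	if iss == "" {
		return "", errMissingIss
	}
	// Simple string comparison per RFC 9207 / RFC 3986 section 6.2.1:
	// no case folding, no trailing-slash or percent-encoding normalisation.
	if iss != req.AuthserverIss {
		return "", errIssMismatch
	}
	return q.Get("code"), nil
}

func main() {
	// Constructed sample: one pending request bound to https://as.example.
	pending := map[string]pendingAuth{
		"s1": {State: "s1", AuthserverIss: "https://as.example"},
	}
	cases := []string{
		"https://app.example/oauth/callback?code=abc&state=s1&iss=https%3A%2F%2Fas.example",
		"https://app.example/oauth/callback?code=abc&state=s1&iss=https%3A%2F%2Fattacker.example",
		"https://app.example/oauth/callback?code=abc&state=s1",
		"https://app.example/oauth/callback?code=abc&state=zz&iss=https%3A%2F%2Fas.example",
	}
	for _, c := range cases {
		code, err := verifyAuthResponse(c, pending)
		fmt.Printf("%s\n  code=%q err=%v\n", c, code, err)
	}
}
```

Only the first callback is accepted; the second is the mix-up case the RFC text describes (a code arriving with a different issuer than the one the request went to), and the third shows why the empty-iss rule matters.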

Changed files (+6)
appview/oauth/handler/handler.go
··· 253 253 return 254 254 } 255 255 256 + if iss != oauthRequest.AuthserverIss { 257 + log.Println("mismatched iss:", iss, "!=", oauthRequest.AuthserverIss, "for state:", state) 258 + o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.") 259 + return 260 + } 261 + 256 262 self := o.oauth.ClientMetadata() 257 263 258 264 oauthClient, err := client.NewClient(
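Review bot: the new guard `if iss != oauthRequest.AuthserverIss` passes when both values are empty, so an authorization response with no iss parameter is not rejected whenever the stored issuer was never populated; RFC 9207 requires clients to reject responses without iss from servers that advertise support, so fail closed explicitly, e.g. `if iss == "" || iss != oauthRequest.AuthserverIss {`. On the same lines, the notice "Failed to authenticate. Try again later." implies a transient fault, but an issuer mismatch is the signature of a mix-up attack and retrying will not help; a neutral message is more accurate. Finally, `log.Println("mismatched iss:", iss, ...)` writes the attacker-controlled iss value unescaped into the log; quoting it (`%q`) avoids log forging via embedded newlines.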