fix: handle reauth correctly (max_age=0 or prompt=login) (#1870)

* max age * merge main * fix when no prompt is set * fix: update oidc pkg * fix tests
2025-08-12 07:57:32 +00:00 · 2021-06-16 10:02:15 +02:00
parent 1e1ded440c
commit 4a2ca5a1e8
7 changed files with 86 additions and 48 deletions
--- a/internal/api/oidc/auth_request_converter.go
+++ b/internal/api/oidc/auth_request_converter.go
@@ -113,6 +113,7 @@ func AuthRequestFromBusiness(authReq *domain.AuthRequest) (_ op.AuthRequest, err

 func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest, userAgentID, userID string) *domain.AuthRequest {
 	return &domain.AuthRequest{
+		CreationDate:  time.Now(),
 		AgentID:       userAgentID,
 		BrowserInfo:   ParseBrowserInfoFromContext(ctx),
 		ApplicationID: authReq.ClientID,
@@ -122,7 +123,7 @@ func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest,
 		PossibleLOAs:  ACRValuesToBusiness(authReq.ACRValues),
 		UiLocales:     UILocalesToBusiness(authReq.UILocales),
 		LoginHint:     authReq.LoginHint,
-		MaxAuthAge:    authReq.MaxAge,
+		MaxAuthAge:    MaxAgeToBusiness(authReq.MaxAge),
 		UserID:        userID,
 		Request: &domain.AuthRequestOIDC{
 			Scopes:        authReq.Scopes,
@@ -161,21 +162,23 @@ func IpFromContext(ctx context.Context) net.IP {
 	return net.ParseIP(ipString)
 }

-func PromptToBusiness(prompt oidc.Prompt) domain.Prompt {
-	switch prompt {
-	case oidc.PromptNone:
-		return domain.PromptNone
-	case oidc.PromptLogin:
-		return domain.PromptLogin
-	case oidc.PromptConsent:
-		return domain.PromptConsent
-	case oidc.PromptSelectAccount:
-		return domain.PromptSelectAccount
-	case "create": //this prompt is not final yet, so not implemented in oidc lib
-		return domain.PromptCreate
-	default:
-		return domain.PromptUnspecified
+func PromptToBusiness(oidcPrompt []string) []domain.Prompt {
+	prompts := make([]domain.Prompt, len(oidcPrompt))
+	for _, oidcPrompt := range oidcPrompt {
+		switch oidcPrompt {
+		case oidc.PromptNone:
+			prompts = append(prompts, domain.PromptNone)
+		case oidc.PromptLogin:
+			prompts = append(prompts, domain.PromptLogin)
+		case oidc.PromptConsent:
+			prompts = append(prompts, domain.PromptConsent)
+		case oidc.PromptSelectAccount:
+			prompts = append(prompts, domain.PromptSelectAccount)
+		case "create": //this prompt is not final yet, so not implemented in oidc lib
+			prompts = append(prompts, domain.PromptCreate)
+		}
 	}
+	return prompts
 }

 func ACRValuesToBusiness(values []string) []domain.LevelOfAssurance {
@@ -193,6 +196,14 @@ func UILocalesToBusiness(tags []language.Tag) []string {
 	return locales
 }

+func MaxAgeToBusiness(maxAge *uint) *time.Duration {
+	if maxAge == nil {
+		return nil
+	}
+	dur := time.Duration(*maxAge) * time.Second
+	return &dur
+}
+
 func ResponseTypeToBusiness(responseType oidc.ResponseType) domain.OIDCResponseType {
 	switch responseType {
 	case oidc.ResponseTypeCode:
@@ -291,6 +302,6 @@ func (r *RefreshTokenRequest) GetSubject() string {
 	return r.UserID
 }

-func (r *RefreshTokenRequest) SetCurrentScopes(scopes oidc.Scopes) {
+func (r *RefreshTokenRequest) SetCurrentScopes(scopes []string) {
 	r.Scopes = scopes
 }
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -80,7 +80,7 @@ func (o *OPStorage) GetKeyByIDAndIssuer(ctx context.Context, keyID, issuer strin
 	}, nil
 }

-func (o *OPStorage) ValidateJWTProfileScopes(ctx context.Context, subject string, scopes oidc.Scopes) (oidc.Scopes, error) {
+func (o *OPStorage) ValidateJWTProfileScopes(ctx context.Context, subject string, scopes []string) ([]string, error) {
 	user, err := o.repo.UserByID(ctx, subject)
 	if err != nil {
 		return nil, err