fix regression from #39 that broke #34 again

2025-12-07 16:35:17 +01:00 · 2025-11-26 15:51:30 +01:00 · 2025-11-26 15:51:30 +01:00 · 4c508a22e6
commit 4c508a22e6
parent a766608f55
1 changed files with 7 additions and 2 deletions
--- a/src/middleware.rs
+++ b/src/middleware.rs
@ -17,7 +17,7 @@ use tower_sessions::Session;
 use openidconnect::{
    core::{CoreAuthenticationFlow, CoreErrorResponseType, CoreGenderClaim, CoreJsonWebKey},
    AccessToken, AccessTokenHash, CsrfToken, IdTokenClaims, IdTokenVerifier, Nonce,
-    OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
+    NonceVerifier as _, OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
    RequestTokenError::ServerResponse,
    Scope, TokenResponse, UserInfoClaims,
 };
@ -425,7 +425,12 @@ async fn try_refresh_token<AC: AdditionalClaims>(
                .set_other_audience_verifier_fn(|audience|
                    // Return false (reject) if audience is in list of untrusted audiences
                    !client.untrusted_audiences.contains(audience));
-            let claims = id_token.claims(&id_token_verifier, nonce)?;
+            let claims = id_token.claims(&id_token_verifier, |claims_nonce: Option<&Nonce>| {
+                match claims_nonce {
+                    Some(_) => nonce.verify(claims_nonce),
+                    None => Ok(()),
+                }
+            })?;

            validate_access_token_hash(
                id_token,