fix: #34 optional nonce in ID token refresh

Only verify the nonce in the token request response's ID token if one was given.
This commit is contained in:
Paul Zinselmeyer 2025-11-06 18:44:10 +01:00
parent 65cb175603
commit bacab1c939
Signed by: pfzetto
SSH key fingerprint: SHA256:BOdea0+zY02mYo29j2zzK6uVpcc3Gkp4w6C7YrHbN8A


@ -14,7 +14,7 @@ use tower_sessions::Session;
use openidconnect::{
core::{CoreAuthenticationFlow, CoreErrorResponseType, CoreGenderClaim, CoreJsonWebKey},
AccessToken, AccessTokenHash, AuthenticationContextClass, CsrfToken, IdTokenClaims,
IdTokenVerifier, Nonce, OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
IdTokenVerifier, Nonce, NonceVerifier, OAuth2TokenResponse, PkceCodeChallenge, RefreshToken,
RequestTokenError::ServerResponse,
Scope, TokenResponse,
};
@ -367,7 +367,12 @@ async fn try_refresh_token<AC: AdditionalClaims>(
.id_token()
.ok_or(MiddlewareError::IdTokenMissing)?;
let id_token_verifier = client.client.id_token_verifier();
let claims = id_token.claims(&id_token_verifier, nonce)?;
let claims = id_token.claims(&id_token_verifier, |claims_nonce: Option<&Nonce>| {
match claims_nonce {
Some(_) => nonce.verify(claims_nonce),
None => Ok(()),
}
})?;
validate_access_token_hash(
id_token,