
Commit 13516c4

committed
always treat invalid id_tokens as an error
1 parent b27009f commit 13516c4


2 files changed

+10
-12
lines changed


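--- a/lib/resty/openidc.lua
+++ b/lib/resty/openidc.lua
@@ -1108,6 +1108,14 @@ local function openidc_access_token(opts, session, try_to_renew)
 if err then
 return nil, err
 end
+local id_token
+if json.id_token then
+id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session)
+if err then
+ngx.log(ngx.ERR, "invalid id token, discarding tokens returned while refreshing")
+return nil, err
+end
+end
 ngx.log(ngx.DEBUG, "access_token refreshed: ", json.access_token, " updated refresh_token: ", json.refresh_token)
 
 session:start()
@@ -1119,21 +1127,11 @@ local function openidc_access_token(opts, session, try_to_renew)
 
 if json.id_token and
 (store_in_session(opts, 'enc_id_token') or store_in_session(opts, 'id_token')) then
-
 ngx.log(ngx.DEBUG, "id_token refreshed: ", json.id_token)
 if store_in_session(opts, 'enc_id_token') then
 session.data.enc_id_token = json.id_token
 end
 if store_in_session(opts, 'id_token') then
-local id_token, err = openidc_load_and_validate_jwt_id_token(opts, json.id_token, session)
-if err then
-ngx.log(ngx.ERR, "invalid id token, discarding tokens returned while refreshing")
-session.data.access_token = nil
-session.data.access_token_expiration = nil
-session.data.refresh_token = nil
-session:save()
-return nil, err
-end
 session.data.id_token = id_token
 end
 end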

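--- a/tests/spec/token_refresh_spec.lua
+++ b/tests/spec/token_refresh_spec.lua
@@ -194,8 +194,8 @@ describe("if refresh contains an invalid id_token", function()
 redirect = false,
 headers = { cookie = cookies },
 })
-it ("the id token gets refreshed", function()
-assert.error_log_contains("id_token refreshed")
+it ("the id token doesn't get refreshed", function()
+assert.is_not.error_log_contains("id_token refreshed")
 end)
 it("the tokens are rejected", function()
 assert.error_log_contains("invalid id token, discarding tokens returned while refreshing")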
