appview/oauth: verify "iss" parameter in auth response

Monorepo for Tangled

From https://datatracker.ietf.org/doc/html/rfc9207#section-2.4 :

"Clients MUST [...] compare the result to the issuer identifier of the
authorization server where the authorization request was sent to. [...]
If the value does not match the expected issuer identifier, clients MUST
reject the authorization response and MUST NOT proceed with the
authorization grant."

Signed-off-by: Mike P <fentiger@mythik.co.uk>

authored by

Mike P and committed by

Anirudh Oppiliappan 6 months ago 801c1427 45efee41

1 changed file

expand all

unified split

appview

oauth

handler

handler.go

appview/oauth/handler/handler.go

··· 253 253 return 254 254 } 255 255 256 + if iss != oauthRequest.AuthserverIss { 257 + log.Println("mismatched iss:", iss, "!=", oauthRequest.AuthserverIss, "for state:", state) 258 + o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.") 259 + return 260 + } 261 + 256 262 self := o.oauth.ClientMetadata() 257 263 258 264 oauthClient, err := client.NewClient(