-
Notifications
You must be signed in to change notification settings - Fork 113
feat: make nonce handling configurable #111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -19,6 +19,8 @@ class Apple < OmniAuth::Strategies::OAuth2 | |||||
| response_mode: 'form_post', | ||||||
| scope: 'email name' | ||||||
| option :authorized_client_ids, [] | ||||||
| # one of :session (default), :local, :ignore | ||||||
| option :nonce, :session | ||||||
|
|
||||||
| uid { id_info[:sub] } | ||||||
|
|
||||||
|
|
@@ -56,7 +58,8 @@ def is_private_email | |||||
| end | ||||||
|
|
||||||
| def authorize_params | ||||||
| super.merge(nonce: new_nonce) | ||||||
| params = super | ||||||
| options[:nonce] != :ignore ? params.merge(nonce: new_nonce) : params | ||||||
| end | ||||||
|
|
||||||
| def callback_url | ||||||
|
|
@@ -66,11 +69,26 @@ def callback_url | |||||
| private | ||||||
|
|
||||||
| def new_nonce | ||||||
| session['omniauth.nonce'] = SecureRandom.urlsafe_base64(16) | ||||||
| nonce = SecureRandom.urlsafe_base64(16) | ||||||
| if options[:nonce] == :local | ||||||
| cookies.encrypted[:omniauth_apple_store] = | ||||||
| { same_site: :none, expires: 1.hour.from_now, secure: true, value: nonce } | ||||||
| else | ||||||
| session['omniauth.nonce'] = nonce | ||||||
| end | ||||||
| nonce | ||||||
| end | ||||||
|
|
||||||
| def stored_nonce | ||||||
| session.delete('omniauth.nonce') | ||||||
| return session.delete("omniauth.nonce") unless options[:nonce] == :local | ||||||
|
|
||||||
| nonce = cookies.encrypted[:omniauth_apple_store] | ||||||
| cookies.delete :omniauth_apple_store | ||||||
| nonce | ||||||
| end | ||||||
|
|
||||||
| def cookies | ||||||
| request.env["action_dispatch.cookies"] | ||||||
| end | ||||||
|
|
||||||
| def id_info | ||||||
|
|
@@ -105,7 +123,7 @@ def verify_claims!(id_token) | |||||
| verify_aud!(id_token) | ||||||
| verify_iat!(id_token) | ||||||
| verify_exp!(id_token) | ||||||
| verify_nonce!(id_token) if id_token[:nonce_supported] | ||||||
| verify_nonce!(id_token) if id_token[:nonce_supported] && options[:nonce] != :ignore | ||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Out of curiosity, have you considered applying the suggestion made by @btalbot in #102 and just avoid verifying a blank
Suggested change
If so then may I ask why you decided not to use this solution ? It seems to work for me and requires a lot less changes in the code.
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Because this would pass even if There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. My bad, what I meant was to update def verify_nonce!(id_token)
invalid_claim! :nonce unless id_token[:nonce] == stored_nonce
endFrom my understanding There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @bvogel do you think that solution could work in the end ?
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No, as the |
||||||
| end | ||||||
|
|
||||||
| def verify_iss!(id_token) | ||||||
|
|
||||||
Uh oh!
There was an error while loading. Please reload this page.