

Add support for verifying issuer when using oidc
kjellkongsvik committed Sep 20, 2023
1 parent 37e72c9 commit 960bf11
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions src/key_store.rs
Expand Up @@ -40,7 +40,7 @@ impl KeyStore {
url: &str,
audience: &str,
) -> Result<Self, JwksError> {
let (jwks_uri, alg) = match client.get(url).send().await?.json::<Oidc>().await {
let (jwks_uri, alg, iss) = match client.get(url).send().await?.json::<Oidc>().await {
Ok(oidc) => {
let jwks_uri = oidc.jwks_uri;
let alg = match &oidc.id_token_signing_alg_values_supported {
Expand All @@ -50,11 +50,11 @@ impl KeyStore {
},
_ => None,
};
(jwks_uri.to_string(), alg)
(jwks_uri.to_string(), alg, oidc.issuer)
}
_ => (url.to_string(), None),
_ => (url.to_string(), None, None),
};
let keys = Self::from_jwks_url(client, &jwks_uri, audience, alg).await?;
let keys = Self::from_jwks_url(client, &jwks_uri, audience, alg, iss).await?;
Ok(Self {
keys,
when: Instant::now(),
Expand All @@ -66,6 +66,7 @@ impl KeyStore {
jwks_url: &str,
audience: &str,
alg: Option<jsonwebtoken::Algorithm>,
issuer: Option<String>,
) -> Result<Keys, JwksError> {
let jwks: jwk::JwkSet = client.get(jwks_url).send().await?.json().await?;

Expand All @@ -85,6 +86,9 @@ impl KeyStore {
let mut validation =
Validation::new(jwk.common.algorithm.or(alg).unwrap_or(DEFAULT_ALG));
validation.set_audience(&[audience.clone()]);
if let Some(iss) = issuer.clone() {
validation.set_issuer(&[iss]);
};

keys.insert(
kid,
Expand Down Expand Up @@ -112,6 +116,7 @@ impl KeyStore {
struct Oidc {
jwks_uri: String,
id_token_signing_alg_values_supported: Option<Vec<String>>,
issuer: Option<String>,
}

type Keys = HashMap<String, Jwk>;
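Review bot: The new `if let Some(iss) = issuer.clone() { validation.set_issuer(&[iss]); }` block skips issuer validation silently whenever `issuer` is `None`, which is exactly what the discovery-failure fallback `_ => (url.to_string(), None, None)` and a discovery document without an `issuer` field produce, so in those cases a token from any issuer whose key id matches an entry in the JWKS is accepted without an error or a log line. OIDC Discovery makes `issuer` a required member of the document, so `Oidc.issuer` could be declared `issuer: String` rather than `Option<String>` and let deserialization fail loudly, and the new `issuer: Option<String>` parameter of `from_jwks_url` deserves a doc comment such as `/// Expected `iss` claim; `None` disables issuer validation entirely.` so callers passing `None` know what they are giving up. Minor: `if let Some(iss) = &issuer { validation.set_issuer(&[iss.as_str()]); }` avoids cloning the issuer string once per key in the loop, and the trailing `;` after the `if let` block is redundant. Both of the functions touched here begin and end outside the visible hunks.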

