From 795dee246f26c1fef16dcd52da37e3df75e73772 Mon Sep 17 00:00:00 2001
From: Mitar
Date: Fri, 14 May 2021 07:02:57 -0700
Subject: [PATCH] fix: do not include nonce in ID tokens when not used (#570)
Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
---
 token/jwt/claims_id_token.go | 2 +-
 token/jwt/claims_id_token_test.go | 57 ++++++++++++++++++++-----------
 2 files changed, 38 insertions(+), 21 deletions(-)
diff --git a/token/jwt/claims_id_token.go b/token/jwt/claims_id_token.go
index 8eadc5e5..ab73f29c 100644
--- a/token/jwt/claims_id_token.go
+++ b/token/jwt/claims_id_token.go
@@ -59,7 +59,7 @@ func (c *IDTokenClaims) ToMap() map[string]interface{} {
 		ret["aud"] = []string{}
 	}
 
-	if len(c.Nonce) >= 0 {
+	if len(c.Nonce) > 0 {
 		ret["nonce"] = c.Nonce
 	}
 
diff --git a/token/jwt/claims_id_token_test.go b/token/jwt/claims_id_token_test.go
index e7d3f90c..abd09f46 100644
--- a/token/jwt/claims_id_token_test.go
+++ b/token/jwt/claims_id_token_test.go
@@ -30,25 +30,6 @@ import (
 	. "github.com/ory/fosite/token/jwt"
 )
 
-var idTokenClaims = &IDTokenClaims{
-	JTI: "foo-id",
-	Subject: "peter",
-	IssuedAt: time.Now().UTC().Round(time.Second),
-	Issuer: "fosite",
-	Audience: []string{"tests"},
-	ExpiresAt: time.Now().UTC().Add(time.Hour).Round(time.Second),
-	AuthTime: time.Now().UTC(),
-	RequestedAt: time.Now().UTC(),
-	AccessTokenHash: "foobar",
-	CodeHash: "barfoo",
-	AuthenticationContextClassReference: "acr",
-	AuthenticationMethodsReference: "amr",
-	Extra: map[string]interface{}{
-		"foo": "bar",
-		"baz": "bar",
-	},
-}
-
 func TestIDTokenAssert(t *testing.T) {
 	assert.NoError(t, (&IDTokenClaims{ExpiresAt: time.Now().UTC().Add(time.Hour)}).
 		ToMapClaims().Valid())
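Review bot: The corrected guard `if len(c.Nonce) > 0 {` in the claims_id_token.go hunk still carries no explanation of why an empty nonce must be left out, and the previous `>= 0` — which was always true, so every ID token carried `"nonce": ""` whether or not a nonce was requested — shows how easily that intent gets lost; a comment above it would anchor it, e.g. `// nonce is echoed only when the authentication request supplied one; an empty claim is not a valid echo and strict relying parties reject it`. ToMap's body continues outside the hunk, so it is not visible here whether the other optional string claims (at_hash, c_hash, acr, amr) use the same length-based guard; if they do, the same comment style applies to them, and if they do not, the asymmetry is worth a sentence in the method's doc comment. The first test-file hunk on this line only moves the fixture out of package scope and needs no change.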
@@ -59,6 +40,24 @@ func TestIDTokenAssert(t *testing.T) {
 }
 
 func TestIDTokenClaimsToMap(t *testing.T) {
+	idTokenClaims := &IDTokenClaims{
+		JTI: "foo-id",
+		Subject: "peter",
+		IssuedAt: time.Now().UTC().Round(time.Second),
+		Issuer: "fosite",
+		Audience: []string{"tests"},
+		ExpiresAt: time.Now().UTC().Add(time.Hour).Round(time.Second),
+		AuthTime: time.Now().UTC(),
+		RequestedAt: time.Now().UTC(),
+		AccessTokenHash: "foobar",
+		CodeHash: "barfoo",
+		AuthenticationContextClassReference: "acr",
+		AuthenticationMethodsReference: "amr",
+		Extra: map[string]interface{}{
+			"foo": "bar",
+			"baz": "bar",
+		},
+	}
 	assert.Equal(t, map[string]interface{}{
 		"jti": idTokenClaims.JTI,
 		"sub": idTokenClaims.Subject,
@@ -66,7 +65,6 @@ func TestIDTokenClaimsToMap(t *testing.T) {
 		"rat": float64(idTokenClaims.RequestedAt.Unix()),
 		"iss": idTokenClaims.Issuer,
 		"aud": idTokenClaims.Audience,
-		"nonce": idTokenClaims.Nonce,
 		"exp": float64(idTokenClaims.ExpiresAt.Unix()),
 		"foo": idTokenClaims.Extra["foo"],
 		"baz": idTokenClaims.Extra["baz"],
@@ -76,4 +74,23 @@ func TestIDTokenClaimsToMap(t *testing.T) {
 		"acr": idTokenClaims.AuthenticationContextClassReference,
 		"amr": idTokenClaims.AuthenticationMethodsReference,
 	}, idTokenClaims.ToMap())
+
+	idTokenClaims.Nonce = "foobar"
+	assert.Equal(t, map[string]interface{}{
+		"jti": idTokenClaims.JTI,
+		"sub": idTokenClaims.Subject,
+		"iat": float64(idTokenClaims.IssuedAt.Unix()),
+		"rat": float64(idTokenClaims.RequestedAt.Unix()),
+		"iss": idTokenClaims.Issuer,
+		"aud": idTokenClaims.Audience,
+		"exp": float64(idTokenClaims.ExpiresAt.Unix()),
+		"foo": idTokenClaims.Extra["foo"],
+		"baz": idTokenClaims.Extra["baz"],
+		"at_hash": idTokenClaims.AccessTokenHash,
+		"c_hash": idTokenClaims.CodeHash,
+		"auth_time": idTokenClaims.AuthTime.Unix(),
+		"acr": idTokenClaims.AuthenticationContextClassReference,
+		"amr": idTokenClaims.AuthenticationMethodsReference,
+		"nonce": idTokenClaims.Nonce,
+	}, idTokenClaims.ToMap())
 }
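Review bot: The second `assert.Equal` in the last hunk repeats the fourteen entries of the first expected map verbatim, so any claim later added to `ToMap` must be inserted in two places and the two cases can silently drift apart; building the expected map once as a local (`expected := map[string]interface{}{...}`), asserting it, then writing `expected["nonce"] = "foobar"` after `idTokenClaims.Nonce = "foobar"` and asserting again would make the single difference between the cases visible. The absent-nonce case is only implied by the whole-map comparison; an explicit `_, hasNonce := idTokenClaims.ToMap()["nonce"]` followed by `assert.False(t, hasNonce)` before the nonce is set states the behaviour the commit is fixing. The earlier hunks on this line (fixture moved into the test, `"nonce"` dropped from the first expected map) follow directly from the fix and need no change.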