extern/frp
1
1
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2025-02-15 17:59:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Wrap new VerifyLogin logic in allowedHostedDomains length check

Browse Source
This commit is contained in:
foresturquhart 2025-02-06 17:46:46 +00:00
parent cda2cb151e
commit b499412aee
1 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/auth/oidc.go
View File

@ -139,6 +139,8 @@ func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVeri
} }
func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) { func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
// Verify hosted domain (hd claim).
if len(auth.allowedHostedDomains) > 0 {
// Decode token without verifying signature to retrieved 'hd' claim. // Decode token without verifying signature to retrieved 'hd' claim.
parts := strings.Split(loginMsg.PrivilegeKey, ".") parts := strings.Split(loginMsg.PrivilegeKey, ".")
if len(parts) != 3 { if len(parts) != 3 {
@ -155,8 +157,6 @@ func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
return fmt.Errorf("invalid OIDC token: failed to unmarshal payload: %v", err) return fmt.Errorf("invalid OIDC token: failed to unmarshal payload: %v", err)
} }
// Verify hosted domain (hd claim).
if len(auth.allowedHostedDomains) > 0 {
hd, ok := claims["hd"].(string) hd, ok := claims["hd"].(string)
if !ok { if !ok {
return fmt.Errorf("OIDC token missing required 'hd' claim") return fmt.Errorf("OIDC token missing required 'hd' claim")