extern/frp
1
1
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2025-02-19 03:31:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Wrap new VerifyLogin logic in allowedHostedDomains length check

Browse Source
This commit is contained in:
foresturquhart 2025-02-06 17:46:46 +00:00
parent cda2cb151e
commit b499412aee
1 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
pkg/auth/oidc.go
View File

@ -139,24 +139,24 @@ func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVeri
} }
func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) { func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
// Decode token without verifying signature to retrieved 'hd' claim.
parts := strings.Split(loginMsg.PrivilegeKey, ".")
if len(parts) != 3 {
return fmt.Errorf("invalid OIDC token format")
}
payload, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return fmt.Errorf("invalid OIDC token: failed to decode payload: %v", err)
}
var claims map[string]any
if err := json.Unmarshal(payload, &claims); err != nil {
return fmt.Errorf("invalid OIDC token: failed to unmarshal payload: %v", err)
}
// Verify hosted domain (hd claim). // Verify hosted domain (hd claim).
if len(auth.allowedHostedDomains) > 0 { if len(auth.allowedHostedDomains) > 0 {
// Decode token without verifying signature to retrieved 'hd' claim.
parts := strings.Split(loginMsg.PrivilegeKey, ".")
if len(parts) != 3 {
return fmt.Errorf("invalid OIDC token format")
}
payload, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return fmt.Errorf("invalid OIDC token: failed to decode payload: %v", err)
}
var claims map[string]any
if err := json.Unmarshal(payload, &claims); err != nil {
return fmt.Errorf("invalid OIDC token: failed to unmarshal payload: %v", err)
}
hd, ok := claims["hd"].(string) hd, ok := claims["hd"].(string)
if !ok { if !ok {
return fmt.Errorf("OIDC token missing required 'hd' claim") return fmt.Errorf("OIDC token missing required 'hd' claim")