extern/frp
1
1
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2025-02-15 09:50:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Wrap new VerifyLogin logic in allowedHostedDomains length check

Browse Source
This commit is contained in:
foresturquhart 2025-02-06 17:46:46 +00:00
parent cda2cb151e
commit b499412aee
1 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/auth/oidc.go
View File

@ -139,6 +139,8 @@ func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVeri
}
func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
// Verify hosted domain (hd claim).
if len(auth.allowedHostedDomains) > 0 {
// Decode token without verifying signature to retrieved 'hd' claim.
parts := strings.Split(loginMsg.PrivilegeKey, ".")
if len(parts) != 3 {
@ -155,8 +157,6 @@ func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
return fmt.Errorf("invalid OIDC token: failed to unmarshal payload: %v", err)
}
// Verify hosted domain (hd claim).
if len(auth.allowedHostedDomains) > 0 {
hd, ok := claims["hd"].(string)
if !ok {
return fmt.Errorf("OIDC token missing required 'hd' claim")