Add support for nonce parameter

2024-10-17 17:47:23 +05:00 · 2024-10-17 17:47:23 +05:00 · 401009bfdb
commit 401009bfdb
parent 6e3fac77f1
4 changed files with 23 additions and 8 deletions
--- a/lib/comfycamp/sso/id_token.ex
+++ b/lib/comfycamp/sso/id_token.ex
@ -1,8 +1,8 @@
 defmodule Comfycamp.SSO.IDToken do
  @derive Jason.Encoder
-  defstruct [:iss, :sub, :aud, :exp, :iat, :email, :preferred_username]
+  defstruct [:iss, :sub, :aud, :exp, :iat, :email, :preferred_username, :nonce]

-  def build_id_token(user, client_id) do
+  def build_id_token(user, client_id, nonce) do
    {_, now} = DateTime.now("Etc/UTC")
    issued_at = DateTime.to_unix(now)

@ -18,7 +18,8 @@ defmodule Comfycamp.SSO.IDToken do
      exp: expires_at,
      iat: issued_at,
      email: user.email,
-      preferred_username: user.username
+      preferred_username: user.username,
+      nonce: nonce
    }
  end
 end
--- a/lib/comfycamp/sso/oidc_code.ex
+++ b/lib/comfycamp/sso/oidc_code.ex
@ -1,4 +1,8 @@
 defmodule Comfycamp.SSO.OIDCCode do
+  @moduledoc """
+  Temporary code that may be exchanged for an access token.
+  """
+
  use Ecto.Schema
  import Ecto.Changeset

@ -10,6 +14,7 @@ defmodule Comfycamp.SSO.OIDCCode do
  @primary_key {:value, :string, autogenerate: false}
  schema "oidc_codes" do
    field :redirect_uri, :string
+    field :nonce, :string
    belongs_to :user, User

    belongs_to :oidc_app, OIDCApp,
@ -23,9 +28,8 @@ defmodule Comfycamp.SSO.OIDCCode do
  @doc false
  def changeset(oidc_code, attrs) do
    oidc_code
-    |> cast(attrs, [:user_id, :oidc_app_id, :redirect_uri])
    |> change(value: Rand.get_random_string(12))
-    |> validate_required([:value, :user_id, :oidc_app_id, :redirect_uri])
-    |> validate_length(:value, min: 6, max: 255)
+    |> cast(attrs, [:user_id, :oidc_app_id, :redirect_uri, :nonce])
+    |> validate_required([:user_id, :oidc_app_id, :redirect_uri])
  end
 end
--- a/lib/comfycamp_web/controllers/oauth_controller.ex
+++ b/lib/comfycamp_web/controllers/oauth_controller.ex
@ -56,7 +56,8 @@ defmodule ComfycampWeb.OauthController do
        SSO.create_oidc_code(%{
          oidc_app_id: client_id,
          user_id: conn.assigns.current_user.id,
-          redirect_uri: redirect_uri
+          redirect_uri: redirect_uri,
+          nonce: params["nonce"]
        })

      uri = build_redirect_uri(redirect_uri, code.value, params["state"])
@ -88,7 +89,7 @@ defmodule ComfycampWeb.OauthController do

      {access_token, refresh_token} = Accounts.generate_oauth_tokens(code.user)

-      id_token = IDToken.build_id_token(code.user, oidc_app.client_id)
+      id_token = IDToken.build_id_token(code.user, oidc_app.client_id, code.nonce)
      {:ok, signed_id_token} = Token.sign(id_token, client_secret)

      render(conn, :token,
--- a/priv/repo/migrations/20241017124232_oidc_nonce.exs
+++ b/priv/repo/migrations/20241017124232_oidc_nonce.exs
@ -0,0 +1,9 @@
+defmodule Comfycamp.Repo.Migrations.OidcNonce do
+  use Ecto.Migration
+
+  def change do
+    alter table(:oidc_codes) do
+      add :nonce, :string
+    end
+  end
+end