From 538ec5124af2ad5cb090cbf0ea81f8291118af2c Mon Sep 17 00:00:00 2001
From: "James A. Robinson"
Date: Fri, 5 Jan 2024 10:03:52 -0600
Subject: [PATCH] Ignore ordering of openid token in scope parameter

Change the logic that checks for the "openid" token in the "scope" parameter value to ignore ordering. The Scopes section of the specification appears to only require that "openid" be present in the list, not that it be the first item in the list:

OpenID Connect Basic Client Implementer's Guide 1.0 - draft 47
2.4. Scope Values
https://openid.net/specs/openid-connect-basic-1_0.html#Scopes
---
 handlers.go | 11 +++++++----
 handlers_test.go | 5 ++++-
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/handlers.go b/handlers.go
index 1cd7b72..0e73885 100644
--- a/handlers.go
+++ b/handlers.go
@@ -295,10 +295,13 @@ func (m *MockOIDC) setTokens(tr *tokenResponse, s *Session, grantType string) er
 	if err != nil {
 		return err
 	}
-	if len(s.Scopes) > 0 && s.Scopes[0] == openidScope {
-		tr.IDToken, err = s.IDToken(m.Config(), m.Keypair, m.Now())
-		if err != nil {
-			return err
+	for _, scope := range s.Scopes {
+		if scope == openidScope {
+			tr.IDToken, err = s.IDToken(m.Config(), m.Keypair, m.Now())
+			if err != nil {
+				return err
+			}
+			break
 		}
 	}
 	if grantType != "refresh_token" {
diff --git a/handlers_test.go b/handlers_test.go
index 0e9e31c..5aa7c6d 100644
--- a/handlers_test.go
+++ b/handlers_test.go
@@ -71,8 +71,11 @@ func TestMockOIDC_Token_CodeGrant(t *testing.T) {
 	m, err := mockoidc.NewServer(nil)
 	assert.NoError(t, err)
+	// Note: we're setting openid to the end of the scope list to test
+	// that ordering is not considered when checking for "openid" in the
+	// list
 	session, _ := m.SessionStore.NewSession(
-		"openid email profile", "nonce", mockoidc.DefaultUser(), "", "")
+		"email profile openid", "nonce", mockoidc.DefaultUser(), "", "")
 	assert.HTTPError(t, m.Token, http.MethodPost, mockoidc.TokenEndpoint, nil)
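Review bot: The range-with-break in setTokens is a hand-rolled membership test; if the module's go.mod is at Go 1.21 or later, `if slices.Contains(s.Scopes, openidScope) {` says the same thing in one line, drops the `break`, and keeps the body flat (it needs `"slices"` in the import block, which is outside this hunk). The exact string comparison against openidScope is the right check to keep, since OAuth scope values are case-sensitive and a mock that loosely matched variants such as "OpenID" would mask client bugs rather than surface them. A short comment above the loop, `// Issue an ID token whenever "openid" appears anywhere in the granted scopes (OIDC Basic Client 2.4).`, would record why position no longer matters. The accompanying test only exercises the match path; a companion case whose scope string omits "openid" and asserts that the response carries no id_token would cover the no-match path the loop now takes. The start of setTokens and the rest of its body lie outside the hunk.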