Add nonce to auth code flow

2015-08-07 21:32:48 +09:00 · 2015-08-07 21:32:48 +09:00 · 724f32604b
commit 724f32604b
parent bb8fe6aa83
4 changed files with 7 additions and 4 deletions
--- a/app/models/api/openid_connect/authorization.rb
+++ b/app/models/api/openid_connect/authorization.rb
@ -38,7 +38,7 @@ module Api
        # TODO: Add support for request object
      end

-      def create_id_token(nonce=nil)
+      def create_id_token
        id_tokens.create!(nonce: nonce)
      end

--- a/db/migrate/20150708153926_create_authorizations.rb
+++ b/db/migrate/20150708153926_create_authorizations.rb
@ -6,6 +6,7 @@ class CreateAuthorizations < ActiveRecord::Migration
      t.string :refresh_token
      t.string :code
      t.string :redirect_uri
+      t.string :nonce

      t.timestamps null: false
    end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -69,6 +69,7 @@ ActiveRecord::Schema.define(version: 20150801074555) do
    t.string   "refresh_token",         limit: 255
    t.string   "code",                  limit: 255
    t.string   "redirect_uri",          limit: 255
+    t.string   "nonce",                 limit: 255
    t.datetime "created_at",                        null: false
    t.datetime "updated_at",                        null: false
  end
--- a/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
+++ b/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
@ -23,6 +23,7 @@ module Api
        def approved!(req, res)
          auth = OpenidConnect::Authorization.find_or_create_by(
            o_auth_application: @o_auth_application, user: @user, redirect_uri: @redirect_uri)
+          auth.nonce = req.nonce
          auth.scopes << @scopes
          handle_approved_response_type(auth, req, res)
          res.approve!
@ -32,7 +33,7 @@ module Api
          response_types = Array(req.response_type)
          handle_approved_auth_code(auth, res, response_types)
          handle_approved_access_token(auth, res, response_types)
-          handle_approved_id_token(auth, req, res, response_types)
+          handle_approved_id_token(auth, res, response_types)
        end

        def handle_approved_auth_code(auth, res, response_types)
@ -45,9 +46,9 @@ module Api
          res.access_token = auth.create_access_token
        end

-        def handle_approved_id_token(auth, req, res, response_types)
+        def handle_approved_id_token(auth, res, response_types)
          return unless response_types.include?(:id_token)
-          id_token = auth.create_id_token(req.nonce)
+          id_token = auth.create_id_token
          auth_code_value = res.respond_to?(:code) ? res.code : nil
          access_token_value = res.respond_to?(:access_token) ? res.access_token : nil
          res.id_token = id_token.to_jwt(code: auth_code_value, access_token: access_token_value)