mirrors/pocket-id
1
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2026-02-04 12:46:45 +00:00
Code Activity

feat: process nonce within device authorization flow (#1185)

Browse Source 
Co-authored-by: Elias Schneider <login@eliasschneider.com>
This commit is contained in:
Justin Moy
2026-01-04 11:18:17 -07:00
committed by GitHub
parent 72009ced67
commit 2d7e2ec8df
7 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
backend/internal/dto/oidc_dto.go
View File

@@ -139,6 +139,7 @@ type OidcDeviceAuthorizationRequestDto struct {
ClientSecret string `form:"client_secret"` ClientSecret string `form:"client_secret"`
ClientAssertion string `form:"client_assertion"` ClientAssertion string `form:"client_assertion"`
ClientAssertionType string `form:"client_assertion_type"` ClientAssertionType string `form:"client_assertion_type"`
Nonce string `form:"nonce"`
} }
type OidcDeviceAuthorizationResponseDto struct { type OidcDeviceAuthorizationResponseDto struct {

1
backend/internal/model/oidc.go
View File

@@ -144,6 +144,7 @@ type OidcDeviceCode struct {
DeviceCode string DeviceCode string
UserCode string UserCode string
Scope string Scope string
Nonce string
ExpiresAt datatype.DateTime ExpiresAt datatype.DateTime
IsAuthorized bool IsAuthorized bool

3
backend/internal/service/oidc_service.go
View File

@@ -314,7 +314,7 @@ func (s *OidcService) createTokenFromDeviceCode(ctx context.Context, input dto.O
} }
// Explicitly use the input clientID for the audience claim to ensure consistency // Explicitly use the input clientID for the audience claim to ensure consistency
idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, "") idToken, err := s.jwtService.GenerateIDToken(userClaims, input.ClientID, deviceAuth.Nonce)
if err != nil { if err != nil {
return CreatedTokens{}, err return CreatedTokens{}, err
} }
@@ -1282,6 +1282,7 @@ func (s *OidcService) CreateDeviceAuthorization(ctx context.Context, input dto.O
ExpiresAt: datatype.DateTime(time.Now().Add(DeviceCodeDuration)), ExpiresAt: datatype.DateTime(time.Now().Add(DeviceCodeDuration)),
IsAuthorized: false, IsAuthorized: false,
ClientID: client.ID, ClientID: client.ID,
Nonce: input.Nonce,
} }
if err := s.db.Create(deviceAuth).Error; err != nil { if err := s.db.Create(deviceAuth).Error; err != nil {

1
backend/resources/migrations/postgres/20260104190900_add_nonce_to_device_codes.down.sql Normal file
View File

@@ -0,0 +1 @@
ALTER TABLE oidc_device_codes DROP COLUMN nonce;

1
backend/resources/migrations/postgres/20260104190900_add_nonce_to_device_codes.up.sql Normal file
View File

@@ -0,0 +1 @@
ALTER TABLE oidc_device_codes ADD COLUMN nonce VARCHAR(255);

5
backend/resources/migrations/sqlite/20260104190900_add_nonce_to_device_codes.down.sql Normal file
View File

@@ -0,0 +1,5 @@
PRAGMA foreign_keys=OFF;
BEGIN;
ALTER TABLE oidc_device_codes DROP COLUMN nonce;
COMMIT;
PRAGMA foreign_keys=ON;

5
backend/resources/migrations/sqlite/20260104190900_add_nonce_to_device_codes.up.sql Normal file
View File

@@ -0,0 +1,5 @@
PRAGMA foreign_keys=OFF;
BEGIN;
ALTER TABLE oidc_device_codes ADD COLUMN nonce TEXT;
COMMIT;
PRAGMA foreign_keys=ON;